{"id":3369,"date":"2023-06-16T13:41:30","date_gmt":"2023-06-16T18:41:30","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3369"},"modified":"2023-06-16T13:41:30","modified_gmt":"2023-06-16T18:41:30","slug":"how-to-configure-exchange-server-2016-for-smtp-application-relay","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3369","title":{"rendered":"How to Configure Exchange Server 2016 for SMTP Application Relay"},"content":{"rendered":"\n<p>In most organizations there are several devices or applications that need to use an SMTP service to send email messages. An\u00a0Exchange 2016 server\u00a0can provide that service for you, however the configuration required on the server depends on the SMTP relay requirements of your scenario.<\/p>\n\n\n\n<p>The steps for how to configure Exchange Server 2016 SMTP relay are:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Determine whether your scenario is internal relay or external relay<\/li>\n\n\n\n<li>Determine whether devices and applications will authenticate or connect anonymously<\/li>\n\n\n\n<li>For authenticated relay, configure the TLS certificate for the client front end connector<\/li>\n\n\n\n<li>For anonymous relay, configure a new receive connector that is restricted to specific remote IP addresses<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-determining-internal-vs-external-relay-scenarios\">Determining Internal vs External Relay Scenarios<\/h2>\n\n\n\n<p>There are generally two types of SMTP relay scenarios&nbsp;that Exchange Server 2016 is used for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Internal relay<\/strong>&nbsp;\u2013 devices and applications that need to send email messages only to internal recipients in the Exchange organization.<\/li>\n\n\n\n<li><strong>External relay<\/strong>&nbsp;\u2013 devices and applications that need to send email messages to external recipients.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img 
decoding=\"async\" src=\"https:\/\/www.practical365.com\/wp-content\/uploads\/2015\/10\/exchange-2016-smtp-relay-01.png\" alt=\"exchange-2016-smtp-relay-01\" class=\"wp-image-9870\"\/><\/figure>\n\n\n\n<p>Let\u2019s take a look at each of those scenarios, and then some additional considerations when you are deploying this in your own production environments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-internal-smtp-relay-with-exchange-server-2016\">Internal SMTP Relay with Exchange Server 2016<\/h2>\n\n\n\n<p>When Exchange Server 2016 is first installed, the setup routine automatically creates a receive connector that is pre-configured to be used for receiving email messages from anonymous senders to internal recipients. This allows inbound internet email to be received by the server, and is also suitable for internal relay scenarios.<\/p>\n\n\n\n<p>The receive connector is named \u201cSERVERNAME\\Default Frontend SERVERNAME\u201d, for example, \u201cEXSERVER\\Default Frontend EXSERVER\u201d in my test environment.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[PS] C:\\&gt;Get-ReceiveConnector\n\nIdentity                                Bindings                                Enabled\n--------                                --------                                -------\nEXSERVER\\Default EXSERVER               {0.0.0.0:2525, [::]:2525}               True\nEXSERVER\\Client Proxy EXSERVER          {[::]:465, 0.0.0.0:465}                 True\nEXSERVER\\Default Frontend EXSERVER      {[::]:25, 0.0.0.0:25}                   True\nEXSERVER\\Outbound Proxy Frontend EXS... {[::]:717, 0.0.0.0:717}                 True\nEXSERVER\\Client Frontend EXSERVER       {[::]:587, 0.0.0.0:587}                 True\n<\/pre>\n\n\n\n<p>You can test this connector by\u00a0making an SMTP connection using Telnet\u00a0and issuing SMTP commands. 
For example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\&gt;telnet exserver 25\n\n220 EXSERVER.exchange2016demo.com Microsoft ESMTP MAIL Service ready at Thu, 22\nOct 2015 11:39:23 +1000\nhelo\n250 EXSERVER.exchange2016demo.com Hello [192.168.0.30]\nmail from: test@test.com\n250 2.1.0 Sender OK\nrcpt to: adam.wally@exchange2016demo.com\n250 2.1.5 Recipient OK\nData\n354 Start mail input; end with &lt;CRLF&gt;.&lt;CRLF&gt;\nSubject: Test email\nTesting\n.\n250 2.6.0 &lt;f7c2f921-ff7e-4ce4-b2eb-a70dc52f225f@EXSERVER.exchange2016demo.com&gt; [\nInternalId=854698491929, Hostname=EXSERVER.exchange2016demo.com] Queued mail for\n delivery\n<\/pre>\n\n\n\n<p>So there\u2019s no specific configuration required on the server or the connectors to allow this scenario; however, it is recommended that you use a DNS alias instead of the real server name. This will allow you to configure all of your devices and applications with the DNS alias, and you can later move that DNS alias to point to a different Exchange server during a migration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-external-smtp-relay-with-exchange-server-2016\">External SMTP Relay with Exchange Server 2016<\/h2>\n\n\n\n<p>Continuing from the previous demonstration, let\u2019s see what happens if I try to use Telnet to send an email message from a valid internal address to an external recipient.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">220 EXSERVER.exchange2016demo.com Microsoft ESMTP MAIL Service ready at Thu, 22\nOct 2015 12:04:45 +1000\nhelo\n250 EXSERVER.exchange2016demo.com Hello [192.168.0.30]\nmail from: adam.wally@exchange2016demo.com\n250 2.1.0 Sender OK\nrcpt to: exchangeserverpro@gmail.com\n550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain\n<\/pre>\n\n\n\n<p>An SMTP error code \u201c550 5.7.54, Unable to relay recipient in non-accepted domain\u201d is received instead. 
The receive connector will not allow an anonymous, unauthenticated sender to relay to external domain names, which prevents your server from being exploited as an open relay.<\/p>\n\n\n\n<p>There are two ways you can resolve this and allow your devices and applications to send to external recipients:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using authentication for SMTP connections<\/li>\n\n\n\n<li>Configuring an anonymous SMTP relay connector<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-external-smtp-relay-with-exchange-server-2016-using-authentication\">External SMTP Relay with Exchange Server 2016 Using Authentication<\/h3>\n\n\n\n<p>The first method is to use authenticated SMTP connections. Exchange Server 2016 has a receive connector designed to be used by clients that need to send via SMTP, called \u201cSERVERNAME\\Client Frontend SERVERNAME\u201d, for example \u201cEXSERVER\\Client Frontend EXSERVER\u201d in my test environment.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[PS] C:\\&gt;Get-ReceiveConnector\n\nIdentity                                Bindings                                Enabled\n--------                                --------                                -------\nEXSERVER\\Default EXSERVER               {0.0.0.0:2525, [::]:2525}               True\nEXSERVER\\Client Proxy EXSERVER          {[::]:465, 0.0.0.0:465}                 True\nEXSERVER\\Default Frontend EXSERVER      {[::]:25, 0.0.0.0:25}                   True\nEXSERVER\\Outbound Proxy Frontend EXS... {[::]:717, 0.0.0.0:717}                 True\nEXSERVER\\Client Frontend EXSERVER       {[::]:587, 0.0.0.0:587}                 True\n<\/pre>\n\n\n\n<p>Minimal configuration is required to get this working. 
Assuming you\u2019ve already configured an\u00a0SSL certificate for Exchange Server 2016, and added a DNS alias for your SMTP devices and applications to use (I\u2019m using a DNS alias of\u00a0<strong>mail.exchange2016demo.com<\/strong>\u00a0in this example), you should then also set the\u00a0<strong>TlsCertificateName<\/strong>\u00a0for the receive connector.<\/p>\n\n\n\n<p>Use\u00a0Get-ExchangeCertificate\u00a0to identify the thumbprint of the SSL certificate you\u2019ll be using.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[PS] C:\\&gt;Get-ExchangeCertificate\n\nThumbprint                                Services   Subject\n----------                                --------   -------\nFC5259C0528657EF22BB818CA9B23FD220A9DE83  ...WS..    CN=mail.exchange2016demo.com, OU=IT, O=LockLAN Systems Pty Ltd,...\nFE6528BE1548D81C794AE9A00D144FF3D16E0CD2  ....S..    CN=Microsoft Exchange Server Auth Certificate\nDAB089E53CA660DEF7B8EE303212C31C0E3D3499  IP.WS..    CN=EXSERVER\n17839AF62AA3A1CBBD5F7EC81E92A609976D8AD9  .......    CN=WMSvc-EXSERVER\n<\/pre>\n\n\n\n<p>The syntax of the TlsCertificateName string is made up of two different attributes of the certificate, so I use the following commands to apply the configuration to my receive connector.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[PS] C:\\&gt;$cert = Get-ExchangeCertificate -Thumbprint FC5259C0528657EF22BB818CA9B23FD220A9DE83\n\n[PS] C:\\&gt;$tlscertificatename = \"&lt;i&gt;$($cert.Issuer)&lt;s&gt;$($cert.Subject)\"\n\n[PS] C:\\&gt;Set-ReceiveConnector \"EXSERVER\\Client Frontend EXSERVER\" -Fqdn mail.exchange2016demo.com -TlsCertificateName $tlscertificatename<\/pre>\n\n\n\n<p>To test using the Client Frontend connector to send an email message I\u2019m going to use PowerShell\u2019s\u00a0Send-MailMessage\u00a0cmdlet instead of Telnet. 
First, capture some valid credentials to use for authentication.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS C:\\&gt;$credential = Get-Credential\n<\/pre>\n\n\n\n<p>Next, use the Send-MailMessage cmdlet with parameters specifying the server, to and from addresses, subject line, and the port number.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS C:\\&gt;Send-MailMessage -SmtpServer mail.exchange2016demo.com -Credential $credential -From 'adam.wally@exchange2016demo.com' -To 'exchangeserverpro@gmail.com' -Subject 'Test email' -Port 587 -UseSsl\n<\/pre>\n\n\n\n<p>In the above example the email is successfully received by the external recipient. So any device or application on the network that can use authenticated SMTP can be set up to use that connector listening on port 587 on your Exchange 2016 server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-external-smtp-relay-with-exchange-server-2016-using-anonymous-connections\">External SMTP Relay with Exchange Server 2016 Using Anonymous Connections<\/h3>\n\n\n\n<p>When authenticated SMTP is not an option you can create a new receive connector on the Exchange 2016 server that will allow anonymous SMTP relay from a specific list of IP addresses or IP ranges.<\/p>\n\n\n\n<p>In the Exchange Admin Center navigate to&nbsp;<strong>mail flow<\/strong>&nbsp;and then&nbsp;<strong>receive connectors<\/strong>. Select the server that you want to create the new receive connector on, and click the \u201c+\u201d button to start the wizard.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.practical365.com\/wp-content\/uploads\/2015\/10\/exchange-2016-smtp-relay-02.png\" alt=\"exchange-2016-smtp-relay-02\" class=\"wp-image-9875\"\/><\/figure>\n\n\n\n<p>Give the new connector a name. I like to keep the name consistent with the other default connectors. 
Set the&nbsp;<strong>Role<\/strong>&nbsp;to \u201cFrontend Transport\u201d, and the&nbsp;<strong>Type<\/strong>&nbsp;to \u201cCustom\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.practical365.com\/wp-content\/uploads\/2015\/10\/exchange-2016-smtp-relay-03.png\" alt=\"exchange-2016-smtp-relay-03\" class=\"wp-image-9876\"\/><\/figure>\n\n\n\n<p>The default&nbsp;<strong>Network adapter bindings<\/strong>&nbsp;are&nbsp;fine. This represents the IP and port that the server will be&nbsp;<em>listening<\/em>&nbsp;on for connections. Multiple receive connectors on the Frontend Transport service can listen on the same port, TCP 25, because Exchange routes each inbound connection to the connector whose remote IP range most specifically matches the connecting client\u2019s address.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.practical365.com\/wp-content\/uploads\/2015\/10\/exchange-2016-smtp-relay-04.png\" alt=\"exchange-2016-smtp-relay-04\" class=\"wp-image-9877\"\/><\/figure>\n\n\n\n<p>Remove the default IP range from the&nbsp;<strong>Remote network settings<\/strong>, and then add in the specific IP addresses or IP ranges that you want to allow anonymous SMTP relay from. 
I do not recommend adding entire IP subnets that contain other Exchange servers as this can cause issues with server-to-server communications.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.practical365.com\/wp-content\/uploads\/2015\/10\/exchange-2016-smtp-relay-05.png\" alt=\"exchange-2016-smtp-relay-05\" class=\"wp-image-9878\"\/><\/figure>\n\n\n\n<p>Click Finish to complete the wizard. Some additional configuration is still required.<\/p>\n\n\n\n<p>In the Exchange Management Shell, run the following two commands.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[PS] C:\\&gt;Set-ReceiveConnector \"EXSERVER\\Anon Relay EXSERVER\" -PermissionGroups AnonymousUsers\n\n[PS] C:\\&gt;Get-ReceiveConnector \"EXSERVER\\Anon Relay EXSERVER\" | Add-ADPermission -User 'NT AUTHORITY\\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient\n<\/pre>\n\n\n\n<p>We can now test the connector using Telnet from the IP address that was added to the remote network settings of the receive connector. In my test environment that IP address will now be allowed to send email from any email address (whether it is a valid internal address or not) to any external address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">220 EXSERVER.exchange2016demo.com Microsoft ESMTP MAIL Service ready at Thu, 22\nOct 2015 12:59:39 +1000\nhelo\n250 EXSERVER.exchange2016demo.com Hello [192.168.0.30]\nmail from: test@test.com\n250 2.1.0 Sender OK\nrcpt to: exchangeserverpro@gmail.com\n250 2.1.5 Recipient OK\nData\n354 Start mail input; end with &lt;CRLF&gt;.&lt;CRLF&gt;\nSubject: test\n.\n250 2.6.0 &lt;e1739c5f-db11-4fdd-aa27-a9702bc15b15@EXSERVER.exchange2016demo.com&gt; [\nInternalId=863288426497, Hostname=EXSERVER.exchange2016demo.com] Queued mail for\n delivery<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In most organizations there are several devices or applications that need to use an SMTP service to send email messages. 
An\u00a0Exchange 2016 server\u00a0can provide that service for you, however the configuration required on the server depends on the SMTP relay requirements of your scenario. The steps for how to configure Exchange Server 2016 SMTP relay [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,63,74],"tags":[],"class_list":["post-3369","post","type-post","status-publish","format-standard","hentry","category-microsoft-exchange-server-2016","category-server-2016-2016","category-windows-server-2019"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3369"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3369\/revisions"}],"predecessor-version":[{"id":3370,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3369\/revisions\/3370"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}