550 5.7.1 Unable to relay for external domains on Exchange 2013 when sending via SMTP

I have installed and set up a new Exchange 2013 server. Emails work when sending via an email client, but not via an anonymous SMTP relay.

I have created an SMTP relay named "Allow unrestricted mail relaying from specific networks" with the permissions only set for Anonymous users and the scoping limited to 192.168.26.10 and 192.168.23.0/24. Here's the output from PowerShell about them, with identifying information taken off the DN.

[PS] C:\Windows\system32>Get-ReceiveConnector | fl PermissionGroups, AuthMechanism, Bindings, Enabled, RemoteIPRanges, Transportrole, DistinguishedName


PermissionGroups  : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
AuthMechanism     : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings          : {0.0.0.0:2525, [::]:2525}
Enabled           : True
RemoteIPRanges    : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole     : HubTransport
DistinguishedName : CN=Default RS-MX,CN=SMTP Receive Connectors,CN=Protocols,CN=RS-MX,CN=Servers,CN=Exchange
                    Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,

PermissionGroups  : ExchangeUsers, ExchangeServers
AuthMechanism     : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings          : {[::]:465, 0.0.0.0:465}
Enabled           : True
RemoteIPRanges    : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole     : HubTransport
DistinguishedName : CN=Client Proxy RS-MX,CN=SMTP Receive Connectors,CN=Protocols,CN=RS-MX,CN=Servers,CN=Exchange
                    Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,

PermissionGroups  : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
AuthMechanism     : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings          : {[::]:25, 0.0.0.0:25}
Enabled           : True
RemoteIPRanges    : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole     : FrontendTransport
DistinguishedName : CN=Default Frontend RS-MX,CN=SMTP Receive Connectors,CN=Protocols,CN=RS-MX,CN=Servers,CN=Exchange
                    Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups

PermissionGroups  : AnonymousUsers, ExchangeServers
AuthMechanism     : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Bindings          : {[::]:717, 0.0.0.0:717}
Enabled           : True
RemoteIPRanges    : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole     : FrontendTransport
DistinguishedName : CN=Outbound Proxy Frontend RS-MX,CN=SMTP Receive
                    Connectors,CN=Protocols,CN=RS-MX,CN=Servers,CN=Exchange Administrative Group
                    (FYDIBOHF23SPDLT),CN=Administrative Groups

PermissionGroups  : ExchangeUsers
AuthMechanism     : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Bindings          : {[::]:587, 0.0.0.0:587}
Enabled           : True
RemoteIPRanges    : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole     : FrontendTransport
DistinguishedName : CN=Client Frontend RS-MX,CN=SMTP Receive Connectors,CN=Protocols,CN=RS-MX,CN=Servers,CN=Exchange
                    Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups

PermissionGroups  : AnonymousUsers, Custom
AuthMechanism     : None
Bindings          : {0.0.0.0:25}
Enabled           : True
RemoteIPRanges    : {192.168.26.10, 192.168.23.0/24}
TransportRole     : HubTransport
DistinguishedName : CN=Allow unrestricted mail relaying from specific networks,CN=SMTP Receive
                    Connectors,CN=Protocols,CN=RS-MX,CN=Servers,CN=Exchange Administrative Group
                    (FYDIBOHF23SPDLT),CN=Administrative Groups

The following is the actual conversation, captured via Wireshark. The same behavior happens when using a telnet client.

220 mail.domain.com
EHLO RS-RS1-VM1
250-RS-MX.domain.local Hello [192.168.26.10]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
MAIL FROM:<RTT@testdomain.com>
250 2.1.0 Sender OK
RCPT TO:<matthew@runstraight.com>
250 2.1.5 Recipient OK
RCPT TO:<Something-Info@externaldomain.ca>
550 5.7.1 Unable to relay
DATA
354 Start mail input; end with <CRLF>.<CRLF>
MIME-Version: 1.0
From: "Project Team" <RTT@testdomain.com>
To: someone@internaldomain.com
Date: 2 Jul 2013 15:36:49 -0400
Subject: =?utf-8?B?Q0lNUyBSZvF1aXJlbWVujHMgVHJhY2tpbmcgVG9vbCAqUlRU?=
 =?utf-8?B?KSDigQMgWW91ciBsb2dpbiBpbmZvcmGhdGlvbg==?=
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
<html><head>

Blah blah important stuff

</body></html>
.
250 2.6.0 <7702b596-accd-4fe1-8c92-f5b18fea5fd0@RS-MX.runstraight.local> [InternalId=1962800054300] Queued mail for delivery

I have read in previous threads that "NT Authority/Anonymous Login" needs both ms-Exch-SMTP-Accept-Any-Sender and ms-Exch-SMTP-Accept-Any-Recipient extended rights, and I have granted both via PowerShell. My permissions are as follows.

[PS] C:\Windows\system32>Get-ReceiveConnector -identity "Allow unrestricted mail relaying from specific networks" | Get-ADPermission | Where-Object {$_.User -like "NT Authority\Anonymous logon" } | Format-List accessrights, extendedrights

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Submit}

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Recipient}

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-Accept-Headers-Routing}

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

AccessRights   : {ExtendedRight}
ExtendedRights : {ms-Exch-Create-Public-Folder}

AccessRights   : {GenericRead}
ExtendedRights :

AccessRights   : {GenericRead}
ExtendedRights :

July 2nd, 2013 4:32pm

If both the roles are installed on the same server, then you need to change the Transport Role to HubTransport

#TransportRole     : FrontendTransport

Set-ReceiveConnector -Identity "Your Anonymous relay connector" -TransportRole HubTransport

July 2nd, 2013 5:57pm
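
The following is an added example, not part of the original thread: an Exchange Management Shell audit that reports, for every receive connector, whether Anonymous Logon holds the relay right (ms-Exch-SMTP-Accept-Any-Recipient), how widely the connector is scoped, and whether connectors in different transport roles listen on the same port. It uses only the cmdlets and properties shown in the output above; the port parsing assumes bindings render as they do there (for example `0.0.0.0:25`).

```powershell
# Added example: audit receive connectors for anonymous relay exposure.
# Run in the Exchange Management Shell on the server being checked.
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$allIPv4    = '0.0.0.0-255.255.255.255'

$report = foreach ($rc in Get-ReceiveConnector) {
    # Allow entries that grant the relay right to Anonymous Logon.
    $anonRelay = $rc | Get-ADPermission | Where-Object {
        $_.User -like 'NT AUTHORITY\ANONYMOUS LOGON' -and
        -not $_.Deny -and
        (@($_.ExtendedRights) -join ',') -like "*$relayRight*"
    }

    $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
    # Assumption: a binding renders as "address:port", as in the output above.
    $ports  = @($rc.Bindings | ForEach-Object { ("$_" -split ':')[-1] } |
                Sort-Object -Unique)

    [pscustomobject]@{
        Name           = $rc.Name
        TransportRole  = "$($rc.TransportRole)"
        Ports          = $ports
        RemoteIPRanges = $ranges -join ', '
        AnonymousRelay = [bool]$anonRelay
        # Relay right plus an all-addresses scope: any host that can reach
        # the port can relay to external domains.
        OpenToAll      = [bool]$anonRelay -and ($ranges -contains $allIPv4)
    }
}

# Ports served by connectors in more than one transport role on this server.
$collisions = $report | ForEach-Object {
    foreach ($p in $_.Ports) {
        [pscustomobject]@{ Port = $p; Role = $_.TransportRole; Name = $_.Name }
    }
} | Group-Object Port | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Role -Unique).Count -gt 1
}

$report | Format-Table Name, TransportRole, Ports, AnonymousRelay, OpenToAll -AutoSize
$collisions | ForEach-Object {
    "Port $($_.Name) is shared across roles by: " +
        (($_.Group | ForEach-Object { "$($_.Name) [$($_.Role)]" }) -join '; ')
}
```

A connector that reports `AnonymousRelay` as True should have `OpenToAll` as False and a `RemoteIPRanges` value limited to the hosts that are meant to relay.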

This topic is archived. No further replies will be accepted.
