Configure Application relay off Exchange 2007 is not working
I configured an internal application to relay off the Exchange 2007. However, the created receive connector only works when the recipients' address(es) are internal addresses. This application also needs to send e-mails to external users. I granted the relay permission to Anonymous on the created receive connector but received the same error: 550 5.7.1 Unable to relay. I followed the article below but it is not working. Please, help!!! http://msexchangeteam.com/archive/2006/12/28/432013.aspx Please, help!!!
Irynana
November 24th, 2009 11:57pm

Hi,
This command from the article mentioned needs to be checked (that it is applied):
Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Leif
November 25th, 2009 2:01am

I ran this command to grant the relay permission to Anonymous on the created connector. It is still not working :)
November 25th, 2009 2:09am

What did you enter for the remote IP ranges, and are you testing from the IP address of a server that has permissions?
November 25th, 2009 2:15am

For the remote IP ranges I put only our internal application server (that is located on a different network interface) IP address. Yes, I am testing from the same app server.
November 25th, 2009 2:41am

Restart the Hub Transport service on the Exchange Server and test.
November 25th, 2009 5:18am

I did restart Hub transport service but it is still not working... I recreated Receive Connector and did all over again, but still no luck... Do I need to create a Send connector?
November 25th, 2009 5:28am

No, a send connector isn't required for this to work:
I would go through this doc carefully and re-create the receive connector ensuring you do not miss any steps, specifically:
http://technet.microsoft.com/en-us/library/bb232021.aspx
How to Allow Anonymous Relay on a Receive Connector
The Anonymous permission group grants the following permissions to the Anonymous Logon security principal on the Receive connector:
Ms-Exch-Accept-Headers-Routing
Ms-Exch-SMTP-Accept-Any-Sender
Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Ms-Exch-SMTP-Submit
However, to allow anonymous relay on this Receive connector, you must also grant the following permission to the Anonymous Logon security principal on the Receive connector:
Ms-Exchange-SMTP-Accept-Any-Recipient
Also make sure you set the correct IP address for both the local and remote network settings.
November 25th, 2009 5:46am

I followed all steps stated in that doc to re-create the receive connector but it is not working :)
November 26th, 2009 1:25am

Hi,
1. Please run the following command to get the Receive Connector permission and post the result here:
Get-ReceiveConnector ReceiveConnector | Get-ADpermission -User "NT AUTHORITY\ANONYMOUS LOGON" |fl User,Deny,Extendedrights
2. Please also run the following command to get the Receive Connector configuration on the Hub Server:
Get-ReceiveConnector |fl
Note: Please also let me know the IP address of the Application server
3. On the Application Server, please telnet to the Hub Server to manually submit a message to check whether the Unable to Relay is received
a. Telnet Hub 25
Note: Please let me know the Banner which you received after telnet to Hub Server.
b. helo
c. mail from: a@a.com
d. rcpt to: abc@externaldomain.com
Please let me know whether the Unable to Relay error is still received.
~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~~~
December 1st, 2009 11:01am

Hi Mike,
Please, see below all results:

1.
User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-SMTP-Submit}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-Bypass-Anti-Spam}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Recipient}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-Accept-Headers-Routing}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-Store-Create-Named-Properties}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights : {ms-Exch-Create-Public-Folder}

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights :

User : NT AUTHORITY\ANONYMOUS LOGON
Deny : False
ExtendedRights :

2. (IP address of Application Server is 192.168.9.157; Receive connector for this application called App Relay)

AuthMechanism : Tls, Integrated, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {192.168.7.96:25, 192.168.7.97:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : EXCH.internal.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, Custom
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0.0.0.0-255.255.255.255, 192.168.9.0/24, 192.168.7.1-192.168.7.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCH
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default EXCH
DistinguishedName : CN=Default EXCH,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=internal,DC=com
Identity : EXCH\Default EXCH
Guid : 82c18a47-1ba2-4cd5-972d-0a61b0662363
ObjectCategory : internal.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 11/25/2009 4:31:02 PM
WhenCreated : 1/9/2009 4:33:08 PM
OriginatingServer : DC.internal.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:587}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : EXCH.INTERNAL.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : 600
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0.0.0.0-255.255.255.255, 192.168.7.1-192.168.7.250}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : True
Server : EXCH
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Client EXCH
DistinguishedName : CN=Client EXCH,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Internal,DC=com
Identity : EXCH\Client EXCH
Guid : 944791b2-4f3c-4c13-b258-155d5b37be14
ObjectCategory : INTERNAL.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 11/25/2009 11:44:50 AM
WhenCreated : 1/9/2009 4:33:08 PM
OriginatingServer : DC.internal.com
IsValid : True

AuthMechanism : Tls
Banner :
BinaryMimeEnabled : True
Bindings : {192.168.7.96:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : EXCH.internal.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, Custom
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.9.157}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCH
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : App Relay
DistinguishedName : CN=App Relay,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=INTERNAL,DC=COM
Identity : EXCH\App Relay
Guid : e130065b-37cd-479e-b5e4-96a7b202815c
ObjectCategory : Internal.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 11/25/2009 4:29:46 PM
WhenCreated : 11/25/2009 9:46:41 AM
OriginatingServer : DC.INTERNAL.com
IsValid : True

3.
helo
250 EXCH.INTERNAL.com Hello [192.168.7.96]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay
However, if I enter internal user e-mail in rcpt to: I am receiving this test message (see below).
250 2.6.0 <4c908e2f-7a2b-48e3-a3f5-cdc7b86fd497@EXCH.INTERNAL.com> Queued mail for delivery
December 2nd, 2009 11:12pm

helo
250 EXCH.INTERNAL.com Hello [192.168.7.96]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay

That 250 response Hello [192.168.7.96] means you are connecting from 192.168.7.96. Since the app server is 192.168.9.157, you should be testing from that IP address instead.
Also, for the Default Receive Connector you have:
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, Custom
The default for the Default Connector is: ExchangeUsers, ExchangeServers, ExchangeLegacyServers.
Also, on both the Default and Client receive connectors, you have:
: {0.0.0.0-255.255.255.255, 192.168.9.0/24, 192.168.7.1-192.168.7.255}
You should remove the 192.168.x networks from those connectors. (0.0.0.0-255.255.255.255 means ANY)
December 2nd, 2009 11:36pm

If I uncheck AnonymousUsers for the Default connector, the Exchange server is not receiving external e-mails for some reason. Actually, I removed the 192.168.x networks from those connectors per your advice. I accidentally copied the telnet results from the hub server. Here are the results that I got from the Application server:
220 [192.168.7.96] ESMTP service
helo
250 [192.168.7.96] talking to [192.168.9.157]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay
If Rcpt to:test@internal.com
250 2.6.0 <2752923d-3db7-444b-bd01-ed2791ac770a@EXCH.internal.com> Queued mail for delivery
December 3rd, 2009 1:29am

Shouldn't your default connector only be listening on 7.97? It looks like it is bound to both IPs.
December 3rd, 2009 1:29am

You are right, the default connector should be bound to 7.97 because 7.96 is for the receive connector. However, I am still fighting with the unable to relay issue.
December 3rd, 2009 2:04am

Did you remove 7.96 from your default connector and restart the Transport service? If that IP is bound to the default connector, you won't be able to do any anonymous relaying.
December 3rd, 2009 2:23am

After I removed 7.96 from the default connector and restarted the Transp service, our Application cannot connect to the Exchange server (please see error):
Could not connect to SMTP host: 192.168.7.96, port: 25, response: 421
December 3rd, 2009 2:42am

Have you given access to the App server's IP in the new receive connector? If you add that IP, restart the Transport service.
December 3rd, 2009 2:51am

I added App IP address to Remote IP address on app receive connector since I created that connector
December 3rd, 2009 2:58am

Sounds like smtp is not available on that connector now. Make sure the transport service is still running and if you have a chance, you may need to reboot.
December 3rd, 2009 3:48am

Hi,
Thanks for your response. Looks like the Receive Connector is configured correctly to allow the application server to relay. Nevertheless, I have some questions regarding the telnet result. From your local telnet result on the Hub server, you can see:
helo
250 EXCH.INTERNAL.com Hello [192.168.7.96]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay
Nevertheless, from your telnet result from the Application Server:
220 [192.168.7.96] ESMTP service
helo
250 [192.168.7.96] talking to [192.168.9.157]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay
Based on your configuration, the Banner is not set on all the Receive Connectors. Therefore, when you telnet to the Exchange Server, you should get a banner like below:
220 [Receive Connector FQDN] Microsoft ESMTP MAIL Service ready at [time]
In addition, when the client types helo, the server should respond like 250 Server helo <Client IP>. Nevertheless, from your output, the application server is not able to get the desired response when it telnets to 192.168.7.96. Based on the current situation, I suggest you perform the following steps to troubleshoot the issue:
1. Add 192.168.7.96 as the remote IP address of the Receive Connector (App Relay)
Note: I assume 192.168.7.96 is the IP address of the Hub Server.
2. Change the Banner of the Receive Connector App Relay, such as App Relay Receive Connector
Note: Please restart the Transport Service after changing the configuration
3. On the Hub Server, telnet locally to the hub server (192.168.7.96) and attempt to send email to an external recipient. Is the same error received? Do you get the banner App Relay Receive Connector after telnet to the Hub server locally?
~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~~~
December 3rd, 2009 10:10am

Hi Mike,
Thank you for your response. Actually the banner also appeared in the telnet results from the Hub Server. Probably, I did not copy all content of the telnet output. Below are the telnet results from the Hub Server:
220 EXCH.INTERNAL.com Microsoft ESMTP MAIL Service ready at Thu, 3 Dec 2009 11:01:42 -0500
helo
250 EXCH.INTERNAL.com Hello [192.168.7.96]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:test@yahoo.com
550 5.7.1 Unable to relay
December 3rd, 2009 7:17pm

I believe Mike wants you to change the specific banner for the App Relay receive connector so you can see if that is the connector you are connecting to.
You can do this with Set-ReceiveConnector http://technet.microsoft.com/en-us/library/bb125140.aspx
Example:
Set-ReceiveConnector -Identity "App Relay" -Banner "This is the App Relay Receive Connector"
December 3rd, 2009 8:18pm

If I uncheck AnonymousUsers for the Default connector exchange server is not receiving external e-mails for some reason. Actually, I removed the 192.168.x networks from those connectors per your advice. I accidentally copied the telnet results from hub server. Here are results that I got from Application server:
220 [192.168.7.96] ESMTP service
helo
250 [192.168.7.96] talking to [192.168.9.157]
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay
If Rcpt to:test@internal.com
250 2.6.0 <2752923d-3db7-444b-bd01-ed2791ac770a@EXCH.internal.com> Queued mail for delivery

Ah, so you receive email directly from the internet to the Hub Transports.
December 3rd, 2009 8:20pm

Our problem is fixed (see steps below) but I am not sure if our Exchange is secured. Could you please advise?
1. We created a new receive connector (added all Exchange server IP addresses to Local IP addresses, even though we have a default receive connector); for the remote IP addresses we entered all 192.168.x networks; we set Auth to Externally secured and Permissions to Exchange Servers and Legacy Exchange Servers
2. Then on created receive connector for application - enabled only "Externally Secured
December 3rd, 2009 11:01pm

Hi,
Thanks for your response. After setting Auth to "Externally secured", all the messages which are submitted to this Receive Connector will bypass the Anti-spam check and the sender address will be resolved. Nevertheless, based on your configuration, only a client whose IP address belongs to the 192.168.x network is able to submit messages to the Receive Connector. Regarding your previous post, I believe that the Banner is correct when you telnet to the Hub Server locally. Nevertheless, based on your information, the Banner is incorrect when you telnet to the Hub server from the Application Server:
220 [192.168.7.96] ESMTP service (You should get a banner like 220 EXCH.INTERNAL.com Microsoft ESMTP MAIL Service ready at Thu, 3 Dec 2009 11)
helo
250 [192.168.7.96] talking to [192.168.9.157] (You should get a response like 250 EXCH.INTERNAL.com Hello [192.168.7.96])
mail from:test@internal.com
250 2.1.0 Sender OK
rcpt to:<test@yahoo.com>
550 5.7.1 Unable to relay
~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~~~
December 4th, 2009 5:28am
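
A read-only audit for the configuration this thread ends on, added here as an example and not part of any post: it lists each receive connector that relays for unauthenticated clients, either through the ms-Exch-SMTP-Accept-Any-Recipient grant to Anonymous Logon or through Externally Secured authentication, together with the RemoteIPRanges that bound it. It assumes the Exchange Management Shell and that the console's "Externally secured" option shows up as ExternalAuthoritative in AuthMechanism.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Lists every receive connector that will relay for unauthenticated sessions,
# together with the client addresses that are allowed to reach it.

$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anyAddress = '0.0.0.0-255.255.255.255'   # the "ANY" range as printed in the thread's output

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Case 1: the relay right was granted to anonymous sessions
    # (the Add-ADPermission step discussed in the thread) and is not a Deny entry.
    $grant = $connector | Get-ADPermission -User $anonymous |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) }

    # Case 2: Externally Secured (assumed to appear as ExternalAuthoritative).
    # Every client that matches RemoteIPRanges is then treated as trusted.
    $externallySecured = "$($connector.AuthMechanism)" -match 'ExternalAuthoritative'

    if ($grant -or $externallySecured) {
        # Render each range as text so it can be compared and printed.
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { "$_" })

        $connector | Select-Object Identity,
            @{ Name = 'Bindings';          Expression = { "$($_.Bindings)" } },
            @{ Name = 'AnonymousRelay';    Expression = { [bool]$grant } },
            @{ Name = 'ExternallySecured'; Expression = { $externallySecured } },
            @{ Name = 'OpenToAnyClient';   Expression = { $ranges -contains $anyAddress } },
            @{ Name = 'RemoteIPRanges';    Expression = { [string]::Join(', ', $ranges) } }
    }
} | Format-List
```

A connector reported with OpenToAnyClient set to True, or with ranges wider than the hosts that actually need to relay, is the one to narrow first.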

Hi, Thank you for all your help
December 4th, 2009 5:22pm

This topic is archived. No further replies will be accepted.
