How to configure an internal relay connector in Exchange 2013
Go to the webpage of the exchange management page (https://exchangeserver/ecp)
Go to the Mail flow > Receive Connectors > + for add a new connector.
Enter a name for the connector
Select role (Hub Transport) and type (Custom) click on Next
Additional note. If you want to relay outside your organization than you need to select Frontend Transport role instead of the Hub Transport role. (Information from the command’s below)
Leave the setting below unchanged.
Remove the IP address which are shown in the picture below.
You get an error that the field is required. (click on the + to add a new range)
Enter a single IP address or a local LAN address which is allowed to email via the exchange server.
The remote network settings will show the list like below.
When clicked on finished. You have to edit the relay connector and go to security tab.
Select the option “Anonymous users”
Click on Save..
now you have to open a powershell CLI of exchange on the exchange server ( with administrative rights )
Get-ReceiveConnector “Receive Connector Name” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
(Now you should be able to send a email message form another server or application located on another server)
To test your settings from an other server you can use QuickMail: http://www.freddejonge.nl/files/QuickMail.zip
I followed these direction exactly and Exchange 2013 is acceptin emails from my application for internal users but will not allow relay to an external address.
Sorry, I can’t remember if I have tested to an external address or not.
You need to use powershell to add a specific permission for anonymous users to relay, after you create the connector:
Get-ReceiveConnector “CONNECTORNAME” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
as per: http://technet.microsoft.com/en-us/library/bb232021(v=exchg.141).aspx
(instructions are for Exchange 2010 but they work with 2013; just tried it myself.)
@Jeff: I tried your solution and my printers send emails, but after enabling the relay-connector , all external emails are blocked. Same problem as Quinton discribes…does anyone have a solution yet?
I already added a second NIC and IP address in my VM and create a relay connector for this NIC. This works, but I want to do it with only one NIC.
Thanks in advance
I have the same Problem as Rogier.
You might have to enable the relay-connector first and than change the security which Jeff posted. ( just a try worth )
If you use this, you will break exchange. FrontEnd is the correct transport
Article has been changed with the extra information.
Thank you very much!
It was too easy to assume that ticking the Anonymous box in the receive connector was enough. Stuck on this for 2 days until now.
I had Rogier’s problem too before I found this article. When I disabled my attempted relay connector mail flow was fixed (www.testexchangeconnectivity.com) then I found this article and it fixed everything.
The key change for mwe was using the CIDR notation (192.168.0.0:24) any attempts by me to reference specific IP addresses broke incoming mail.
If your running client services & mailbox services on the same Exchange server then Frontend Transports use port 25 for SMTP and Hub Transport use port 2525 for SMTP. All you are doing is causing a port listening conflict?
What I meant to say was you cannot use port 25 in a Hub Transport if port 25 is already being used by the Frontend Transports, in these case the Hub Transports use port 2525,
I finally test on my own set up exchange server and you need to add teh powershell command to the configuration. if you uses quickmail (recently added to the post) you can test your server from an other server to see if it works. if you use an external email address to receive the mail you will see that you are able to receive mail from that server or workstation..
if you use Get-Queue you will see the queue of the exchange server. if the mail is gone after several seconds / minutes than it’s good.
i rund my exchange in multimode (Frontend and the hub on the same server you don’t need to change the ports to sent mail.)
I would highly recommend changing the relay connector to use the FrontEnd Hub Transport.
I configured my relay connectors this way and Exchange stopped accepting external/internet emails shortly after. Restarting the Transport service would fix this TEMPORARILY. I called MS Support and they advised changing it to FrontEnd. Have not had any issues since doing this.
If you look through MSDN forums, you will see dozens of people experienced the same behavior.
Second this recommendation. I had the exact same problem. Things have changed quite a bit since Exchange 2010.
I too had to enable this as a front-end connector to get it to work, I assume also as I was using a VM. Works perfectly other than that
SWEET! No more hair-pulling! Now, how do I configure this to use the send connector that everything else uses that routes through my symantec cloud smart host?
change the sent connector for outside instead to * you point it to you smart host server or cloud solution.
Bind the internal relay connector to the frontend Transport role and you don’t will have Problems whit mails from external!
Hi Fred,
For internal users you can use the standard connector “Default Frontend SERVERNAME”
(Create a internal DNS like SMTP.domain.local)
Add Anonymous to the connector.
This is all there is for internal needs, like a MFP scanner.
For externe e-mail ou need to create a connector like the setup above.
(Also create a internal DNS like SMTP.domein.local)
Place the IP adres of the sending application server/MFP in this new connector.
More info at :
http://exchangeserverpro.com/exchange-2013-configure-smtp-relay-connector/
This article worked like a charm, thanx!
what if you have a dag ? would you point the SMTP dns to the DAG or to on f the host?
Good question I’ve not yet worked with a DAG. I can’t answer your question maybe some one else who reads the this post.
Hello,
Great article. I am however a little confused on what the difference is on creating a receive/relay connector on CAS vs. creating on Mailbox. Can you help clarify a few things?
If you wanted to relay and send mail to external recipients for device/application notifications, I would imagine you would want to create the connector using the Front-End Transport role on CAS, correct? Would relaying external also work if connector was created on Mailbox? What’s the difference??? Is the only advantage of using the mailbox server for the receive connector is for the option of having the mail queued?
What if I only wanted to relay internally? Which server or role should I use?
Lastly, what if the applications needing to relay external use different ports other than port 25? Does it matter where it gets created or same procedure?
If you want to really to external also you need the front-end. How ever i noticed if you have an internal relay connector used for example an additional mailserver. The transport services with quit time to time and you have to restart it.
But if you have no intention to mail outside of your organisation than you can use the hub-transport.
You can use a different port than 25. It’s the same procedure only you use the front end.
Additional note: test it in case you get some issues. I might be easier to have 1 internal-relay connector which can also send mail outside your organisation than walking into issues which could have been avoided in the first place.
Good luck with it 🙂
So what i’m getting is that you are saying to use front-end for external relay. I was under the impression that for internal relay you didnt need a separate connector. If you do in fact need a separate connector for internal relay, where would you put it (cas or mailbox)? Keep in mind my CAS is a separate server from the Mailbox server.
Also i am aware of the port 25 conflicts if you have a Hub Transport role specified on a receive connector created on a cas/mb multi-role server if thats what you were meaning.
I would say on the mailbox server. Currently i’ve only deployed servers where the cas and mailbox role are on the same server. With the sat up you talking about I’m not familiar with.
Yeah, I have multiple Client Access servers along with a few Mailbox servers. There are no “multi-role” servers. I guess what I was getting at was would it work the same having it created on the mailbox server vs. using CAS Front-End Role. Wish there was a documented or correct procedure on which server to use.
I agree it’s hard to find well documented information about some installations. However now you may don’t have a blog or any other way to express it to the world, but now it gives you the opportunity to figure it out and share it to the world. if you like to do that.
if you are using localized versions of windows server then you need to translate “NT authoriy\anonymous logon” in the last powershell command. So for dutch example in dutch version that would become “NT authoriy\anonieme logon”.
Hi Hans, just tried this and it will not work, you need to change it to: “NT AUTHORITY\ANONIEME LOGON”.
hi there just just the localised command as “virtualpimp” saidand this worked fine.
worked great for me after ad replicated the change out
make sure to create a new recieve connector using front end transport
These instructions worked for me but as Phil said, I had to use it as a FrontEnd transport, even though it is all internal. The Hub Transport did not work for me.
Thanks much. Worked flawlessly with these instructions (for fax/scanning relay)
Pingback: Exchange 2013 | how to configure an internal relay connector – Jax VN