How to Use your Exchange server as an SMTP relay

Look around your infrastructure. Notice all those printer/scanners? Do they scan to email? What about your monitoring and alerting systems? Do they offer the option of sending out alerts via email? How does your vendor-supported SAN notify the monitoring center of issues? The common service all of these things rely upon is an SMTP relay. We discussed how to use the Microsoft IIS SMTP service as a relay late last year, and if you would prefer to deploy a dedicated SMTP relay, you can see how to do that here. However, your Exchange Hub Transport server is perfectly capable of serving this role, and it is pretty easy to set up.

Newer systems, high-end scanners, and well written scripts can all use an authenticated SMTP/TLS connection, and if that is all you are dealing with, you need read no further. Configure them to use the SMTP/TLS listener already running on your Hub Transport server and call it a day. However, older (but still fully functional) scanners, many monitoring packages on NEW SANs, and simple scripts will all benefit from an SMTP relay that just works. If you would like to see how to do this, keep reading.

The Hub Transport server role listens on TCP port 25 for SMTP connections, but by default, these will be authenticated connections from other servers in your Exchange infrastructure, like your Edge Transport server. To configure your Hub Transport server to accept unauthenticated SMTP connections from things like printer/scanners, SANs, etc. you need to do a little homework, and you might want to reassign some ip.addrs. This is not required, but will make it easier to define the client ranges for the new listener you are about to set up.

Before we begin, open a telnet connection to your Hub Transport server on port 25, and try to send some email through it using the commands we covered in this post. If you get a 550 5.7.1 (relaying denied) response, then you’re just where we expect you to be…ready to reconfigure your Hub Transport server.

We will use a combination of Exchange Management Shell (EMS) and the Exchange Management Console (EMC) to set this up. You could do it all from the EMS but it’s a little easier to do some of this with a GUI. Here’s how to set it all up.

  1. Identify the ip.addrs for all of your Exchange servers that are currently communicating with your Hub Transport server. Then identify all of the ip.addrs that cover your printers, SAN management interfaces, monitoring solutions, etc. that will need to do SMTP relay without authentication. These two ranges must be mutually exclusive, so get this right. Failure to do so will lead to very bad things!
  2. Log on to your Hub Transport server using an administrator account.
  3. Launch the Exchange Management Console.
  4. Browse down to Server Configuration, Hub Transport.
  5. Edit the properties of the receive connector. This will be called Default Servername unless you renamed it previously.
  6. In the properties dialog, go to the Network tab, and at the bottom, edit the IP range so that it includes only your Exchange servers, but not any ip.addrs that cover the clients who need to use SMTP relay. You can use CIDR, start to end ranges, or individual ip.addrs as needed.
  7. Click OK.
  8. Now open an Exchange Management Shell.
  9. In the command example below, we are creating a new connector named SMTPRelay, binding the listener to the ip.addr 192.168.100.25 on TCP port 25, setting the server’s 220 banner to display the name “server.example.com,” allowing all hosts between 192.168.100.50 and 192.168.100.254 to relay, and setting things up for anonymous relay without authentication. Change the values as necessary to cover your situation.
    New-ReceiveConnector -Name SMTPRelay -Usage Custom -Bindings '192.168.100.25:25' -Fqdn server.example.com -RemoteIPRanges 192.168.100.50-192.168.100.254 -PermissionGroups AnonymousUsers -AuthMechanism None
  10. In this next command, we are actually setting the connector to allow the AnonymousUsers group to relay.
    Get-ReceiveConnector SMTPRelay | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
  11. (Optional) We can set a custom SMTP banner, like I go over in this post, with this command. You can have your banner say anything you like, but make sure you start the banner text with 220 or it will fail. We are also setting a 15 minute connection timeout. This may seem high, but I have seen some slow scan to email printers process large jobs, and fail when this timeout is set too low.
    Set-ReceiveConnector -Identity "SMTPRelay" -Banner "220 Tread softly, and email responsibly, for we are watching." -ConnectionTimeout 00:15:00
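The steps above, collected into one Exchange Management Shell script. This is an added example, not code from the original post: it performs steps 1, 9, 10 and 11 and refuses to create the relay connector if the proposed relay range still overlaps any range left on the authenticated default connector after the EMC edit in step 6. It assumes the default connector is still named "Default <servername>" as in step 5, that the relay range is written in start-end form, and that Exchange's IPRange objects stringify to the single-address, CIDR or start-end forms the post mentions.

```powershell
# Added example (not from the original post). Values below are the post's sample values.
$RelayIp     = '192.168.100.25'                   # listener binding (step 9)
$RelayRange  = '192.168.100.50-192.168.100.254'   # scanners, SANs, monitoring hosts (step 9)
$DefaultName = "Default $env:COMPUTERNAME"        # step 5's connector name (assumed unchanged)

# Convert a dotted IPv4 address to an unsigned integer so ranges can be compared numerically.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Expand "a.b.c.d", "a.b.c.d/n" or "a.b.c.d-w.x.y.z" into a low, high pair.
function Get-RangeBounds ([string]$Range) {
    if ($Range -match '^(.+)-(.+)$') {
        return (ConvertTo-UInt32 $Matches[1]), (ConvertTo-UInt32 $Matches[2])
    }
    if ($Range -match '^(.+)/(\d+)$') {
        $base = ConvertTo-UInt32 $Matches[1]
        $size = [uint32]([math]::Pow(2, 32 - [int]$Matches[2]) - 1)
        return $base, ($base + $size)
    }
    $single = ConvertTo-UInt32 $Range
    return $single, $single
}

# Step 1: the two ranges must be mutually exclusive. Compare the proposed relay range against
# every IPv4 range still assigned to the authenticated default connector (IPv6 entries are skipped).
$relayLow, $relayHigh = Get-RangeBounds $RelayRange
foreach ($existing in (Get-ReceiveConnector $DefaultName).RemoteIPRanges) {
    $text = $existing.ToString()
    if ($text -match ':') { continue }
    $low, $high = Get-RangeBounds $text
    if ($relayLow -le $high -and $relayHigh -ge $low) {
        throw "Relay range $RelayRange overlaps '$text' on '$DefaultName'; narrow the default connector first."
    }
}

# Step 9: create the anonymous listener, bound to one address only.
New-ReceiveConnector -Name SMTPRelay -Usage Custom -Bindings "${RelayIp}:25" -Fqdn server.example.com `
    -RemoteIPRanges $RelayRange -PermissionGroups AnonymousUsers -AuthMechanism None

# Step 10: let anonymous senders inside $RelayRange relay to any recipient.
Get-ReceiveConnector SMTPRelay |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Step 11: the banner must start with 220; a 15 minute timeout covers slow scan-to-email jobs.
Set-ReceiveConnector -Identity SMTPRelay -Banner '220 Tread softly, and email responsibly, for we are watching.' `
    -ConnectionTimeout 00:15:00
```

Rerun the telnet test from the paragraph before the list from a host outside the relay range afterwards; it should still get the 550 5.7.1, while a host inside the range should be accepted.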

And you’re done. You can do further configuration if necessary using the Exchange Management Console. If you have several ranges to define for the new connector, you may find it easier to set just one range in the EMS command, and then add the additional ranges through the EMC. Do let me know in a comment below if you find this helpful.

Written by Ed Fisher

An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together,) I’ve been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. Stated simply, if you need to get information securely from a to b, I’m your guy. I’m like "The Transporter," but for data, and without the car. And with a little more hair.

3 Comments

  1. Derrick Burch · March 9, 2011

    For the ability to scan into email alone, I think this is a fantastic solution. My only question is if there is any reliable way to safely speed up the window of the connection timeout. Is it a question of equipment, or connection speed?

    I just don’t want to have to wait 15 minutes for a document.

  2. Dave · March 23, 2012

    What if your devices support username and password authentication but not TLS? At the moment mine will connect but cannot send to external recipients.

  3. Casper Manes · March 30, 2012

    The above steps set up an anonymous relay; no auth required and no TLS. If you want auth but not TLS, you can do that. Edit the properties of the connector and set Basic auth and Exchange users, but remember you will be sending creds in cleartext!
