When an application or device needs to send emails externally from Exchange Server, configuring SMTP relay is essential. This is especially the case for printers, scanners, or server monitoring tools that need to send notification emails. However, if configured incorrectly, it can become a potential open relay for spam, so careful setup is crucial. In this post, I will walk you through how to safely configure SMTP relay in an Exchange Server environment, step by step.

1. Choose Relay Type

Type                           | Recipients          | Authentication | Port | Use Case
-------------------------------|---------------------|----------------|------|------------------------
Internal Relay                 | Internal only       | Not required   | 25   | Default configuration
External Relay (Anonymous)     | Internal + External | Not required   | 25   | Printers, server alerts
External Relay (Authenticated) | Internal + External | Required       | 587  | Applications

2. Anonymous SMTP Relay Configuration (Most Common)

2-1. Exchange Admin Center (EAC) Method

Step 1: Create Relay Connector

  1. Access EAC → Mail flow → Receive connectors
  2. Click + → Create new connector
  3. Settings:
    • Name: SMTP Relay
    • Role: Frontend Transport
    • Type: Custom
  4. Network settings:
    • Adapter bindings: Keep default (All available IPv4, port 25)
    • Remote network: Delete default range 0.0.0.0-255.255.255.255
    • Add only allowed IPs (e.g., 192.168.1.50)

Step 2: Security Configuration

  1. Select created connector → Edit
  2. Security tab:
    • Authentication: Select Anonymous users
    • TLS: Uncheck

2-2. PowerShell Method (Recommended)

# 1. Create relay connector
New-ReceiveConnector -Name "SMTP Relay" -Server "ExchangeServerName" -TransportRole FrontendTransport -Custom -Bindings 0.0.0.0:25 -RemoteIpRanges 192.168.1.50

# 2. Set anonymous permissions
Set-ReceiveConnector "SMTP Relay" -PermissionGroups AnonymousUsers

# 3. Grant relay permissions
Get-ReceiveConnector "SMTP Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Verify configuration
Get-ReceiveConnector "SMTP Relay" | Format-List RemoteIPRanges,PermissionGroups

2-3. IP Address Management

Note that passing -RemoteIPRanges a plain value overwrites the connector's entire list; only the @{Add=...} form at the end appends to what is already there.

Set a Single IP (replaces the existing list)

Set-ReceiveConnector "SMTP Relay" -RemoteIPRanges 192.168.1.50

Set Multiple IPs (replaces the existing list)

Set-ReceiveConnector "SMTP Relay" -RemoteIPRanges 192.168.1.50,192.168.1.51,192.168.1.52

Set an IP Range (replaces the existing list)

Set-ReceiveConnector "SMTP Relay" -RemoteIPRanges 192.168.1.50-192.168.1.60

Set a Subnet (replaces the existing list)

Set-ReceiveConnector "SMTP Relay" -RemoteIPRanges 192.168.20.0/24

Add a New IP to the Existing List (keeps current entries)

Set-ReceiveConnector "SMTP Relay" -RemoteIPRanges @{Add="192.168.2.100"}
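
The three RemoteIPRanges notations above (single IP, dash range, CIDR subnet) can be checked offline before you commit them to the connector. The following Python script is an added example, not part of the original post or of Exchange itself: it parses a RemoteIPRanges value, tells you whether a given client address would be accepted, and flags entries as broad as the 0.0.0.0-255.255.255.255 default that the post tells you to delete (the 256-address threshold is an assumption of this example).

```python
import ipaddress

def parse_remote_ip_ranges(spec):
    """Parse a RemoteIPRanges value in the forms used above: comma-separated entries
    that are a single IP, a dash range ("a-b") or a CIDR subnet. Returns
    (entry, first_address, last_address) tuples."""
    ranges = []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"invalid range: {entry}")
        else:
            net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes a /32 or /128
            lo, hi = net[0], net[-1]
        ranges.append((entry, lo, hi))
    return ranges

def is_allowed(client_ip, ranges):
    """True if client_ip falls inside any parsed entry (IPv4 and IPv6 never match each other)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == lo.version and lo <= ip <= hi for _, lo, hi in ranges)

def overly_broad_entries(spec, max_addresses=256):
    """Entries covering more than max_addresses hosts (threshold assumed for this example);
    the default 0.0.0.0-255.255.255.255 range is the case the post warns about."""
    return [entry for entry, lo, hi in parse_remote_ip_ranges(spec)
            if int(hi) - int(lo) + 1 > max_addresses]

if __name__ == "__main__":
    allowed = parse_remote_ip_ranges("192.168.1.50-192.168.1.60,192.168.20.0/24")
    for ip in ("192.168.1.55", "192.168.1.61", "192.168.20.200"):
        print(ip, "allowed" if is_allowed(ip, allowed) else "blocked")
    print(overly_broad_entries("0.0.0.0-255.255.255.255,192.168.1.50"))
```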

3. Authenticated SMTP Relay Configuration

3-1. TLS Certificate Setup

# Check certificates
Get-ExchangeCertificate

# Apply TLS certificate
$cert = Get-ExchangeCertificate -Thumbprint "CertificateThumbprint"
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-ReceiveConnector "Client Frontend ExchangeServerName" -Fqdn mail.contoso.com -TlsCertificateName $tlscertificatename

3-2. Application Configuration

Setting        | Value
---------------|------------------
SMTP Server    | mail.contoso.com
Port           | 587
Security       | STARTTLS
Authentication | Username/Password

4. Exchange Online SMTP Relay

4-1. Create Inbound Connector

  1. Exchange Online admin center → Mail flow → Connectors
  2. Create a new connector with From: Your organization's email server
  3. Configuration:
    • Connection security: Identify partner organization by sender IP address
    • Sender IP addresses: Add on-premises server IP
    • Accepted domains: Set organization domains

4-2. PowerShell Connector Creation

# Connect to Exchange Online
Connect-ExchangeOnline

# Create inbound connector
New-InboundConnector -Name "OnPremises Relay" -ConnectorType OnPremises -ConnectorSource Default -SenderIPAddresses 203.0.113.10 -RequireTls $false

5. Security Hardening

5-1. Connection Limits

# Message size limit (10MB)
Set-ReceiveConnector "SMTP Relay" -MaxMessageSize 10MB

# Concurrent connection limit
Set-ReceiveConnector "SMTP Relay" -MaxInboundConnection 20

# Connection timeout
Set-ReceiveConnector "SMTP Relay" -ConnectionTimeout 00:10:00

5-2. Logging Configuration

# Enable protocol logging
Set-ReceiveConnector "SMTP Relay" -ProtocolLoggingLevel Verbose

# Check log configuration
Get-ReceiveConnector "SMTP Relay" | Format-List ProtocolLoggingLevel
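
Verbose protocol logging is only useful if someone reads the logs. The following Python script is an added example, not part of the original post: it parses SMTP Receive protocol log lines (the column order assumed here is the one named in the log's own "#Fields:" header: date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context), pairs each RCPT TO with the server's reply, and reports per source IP how many external recipients were accepted for relay and how many were refused with the 550 5.7.54 error from section 7. The sample log, the hosts and the session ids are constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the SMTP Receive protocol log layout (the "#Fields:" header
# names the columns); hosts, session ids and timestamps are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-05-01T10:00:00.100Z,EX01\\SMTP Relay,08DC0000000001,0,192.168.1.10:25,192.168.1.50:51000,+,,
2024-05-01T10:00:00.200Z,EX01\\SMTP Relay,08DC0000000001,1,192.168.1.10:25,192.168.1.50:51000,<,RCPT TO:<alerts@contoso.com>,
2024-05-01T10:00:00.210Z,EX01\\SMTP Relay,08DC0000000001,2,192.168.1.10:25,192.168.1.50:51000,>,250 2.1.5 Recipient OK,
2024-05-01T10:00:00.300Z,EX01\\SMTP Relay,08DC0000000001,3,192.168.1.10:25,192.168.1.50:51000,<,RCPT TO:<external@gmail.com>,
2024-05-01T10:00:00.310Z,EX01\\SMTP Relay,08DC0000000001,4,192.168.1.10:25,192.168.1.50:51000,>,250 2.1.5 Recipient OK,
2024-05-01T10:05:00.100Z,EX01\\Default Frontend EX01,08DC0000000002,0,192.168.1.10:25,203.0.113.77:40001,+,,
2024-05-01T10:05:00.200Z,EX01\\Default Frontend EX01,08DC0000000002,1,192.168.1.10:25,203.0.113.77:40001,<,RCPT TO:<someone@example.net>,
2024-05-01T10:05:00.210Z,EX01\\Default Frontend EX01,08DC0000000002,2,192.168.1.10:25,203.0.113.77:40001,>,550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain,
"""

def summarize_relay_activity(log_text, accepted_domains):
    """Per remote IP: connectors used, external recipients accepted (250 after a RCPT TO
    outside the accepted domains) and relay rejections (550 5.7.54), pairing each
    RCPT TO with the server's next response in the same session."""
    accepted = {d.lower() for d in accepted_domains}
    pending = {}  # session-id -> domain of the last RCPT TO awaiting a response
    stats = defaultdict(lambda: {"connectors": set(), "external_relayed": 0, "relay_rejected": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8 or row[0].startswith("#"):
            continue  # blank line or "#..." header line
        _, connector, session, _, _, remote, event, data = row[:8]
        remote_ip = remote.rsplit(":", 1)[0]
        stats[remote_ip]["connectors"].add(connector)
        if event == "<" and data.upper().startswith("RCPT TO:"):
            recipient = data.split(":", 1)[1].strip().strip("<>")
            pending[session] = recipient.rsplit("@", 1)[-1].lower()
        elif event == ">" and session in pending:
            domain = pending.pop(session)
            if data.startswith("250") and domain not in accepted:
                stats[remote_ip]["external_relayed"] += 1
            elif data.startswith("550 5.7.54"):
                stats[remote_ip]["relay_rejected"] += 1
    return dict(stats)

def unexpected_relay_sources(stats, allowed_ips):
    """IPs that relayed to external domains but are not in the connector's RemoteIPRanges."""
    allowed = set(allowed_ips)
    return sorted(ip for ip, s in stats.items() if s["external_relayed"] and ip not in allowed)
```

Feed unexpected_relay_sources the IPs you configured in RemoteIPRanges: any address it returns relayed mail outside your accepted domains without being on the allow list, which is exactly the open-relay condition the post warns about.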

6. Testing Methods

6-1. Telnet Testing

telnet ExchangeServerIP 25

# Command sequence
HELO test.contoso.com
MAIL FROM: <sender@contoso.com>
RCPT TO: <recipient@gmail.com>
DATA
Subject: Test

Test message
.
QUIT

6-2. PowerShell Testing

# Anonymous relay test
Send-MailMessage -SmtpServer "ExchangeServerIP" -From "test@contoso.com" -To "external@gmail.com" -Subject "Relay Test" -Body "Test message" -Port 25

# Authenticated relay test
$credential = Get-Credential
Send-MailMessage -SmtpServer "mail.contoso.com" -Credential $credential -From "user@contoso.com" -To "external@gmail.com" -Subject "Auth Test" -Port 587 -UseSsl

7. Troubleshooting

7-1. Common Errors

Error Message                  | Cause                       | Solution
-------------------------------|-----------------------------|-----------------------------------
550 5.7.54 Unable to relay     | IP not in allowed range     | Add sender IP to RemoteIPRanges
550 Relay not permitted        | Missing permissions         | Run Add-ADPermission command
530 Authentication required    | Authentication config issue | Set PermissionGroups AnonymousUsers

7-2. Diagnostic Commands

# Check connector configuration
Get-ReceiveConnector "SMTP Relay" | Format-List

# Verify permissions
Get-ReceiveConnector "SMTP Relay" | Get-ADPermission | Where-Object {$_.User -like "*Anonymous*"}

# Check logs
Get-MessageTrackingLog -Recipients "external@gmail.com" -Start (Get-Date).AddHours(-1)

8. Deploy to Multiple Servers

# Copy existing connector settings
$SourceConnector = Get-ReceiveConnector "EX01\SMTP Relay"
$RemoteIPs = $SourceConnector.RemoteIPRanges

# Create connector on new server
New-ReceiveConnector -Name "SMTP Relay" -Server "EX02" -TransportRole FrontendTransport -Custom -Bindings 0.0.0.0:25 -RemoteIpRanges $RemoteIPs -PermissionGroups AnonymousUsers

# Set permissions
Get-ReceiveConnector "EX02\SMTP Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

9. Best Practices

9-1. Security Considerations

  • Restrict IP ranges: Never use 0.0.0.0-255.255.255.255
  • Monitor usage: Enable protocol logging for audit trails
  • Regular review: Check connector logs for unauthorized usage
  • Certificate validation: Use TLS certificates for authenticated connections

9-2. Performance Optimization

# Set appropriate connection limits
Set-ReceiveConnector "SMTP Relay" -MaxInboundConnectionPerSource 10
Set-ReceiveConnector "SMTP Relay" -MaxInboundConnectionPercentagePerSource 50

# Configure message throttling
Set-ReceiveConnector "SMTP Relay" -TarpitInterval 00:00:05

9-3. Migration Considerations

When upgrading Exchange versions or migrating to Exchange Online:

  1. Document current settings: Export connector configurations
  2. Test connectivity: Verify all applications work with new settings
  3. Monitor logs: Check for failed relay attempts during transition
  4. Update DNS: Point applications to new server FQDNs
