How to Determine Which Receive Connectors are External Relay Connectors

Tuesday, October 1, 2013
There are times, particularly during an Exchange migration, when you want to determine which Exchange receive connectors are configured as external relays. External relay receive connectors allow connections (usually from anonymous users) to be relayed to another external domain. When these connectors accept connections from anonymous users they are sometimes called "open relay"connectors. A common use case for this is to allow internal application servers to send emails to external users.

In the course of an Exchange migration, you will usually create new receive connectors on the new Exchange servers that have the same settings as the old Exchange servers. Most of these settings are easy to see and copy, but the ability of a receive connector to perform as an external relay is configured using the ms-Exch-SMTP-Accept-Any-Recipient extended AD permissions which is not so visible.

The following EMS one-liner is useful to determine which receive connectors in the organization are open relay connectors so you can configure the new ones likewise:
Get-ReceiveConnector | Get-ADPermission | Where {$_.User -Like '*anon*' -And $_.ExtendedRights -Like 'ms-Exch-SMTP-Accept-Any-Recipient'} | ft Identity, User, ExtendedRights
If your existing external relay receive connectors use a specific account rather than anonymous (NT AUTHORITY\ANONYMOUS LOGON) users, change '*anon*' to the specific account name.

See the following articles for more information about Exchange receive connectors:


No comments:

Post a Comment

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.