In the course of an Exchange migration, you will usually create new receive connectors on the new Exchange servers with the same settings as those on the old Exchange servers. Most of these settings are easy to see and copy, but the ability of a receive connector to act as an external relay is configured through the ms-Exch-SMTP-Accept-Any-Recipient extended AD permission, which is not as visible.
The following EMS one-liner is useful to determine which receive connectors in the organization are open relay connectors so you can configure the new ones likewise:
Get-ReceiveConnector | Get-ADPermission | Where {$_.User -Like '*anon*' -And $_.ExtendedRights -Like 'ms-Exch-SMTP-Accept-Any-Recipient'} | ft Identity, User, ExtendedRights
If your existing external relay receive connectors use a specific account rather than anonymous (NT AUTHORITY\ANONYMOUS LOGON) users, change '*anon*' to the specific account name.
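The one-liner shows which connectors carry the relay right, but not which source addresses each one accepts mail from, which you also need to copy when recreating them. The following script is an added example, not part of the original post: it runs in the Exchange Management Shell and reports both per connector. The output file name relay-connectors.csv and the string form used to detect an "all IPv4 addresses" range are assumptions.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# '*anon*' matches NT AUTHORITY\ANONYMOUS LOGON; change it to a specific account name if needed.
$Account = '*anon*'
$Right   = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($rc in Get-ReceiveConnector) {
    # Allow (not Deny) entries that grant the relay right to the account on this connector
    $grants = Get-ADPermission -Identity $rc.Identity | Where-Object {
        $_.User -like $Account -and $_.ExtendedRights -like $Right -and -not $_.Deny
    }
    if (-not $grants) { continue }   # connector cannot relay for this account

    # Flatten multivalued properties to strings so they survive Export-Csv
    $ranges   = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $trustees = @($grants | ForEach-Object { $_.User.ToString() } | Select-Object -Unique)

    [pscustomobject]@{
        Connector        = "$($rc.Identity)"
        Enabled          = $rc.Enabled
        Trustee          = $trustees -join '; '
        Bindings         = $rc.Bindings -join '; '
        RemoteIPRanges   = $ranges -join '; '
        PermissionGroups = "$($rc.PermissionGroups)"
        AuthMechanism    = "$($rc.AuthMechanism)"
        # Assumption: an unrestricted IPv4 scope is rendered as this exact string
        AcceptsAnyIPv4   = $ranges -contains '0.0.0.0-255.255.255.255'
    }
}

# Review on screen, and keep a copy to compare against the new servers after migration
$report | Sort-Object Connector | Format-List
$report | Export-Csv -Path .\relay-connectors.csv -NoTypeInformation
```

A connector that appears here with AcceptsAnyIPv4 set to True relays for any host that can reach it, so confirm that scope is intentional before reproducing it on the new server.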
See the following articles for more information about Exchange receive connectors:
- Receive Connectors: Exchange 2013 (TechNet)
- Receive Connector Permissions: Exchange 2013 (TechNet)
- How Anonymous Relay Works in Exchange 2013 (Elan Shudnow)