How to Add Remote IP Addresses to Existing Receive Connectors

The Exchange Management Shell provides the Set-ReceiveConnector cmdlet for modifying settings on Hub Transport server Receive Connectors. This can include the RemoteIPRanges setting, which is the multivalued list of IP addresses on the network that are allowed to use that Receive Connector to send mail.

Most Exchange environments will include at least one Receive Connector that is configured to allow certain hosts and applications to relay email. Over time this may build up a lengthy RemoteIPRanges IP address list. When it comes time to add additional IP addresses to the list it seems logical to use Set-ReceiveConnector; however, this cmdlet replaces the existing list with whatever value is supplied, so the previous entries are lost.

For example, look at the current IP addresses:

Note: if the list of IP addresses is too long and is being truncated in the shell output see this tip for extending the enumeration limit.

Now use Set-ReceiveConnector with a new IP of 10.0.0.99:

And whoops, we’ve overwritten all of the previous IP addresses!

If you were just adding one new IP address the Management Console would do the job, but that can be slow for remote servers and is not as efficient if the change is being applied to multiple servers or involves adding multiple IP addresses.

Fortunately with the Exchange Management Shell we can easily add IP addresses to existing Receive Connectors.

To add a single IP address to an existing Receive Connector:

Now we can see that 10.0.0.99 has been added to the Receive Connector.

To add multiple IP addresses at once use this command sequence:

Sometimes the list of IPs being added is too long to type out. To add multiple IP addresses from a text file called newips.txt use this command sequence instead:
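
The read, append and write-back sequence that the steps above describe, as an added example rather than the article's own commands. The function name Add-RemoteIPRangeFromFile, its IPv4-only validation pattern and the "SERVER\Relay Connector" identity are assumptions; newips.txt is the file named above.

```powershell
# Added example, not the article's code. Assumed names: Add-RemoteIPRangeFromFile,
# "SERVER\Relay Connector" (placeholder identity). IPv4 entries only.
function Add-RemoteIPRangeFromFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,  # full name: Server\Connector
        [Parameter(Mandatory = $true)][string]$Path       # one entry per line
    )

    # Accept a single address, a CIDR block (/1 to /32) or a low-high range.
    $octet = '(25[0-5]|2[0-4]\d|1?\d?\d)'
    $ip    = "$octet(\.$octet){3}"
    $valid = "^$ip(/([1-9]|[12]\d|3[0-2])|-$ip)?$"

    $conn     = Get-ReceiveConnector -Identity $Identity -ErrorAction Stop
    # Compare on the string form of each existing IPRange entry.
    $existing = @($conn.RemoteIPRanges | Where-Object { $_ } | ForEach-Object { "$_" })
    $toAdd    = @()

    foreach ($line in Get-Content -Path $Path) {
        $entry = $line.Trim()
        if (-not $entry) { continue }
        if ($entry -notmatch $valid) {
            Write-Warning "Skipping malformed entry: $entry"
            continue
        }
        # Skipping duplicates avoids the "already present in the collection" error.
        if (($existing + $toAdd) -contains $entry) {
            Write-Warning "Already present, skipping: $entry"
            continue
        }
        $toAdd += $entry
    }
    if ($toAdd.Count -eq 0) { return }

    # Always send the existing list plus the additions; sending only the new
    # entries would replace the whole list.
    $newList = $existing + $toAdd
    if ($PSCmdlet.ShouldProcess($Identity, "Add $($toAdd.Count) remote IP entries")) {
        Set-ReceiveConnector -Identity $Identity -RemoteIPRanges $newList
    }
    $toAdd  # entries that were new
}

# Preview first, then run without -WhatIf:
# Add-RemoteIPRangeFromFile -Identity "SERVER\Relay Connector" -Path .\newips.txt -WhatIf
```

Duplicates are detected by exact string match only, so an address already covered by an existing subnet or range is still added as its own entry.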

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

54 comments

  1. Jim M says:

    Hello,
    I liked the script above but when I hit exactly 863 IPs in a receive connector I can no longer add any more IPs. I receive the error below. Has anyone run into this error? I get the same thing when adding an additional entry in the GUI as well. I’ve read it is a limitation of Active Directory.

    Set-ReceiveConnector : Active Directory operation failed on c15088dc3001.mydomain.com. This error is not retriable. Additional information: The administrative limit for this request was exceeded.
    Active directory response: 00002024: SvcErr: DSID-02080490, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1112
    At line:1 char:32

    Is the only workaround adding another receive-connector? I am not in the position of adding a range, because it’s an anonymous POP3 Connector.

    • Well having never added 863 IP’s to a Receive Connector I can’t say I’ve ever hit that limit 🙂

      I guess either add another connector so you can add more IP’s. Or try to make some or all of them authenticated connections instead so you don’t have to limit by IP address.

      One other (maybe not so good) idea would be to restrict the IP’s using a firewall rule instead, and just leave the Receive Connector open, but that would not be my ideal choice.

  2. Jim M says:

    It looks like it’s an Active Directory thing. AD2000 has ~800 limit, and AD2003 has ~1300. I think we’re on a functional 2000 domain.

    http://social.technet.microsoft.com/Forums/en/exchangesvrmigration/thread/538f9e35-9901-40cf-b9fa-1e4895c13a68

    All of these entries are for printers that scan and email. Maybe an easier way would be to make an authenticated receive connector and just change the printer settings to authenticate with a generic account. Sounds a little easier huh….

  3. Liran Zamir says:

    Strangest thing
    Exchange 2010 SP1+Rollup 4. When running the import with a text file containing a list of IP addresses
    the following error occurs for each IP address:

    [PS] C:\Windows\system32>Get-Content .\iplist.txt | foreach {$RecvConn.RemoteIPRanges += "$_"}
    Exception setting "RemoteIPRanges": "Cannot convert value "System.Object[]" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Microsoft.Exchange.Data.IPRange]". Error: "The value '1.1.1.1' is already present in the collection.""
    At line:1 char:47
    + Get-Content .\iplist.txt | foreach {$RecvConn. <<<< RemoteIPRanges += "$_"}
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

    Exception setting "RemoteIPRanges": "Cannot convert value "System.Object[]" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Microsoft.Exchange.Data.IPRange]". Error: "The value '10.4.10.210' is already present in the collection.""
    At line:1 char:47
    + Get-Content .\iplist.txt | foreach {$RecvConn. <<<< RemoteIPRanges += "$_"}
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

    Can someone assist ???

      • Liran Zamir says:

        Thanks, I managed.
        None of the IP addresses were already present. The trick for me to get it to work was to specify
        In the first line the full connector name (including the server name) instead of only the connector name.

        Thanks!

      • Rodney Ferretti says:

        I notice that if you have an error like “The value ‘xx.xx.xx.xxx’ is already present in the collection.””, the script stops.
        Does anyone know how I can make the script keep running and add the rest of the IPs to the receive connector even with some errors?
        Tks in advance.

  4. aaron says:

    Hey Paul,

    My list of receive connectors is truncated … Even when results outputted to .txt file. Is there a way to have it show the entire list

    [PS] C:\>Get-ReceiveConnector “internal relay” |fl remoteipranges >C:UsersuwhadminDocumentsoutputremoteip.txt

    RemoteIPRanges : {10.150.12.21, 10.150.31.63, 10.150.21.35, 10.0.10.13, 10.30.15.27, 10.0.1.7, 10.150.11.14, 10.150.50.191, 10.150.53.196, 10.150.53.197, 10.150.50.195, 10.150.52.197, 10.150.50.192, 10.150.50.193, 10.150.11.62, 10.0.1.24…}

  5. Holt Satterfield says:

    Hey, Paul —

    We just built an Exchange 2010 and migrated all the mailboxes from the old 2003 Exchange box. My integrator says he usually adds ALL the IP addresses (and in our case, all the subnet ranges) into the Relay Connector. This is opposed to just devices that usually send mail — scanners, copiers, accounting/equitrac servers.

    What say you about adding all my IP ranges into the Exchange 2010 Relay Connector?
    Thanks.

    • It is a “low effort” approach. I’ve permitted entire IP ranges in some cases before, usually for things like desktop apps that need direct SMTP relay but the pc’s are on a DHCP range without reservations (reservations might sound like a logical solution to that, but they add “yet another thing” to manage and will of course break if the user gets a new pc or logs on to a different one).

      I wouldn’t do it on insecure networks, eg wireless where a guy in his car outside the building uses your server to relay spam.

      And as long as they aren’t creating an open relay that can be exploited from the internet then it’s probably fine.

  6. Joakim says:

    Hi,

    We migrated from Exchange 2003 to 2010. We have many servers and applications using the old server, so I had to add the IP addresses of these application servers one by one to the new Relay connector on the new Exchange 2010 so they can send email. Everything is working fine, but one server cannot telnet to this relay server. I’ve already added its IP to the list. It can telnet to the Exchange 2003 but not the 2010.
    I got the error below
    Connecting To mgprelay01…Could not open connection to the host, on port 25: Connect failed

    Could you help please?
    Thanks

    • Can you ping the server? Not a simple routing issue?

      I’ve seen firewalls (both network and client firewalls) as well as some antivirus products cause problems like that (eg preventing outbound SMTP from the server because it looks like a worm/trojan). So check for those.

      What you can also do is enable Protocol Logging on the Receive Connector on the server you’re trying to telnet to, then inspect the protocol logs after trying to make the connection to see whether the traffic is hitting it or not.

  7. Joakim says:

    Thanks for replying. Yes, it can ping the server normally (with hostname and IP address). As for the antivirus, I’m not really sure it blocks the outbound SMTP because it can telnet to the old Exchange 2003 server as well.
    I’ll enable the Protocol Logging on the RC to see if it works.

    Thanks again

  8. vadim says:

    Helpful article (and following comments). One question – talking about text file used for importing IPs, what exactly is the format of records in the file? Just type in all IPs row by row, comma delimited, one IP per line? Or else?

  9. vadim says:

    Ok, thanks. Will try. In the past I had some trouble getting a properly formatted text file to be used with Win PowerShell for input. Maybe that’s how I made it work – putting records in line by line.

  10. Dave says:

    I have a question on doing the converse – removing one or more IP’s from a Receive connector for a situation when a relay server is decommissioned. Would that simply involve changing the += below to a -= ?

    Get-Content .\newips.txt | foreach {$RecvConn.RemoteIPRanges += "$_"}

  11. David Lockridge says:

    I figured out a loop for multiple Rec Connectors. It throws an error, but still adds the new IPs and keeps the old ones. In my environment, I have “Internal Only” and “External Allowed” connectors on multiple servers.

    $INTRecConns = Get-ReceiveConnector | Where {$_.Name -like "*Internal*"}
    $File = "C:\Temp\NewINTIps.txt"

    Foreach ($Conn in $INTRecConns) {
        # Re-read the connector, append each line of the file, then write the full list back
        $i = Get-ReceiveConnector $Conn
        Get-Content $File | foreach {$i.RemoteIPRanges += "$_"}
        Set-ReceiveConnector $i -RemoteIPRanges $i.RemoteIPRanges
    }

    • Liran Zamir says:

      Hi Tim

      The answer is yes.
      In the text file you can add subnets and ranges like this:
      10.10.139.0/24
      10.2.193.1-10.2.193.102

      Liran

  12. Eddie says:

    When adding or removing an ip address to our smtp relay connector we receive this error:
    “Starting a command on remote server failed with the following error message: The WinRM client sent a request to the remote WS-Management service and was notified that the request size exceeded the configured MaxEnvelopeSize Quota. For more information, see the about_Remote_Troubleshooting Help topic.”

    The MaxEnvelopeSizekb setting is at its default of “500”, and increasing it to 700 doesn’t solve this problem. Does someone have an idea how and where to look? It’s not the MaxEnvelopeSize in my opinion.

    • Greg Powlin says:

      Eddie,

      Did you get an answer on this? I have a similar issue and increasing to 700 did help, but didn’t resolve issue for larger queries.

      Thanks,

  13. CMRamos says:

    Great post with clear and concise instructions for importing, BUT what about exporting the “RemoteIPRanges” to a single column LIST IP’s, Ranges and Subnets already in the relay? Something that we can more easily read, imported into a spreadsheet, and reconciled to update the permitted hosts as you outlined above?

    i.e. We want the TXT output to list

    192.168.1.1-192.168.1.125
    192.168.1.200
    192.168.1.220
    10.10.1.0/25

    And NOT…
    192.168.1.1-192.168.1.125,192.168.1.200,192.168.1.220,10.10.1.0/25

    • Michael H. says:

      # Export each RemoteIPRanges entry on its own line, in the format it was entered
      $RemoteIPs = @()
      $IPs = (Get-ReceiveConnector "ExchangeServer\Default ExchangeServer").RemoteIPRanges
      foreach ($IP in $IPs) {
          Switch ($IP.RangeFormat) {
              "SingleAddress" {$RemoteIPs += $IP.LowerBound.ToString()}
              "LoHi" {$RemoteIPs += ($IP.LowerBound.ToString() + "-" + $IP.UpperBound.ToString())}
              "CIDR" {$RemoteIPs += ($IP.LowerBound.ToString() + "/" + $IP.CIDRLength.ToString())}
          }
      }
      $RemoteIPs | Out-File RemoteIPRanges.txt

  14. TED says:

    Thanks for the info… but I need to remove multiple IPs from the connector and I’m not sure what the command is for removing multiple IPs.

  15. Gary Jackson says:

    I’m trying to reduce my exposure of my internal relay connector. My issue is though I have ranges included throughout in addition to IPs. How can I gather logs and determine which actual IPs are hitting my connector so I can remove these ranges after adding the IPs? I had feeling like I’m over exposed. Thanks!
    Gary

  16. Sven Minor says:

    In Exchange Server 2016. I go into EAC –> MailFlow –>Receive Connectors –> Relay –>Scoping –>*Remote network settings: Receive mail from servers that have these remote IP addresses. Do you know of any way to bulk add specific IP addresses into the remote Network Settings?

  17. Koen says:

    Hi Paul… I know it’s not the correct column to ask.
    But we have reached the maximum of the RemoteIPRanges of our ReceiveConnector.
    Is there a parameter to extend above the 1250 items?
    Koen

  18. rino19ny says:

    hi, i got mine like this:

    $ReceiveConnector = Get-ReceiveConnector "cas2\Allow Relay External Emails"
    Get-Content d:\list.txt | foreach {$ReceiveConnector.RemoteIPRanges += "$_"}
    Set-ReceiveConnector $ReceiveConnector.Identity -RemoteIPRanges $ReceiveConnector.RemoteIPRanges

    and got error message:

    Cannot process argument transformation on parameter ‘RemoteIPRanges’. Cannot convert value “192.168.1.10 198.168.1.11 192.168.1.12…”

  19. Stewart Petersen says:

    Would something like this work for removing an IP from the remote IP range.
    —-
    $rc = Get-ReceiveConnector "Relay Connector"
    $relay = "IP to be removed"
    $Array = @()
    $ips = $rc.RemoteIPRanges
    # Rebuild the list without the entry being removed, then write it back
    foreach ($ip in $ips) {
        if ($ip -eq $relay) {Write-Host Cleared}
        else {$Array += $ip}
    }
    Set-ReceiveConnector "Relay Connector" -RemoteIPRanges $Array

      • Stewart Petersen says:

        I tested it today.
        A simple version would look like this.
        ——-
        $ip = "IP"
        $rc = Get-ReceiveConnector "Relay Connector"
        $NewRange = @()
        $OldRange = $rc.RemoteIPRanges
        # Copy every entry except the one being removed
        foreach ($rip in $OldRange) {
            if ($rip -eq $ip) {Write-Host "$ip Cleared"}
            else {$NewRange += $rip}
        }
        Set-ReceiveConnector "Relay Connector" -RemoteIPRanges $NewRange
        ——-

        What I am actually using is a bit different. I added few prompts, and entry checks. I am also using mine to add to 4 servers at once. So it looks closer to this:
        ————–
        #Prompt for IP
        $run = {
            $ip = Read-Host -Prompt "Enter Server IP"
            #Confirm IP entry is a valid IP
            $test = ($ip -as [ipaddress]) -as [bool]
            #Get RC
            $rc = Get-ReceiveConnector "Relay Connector"
            If ($test -eq $false) {
                Write-Host "$ip is not a valid IP Address" -ForegroundColor Red
                &$run
            }
            Else {
                #Check if IP exists
                if (-not ($rc.RemoteIPRanges -contains $ip)) {Write-Host "$ip Does Not Exist on this Server" -ForegroundColor Red}
                else {
                    #Rebuild the list without the IP and write it back
                    $NewRange = @()
                    $OldRange = $rc.RemoteIPRanges
                    foreach ($rip in $OldRange) {
                        if ($rip -eq $ip) {Write-Host "$ip Cleared"}
                        else {$NewRange += $rip}
                    }
                    Set-ReceiveConnector "Relay Connector" -RemoteIPRanges $NewRange
                }
                $andanotherone = Read-Host "Would You Like to Add Another Relay?"
                if ($andanotherone -eq "y") {&$run}
                Else {Exit}
            }
        }
        &$run
        ————–
