In most Exchange Server 2010 environments there will be the need to allow relaying for certain hosts, devices or applications to send email via the Exchange server.  This is common with multi-function devices such as network attached printer/scanners, or applications such as backup software that send email reports.

SMTP communication is handled by the Hub Transport server in an Exchange organization.  The transport service listens for SMTP connections on it’s default Receive Connector. However, this connector is secured by default to not allow anonymous connections (ie, the type of connection most non-Exchange systems will be making).

You can see this in effect if you telnet to the server on port 25 and try to initiate unauthenticated SMTP communications.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 19:42:27 +1000
250 EX3.exchangeserverpro.local Hello []
mail from:
530 5.7.1 Client was not authenticated

For some Hub Transport servers that are internet-facing, anonymous connections may already be enabled.  In those cases relay would still be denied but will behave differently than the first example.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:01:44 +1000
250 EX3.exchangeserverpro.local Hello []
mail from:
250 2.1.0 Sender OK
rcpt to:
550 5.7.1 Unable to relay

You’ll note that relay is denied if I try to send from an address to an address, because neither is a valid domain for the Exchange organization. But with Anonymous Users enabled on the Receive Connector I can send from an address to a valid local address.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:05:54 +1000
250 EX3.exchangeserverpro.local Hello []
mail from:
250 2.1.0 Sender OK
rcpt to: alan.reid@exchangeserverpro.local
250 2.1.5 Recipient OK
354 Start mail input; end with .
250 2.6.0  [In
ternalId=2] Queued mail for delivery

However if I try to relay out to an external recipient, the Exchange server does not allow it.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:11:27 +1000
250 EX3.exchangeserverpro.local Hello []
mail from:
250 2.1.0 Sender OK
rcpt to:
550 5.7.1 Unable to relay

To permit a non-Exchange server to relay mail we can create a new Receive Connector on the Hub Transport server. Launch the Exchange Management Console and navigate to Server Management, and then Hub Transport. Select the Hub Transport server you wish to create the new Receive Connector on, and from the Actions pane of the console choose New Receive Connector.

How to Configure a Relay Connector for Exchange Server 2010

Give the new connector a name such as “Relay ” and click Next to continue.

How to Configure a Relay Connector for Exchange Server 2010

You can leave the local network settings as is, or optionally you can use a dedicated IP address for this connector if one has already been allocated to the server. Using dedicated IP addresses for each connector is sometimes required if you need to create connectors with different authentication settings, but for a general relay connector it is not necessary to change it.

How to Configure a Relay Connector for Exchange Server 2010

Highlight the default IP range in the remote network settings and click the red X to delete it.

How to Configure a Relay Connector for Exchange Server 2010

Now click the Add button and enter the IP address of the server you want to allow to relay through the Exchange server. Click OK to add it and then Next to continue.

How to Configure a Relay Connector for Exchange Server 2010

Click the New button to complete the wizard.

The Receive Connector has now been created but is not yet ready to allow the server to relay through it.  Go back to the Exchange Management Console, right-click the newly created Receive Connector and choose properties.

Select the Permission Groups tab and tick the Exchange Servers box.

How to Configure a Relay Connector for Exchange Server 2010

Select the Authentication Tab and tick the Externally Secured box.

How to Configure a Relay Connector for Exchange Server 2010

Apply the changes and the Receive Connector is now ready for the server to relay through.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:31:00 +1000
250 EX3.exchangeserverpro.local Hello []
mail from:
250 2.1.0 Sender OK
rcpt to:
250 2.1.5 Recipient OK
354 Start mail input; end with .
250 2.6.0 <924bab1e-0f07-4054-8700-d121577993b4@EX3.exchangeserverpro.local> [In
ternalId=3] Queued mail for delivery

Because the remote IP range has been secured to that single IP address, any other servers on different IP addresses still won’t be able to relay through the Exchange Server. From any other IP address not included in the remote IP range on the Receive Connector relay will be denied.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:46:06 +1000
250 EX3.exchangeserverpro.local Hello []
mail from:
250 2.1.0 Sender OK
rcpt to:
550 5.7.1 Unable to relay

You can later add more IP addresses, IP ranges, subnets, or even add multiple IP addresses to the Receive Connector using a script if necessary.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Nicolene


    I have a SP server on which we build a service desk. We also have exchange online, we are trying to setup a connector to exchange to allow staff to log calls to the service desk which is residing on the SP server. We are having trouble trying to set this gateway up. Is there any advise on how we could possibly go about doing this? So my understanding is that you cant connect the the SP server to exchange online?

  2. Mamie Bowker

    Undeniably believe that that you said. Your favorite justification seemed to be at
    the internet the simplest factor to take note of. I say to you, I definitely get annoyed while
    folks think about issues that they plainly don’t realize about.
    You managed to hit the nail upon the top and also outlined out the whole thing with no
    need side-effects , other folks can take a
    signal. Will likely be back to get more. Thanks!

  3. Sharyl Lonon

    Nice post. I learn something new and challenging on blogs I stumbleupon every day.

    It’s always exciting to read through content from other authors and use a
    little something from their sites.

  4. Ollie

    Hi Paul,

    Interesting article, I just have a question will the above configuration work in a hybrid scenario? Currently I have an Exchange Server 2010 to Office365, or is there another method to go about this?

  5. Muthu

    Hey Paul

    we have an situation like current exchange 2010 server encountered the issues with DNS. So we need to redirect all the traffic through other exchange server, from the application side the host name remains same .
    Is there way to achieve that?

  6. clementine


    why choose TLS authentication and externally secured why not basic authentication

  7. Gaurav

    Hi Paul,

    So here is the thing. This is what I am trying to do. Below users were able to scan to external email from MFP but now it’s not working. Getting error 550 5.7.1 Unable to relay as mentioned in here.

    So I went to one of HT server and created new receive connector. Under Network tab I have all available IPv4 (to receive email) and have added 3 internal IP addresses. 2 IP’s are for MFP’s itself and 1 IP is for other HT server.

    Coming to Auth tab I have got top one TLS ticked without Mutual Auth TLS) and also Externally Secured is ticked.

    For permissions group I have tried anonymous, exchange users and exchange servers. I tried all of these and still gives me unable to relay. Currently all of these 3 are ticked which probably is not ideal. For the IP addresses I believe it has to be from other Exchange servers and can’t be MFP itself, right?

    Bit confused here. The goal is to allow these MFP’s send email to external domains which isn’t working at the moment. What do I need to do?

  8. Saji

    Hello Paul,

    # #SMTP# , Do you know why this error occurring ? as it has been configure with relay connector. internal mail is working fine, out side domain mail is not working.
    Can you advise me on this please.

  9. Gary Basque

    Is there a max number of relay entries that can be allowed in Exchange 2010?

    1. Avatar photo
      Paul Cunningham

      Probably, but I’ve never hit it. I imagine it’s a big number.

  10. Chinh

    Dear Paul, I have problem when send email to external user.

    My application server ( using IP NAT ( to connect exchange server port 25. Internal user can receive email but cannot send to external user.

    I already configure receive connector with my IP range The problem still there.

    Please give me some advice,

    Thank you

    1. Avatar photo
      Paul Cunningham

      If you’re saying that the application server is behind a NAT IP address, then you would need to add the NAT IP address to the receive connector’s remote IP range.

      If you’re unsure, turn on protocol logging for the receive connector and look at the IP address that the connections from your app server are coming from.

  11. Tomaz

    Just want to say thanks. Helped me a lot!

  12. glenn

    *first post went missing*
    My goal: an external supplier needs to send mail to our customers as if it originates from our server.

    I tried to implement an relay on our SBS2011/Exchange 2010 server -following your instructions “…permit a non-Exchange server to relay mail…”

    if the telnet session (commands below) is started at the office (local domain), the send is successful.
    If however the telnet session originates from a remote pc, the send fails with this error:
    554 5.4.4 Unable to route due to invalid recipient address
    telnet 26
    mail from:
    rcpt to:
    subject: test send


    1. Avatar photo
      Paul Cunningham

      Sounds like the remote PC’s IP address hasn’t been added as a remote IP on the connector. If the remote PC is behind a NAT device you’ll need to add the NAT IP, not the source IP.

      1. glenn

        Hi Paul,
        Thanks for replying so quickly.
        I’ve added the nat ip to the connector too, but sadly no change.

        I have a feeling I’m confusing something simple.

        What I need, is for exchange to act as an smtp server **with authentication** for the outside world.
        F.e. for use with a simple smtp sender like this (link removed)

        an article seems to indicate I need IIS and a virtual smtp server to accomplish this.
        I feel Exchange already has everything necessary in place?

          1. glenn

            I will check that out immediately.
            thank you for the help.

          2. glenn

            Sadly no luck.
            in sbs 2011 that connector is not available. I recreate it with the info from the technet link.
            now I am back at “5.4.4 Unable to route due to invalid recipient address”

            an internet message on the same subject states an extra step is needed “set up a new send connector in the Exchange console, configured for secure SMTP.” sadly without further details.
            The current send connector does not offer such an option.
            the Partner intended use doesn’t seem apprioriate.

          3. Avatar photo
            Paul Cunningham

            SBS loves to be a special case. I don’t know why that connector isn’t there for you, or if it might be there under a different name. You could look at the port bindings for the connectors that do exist, and see if one has that port binding. Maybe it wasn’t necessary for you to create it, or you’ve created it with the wrong settings. Either way, I don’t have an SBS server to compare to.

          4. glenn

            Thank you for the help.
            Sadly I must declare defeat.
            I read through the technet articles. I’m pretty sure I followed them correctly.
            The problem is with routing the message, not with the connector itself.

            Somewhere/somehow our SBS/exchange has locked down remote authenticated users sending to external addresses.
            I’m at this now for three weeks – I am just going outside and may be some time. 🙂

          5. glenn

            too cold outside 😀
            I think the root of my problem is the dns configuration of sbs.
            I found the nameserver for the domain is pointing at an isp instead of the sbs server itself.
            This seems not to perturb regular mail , only mail sent via smtp
            off to read up dns setting hoping not break it further

  13. glenn

    Supplement to previous post:
    I just discovered the external relay send works if and only the “mail from:” address is NOT local to the domain *
    But I need the messages to be from…

    This seems to point to the hub transport definitions under organization config.
    no obvious setting there…

  14. Sanjeet Prasad

    Thanks…this worked for me

  15. Martin Lavoie

    Hi Paul,
    Is this possible to DENY only one IP from an IP range?
    I let a range ip to use the relay anonymously, but one of theme are a network scanner an see the “open port” for this relay. All the stats are wrong. I need to block this IP to use the relay, but allow the others. I can’t add one by one and skip this one. Thanks for your info.

    1. Avatar photo
      Paul Cunningham

      You can’t deny, but you can use IP ranges.


  16. Chandan Diwakar

    Hi we are using an application from one of our branch office which will sent bulk emails to our customer through SMTP replay. as per your article we have setup the relay connector but when our application sends bulk email it gets bounce email saying “550 No such user here – AD”

    1. Avatar photo
      Paul Cunningham

      Is it being bounced by your server or the recipient’s server? If it’s your server then it sounds like you have recipient filtering enabled.

  17. Chuck

    Sorry Paul,

    That first sentence should read “I tested again this morning and I can now see logs on both sides, which support the NDR I receive when sending a test email from EXCHDOMAIN2 to an external user.”

  18. Chuck

    Hello Paul,

    I tested again this morning and I can now see logs on both sides, which support the NDR I receive when sending a test email from EXCHDOMAIN2 to EXCHDOMAIN1.

    The specific error is:

    Delivery has failed to these recipients or groups: (
    Your message wasn’t delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.

    The following organization rejected your message: EXCHDOMAIN1.COM

    Diagnostic information for administrators:

    Generating server: EXCHSERVER.EXCHDOMAIN2.COM
    EXCHSERVER.EXCHDOMAIN1.COM #550 5.7.1 Unable to relay ##

  19. Chuck

    Hello Paul,

    Very interesting article, it helped with some of my configuration but I have an issue that I would appreciate your guidance on.

    We have an internet facing company that relays access for a back-end company, both companies have independent active directory forest with their own Exchange 2010 servers in their own email domains – let’s call these EXCHDOMAIN1 and EXCHDOMAIN2.

    EXCHDOMAIN1 (internet facing) is configured with EXCHDOMAIN2 as an Accepted Domain, with the Internal Relay Domain option. It also has a Send Connector to route email to EXCHDOMAIN2 and a Receive Connector to accept email from EXCHDOMAIN2; and EXCHDOMAIN2 is configured with its default Send/Receive Connectors.

    I can send emails from an external user to both EXCHDOMAIN1 and EXCHDOMAIN2 recipients, and users in both EXCHDOMAIN1 and EXCHDOMAIN2 can send emails to each other. Users in EXCHDOMAIN1 can send emails to external recipients, however users in EXCHDOMAIN2 cannot, the email is being rejected by the Exchange server at EXCHDOMAIN1 (550 5.7.1 Unable to relay).

    I am certain the issue lies with the Permissions/Authentication settings on the Receive Connector configured atEXCHDOMAIN1 to accept email from EXCHDOMAIN2.

    Your kind assistance is greatly appreciated.

    1. Avatar photo
      Paul Cunningham

      Turn on protocol logging for all receive connectors on EXCHDOMAIN1. Look at the logs to see which connector is handling the connections from the EXCHDOMAIN2 server.

      1. Chuck

        Hi Paul,

        I already turned on Verbose logging on all the connectors in both EXCHDOMAIN1 and EXCHDOMAIN2 as part of my troubleshooting before posting here, I can see activity on logs from the EXCHDOMAIN2 server when I send a test email, but nothing on the EXCHDOMAIN1 server.

        1. Avatar photo
          Paul Cunningham

          So the send protocol logs on the sending server show the connection attempts? Do they also show the “unable to relay” response?

          If the connections are hitting the receiving server, there must be receive protocol log entries. Is there a NAT device in between the two servers?

          1. Chuck

            Yes, there are logs on the sending EXCHDOMAIN2 server showing the ‘550 5.7.1 Unable to relay’ response, additionally the NDR received by the sender states that the EXCHDOMAIN1 server rejected the message. There are however no logs on the receiving EXCHDOMAIN1 server, which doesn’t add up since the NDR clearly identifies the EXCHDOMAIN1 server is rejecting the email.

            I will check the logs again and post any further findings when I get to the office in the morning.

            Thanks for your support thus far!

  20. Andrew

    I am attempting to get a receive connector on an Exchange 2013 Edge server. (No EdgeSync)

    The Edge Server is being used to facilitate servers in the DMZ that require a mail relay. I have created a new receive-connector (via EMS).
    I have disabled the default receive connector to ensure the connection is being made to the correct receive connector.

    Auth is set to TLS
    PermissionGroups is AnonymousAcccess
    RemteIpRange is set to the server in the DMZ (single IP)

    When I attempt a TELNET connection it accepts the MAIL from (

    RCPT TO:

    I then receive 550 5.7.1 Unable to Relay

    Any ideas?

    1. Andrew

      Interesting it is now working by adding the following command to the receive connector

      Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

      However this should this be needed if the intended email was a recipient in the local domain?

      1. Avatar photo
        Paul Cunningham

        You said no EdgeSync though, right? So Edge has no awareness of what is and isn’t a local domain for the org.

        1. Andrew

          ah I see. So had Edgesync been enabled (in my lab) The chances are that the email would have been accepted without the need to explicitly add the AD-Permission.

          This makes sense. Thanks Paul.

          P.S it wasn’t much fun creating those connectors in the shell 🙂
          I was fortunate to have an exchange 2010 Edge server which I used to check the configuration and copied the Powershell commands.



  21. cliff l


    If I have a distribution group with “Require That All Senders are Authenticated” checked, will the DG receive emails from printer/scanner, backup server etc?

  22. Santhosh Nair

    Thank you so much for this amazing support…!!!

  23. Injur Junior

    This worked out fine for us. Thank you..

  24. Chandan


    My org name is & using MFP printer and i want to send email to through smtp mail relay. is there any way where i can define that i will only send email to and denied all email domain including too. Please suggest..

  25. JuanK

    Hello Paul,
    you can configure a connector to a remote public ip?


    regards from Perú

    1. Avatar photo
      Paul Cunningham

      Not sure if I understand your question, but I think the answer is yes.

  26. ajendra

    Hi Paul,

    I have a scnerio where i have 4 PC out of 4 pc one PC has only internet connectivity i want to all other pc to send and receive the mail without giving the internet access as my mail server is in another location so client need internet connection to reach my Exchange Server 2010.

  27. Kashif

    thank you Paul, this article is really helpful, i was working on this issue for last one week. thanks once again

    1. narasimha k

      I have Hitachi storage and I configured to receive email alerts internally working fine but on the same configuration external vendor (Hitachi) not receiving alerts. I have created the receive connector and added Hitachi server IP.

      I am able to send mails Hitachi successfully.

      Narasimha K

  28. edi munoz

    Hi Paul, have a nice day thank for your time, i want to ask if this is possible, im totally new to exchange server, so i have in my company exchange serve 2010 enterprise, and the domain is but we got a new domain and is the first one its email server is locally in our company but the second one is in an online webhost server, and i want to know if is posible to use the new domain server as a back up of my first exchange server like if anything goes wrong with the local server all users still get emails store in the web host email server? i hope i explain well thank you in advance

    1. Avatar photo
      Paul Cunningham

      Not the way you’ve described, no. But there are business continuity services you can use if that’s what you need.

  29. Ed Bangle

    Is Exchange 2010 compatible with Classic ASP SMTP using CDOSYS????

  30. Joe

    Please excuse me for posting here but I have not been able to find this info anywhere and this article comes close. Can you please tell me where I might find instructions on configuring relay on exchange 2010 so that I can send email that comes from the internet for a particular email address or set of addresses gets relayed to another internal server that is not an exchange server?


    1. Avatar photo
      Paul Cunningham

      You can configure forwarding on the mailbox, in the delivery options.

      1. Joe

        Hi Paul.

        Unfortunately, all I can find is how to forward to another email address on the same Exchange Server. Do you remember which setting allows forwarding to another server?



        1. Avatar photo
          Paul Cunningham

          You can forward to a contact, and the contact can have an email address on any other server or organization you want.

  31. Ahmed


    IS it possible to use as public IP as source (remote server) in the receive connector? Can I allow a particular server on the internet to relay through my exchange server? I tried to put a public IP but when i try to send still get relay denied. How can I do this?

    1. Avatar photo
      Paul Cunningham

      Yes it is, but the source IP might look different if the connections are passing through various firewalls, proxies, load balancers, etc. You should use your protocol logs on the receive connector to dig into that further.

  32. Rob Pelletier

    The PC running the application (StorageCraft ImageManager) is located outside the Exchange Server’s LAN. This program, when you set up the email notifications, has a Test Email button. It either works or it doesn’t. There is no error message, nothing in the event logs (of either the PC or the Exchange Server) – it either arrives or it doesn’t.
    Also, it has a dynamic IP address. So, it’s somewhere in the address range. The world is already using that range and port 25, so would this particular app be able to find the connector that allows it?
    For a laugh, I tried to create a unique Rec. Connector using a different port. Created it, allowed ONLY Exchange users, used port 2525, created a forwarding rule on the router, tested it with and without credentials.
    Worked like a dream, but only when credentials are included (which, of course, is what I wanted.)
    Nothing wrong with your article, Paul. I’m just a dummy!


    1. Avatar photo
      Paul Cunningham

      Being outside of the Exchange server’s subnet doesn’t matter. When you say dynamic IP I assume you mean an IP within a DHCP range that you control, and not “any IP address on the entire planet”?

      So one possibility is to reserve an IP for that PC, so that you know which IP address needs to be permitted to relay.

      But, as you’ve found, if the app can authenticate there’s no need for additional connectors to be created. The connector you created on port 2525 shouldn’t even be required, as there is already a Client connector that Exchange creates during setup.

  33. Rob Pelletier

    I realize this stuff is all about security, but what good is having a mail server that is so hard to actually use? I need to use an Exchange 2010 server as an SMTP server. The “client” is a backup program running on a computer OUTSIDE of the Exch2010 server’s LAN. I want to send email notifications, both to users in the server’s mail domain and to outside users. Not secure to allow this anonymously, but why should it be so difficult to allow this for a program, providing credentials are provided?
    I can’t be the only person wanting to use his own server to relay mail (people do it with their Internet Providers’ servers all the time) – why can’t I even find anything that explains this?
    What am I missing?

    1. Avatar photo
      Paul Cunningham

      If your app that is sending email is able to authenticate, then there is already a receive connector set up by default in Exchange for that. It is the “Client” receive connector, listening on port 587, often used by POP/IMAP clients for mail submission.

      Other than that, I’m not sure what you see as difficult about setting up a relay connector for specific IPs to be able to use SMTP.

  34. Don

    Grateful post, it works fine.

    Thank you!

  35. Elnur

    Thx Thx thx Thx Thx thx Thx Thx thx Thx Thx thx Thx Thx thx 🙂

  36. Max

    Thanks so much! I was getting stuck on the “Externally Secured” setting. We needed this connector for our new printer for Scan to Email settings. I needed this setting to send to external domains (internal was working ok).

  37. khalil

    Dear Paul,

    Thank you for the article , we have an issue our exchange is on open SMTP Relay , now anyone can do the telnet from the inside the organization and send email ?! we would like to stop this and no one should be able to do telnet the hubs both Internally and externally. I would appreciate your support on this , we need to send and receive both from internally and externally from customers in the meanwhile we want to secure our HUBs and exchange server.

    Appreciate your support on this,


  38. ivo

    My exchange server 2010 can send receive form other mail services like yahoo, gmail, hotmail.. but i cant not reply back to those emails types. it works well only inside my domain. I just tried working with exchange for like 1 week now i have never done this before pls any ideas ?
    thanks and waiting

  39. Sandy

    Sorry, I meant:

    Does these steps should we perform in each forest?

    1. in DNS: MX records of ‘ACQUIRED.NET’ with IP address of Edge Server of ‘ACQUIRED.NET’ .
    2. Configure an accepted domain as an internal relay domain for ‘ACQUIRED.NET’
    3. Create receive connector on MBox Server: “Relay for ACQUIRED.NET ” with IP address of Edge Server of ‘ACQUIRED.NET’

    1. in DNS: MX records of ‘’ with IP address of Edge Server of ‘’.
    2. Configure accepted domain: OWNER.COM
    3. Create a new Send Connector to point to a smart host, to a public IP of Edge Server of OWNER.COM
    4. AddressBookPolicy to rewrite outbound address to ‘’ suffix.

    Please, correct me, if I am wrong?

  40. Sandy

    Dear Paul,

    Thank you for your article! The most clear explained why and how to create relay connector!
    But still I don’t understand some relationship in Exchange
    Please help if you can?

    I stuck on solution and can’t find a clear step-by-step instruction on Microsoft site. Even worse, I have found some conflicting information, that I become totally confused.

    Here in short:

    One company purchased another company. Let’s we name them ‘OWNER.COM’ (Ex2013) and ‘ACQUIRED.NET’ (Ex2013).

    We need to implement the address rewriting in the ‘ACQUIRED.NET’ forest to change the SMTP domain name ONLY for outbound emails to OWNER.COM shared SMTP domain name suffix.
    Also Helpdesk Application is centralized and need to use MBoxServer in as SMTP-relay to send email messages in both forests.

    Does these steps should we perform in each forest?

    1. in DNS: MX records of ‘ACQUIRED.NET’ Edge Server.
    2. Configure an accepted domain as an internal relay domain ‘ACQUIRED.NET’ on Edge Server or CAS Server.
    3. Create receive connector: “Relay for ACQUIRED.NET ”

    1. in DNS: MX records of ‘’ Edge Server
    2. Configure accepted domain: OWNER.COM
    3. Create a new Send Connector to point to a smart host, to a public IP of Edge Server of OWNER.COM
    4. AddressBookPolicy to rewrite outbound address to ‘’ suffix.

    Please, correct me, if I am wrong?

  41. Dariusz Bartoszewicz

    We configured SCOM to send e-mails w/ alerts to both internal and external e-mail addresses. Since we have no SMS configured, we wanted to use the PHONENUMBER@CARRIER.COM to push the notifications. We were receiving the internal e-mails via the relay just fine, but not at the external address for the text messages. Solution mentioned above did the trick for us, so THANK YOU very much for sharing, you just made my day!

  42. Matt

    It worked! Adding names so other people who search with a problem as rare as mine may find this.

    The setup was CopiTrak/Nuance managed MFD’s, sending faxes to the CopiTrak/Nuance server, which emails the fax to the Biscom Queue server, then the Biscom Queue emails the fax to their servers. The connection from the CopiTrak server to the Biscom server was not working until the properties were set as above.

  43. Alex Bahler

    Thank you for these instructions.
    Easy as..

  44. Luka Romih

    Hi Paul, thanks for these instructions. I have a little different question: is it possible to set basic authentication on the connector so that you could prevent possible spamming programs on the network but a legit app with (basic) U/P could still send emails? MAPI connection isn’t possible here – it’s a custom app.

  45. Alan Lunghusen

    Best set of instructions I have ever seen.
    Very clear and well documented – Thanks

  46. Cody

    Paul, is it by design that Exchange 2010 allows any non-domain user on the network to telnet to the Exchange HUB server, and send an email from any user account to any other user account (local to local, non relay)?

    I have my default receive connector setup to allow anonymous connections so our org can receive email from gmail, hotmail, etc.

    I’d rather people not be able to send email from applications, printers, etc, without authentication or without being on the list of IP addresses in the connector.

    Right now someone from Microsoft is telling me this isn’t relay and is allowed. I was never able to send emails through Exchange before from third-party applications on the network without adding their IP addresses in the appropriate receive connector.

    I have screen shots posted here:

    We use Symantec MessageLabs as our security gateway. We have no Exchange edge role. Right now only the MessageLabs gateway can send SMTP email to our Exchange server from the internet.

    In the past if I even tried to telnet to my Exchange server and didn’t have the IP in the list it would get rejected. I’m unsure what’s changed. We just applied SP3 RU6 to 2010. That’s the only recent change I can think of.


    1. Avatar photo
      Paul Cunningham

      Yes that is normal with your configuration. It isn’t relay, it is in fact how your internet email is able to successfully deliver to you. If you want to lock that down create new receive connectors specifically for incoming internet email and only allow them to be used by your incoming mail filtering server/appliance.

  47. Al

    Will this work for PDF attachments? We have an Exchange 2010 Server that we are using as a relay and it works for emails with TXT file attachments but doesn’t work if the email has a PDF attachment. Any idea why?

    1. Avatar photo
      Paul Cunningham

      What does “doesn’t work” mean? The emails are rejected? The emails arrive but without attachments? Something else?

  48. Joerg Renggli

    Hi Paul,

    Is that true, if we you don’t add the ip address under Remote Network settings, Exchange will allow it through the (Internet facing) default receive connector? With that behaving we have no control, which smtp-device (printer, ups, etc.) can send mails and which one not.

    Our goal is, if the ip address is not added under Remote Network settings, then the device shouldn’t be able to send mails. This is because we have a lot of little offices connected with vpn to the main office and we want to have under control, who is using our exchange server.

    Someone mentioned this:
    “Ensure option “Exchange servers” under permission group & option “Externally secure” should be unchecked for “Default Receive Connector”. ”

    Could that be the solution?

    Thank you

    1. Avatar photo
      Paul Cunningham

      Yes, the default connector allows any sender to send to *internal* recipients, because that is how email from the internet works.

      So yes, any device on your network that can reach port TCP 25 on the server will be able to send to *internal* recipients. Is that such a bad thing?

      1. Joerg Renggli

        No it is not that bad. We are just confused, because we all thought (for years) that we need a special receive connector with “Externally secure” enabled, to send mails to ’internal’ recipients.
        It seems we were all wrong 🙂

        Thank you for your help and all your blogs.

        1. Avatar photo
          Paul Cunningham

          The default connectors in Exchange 2010 did not allow unauthenticated SMTP connections to do anything. People would often enable anonymous auth on the default connector when it was the internet-facing transport server, which also had the effect of allowing anyone to send to internal recipients.

  49. Robin Wenham

    Hi, I’m still accessing this article to refresh my memory. We have an SBS 2008 (Exchange 2007?) We are trying to relay messages from an iSeries through Exchange to both an internal and external e-mail address.

    We have set up the Receive Connector as specified and as far as I can tell it is working – after a fashion:

    1) The iSeries has been unable to relay messages externally, although they appear internally.
    2) I added my laptop to the allowed IP Addresses and used telnet on port 25 to simulate message delivery. The SMTP response confirmed that I had the right connector. When i set the “from” address to be one that does not exist on the Exchange server, the message did not get delivered. Didn’t even appear in the message tracking logs.
    3) When I set the “from” address to match the adminstrator account the message got delivered.

    Is this expected behaviour?

    I’m trying to confirm what actually works because the iSeries guys are really struggling.

    Thanks in advance.

  50. Raúl González

    That’s a bad new, anyway, if there’s nothing to do, no worries, I’ll try to explain it to my boss the best way I can. Thanks again Paul!

  51. Raúl González

    Ok, so there’s no way to stop it, right? We will migrate to Exchange Server 2013 so I hope this can be solved over there =) I appreciate your help Paul! Have a great day!

    1. Avatar photo
      Paul Cunningham

      You’re going to see the same situation with Exchange 2013 because the default connectors allow any sender to send to any internal recipient (because that is how incoming internet email works).

      If you’re worried about people doing internal spam/scam emails then the message headers as well as message tracking logs will help you track where the email came from in your network.

  52. Raúl González

    Hi Paul,

    About the connector issue. Thanks you very much for your help! I deleted the connector since yesterday and two of our systems stopped working, they weren’t able to send emails, but I was stil able to send emails as other users without authentication. I recreated the connector with only those two IPs and it’s working again. It seems like that connector wasn’t causing it T_T

    I don’t know if our Default and Client Connectors are configured as they should be. Could that be the issue?


    1. Avatar photo
      Paul Cunningham

      I just want to make sure I understand your scenario properly.

      Lets say your domain is

      You’re concerned that anyone can connect to SMTP on the server (for example by telnet directly to the server, not via any load balancers or other devices) from any other computer on your network, and send an email from to

      1. Raúl González

        Exactly! Right now anyone can do that without any password or authentication. But only if they’re in our network.

        1. Avatar photo
          Paul Cunningham

          That is normal when the Anonymous Users permission group is enabled on a “Default” receive connector. Any sender can connect to port TCP 25 and send to internal recipients. Because that is how incoming internet email works as well.

  53. Raúl González

    Hi Paul,

    I hope you can help me. I’m performing some tests in my organization. It seems like I can send emails from any computer connected to our network to anyone from any email address without authentication! What means that someone can even send an email from the CEO email address to someone outside saying whatever they want without credentials.

    I’m using a very simple PHP app where I can modify “From”, “To”, “Subject” and “Message” for the mail; and for authentication I can modify “Account”, “Password”, “Port”, “With or without SSL” and “Server”.

    For example, if I send from “ceo@*****.com” to “rgonzalez@*****.com” but for authentication I enter anything (like zxcfvgeucnscj) as account and password, without SSL, on port 25 and the correct server I receive the message!

    Anyone within our network can do that on their computers. How can we stop it???

    Thanks in advance!

    1. Avatar photo
      Paul Cunningham

      Sounds like you’ve got a receive connector configured on the server that allows your internal IP range to relay mail.

      1. Raúl González

        I’m pretty new in Exchange, and who configured it, is not around anymore, so, I don’t know if how they’re configured is how they should be configured.

        I have three Receive Connectors configured:

        Client Connector – Network
        Use these local IP addresses to receive mail
        [All available IPv4 addresses] 587
        [All available IPv6 addresses] 587
        Receive mail from remote servers that have these IP addresses

        Client Connector – Authentication
        – Transport Layer Security (TLS)
        – Basic Authentication
        – Offer Basic Authentication only after starting TLS
        – Exchange Server Authentication
        – Integrated Windows Authentication

        Client Connector – Permission Groups
        – Exchange Users

        Default Connector – Network
        Use these local IP addresses to receive mail
        [All available IPv4 addresses] 25
        [All available IPv6 addresses] 25
        Receive mail from remote servers that have these IP addresses

        Default Connector – Authentication
        – Transport Layer Security (TLS)
        – Enable Domain Security (Muthual Auth TLS)
        – Basic Authentication
        – Offer Basic Authentication only after starting TLS
        – Exchange Server Authentication
        – Integrated Windows Authentication

        Default Connector – Permission Groups
        – Anonymous Users
        – Exchange Users
        – Exchange Servers
        – Legacy Exchange Servers

        Apps Connector – Network
        Use these local IP addresses to receive mail
        [All available IPv4 addresses] 25
        Receive mail from remote servers that have these IP addresses

        Apps Connector – Authentication
        – Transport Layer Security (TLS)
        – Externally Secured (for example, with IPsec)

        Apps Connector – Permission Groups
        – Exchange Servers

        Any help will be highly appreciated!


        1. Avatar photo
          Paul Cunningham

          The “Apps connector” is not one of the defaults installed with Exchange, so I would say that is your culprit. If you read the article above and look at your settings for the “App connector” you’ll see that the two IP addresses and are allowed to relay mail through that connector.

  54. rajkarthik

    Thanks paul and instant reponse
    its working perfect

  55. rajkarthik

    Hello Paul

    I just downloaded all your scripts (Test Exchange server Health, Mailbox Report and DAG Health) Apart from 3 scripts 2 (Test exchange server health and DAG Health) is working perfect, but it wiil not trigger the mails while I’m running the scripts.
    Please assist on this at earliest

    1. Avatar photo
      Paul Cunningham

      Have you modified the SMTP settings in the scripts to set your own email address/SMTP server etc?

      When you run the scripts do you see an error in your PowerShell window?

      1. rajkarthik

        Thanks paul fro your instant response.

        Yes, we modified the SMTP settings and we didn’t get any error message while running the scripts.
        We also checked that, we can able to send test message using power shell.

        1. Avatar photo
          Paul Cunningham

          Then I would suggest checking your message tracking logs to trace the message. If nothing is in message tracking logs, then check protocol logs for the receive connector to see what is happening there.

  56. Deanne Barton

    Hi Paul
    I’ve read through all these postings and have tried the different scenarios, but all to no avail.

    I’m running Exchange 2010, ver 14.02.0318.004, created a new receive connector, specified the local IP Address. Authentication has TLS ticked and Externally Secured, with Anonymous users and Exchange servers.

    I have enabled verbose logging but I’m not finding anything in the logs?

    We are trying to get our Printer server to email wihen scan selected.

    Any other assistance you can offier would be great?

  57. Ravikiran

    Great, Thank you so much for this post

  58. Floyd Lekoma

    Thanks Paul

    This has worked jus perfect.

  59. Jovin

    Hi Paul,

    We are presently having Exchange 2007 in co-existence with E2013. Mailboxes have been migrated already. I’m planning to migrate smtp relay clients to E2013.Let’s say my E2007 host is and IP is Can I just configure an additional NIC on 2013 mailbox server with,create a similar receive connector and just shutdown ex-hub machine?

    Will SMTP clients automatically authenticate with the additional E2013 connector and relay mails? Is there a specific configuration you can mention here for doing this ? Do I have to put as my EHLO?

    Thanks in advance,

    1. Avatar photo
      Paul Cunningham

      1. Can you just move the IP and shut down the 2007 HT server? No. Or maybe. But the best answer is no. The 2007 HT needs to be properly uninstalled and decommissioned. I recommend using a DNS alias for your SMTP service, eg, so that when it comes time to move all your SMTP devices/apps across to 2013 it is just a DNS change.

      2. Tutorial for setting up a relay connector on 2013 here:

      Read that carefully and note that you may not even need one if the various devices/apps only need to send to internal recipients.

  60. James

    HI Paul,

    I have a HUB and an ETS setup with an edge subscription between them. I have the outbound (to the internet) send connector disabled and i can see mail sitting in my queue as expected (and wanted). My question is, how do I restrict who can send to that relay from the get-go?


      1. James

        Hi Paul,

        Thanks for the reply, but I figured it out 🙂

        I created an SMTP relay in Exchange 2010 that had no IP restrictions but had a restriction on what users could send to it. I achieved this by using Integrated Windows Authentication on the receive connector on the ETS.

        My setup:

        A public IP that NATs to a Load Balanced VIP listening only on port 25 with the Edge Transport Server behind it, also listening only on port 25, using “Integrated Windows Authentication” on the receive connector. For our “test” we actually have the send connector that would send mail out to the internet disabled so we can see the mail pile up in the queue. Once we deploy this to Production, that will be enabled.

  61. David

    Hi Paul.

    I have configured the separate receive connector and apps servers are sending email via this connector. now i want to restrict the apps server to not send email to external domain but should send only to internal users.

    Could you please advice how to achieve this

    Many thaks

    1. Avatar photo
      Paul Cunningham

      Instead of using a relay connector for that you can simply use the default receive connector and tick the anonymous users box.

  62. David Macfarlan

    Hi Paul,

    We would like to utilize this method to send email from via their email relay functionality.

    When sending emails from Salesforce they contain a via “” which gets marked as SPAM in many cases.

    In order to remove the 3rd party Salesforce information we can send the emails using email relaying feature in Salesforce.

    Sales force does not offer SMTP Authentication so we need a way to securely do this.

    Your method here seems like it will work if we can find a server to use.

    Do you know of any hosted Exchange servers or other method to accomplish this?

    Thank you,

  63. AlexQC

    Since I installed the Rollup 4 for Exhange 2010 SP3, the relay is not working anymore.
    Any idea?
    Please help!

    1. Avatar photo
      Paul Cunningham

      I don’t know of anything in RU4 that would break a connector. I think you should turn on protocol logging and do some troubleshooting.

      1. AlexQC

        You may laught (I did) but I installed rollup 5 yesterday and it restarted to work!

    2. Jim Mueller

      We have the same problem, see my unanswered post from 4/24. Our workaround was to add the web farms client NAT IP address as a receive connector on all our HT servers. Protocol logs would seem to indicate that it was broken in our previous build and ‘fixed’ in a subsequent build. We hope that a better solution is found, however, as now anyone sho sends e-mail to the client NAT IP address becomes a trusted sender (see Sam’s post from 4/29).

  64. Sam

    Hi Paul,

    I currently have a client for whom their receive connector is set up just like this to allow MFDs and other servers to relay through Exchange. However, someone has raised the point that this can expose the organisation in that a person or malware with access to one of the servers in the allowed list could use Exchange for spoofing.

    When using a solution such as this to allow internal servers to relay through Exchange, do you know of any way to force the relay to only allow emails sent using only the domains in the Accepted Domains list?

    My argument is that even if if it possible to restrict the from address to, Exchange could still be used for sending spam from so the key is ensuring the application servers, etc are properly secured.

  65. Jim Mueller

    Hi Paul,

    We recently upgraded from Exchange 2010 SP2UR4v2 to SP3UR5. The relaying from our scan-to-email copiers and at least one of our application servers seems to have become intermittent after the upgrade.

    The copiers had previously been configured to relay to, which resolves to a internal client NAT IP address ( associated with a hardware load balancer server farm. If we change the relay address from to, no change. If we change it to one of the IP’s directly on the HT servers, it seems to work reliably.

    I already had protocol logging enabled on one of the HT servers, and I just now enabled it on the other. I can’t see log detail on the copiers, but if I telnet direct to one of the HT servers and create an Unable to Relay situation, I’m not seeing that session in the receive connector protocol log. Do I need to restart a service or wait a period of time for it to recognize the logging change?

    Our Default HT receive connectors have the default wide open IP range for IPv4 & IPv6, and we have a number of additional receive connectors for various internal devices. These additional receive connectors all reference the specific IP(s) for the type of devices. Without seeing the connection being logged I don’t know if it’s picking the correct connector.

    Any other ideas you may have which would help me find the problem? Thank you for your time.

  66. Kyle Bunch

    This worked perfectly and really helped me out. Thanks for posting this info.

  67. Efrain

    I configured the binding as suggested and still nothing.
    However, I got it to work.
    It ended up being a routing issue.
    Thanks for the assistance Paul!

    Keep up the good work!

  68. Efrain

    Hello Paul and thanks for yet another great article!

    I’m having an issue with one of my Windows 2008 R2 FSRM Server.
    I have 2 FSRM servers configured to use a new SMTP relay connector (configured as you suggested on this article).
    One of my files servers works great!

    However the second one isn’t. It’s giving me the : 5.7.1 Client does not have permissions to send as this sender error.
    I already added the IP of this second server to the allowed remote IP networks. This IP is on a different subnet by the way.
    When I telnet (on port 25) to the IP of the mail server connector, and do an EHLO command, it responds with the correct name but defaults to the NLB IP address. From this telnet session I’m able to send only within my organization.

    When I perform the same tests from the working server, it also responds with the name of the mail server connector but with the IP of this File Server (as opposed to the NLB IP). This mails fine from inside and outside the organization which is what we want…

    We have 3 other connectors on our Exchange Servers for other methods of relaying and they have the CAS’s IP addresses in them as well as the same FQDN name as the new connector created.

    Any insight is appreciated!

    1. Avatar photo
      Paul Cunningham

      Where does NLB come into this? Are you using NLB for your Exchange servers to load balance SMTP?

      1. Efrain

        Correct. We’re using NLB to load balance our CAS servers (2 in this scenario).
        However, the SMTP Relay in question is configured only to use CAS1 only. so we’re using that specific CAS’s FQDN.


        1. Avatar photo
          Paul Cunningham

          Check the binding for the receive connector. If it is configured to allow it to bind to any IP address it might be grabbing the NLB IP. You may need to explicitly bind it to the server IP.

  69. Edwin

    I’m having trouble understanding the following:
    2 2010 Edge servers in a DMZ
    2 SharePoint servers in a DMZ that send out emails to customers through the Edge servers via a specific receive connector.
    The mail often gets stuck in the spam filter of the customer because of the name that it has in the header:

    sending email adres

    and here it gets funny: helo= SR-XXXXX.ourcompany.dmz

    Where does the .dmz tld name come from and why doesn’t it say .nl?
    I don’t understand where this comes from, please advise.

    1. Avatar photo
      Paul Cunningham

      In the settings of the Send Connector(s) that the Edge Transports send outbound mail with you can set the FQDN that they will use in their SMTP connections with other servers.

  70. Mike Rochford

    Paul, we’re having an issue with SMTP relay after setting up a relay connector, but can’t figure out if it’s related. The crux of the issue is that a relayed message which includes multiple recipients fails for all recipients if one internal address is invalid. Previously, the message was delivered to the valid recipients with a NDR for the failures. Is there a setting which controls this that might have been changed as we did our work?

    1. Avatar photo
      Paul Cunningham

      Turn on protocol logging and look at the logs for those connection attempts. In the past I’ve seen cases where the sending system/application itself was terminating the SMTP connection without sending the email after too many invalid recipient addresses were attempted.

  71. Dammy

    Thanks so much. you made my day…

  72. Aneei

    Hi, Thanks paul for this great details. This is really helpful.
    I have one query that if any script send mail on port 25 to internal users. the connector will not stop them. how can we restrict those user also to not to run any script to even can’t send any mail to internal users?

    Thanks in advanced.

    1. Avatar photo
      Paul Cunningham

      If you don’t want them connecting to port 25 you could firewall those client subnets so they can’t get through on that port.

      Or just restrict the distribution lists you’re worried about so that only some people can send to them.

  73. Shaptoni

    Hi Paul
    You are right that if we remove the Exchange Servers mail flows normally.
    However, we need to add them in order to send the Powershell reports, and AV reports etc.
    Without them we see 5.7.1 errors
    Do you know another way?

    1. Avatar photo
      Paul Cunningham

      A relay connector isn’t required if you’re only sending the mail reports to internal recipients. All that would be required is the default receive connector with anonymous users enabled.

      Or if you wanted to use a relay connector still, consider binding the relay connector to an additional IP address on the server, one that is not registered in DNS, and then use a DNS alias to reference it.

  74. shaptoni

    In our Exchange 2007 environment this solution worked. Once we introduced 2013 and added 2013 servers mail stops flowing with:
    4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    So I think we now need to select Exchange Server authentication as well

    1. Avatar photo
      Paul Cunningham

      Check that the remote IP ranges on the connector do not include the IP of any Exchange servers.

  75. Luke Brynycz

    Thanks a LOT for this. Just a heads up, if you still can’t get it working guys, make sure you only enable Exchange Servers in the auth box. If you tick them all, it still doesn’t work for some reason!

  76. Joe

    I have two types of MFDs one works with NTLMv2 authentication the other doesn’t work because it doesn’t support it. I was thinking I could setup another receive connector and lesson the authentication and add the IP addresses of the MFPs to that connector but we don’t want it to be able to relay outside the domain just local email. How would I do this ?


  77. Bisi

    Hi EK,

    I am sending to user not Distribution list/Group. It is a user mailbox

    I thought once you test with telnet and the mail delivers, it automatically works with SharePoint workflow.

    So I am confused where the issue is coming from, is it Exchange 2010 or SharePoint? All my settings/configuration has been checked and reviewed times without number but still the mail that the workflow is supposed to trigger is not dropping.

    So I need help on how to troubleshoot properly where the problem is coming from. It is now strange to me that telneting drops email but it still will not work in sharepoint workflow.



    1. EK

      Hi Bisi,

      Is the sender a valid user mailbox or a dummy email address only? If it is valid user mailbox, you need to include user authentication in your sharepoint workflow. If the sender address is a dummy account, you need to add your sharepoint server IP address in Exchange Receive Connector.

      In SharePoint, we encounter issue group email fail to receive email sent from Sharepoint. After few hours of troubleshooting, found out it was actually due to the Group Type in AD. We changed from Distribution to Security and got the issue resolved.

      Hope you can resolve your issue as well.

  78. Bisi

    Hi Paul,

    I configured SharePoint server as SMTP to relay message to Exchange 2010 so that my workflow in SharePoint can send mail to users.

    When I tested the mail delivery on SharePoint server through telnet, the mail delivered.

    However, when I run the normal process in SharePoint, it did not return any email.

    This is really disturbing.

    Any help will be appreciated.



    1. EK

      Hi Bisi,

      Please check whether you send an email to individual user or a group of users (DL). If you are send to a group of users, you need to set the Group type in AD from Distribution group to Security Group. Sharepoint only support Security group and not Distribution group. Give a try

  79. francisco

    Paul, Thank you very much for your input, this has been a great help for me.

  80. Ahmed

    Hi Paul,

    I am having exchange 2010 SP3 and I have configured the receive connector relay as well as give permission to relay outside but still I am getting the same error even if I enabled anonymous.

    any clue

    1. Avatar photo
      Paul Cunningham

      Turn on protocol logging on the connectors. Then review the protocol logs to see which connector is actually handling the connections you’re interested in. If the wrong connector is handling the connections then you’ll likely need to review the IP addresses in the remote network settings of the connectors.

  81. Andrew Moss


    This post was helpful with a situation we experience this morning. A client was using a third party tool, TELNETTing to port 25 of our corporate server ,and trying to send an email to an outside recipient. He received a 5.7.1 unable to relay error. We asked him to try sending to someone local in our org, and he was successful sending with no errors. I typed the 5.7.1 error into Google and your site showed up with the correct answer on how to configure for relaying.

    Thanks for the solution. I am a subscriber in any event of your newsletters.


  82. John Clemmons

    Hi Paul, I want to know I could do something similar with SBS 2003? Customer has an off site fax machine that can convert a received fax to PDF and then email the PDF. Problem is the fax machine does not have the ability to use a port other than 25 and cannot do SSL.

  83. Mahipati Desai

    Hi Paul, thanks for the excellent article. Really appreciate the great work 🙂

    I’ve a scenario wherein, there are more than 50+ applications that were using standard port 25 w/o any authentication and we used to use individual application names as the From Alias for auto-mailing. However with exchange 2010 and the new security concerns, we would like to achieve the following: Can you pl help me with the required configuration that we need to do? Thanks in advance.

    1. Across all 50+ applications we’d like to use one single ID for auth.
    2. However each of the application will need to use its own Alias Name and Alias Email ID (this email ID need not be physically present on my exchange server) as the outbound servers are informational only. No inbound mails are expected.
    3. We’d like to use port 587 instead of standard 25 – but the catch here is that exchange expects the auth ID to be used for sending out the mal and the mail output carries the Auth ID instead of application name (alias id).

    Pl let me know if there are any ways and means to achieve the end result. Thanks in advance.


  84. David

    Great Article! I have an Windows SBS 2011 server running Exchange 2010. I am running a backup program locally on the SBS 2011 server that needs to send email notifications both internally and externally. What is your recommendation on how to accomplish? Do I modify the main server Relay Connector or create a new Receive Connector using the procedure described above? My concern is modifying the existing connector by enabling Anonymous access may lead to Relay abuse however, I am also unsure if creating a new Receive Connector on the main Exchange server using the IP may also have unintended consequences. Please advise and let me know what your approach would be in this situation. Thank you in advance.

  85. Scott Granado

    no no no… just because this works, its not the right way to do it… Please see:

    Make the change in the Exchange Shell to allow relay for anon user:
    Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

    1. Avatar photo
      Paul Cunningham

      That article presents two solutions, either of which will work, and both of which are correct ways to do it.

  86. Charles

    Hi Paul

    Followed your article, great work!

    In my environment, both the default receiver and custom relay connector has Anonymous user ticked, and email is working fine. As soon as I un-tick Anonymous user in the default receiver, incoming external email stopped with the error – 530 Validating Sender: 5.7.1 Client was not authenticated

    I must be missing something here. I thought since all external email go through our email appliance, and the appliance is added to the remote network setting, email should still come through the relay connector.

    The reason to un-tick Anonymous user is due to remote user connect to our Exchange Server and spam us.

    Any suggestions please?

    1. Avatar photo
      Paul Cunningham

      Whichever receive connector is processing the emails coming from your email appliance will need Anonymous ticked.

  87. Brad

    I followed your article to get this relay setup for a FSRM we have setup but I still keep getting these errors in the event log and no emails flowing:

    A File Server Resource Manager Service email action could not be run.

    Running email action.
    Quota threshold reached.
    Processing File Server Resource Manager event

    Action type: Email Action
    Mail-from address: left blank to protect the innocent
    Mail-reply-to address: left blank to protect the innocent
    Mail-to address: left blank to protect the innocent
    Mail-CC address:
    Mail-BCC address:
    Mail subject: 90% quota threshold exceeded
    Mail message text: email message I wont bore you with.

    Thank you.
    Quota path: D:
    Threshold percent: 90

    Error-specific details:
    Error: IMessage::Send – cdoAnonymous, 0x8004020f, The server rejected one or more recipient addresses. The server response was: 550 5.7.1 Unable to relay

    Error: IMessage::Send – cdoNTLM, 0x80040211, The message could not be sent to the SMTP server. The transport error code was 0x800ccc13. The server response was not available

    Any suggestions?

    1. Brad

      Never mind. Turns out, when M$ says to separate email addresses with a “;” they actually mean “; ” (note the space). :-/

  88. Bhupi

    Hi Paul I just want to say thanks for this informative article, i am struggling to configure mobile devices of the user’s and they can’t able to send any emails from their iphone’s, just configured another receive connector as per as your instructions and voila all good 🙂

    Thanks heaps

    1. Avatar photo
      Paul Cunningham

      iPhone users shouldn’t need a relay connector set up if they are using ActiveSync.

      If your iPhone users are using SMTP to send email, and they are doing so from outside of the corporate firewall, I suspect you may have set up an open relay which is going to cause you some serious problems.

      If you’re not sure what I mean about ActiveSync here is some reading to start with:

  89. Christopher Hughes

    Hello Mr. Cunningham,

    Our Exchange 2010 server has been up and running for a while now, in huge part to this article and your help, but one thing we have not been able to do as of current is get rid of the old Exchange 2003. I tried to uninstall Exchange 2003, but it didn’t work completely. What I saw, it looked like it did a partial uninstall. I have tried using the disc uninstall tool to do this. The disc we have is 2003 SP2. I’ve read in other forums/websites you need the original non Service Pack 2003 disc to uninstall successfully, but we do not have it anymore and I cannot find it on the web to download. Is there another way to uninstall Exchange 2003 or to get the original 2003 disc?

    Some extra information:
    We have had the server with Exchange 2003 shut down for a few weeks to see what would happen. Overall, most things are working correctly, but on occasion something seems to go wrong. One thing I’ve noticed is that we seem to be having issues when trying to create users through Exchange 2010, while this server is down. I am not sure if that has something to do with not fully uninstalling Exchange 2003 though.

    Thanks for all your help,

    Christopher Hughes

    1. Avatar photo
      Paul Cunningham

      This is not really related to the topic of this article. But in short, yes you need to cleanly uninstall the legacy Exchange servers or you will face all kinds of little problems in future, and yes that requires the media or files to be available. If you can’t find your own copy I suggest you start asking around your network of friends and colleagues, someone is bound to have a copy somewhere.

      1. Christopher Hughes

        I’m sorry I put it in the wrong topic. Unfortunately I’ve checked with everyone and no one has it. I appreciate the info.


  90. ryan max


    Does relaying cause email headers to contain the “on behalf of” text?
    if so how can this be avoided?

    some information about my current situation. We have an IBM iSeries machine sending SMTP traffic to our exchange server. the exchange server then sends this to the recipient.
    however the recipient can see the “on behalf of” string in the header.
    also when sending emails to external accounts the email-name is split up like this: “someone@ (”

    how can i correct this?

    Kind regards

  91. Juan

    Excelente documento, me ayudo a aclarar mis dudas sobre este tema.


  92. Koay

    Good job Paul,

    Quality article with details explanation!

  93. Steve


    Thanks for this article, exactly what i needed to combat some very lazy and multi-faceted programming on a few of our application servers.

    One question, the being a fully open relay, I assume (as we haven’t gone live with this yet) that there is no requirement to add the ADPermission for NT AuthorityAnonymous Logon – accept-any-recipient extended right, as per an Anonymous Relay?



  94. Misha Verhoeven

    Hey Paul,

    On our Exchange 2010 servers we have 2 nic’s configured, one for the client network and one for the replication network (DAG).

    On our NIC for the client network we have 3 IP addresses.configured : 1 for the clients 2 for different connectors.

    All 3 IP’s are registered in DNS.
    Must we use skipassource=true for the 2 additional ip addresses to prevent DNS registration of those addresses??


      1. Misha Verhoeven

        Thanks for the quick response Paul.

        Regards Misha

  95. Step

    Hey Paul,

    This may have been answered previously, but I was hoping you could clarify. I have a backup solution running on the two Mailbox Servers in my 2010 DAG. At the end of the Backup it tries to send a notification email but is currently failing (authentication required). I have seen issues in the past when custom receive connectors contain the IPs of the Exchange Servers. I have already created a Receive connector as you have described to allow other application servers to relay mail. However, I just want to clarify that it will be OK to add the two DAG members IPs to the Remote IP Ranges of the Relay connector you describe? i.e. It would still allow it to route normail client email?


    1. Avatar photo
      Paul Cunningham

      Not sure. You don’t have another Hub Transport that isn’t also a DAG member? Or maybe send it via a load balancer?

      1. Step

        Hi Paul, thanks for the reply. Our DAG members only have the Mailbox Server role installed. We have two HTs on seperate servers. However, I thought it may cause issues adding the Mailbox servers to the Custom Receive Connector? But you’re saying that this should be OK?

        Thanks again,


        1. Avatar photo
          Paul Cunningham

          That should be fine. The problems mainly arise with adding other Hub Transport IP’s to a custom connector.

          I think you’ll be fine but of course you should keep an eye on it after making the change just in case something else causes a problem.

        2. Step

          Awesome! Thanks Paul. I’ll give it a shot and keep an eye on things.

  96. Andrew Ho

    Thanks for reply, Paul,

    After searching several sites what I mean is “ms-exch-smtp-accept-authoritative-domain-sender”, To prevent anonymous senders from sending mail using my own domain in MAIL FROM, we need to remove the ms-exch-smtp-accept-authoritative-domain-senderpermission assigned to them.

    I apply it in recieve connector on Edger server:

    Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITYAnonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

    Do you have any topic to solve this problem? I heard that we can apply SPF record on public DNS to let Edge server check this, but how about internal user, can we apply SPF for internal DNS or just use the command above?

    Thanks you again

    1. Christopher Hughes

      Good morning,

      I actually have this issue too. Did you ever figure it out? If so, can you tell me what you did? Or send me a link to whatever helped you out. I did try running the command you have above, but it didn’t seem to work for me. Gave an error about pipes not being allowed to be used with that command. (I tried running it with “My Internet ReceiveConnector” and the actual name of our Receive Connector) I appreciate it.


  97. Andrew Ho

    HI Paul,

    Thanks for this topic. But in my scenario is not the same like yours. But I can’t search in any where.
    I have Edge Server is internet facing, user can’t relay mail to external domain by default. But the internal user can use Edge server to relay internal domain we have( like they can send email to that domain for spam. How can I config on Receive Connector to restrict the internal anonimous smtp access? Because if I disable Anonymous option on Default receive connector on Edge server, I can’t receive emails that sent from internet

    Thanks you.

    1. Avatar photo
      Paul Cunningham

      I don’t understand your scenario. Why are your users trying to relay mail directly through the Edge Transport server?

      The Edge Transport server should be set up with an Edge Subscription.

  98. mark


    our everyday internet connection has gone down

    we have a separate server connected to a different connection using hmailer that i send mailshots from as not to clog the line

    would i be able to set this up for this purpose, our IT providers are arguing between themselves as whats best

  99. Trevor

    Thanks, done the trick

  100. sunil

    Thanks for your update Paul.

  101. sunil

    Is there any limitation with No.of Non Exchange server IP address can be added in single Non-Auth SMTP relay connector (Exchange 2010).

  102. Doug

    Thanks! Worked perfectly. So many of these articles are near impossible to follow. This was simple. Thanks for taking the time. Its people like you that make Microsoft bearable.

  103. Jeremy Martin

    Hi Paul,

    I came across your article here and am wondering if you could help

    I’m having an issue properly configuring my receive connector in Exchange 2010.

    This weekend I changed our spam filtering service to McAfee SaaS Email Protection & Continuity, but they are not allowing me to use the outgoing service because they detect an open relay on my exchange server.

    As far as my firewall is concerned, everything is good. I have a Sonicwall NSA 240 and have the WAN > LAN incoming SMTP locked down to only the MxLogic IP addresses. I’ve confirmed this by doing about 3 open relay tests from websites which fail because they can’t access port 25.

    The problem is that because MxLogic has access to port 25 when they do a relay test it succeeds.

    All I really need to do is ensure that MxLogic can connect successfully but that no relaying is allowed.

    Any assistance would be greatly appreciated 🙂

    1. Jeremy Martin

      Never mind. I actually found a couple snippets of command shell that helped me resolve the issue. Thanks.

  104. Sunit Kumar


    i am facing problem to send the mail only one particular domain. my mail stuck in Queue with the message 451 4.4.0 primary target ip address responded with “554 transaction failed” i don’t know what is the reason that mail is getting failure on this domain.


    1. Lucas Librandi

      Hello Sunit. Have you checked the logs on the server? Either on your Hub or Edge server,, it is usually here:
      C:Program FilesMicrosoftExchange ServerV14TransportRolesLogsProtocolLogSmtpSend
      This is usually related to DNS problems on your end. One workaround is to hard-code the IP address of the MX record for the domain being stuck in the hosts file on your sending server. Permanent solution is to have your DNS settings correctly configured.

  105. Christopher Hughes

    Got it fixed. Everything seems to be working now. Thanks for all your help.

    P.S. For anyone who reads this later, the expected 220, actual 500 error was fixed by altering the authentication settings for the internet receive connector in exchange 2010. If you have this issue, try adding them until you get the one that fixes it for you.

    1. Avatar photo
      Paul Cunningham

      Yes, the internet-facing receive connector (which is just the default receive connector for a lot of people) needs to have Anonymous Users ticked.

  106. Christopher Hughes

    Hello Mr. Cunningham,

    I swapped our exchange 2003 server to a new server running exchange 2010. Everything is working fine right now, but I have to keep the exchange 2003 server running for this to be the case. If I shut the 2003 server down or stop the SMTP service on it, then anyone getting mail from the exchange 2010 server will not receive mail from outside the domain, such as from Yahoo, Google, or Hotmail. I have done countless hours/days of research trying to figure out what’s wrong and have been unable to find a solution that has worked. The Exchange 2010 server is currently setup with 3 receive connectors. The first connector has all IPv6 and IPv4 and all IP addresses on Network, authen for TLS, Basic, and Integrated, and perm group for Exchange Users. The second connector has All IPv6 and IPv4 with all IP addresses, authen for TLS, Basic, Offer Basic, and Integrated, and perm group for Anon, Exchange users and servers, and Legacy. The third connector has all IPv4 with all IP addresses, authen TLS, and perm anon. To verify, SMTP is setup on the exchange 2010 server. Do you have any ideas how to get our system working with just the exchange 2010 server running/shutting down the exchange 2003 server? Please get back to me as soon as you’re able to.

    Overall issue: Can’t receive email from outside domain unless old server SMTP service is running.

    Thanks for any help you can provide.

    Have a nice day,

    1. Avatar photo
      Paul Cunningham

      Incoming email connections hit your firewall on TCP port 25, and your firewall determines where that IP and port are NATed to. My assumption, based on your problem description, is that you haven’t changed your firewall rule to NAT the incoming TCP 25 connections to the Exchange 2010 server.

      Outgoing email from Exchange 2010 depends on a Send Connector. By the sounds of it you have not created a Send Connector to route outbound email from Exchange 2010, therefore it takes the only available route which is via the Exchange 2003 server.

      I will also mention that when you fix those problems and decide to decom your Exchange 2003 server, don’t just shut it down, you have to actually uninstall it properly or you’ll have problems in future with your Exchange org.

      1. Christopher Hughes

        Thank you for the information Mr. Cunningham.

        I checked just now and TCP port 25 is being NATed/allowed into our Exchange 2010 server. Currently it seems to be setup to allow and direct things to both the Exchange 2003 and Exchange 2010 server. Would being setup in this way cause an issue?

        I’m sorry if I misworded this earlier, but outgoing e-mail is working as intended/correctly. The only issue is with incoming e-mail when the exchange 2003 server’s SMTP isn’t working. Thank you for the extra information though. I appreciate your time and help. If there is anything else you can think of that might fix this issue, please let me know.

        I was not aware that Exchange 2003 needed to be uninstalled. We were planning to just shut the server down when we were done. Thanks for mentioning this extra tip.

        1. Avatar photo
          Paul Cunningham

          You’re saying that your firewall is NATing the same IP address on port 25 to two different internal hosts? I wouldn’t expect that to work.

        2. Christopher Hughes

          Sorry about that. I checked with my boss to make sure. I misunderstood him the first time. He said port 25 is only being NATed to one IP address/our Exchange 2010 server’s external IP address.

        3. Avatar photo
          Paul Cunningham

          Doesn’t make sense that taking down Ex2003 would impact inbound email flow then.

          I’d suggest double checking that your MX record points to the correct external address. Also go to and run the inbound email test. When the test emails arrive take the headers from them and use the header analyzer at to see which server the emails actually came in through.

        4. Christopher Hughes

          Thanks a ton. Having me do that check has shown us some very interesting information. We have several different emails and it seems some have the MX record/DNS setup correctly, but others do not. On the one that passed we got a warning with out Exchange 2010 server. I will paste the warning below. If you know what it means, please let me know.

          “Analyzing SMTP Capabilities for server
          The test passed with some warnings encountered. Please expand the additional details.

          Additional Details
          Unabled to determine SMTP capabilities. Reason: Unexpected SMTP server response. Expected: 220, actual: 500, whole response: 500 5.3.3 Unrecognized command ”

          I appreciate everything you’re doing to help me with this.

        5. Avatar photo
          Paul Cunningham

          Do you use Trend Micro’s cloud email security service? If so then I’d say that is theirs.

        6. Christopher Hughes

          I don’t believe we do. As for Trend4, it’s one of our servers. The expected 220, actual 500 part is what I don’t know/understand. Though, it doesn’t seem to stop e-mail from coming in/going out.

  107. Consultant

    Hi Paul,

    I am not able to add single ip address in relay connector. If I add single ip address for e.g. it takes full ip range Please tell me what is the issue.


      1. Consultant

        Thanks Paul

  108. Nick

    Thank a million!

    Been struggling to get my CRM Exchange settings fixed for hours. These two screenshots did the trick!

  109. Alex Robinson

    Hello Paul,

    I was going over our server settings and our receive connector’s permissions are set to allow anonymous users? We were getting ndr’s in our messages queue lately. Could this be the reason? Should I uncheck that?

    Thanks in advance,

    1. Avatar photo
      Paul Cunningham

      If you’re using a Hub Transport as the internet-facing server for receiving inbound email, then it needs that anonymous users box ticked.

      It depends on the NDRs you’re seeing. If a spammer sends an email to your network with a spoofed From address, and your server tries to send back an NDR but can’t because the domain or email address doesn’t exist, then that NDR will sit in your queue for a while until it expires. The best way to combat that would be better spam/connection filtering.

      Eg here is how to setup Spamhaus for an Exchange 2010 transport server (instructions are for Edge Transport but same steps apply to Hub Transport if you first install the anti-spam agents on the Hub Transport)

      1. Alex Robinson

        Thanks for the info. I set this up on our servers this morning. Could I still implement this even though we use Postini as a smarthost?

        Thanks again,

  110. Paul Lemonidis

    Hi Paul

    Many thanks. This clearly works but I have on question. what happens if you have a mix of authenticated and non-authenticaed servers that need to relay. Will I need to setup multiple connectors based on the IP addresses? I had a server that autheictad using basic authentication. Changing to thse settings broke that but the thing is that turning off the authentication on the server does not stop the error.

    Many thanks in advance.


    Paul L

    1. Avatar photo
      Paul Cunningham

      This article describes how to set up an unauthenticated relay connector.

      If you have servers/apps that can do basic auth then you can try configuring them to use the Client Receive Connector (runs on a different port) or configure a dedicated receive connector for basic auth (I’ve had to do this for customers in the past).

  111. Chris Daykin


    I keep getting the error 421 4.3.2 Service not available when i run Test-SMTPconnector against my relay connector, but it appears to be relaying messages fine. What could be wrong?

  112. Katherine Bargas

    Hi Paul, I can’t find any information on a powershell script that can be used to remove a bunch of IP address from multiple receive connectors. Instead of having to do it manually via the EMC.

  113. Pascal

    Hi Paul,

    Try to verify your domain username password is correct. Also may be right to check the log files for this particular application for more information.

  114. Tony Bouttell

    Another solid article dude.
    You are fast becoming my go-to-site for all things Exchange.


  115. I have been searching for a couple of days for this, thank you so much.

    We have a new linux server providing database and other services for a new enterprise resource app and it needs to email from within our enterprise. Exchange 2010 (on sbs server 2011) did not allow it. I have been searching authentication and so on from a pretty much standing start. I had got as far as needing a recieve connector but no mix of settings worked, but these did.

    Thank you again,

    1. flyboy60

      It still not working for me. Protocol logging turned on. this started out as a decommission of old 2003 exchange server. we migrated to 2010 exchange. Disable all exchange services on 2003 exch server and changed port forwards in cisco router. Mail flowing great except for this one application that cannot relay no matter what I try.
      Protocol logging shows that i am hitting the right receive connector but destination is show!!!
      i have tried everything list here, anymore ideas or suggestions.

      1. Avatar photo
        Paul Cunningham

        Is the application running on the Exchange server itself? If so then may need to be added to the remote IP range on the relay connector.

  116. Jim M.

    Hi Paul,

    We used this article to get our random SMTP-enabled devices routing mail to external recipients just fine in the past. Now we need to do it with our Toshiba copiers and it’s not working. I have a pair of hub servers in a hardware load balanced array, and each has a receive connector which includes the IP’s of the copiers, verbose protocol logging, using only the Exchange servers permission and only the Externally Secured authentication. The copier only tells us ‘mailbox unavailable’ in it’s log.

    I’m not even finding the transaction in any of the Exchange logs even though when I test using an internal e-mail address the logs show all the events just fine. I also tried adding the anonymous permission group but no change.

    Any suggestions would be appreciated!


    1. Avatar photo
      Paul Cunningham

      “Mailbox unavailable”… you sure the devices aren’t trying to logon to mailboxes instead of just using SMTP?

      1. Jim M.

        Figured it out. We use hardware load balancers for the hub & cas arrays. Thus the IP was the client IP of the farm and not the actual IP of the copier. After adding the correct IP’s and reverting to the original connector settings, it tests fine.As always, thanks for your followup, Paul!

  117. Denis


    I have followed all of your instructions to the best of my ability and am still getting a “550 5.7.1 Unable to relay” message back when performing a telnet test with the “rcpt to:” line. Are there any other settings I can verify or permissions that are not in the GUI to help troubleshoot this issue?

    Thank you,

    – Denis

  118. Twan van Eijk

    Two days search in Exchange, and this is the solution.
    Thanks a lot Paul

  119. Jason Hauck

    Thanks for the article.

    Our internal org (2 HUB/CASs and 4 MBX servers) do not talk directly to the internet and they get their mail from Cisco IronPorts on the perimeter.

    Would we still be better creating new interfaces and new receive connectors or modifying the default ones already there?

    Thanks –

    1. Avatar photo
      Paul Cunningham

      Depends what mail you’re talking about. If its the incoming internet email (ie from external senders) then just modifying the default receive connectors to permit Anonymous Users would be fine.

      If you wanted to be more precise about it you could create a dedicated receive connector secured to just the IP address(es) of the Ironports and allow Anon Users on that one.

      1. Jason Hauck

        I should have been more clear. We only want to allow anonymous relay for inside systems like app servers, scanners, etc.
        Our plan right now is to give each Hub an extra NIC and IP and create new listeners per this article – I just don’t know if that is the way to go or if we should just modify the default ones since we’re not directly internet-facing.

        Thanks –

        1. Avatar photo
          Paul Cunningham

          Gotcha. Yes still do it the way this article suggests. Don’t modify the default one as internal Hub -> Hub traffic depends on it.

        2. Jason Hauck

          Thanks Paul.

        3. Greg H.

          We have the same scenerio as Jason. We simply enabled Anonomous on the default connector and specified the IronPort IP addresses to be able to connect. Seems to be working fine for us. For mail relayed out from internal apps we setup the additional connector as described in the article. No additional NIC or IP required here. Thanks for a great article!

  120. Dave Altree


    We needed a relay solution to mailshot ‘customers’ from mixed IP machines. We achieved this using the article above, but also using an open relay server (vm running xp and a ‘free’ LAN602 suite pop3 app). This allows our LAN clients to use their application to send messages through our exchange easily.


  121. Tim

    Hi Paul,
    Many thanks for your article it was very clear and concise. I have a situation where an Excel Macro is supposed to be emailing out to a bunch of external addresses. This excel application is used by a bunch of people not just located on one server or IP. I’m not a developer just an admin but from what I can see from the Macro code the excel application is trying to use the CDO commands to do this and can provide either basic or NTLM authentication from I have researched. Neither seem to work on the default receive connector. All credentials specified in the macro are correct and valid.
    Any ideas how I would go about finding out what information is being passed to the receive connector? I assume if it the exchange server gets sent a correct username and password from the macro then it should allow the mail out? I have enabled verbose logging on the connector and it seems to just shows the unable to relay but not why, e.g. wrong username or password.
    Any ideas?

    1. Avatar photo
      Paul Cunningham

      In the situation where you have an authenticated connection coming from multiple unpredictable IPs you have to create a separate Receive Connector, on its own dedicated IP address, and set the Authentication settings to Basic/Integrated (depending on which you want) instead of using the “externally secured” option.

      The remote network settings need to specify an IP range that will encompass the PC’s that will be sending the emails (us DHCP reservations for the PC’s if you want to narrow that down).

      You’ll also need to make sure the dedicated IP address for this connector is *not* registered in DNS for that server name, and that the Default Receive Connector (and an others) are reconfigured to use the server’s primary IP address instead of use any address, to prevent the connectors getting mixed up and not selecting the right one to handle the authenticated connection.

      Also be aware as you’re setting this up and tweaking/testing it can take several minutes for each change to kick in so give yourself a decent window of time (preferably out of hours) to implement and test it and be patient.

  122. Muhammad Usama

    Hi Paul,

    How are you? When I remove anonymous check from the receive connector to stop the open relay then I am unable to receive emails from hotmail, yahoo or any external domains. I just want to close an open relay but also want to receive emails from external domains to my managed domains. Kindly suggest. Thanks.

    1. Avatar photo
      Paul Cunningham

      To receive email from external sources such as Hotmail and Yahoo on a Hub Transport server you need to have that Anonymous tickbox ticked.

      Are you saying that your server was an open relay? How had you tested that?

  123. Ed Mead

    I’m running a store selling arts and crafts created by prisoners on a SBS 2011 machine located in my home. The store’s software is Zen Cart 1.5 and it sends SMTP notifications to buyers. Problem is, it only sends mail internally. I get the error message ” SMTP Error: The following recipients failed:” I followed your great article on creating a new receive connector, and when it did not work I lessened the security levels, which also failed. The Exchange Server and Zen Cart are on the same machine so they share the same NAT IP address (the public IP address is stored at the router). Any ideas?

    1. Avatar photo
      Paul Cunningham

      An application running on the server itself will be connecting to the Receive Connector *from* either the server’s IP (not the public IP, its real IP) or the loopback address ( I’ve seen apps behave both ways so you may need to test both scenarios.

      1. Ed Mead

        That fixed it. Thanks for getting back to me on this. Above and beyond.

  124. Russell

    Nice Article and very helpful
    thank you The Author! =)

  125. Lucas

    Hi, Paul. I need to configure Exchange to accept email from our currently running mail server (Linux box, i will use as the domain we are using), the idea is to have Linux accept mail from outside our organization and then route it to the Exchange mailboxes I will create. I have been testing with one account, but emails are not making it. I did add an “Accepted domain” for my . I created a receive connector for the Linux server, but I am not sure if I configured it right. I followed your instructions but it is not working. Any input for my setup?
    I appreciate your help

    1. Avatar photo
      Paul Cunningham

      Step 1 is doing the Accepted Domain, so that’s good.

      Step 2 is configuring a connector. In your case a relay connector is probably not the right one. What I recommend instead is creating a connector with the all the same settings as your Default Receive Connector, except specifiy the Linux box IP as the only remote IP address, and also tick Anonymous Users on the permission tab.

      That should do the trick, but let me know if it does not.

      1. Lucas

        Thanks for the tip Paul, checking the annonymous users box did the job.

  126. Muhammad Hasan

    Your help me to get my job done under huge pressure. thanks alot. May God Bless u for all your help.

  127. Iman

    Hi Paul,

    I have unticked Offer Basic Authentication below Basic Authentication checkbox and a third party email marketing tool can successfully login using its connectivity test, however upon testing sending email from it, email never came through either to my company’s address or internal address. Would you advise where I should start looking at.


    1. Avatar photo
      Paul Cunningham

      I suggest turning on Protocol Logging on each of your Receive Connectors, then look in the protocol logs which should show the connections being made by your third party tool and the resulting success/error codes.

  128. Evan

    Hi Paul (and others),
    Dumb question: when configuring the “remote sending device” (in my case its an in-house Linux server that emails our customer bills), should the SMTP settings for the billing system be configured with Exchange/AD username & password? I followed this great post and seem to still be having issues not being able to send from our SBS2011 Exchange 2010 box. The two servers are on the same LAN. THANKS!!

    1. Evan

      I should also note that that the bills get sent two an internal Domain user as well as external client emails (if that adds any complexity).

  129. Jamon Mason

    Hi Paul,

    We have an app that is running on an SBS 2011 server and we are trying to setup our system similar to what Robert Anderton did where the app can send emails to external recipients. I have setup the new connector according to the settings and I also did the following:

    “Ok so if you create a relay connector and set it so just the IP of the server can use it then you should be fine.”

    At this time we are still are not able to send from that app. In the Local IP address should that be the IP address of the server or leaving it at All Available IPv4 (only one IP address assigned to the NIC) and should the remote server only have the ip address of the server. Any help would be greatly appreciated!! Keep up the good work!!


  130. Javi Somo

    Hi Paul

    Great article.
    My send connector works without problems sending emails to an external server for certain domain using TLS. But I only can get it working when sending through exchange.
    If i try using telnet or vbscript (CDO.message) connecting to the CAS server it doesnt work.

    I’ve seen the following in the send connector logs…
    When doing through Outlook, the CAS connects to the external server sending this mail from line:
    MAIL FROM: SIZE=4147
    250 Sender OK

    Using telnet or vbscript:
    501 Usage: MAIL FROM: [SIZE=message_size],

    ¿Any idea to avoid the AUTH=?


    1. Javi Somo

      I mean But I only can get it working when sending through OUTLOOK

  131. Mac

    Thank you soo much it was really helpfull.. Thanks A LOTTTTT

  132. Chris

    Paul or anyone else.
    Is there a way for me to make Exchange 2010 work like 2003 is working in this sense:
    2003 destination: Telnet Exch2003Server 25
    mail from: Paul <<< at this point it adds the valid and accepts the mail
    2010 destination: Telenet Exch2010Server 25
    mail from: Paul <<< It fails with a 501 5.1.7. Invalid address error

    1. Avatar photo
      Paul Cunningham

      Why not just supply a valid address? Do you have a specific need for it to work the other way?

  133. vadim

    Ok, makes sense. Though its not a very pretty picture if one needs to build several receive connectors. Definitely not as smooth as it was in 2003 version. Which can be said though about 2010 as a whole (with exception of DAG). I wonder if there are restrictions to at least assign multiple IPs to the same NIC instead of sticking multiple NICs into every HUB server.

    And thanks for informative and prompt responses. That helps.

  134. Janis

    Thanks. You saved me. This article helped me to set up mail routing from linux box.

  135. vadim

    Two quick questions – in the example above is it necessary to check ‘Exchange Servers’ under Permissions Group for connector used to relay from, say, scanners? They are not Exchange servers..

    Also, how would Exchange figure out which connector to use when, say, default connector and new ‘Relay’ connector are using the same local IP to receive? Or is it necessary to add additional IP on Nic for each new receive connector? Wont the shared IP screw up the whole receiving process?

    1. Avatar photo
      Paul Cunningham

      Yes. The “Exchange Servers” permission is what allows the IP addresses you specify in the remote IP range to relay email to recipients outside of the organization. So instead of thinking of them as “Exchange Servers” think of it as a group of permissions that allows another host to do certain things.

      Sharing IP’s works but is not best practice. It works because the receive connectors that share an IP work out which one should handle the incoming connection based on a “most specific match wins” approach – eg a connector with the exact IP of the connecting server will handle the request instead of one that only matches the IP by a broader range of IPs.

      You can run into problems if you start allowing entire IP subnets and they overlap with the IP addresses for Exchange servers within the org. If possible use a dedicated network interface with its own IP that is *not* registered in DNS for the relay connector.

      1. Woter

        Hi Paul,
        Thanks for the article. You say “Sharing IP’s works but is not best pratice”. Is this not what your steps are using as you “share” the same Remote Network Settings on both connectors.!!

        The connector works using Telnet SMTP tests (helo) and intermitant when the appliance tries to send external emails. We have two CAS servers and have identicle settings so the intermitancy is not caused by that.



        1. Avatar photo
          Paul Cunningham

          You can share the listening/local IP address and it will work, but you need to be careful not to cause unexpected behaviours by misconfiguring the remote IP settings (eg accidentally adding the same remote IP to two connectors, or specifying IP ranges that overlap or cause issues with Exchange Hub -> Hub traffic).

          Using dedicated IPs basically avoids a variety of potential problems.

          In your case if you’re getting intermittent results I recommend you turn on protocol logging on the receive connectors on that server, and then analyse the logs to see whether the correct receive connector is handling the incoming connections from that appliance. The protocol logs would also reveal another other SMTP “conversation” errors that may be occurring.

  136. Kevin

    Thanks for this, although I am unable to get Exchange to relay in my particular situation. Basically, I’ve got an application on a machine that simply can’t relay through the Exchange box. The only difference that I can see is that the problematic server is on a separate subnet, and it also isn’t in the AD domain of the Exchange box. I don’t see why that matters but it seems to as I can relay from other servers that are on the same subnet and domain as Exchange. Any ideas?

    1. Avatar photo
      Paul Cunningham

      Domain membership shouldn’t matter. You should start from the basics and verify that you can ping the Exchange server from the application server, telnet to the Exchange server on port 25 from the app server, and do some tests with protocol logging turned on for your receive connectors so you can inspect the logs if you need to (the telnet window will also give you some clues).

  137. Peter

    Very handy and useful. Just sold my issue of sending emails out externally from a helpdesk software install on one of our servers.


  138. Dev

    This works for me thanks it needed doe my email scanner and linux server to send via my exchanger 2010 server so i added both IP address on the same connector..

  139. Adonis

    Great article , is there a way to setup a connector using an host name such as instead of an IP address ? Just wondering I have a web app that relays from azure but the ip address could change at anytime

    1. Avatar photo
      Paul Cunningham

      No, remote systems/networks are identified by IP only, not name.

      You could look at using SMTP authentication instead, so that the Azure app makes an authenticated connection to a receive connector regardless of which source IP it is coming from.

  140. Tom Greendyk

    I just wanted to post a thank you for this great, easy-to-follow article. It saved my butt when I couldn’t get two scanners to scan to email. After fighting it for three days, I found this and voila! Away we go.

    Thanks again. Good stuff!


  141. SeanC

    Hi Paul

    Great Article and your solution was just what i was after. One quick question though. The program being used is a mail merge client which has Sender name, Senders email address and reply email address fields. When relaying though the new connector to external recipients the Sender name field is displayed properly, however when emails are sent internally the Senders Name is not displayed, only the email address.

    For Instance the Senders Name might have MyCo Mail out and the reply address of External receivers see the display name as being MyCo Mail with an email address of, Internal users however only see the display name as

    Any ideas on how to get internal users seeing the same Display Name and not the reply email address

    Many Thanks

  142. Duane

    How can I tell which of applications are currently using the Open Mail Relay, so that when I restrict it, I know which apps will be affected?


    1. Avatar photo
      Paul Cunningham

      Hi Duane, you can turn on Protocol Logging and use the resulting log file to identify what is using the receive connector.

  143. David

    With SP1 it works fine but when i change to SP2 i found this problem.

    Thanks for save my time.

  144. Warren

    Thanks – saved me hours!

  145. Jon S

    We are currently trying to merge our local account and our external accounts. The only catch is not everyone has external accounts, so we want to make sure that nothing local is routed outside the system. If possible, we’d like to eliminate the need for having to select which account we are sending from, and if at all possible, be able to send to both an internal or external contact simultaneously. Are these instructions on the right track? Is there anything else we may need to do?

  146. Daren Fredrickson

    Thank you for this post. Very helpful in simplifying the process of setting this up.
    As others above, SSRS was what we are using the relay for and now it works great!

  147. sean

    thanks!. I’ve been messing with this for the better part of the day. Your instructions were the most clear as to setting up

  148. Jeff Waska

    Paul, This works great for us, but I have been asked to add a second redundant HUB server for the list of relaying servers. Is there a way to do this without having to have lists of IPs to maintain on each HUB server, we have four.


    1. Avatar photo
      Paul Cunningham

      Hi Jeff,

      Firstly, you can clone the remote IP range from the existing connector to the new one you create by adapting this procedure:

      Now you’ve got two HT’s with relay connectors with the same remote IP range. Then, any time you want to update them, you can modify this procedure to apply the change to both:

      Just scale that process out to as many HT’s as you plan to configure with relay connectors.

      Hope that helps! 🙂

  149. Peter Andersen

    I did this, but it would work for a while and quit. Ended up putting in the ipaddress of the extra inside connector instead of the name of the mail server. Started working right away.

    1. Avatar photo
      Paul Cunningham

      Hi Peter, putting the relay connector on a dedicated IP is a good way to resolve issues where the wrong connector responds to SMTP connections on a shared IP.

  150. Greg

    Make sure you have Exchange Servers checked, not Exchange users.

  151. JK


    I have tried to follow your simple steps but encounter the following error when I tick Externally Secure (…) in Authentication tab

    “you must set the value for the permissiongroups parameter to exchangeservers when you set the authmechnism paramater to a value of Externalauthoritative”

    A red exclamation mark appears beside ‘Enable Domain Security (Mutual Auth TLS).

    Any idea why? Thank you.

    1. Avatar photo
      Paul Cunningham

      Hi JK, you’ve got to do the steps in the right order or you’ll run into that error. So first you’ve got to do the Permission Groups settings, then after that you can do the Authentication settings.

  152. Larry


  153. Joonyoung Park

    Dear Paul,

    First of all, thank you so much to post this article. I couldn’t figure it out how to relay email from our SQL Reporting Server to send emails through our main SBS 2011 server until I saw your article. It took me more than a month to research to find out the solution. Finally, thanks to your article, our Reporting Server can send emails to external users through our main Exchange 2010 server!! Your instruction was very helpful, and I setup the relay setting within 2~3 minutes.



  154. JuanRivera

    Great helpful, everything works fine, amazing !!!!

  155. Lucas

    Thanks for the Tutorial, Paul.

    So, basically, we’re fooling the Exchange Server to believe that an External Security exists in the Receive Connector, which then makes the server to allow untrusted connections. That is a nice “trick” that solve the problem, but maybe it’s a security risk to do that.

    Is there a more secure way to configure this kind of relay ?

    1. Avatar photo
      Paul Cunningham

      The only remote hosts allowed to relay through the connector are those you explicitly allow. There is naturally a risk if those remote hosts were compromised in some way, but other than that this is how it is done.

  156. brian

    Sounds like what we need, but tried this and still getting 5.7.1. from some systems. one is using IIS smtp, another proprietary smtp dll, another vendor system- who knows.
    So I need to restart Transport svc for this to take effect/

    1. Avatar photo
      Paul Cunningham

      Hi Brian, don’t normally need a restart but I’ve seen a few heavily loaded Transport servers in the wild not pick up the new config until the service was restarted.

      One thing you can also try is enabling protocol logging (set to Verbose) on the Receive Connector and then look at the log file it generates to see why the messages are getting rejected.

      1. brian

        no go. still get “5.7.1 Unable to relay for“. i have done the settings above for connectors on both Edge and Hub transports (just in case). I am assuming I am still missing a step? Other forums are inconsistent when referring to using Anon vs Exch Servers in the Perms Group tab.

      2. Avatar photo
        Paul Cunningham

        Anonymous is required for systems that need to send external email into your Exchange org without authenticating first (eg an @gmail user sending an email to somebody on your network).

        Exchange Servers is required for relay (eg an app or device relaying mail to an external domain via your server).

        It is possible that the wrong Receive Connector is accepting the connections. This can happen if the Remote Network Settings has overlapping IP’s or IP ranges (Exchange has a rule of “most specific wins” if this case).

        Have you tried turning on protocol logging? If you do that for all the Receive Connectors on the server it all gets logged into one file, but the log file entries tell you which Receive Connector accepted the connection.

      3. brian

        I got it working just after my post, yes it was adding Anon along with Exch Servers.Seemed I had tested this config before, however I did find a test connector on the Edge that must have conflicted.

  157. Tim Pillay

    we needed a 3rd party app that worked fine with relay on ex2003 but ex2010 kept giving us 5.7.1 and this was solved it in 5 minutes ! thanks ….quality guide/faq !

  158. Robert Anderton

    Hi Paul,

    This seems to have sorted it.

  159. Robert Anderton


    We are having the relay issue on a program that send messages to our clients, but we are on a small business server 2011, if I followed the above advice and add the IP address of the server into this connector would this work for us?
    Would this then also mean that our server is pretty much open to relay from any source?

    1. Avatar photo
      Paul Cunningham

      Hi Robert, is the app running on the SBS server itself or on another server/pc somewhere?

      1. Robert Anderton

        Its running on the same SBS server? its a VBscript that sends a smtp request to the exchange server, I have tried the above and added a new Receive Connector, but still get the same message ‘550 5.7.1 unable to relay’? any thoughts?

      2. Avatar photo
        Paul Cunningham

        Ok so if you create a relay connector and set it so just the IP of the server can use it then you should be fine. But just to be sure what you can do after you set it up is do the relay test at

      3. Nishit Patel

        How to resolve this warning:

        Additional Details
        Unabled to determine SMTP capabilities. Reason: Authentication failed to the SMTP server.
        Elapsed Time: 171 ms.

        1. Avatar photo
          Paul Cunningham

          You’ll need to describe in more detail what you’re trying to achieve.

  160. Greg

    Excellent! We have a backup server that sends notifications for successfull and failed jobs. Also needed to allow a Cisco voice router to send through it so users can have their voicemail sent to them in an attachment. Great post.

  161. Jeff

    Many thanks. We have and RS6000 that had to send mail internally to employees and externally to customers. Your instructinos were right on the money.

    1. Rajkumar

      Hi Paul,

      Good day,

      The document is good and easy to understand. But little afraid to check on exchange server. Because in order to follow your steps to enable relay. I am not able to enable view “server configuration” on EMC of exchange server. How to enable that?


Leave a Reply