Master Exchange 2007

powershell, automation & more…

Exchange 2007 allow relay authenticated users or printers or scanners or other device

Posted by shauncroucher on October 29, 2009


The Microsoft Exchange development team have documented the procedure for allowing an internal server to relay through Exchange. I won’t be covering this in any more detail as I believe the article is complete and I wouldn’t be able to add any extra value.

http://msexchangeteam.com/archive/2006/12/28/432013.aspx

However, I would like to include a couple of useful cmdlets that I have used a few times to add specific relay rights for users who authenticate to the receive connector from outside the organisation.

First of all, you need to make sure that the external users have a way of authenticating to the appropriate receive connector. In the ‘Permissions’ tab, ensure Exchange Users is selected and also ensure that the Authentication tab has an authentication mechanism they can use (such as Basic Auth).

Allow authenticated users to relay using anyalias@yourdomain.com

Get-ReceiveConnector "RECEIVECONNECTORID" | Add-ADPermission -User 'NT AUTHORITY\Authenticated Users' -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

Allow authenticated users to relay using anyalias@anydomain.com

Get-ReceiveConnector "RECEIVECONNECTORID" | Add-ADPermission -User 'NT AUTHORITY\Authenticated Users' -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

CAUTION: Make sure you only do this for Authenticated Users and not Anonymous logon, because you can easily turn your server into an Open Relay using these commands with the wrong group.

As always, make sure you have a good, complex password policy if you are allowing authentication to your Exchange server.

Shaun
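
A read-only check to run after the commands above, added here as an example and not part of the original post: it lists every principal that holds the two sender rights on each receive connector, with the Deny and inherited flags, and marks any allow entry that gives Anonymous Logon the right to relay. It also reports ms-Exch-SMTP-Accept-Any-Recipient, a right the post does not name; the English principal name and all variable names are assumptions.

```powershell
# Added example (not from the original post). Read-only audit for the
# Exchange Management Shell: nothing on the connectors is modified.

# The two sender rights granted by the commands in the post, plus
# ms-Exch-SMTP-Accept-Any-Recipient (not in the post), the right that lets
# a session submit mail addressed to domains the server does not own.
$anyRecipient = 'ms-Exch-SMTP-Accept-Any-Recipient'
$relayRights = @(
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
    'ms-Exch-SMTP-Accept-Any-Sender',
    $anyRecipient
)

$findings = @(Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $connector | Get-ADPermission | ForEach-Object {
        $ace = $_
        foreach ($right in $ace.ExtendedRights) {
            if ($relayRights -contains "$right") {
                # Assumption: English principal name; localized systems differ.
                $isAnonymous = "$($ace.User)" -like '*ANONYMOUS LOGON'
                $row = New-Object PSObject
                $row | Add-Member NoteProperty Connector "$($connector.Identity)"
                $row | Add-Member NoteProperty User "$($ace.User)"
                $row | Add-Member NoteProperty Right "$right"
                $row | Add-Member NoteProperty Deny $ace.Deny
                $row | Add-Member NoteProperty Inherited $ace.IsInherited
                # Open-relay case: an allow entry letting anonymous sessions
                # send to any recipient.
                $open = $isAnonymous -and ("$right" -eq $anyRecipient) -and -not $ace.Deny
                $row | Add-Member NoteProperty AnonymousRelay $open
                $row
            }
        }
    }
})

$findings | Sort-Object Connector, User, Right | Format-Table -AutoSize

$risky = @($findings | Where-Object { $_.AnonymousRelay })
if ($risky.Count -gt 0) {
    $risky | ForEach-Object { Write-Warning "Anonymous relay allowed on $($_.Connector)" }
} else {
    "No connector grants $anyRecipient to Anonymous Logon."
}
```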


3 Responses to “Exchange 2007 allow relay authenticated users or printers or scanners or other device”

  1. MxToolBox said

    Shaun,

    Thanks for visiting our forums and helping answer questions from our users! We thought this article was great so we went ahead and tweeted it to our followers.

    Thanks again for the help!
    Wendy

    • shauncroucher said

      Hi Wendy,

      Thanks very much for the feedback, you provide some very useful tools for users who are troubleshooting mail flow issues, so I thought I might give a little back.

      Thanks again,

      Shaun

  2. Tum said

    I followed the instructions above and all user accounts can authenticate and relay.

    But only the domain admin account cannot authenticate and relay.
    Have you tested with a domain admin account?

    Is it because of an inherited deny permission on the domain admin group?
