By default, Exchange 2010 only accepts SMTP email for the domains it is authoritative for, and only relays email to other domains for authenticated local users. This is the best practice: nobody, spammers included, can send mail to external recipients from your mail domain. But when you have an application that must relay mail, you should think about what you want your relay permissions to be. For security reasons, I always make a new dedicated Receive Connector and lock it down so that only what is needed is open. But how do we do it? We want the application to authenticate, because we want to send mail to distribution lists that have the option “Require that all senders are authenticated” enabled.


Like its predecessor, Exchange 2010 is configured to accept and relay email from hosts that authenticate by default. Both the “Default” and “Client” receive connectors are configured this way out of the box. Authenticating is the simplest method to submit messages, and preferred in many cases.

The Permissions Group that allows authenticated users to submit and relay is the “ExchangeUsers” group. The permissions that are granted with this permissions group are:

NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}

Here are the equivalent options for how to configure this in Exchange 2010.


On the next screen you must specify the local IP address and port this receive connector will listen on. I’ve chosen all available IP addresses on port 26.


The next screen you must pay particular attention to is the “Remote Network settings”. This is where you specify the IP ranges of the servers that will be allowed to submit mail. You definitely want to restrict this range as tightly as you can. In this case, I want only my application server, 172.16.16.24, to be allowed to relay.


The next step is to create the connector, and open the properties. Now you have two options, which I will present. The first option will probably be the most common.

Option 1: User permissions

We must select which permission group is assigned to this connector. Because we want the application to authenticate, we select Exchange Users.


Next, continue to the authentication mechanisms page and add Basic Authentication with TLS and Integrated Windows authentication.


The connector is ready. If you are authenticated you can send mail just as you do from your Outlook client. Now we want to give the specified user the rights needed so that its mail can be relayed.

Add the right permissions to the receive connector.

[PS] Get-ReceiveConnector -Identity "HubServer\Relay_ReceiveConnector" | Add-ADPermission -User Relay_User -ExtendedRights "Ms-Exch-Accept-Headers-Routing","Ms-Exch-SMTP-Accept-Any-Sender","Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender","Ms-Exch-SMTP-Submit","Ms-Exch-SMTP-Accept-Any-Recipient"

Ms-Exch-SMTP-Accept-Any-Sender
Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Ms-Exch-SMTP-Submit
Ms-Exch-SMTP-Accept-Any-Recipient
Ms-Exch-SMTP-Accept-Authentication-Flag

Basically you are telling Exchange to ignore its internal security checks because you trust this user. The nice thing about this option is that it is simple and grants the common rights that most people probably want.

Option 2: Grant the relay permission to Anonymous on your new scoped connector

This option grants the minimum amount of required privileges to the submitting application.

Taking the new scoped connector that you created, you have another option. You can simply grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. Do this by first adding the Anonymous Permissions Group to the connector.


This grants the most common permissions to the anonymous account, but it does not grant the relay permission. This step must be done through the Exchange shell:

[PS] Get-ReceiveConnector "Relay_ReceiveConnector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
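The same build done entirely in the Exchange Management Shell, as an added example that is not part of the original post. It assumes the hub transport server is called HubServer and reuses the post’s application IP 172.16.16.24, connector name Relay_ReceiveConnector and account Relay_User. Step 3 goes a little beyond the post: it audits every connector on the server for holders of the relay right.

```powershell
# Added example (not from the post): the relay connector built from the
# Exchange Management Shell. Assumed names, taken from the post: hub server
# "HubServer", application host 172.16.16.24, relay account "Relay_User".

# 1. A dedicated connector on port 26 that only the application host may reach.
#    A single-address RemoteIPRanges is the tightest scope you can set.
New-ReceiveConnector -Name "Relay_ReceiveConnector" -Server "HubServer" `
    -Usage Custom -Bindings "0.0.0.0:26" -RemoteIPRanges "172.16.16.24" `
    -AuthMechanism "Tls, BasicAuth, BasicAuthRequireTLS, Integrated" `
    -PermissionGroups "ExchangeUsers"

# 2a. Option 1: the application authenticates as Relay_User, which receives
#     the rights from the post, including the relay right (Accept-Any-Recipient).
$relayRights = @(
    "ms-Exch-SMTP-Submit",
    "ms-Exch-SMTP-Accept-Any-Recipient",
    "ms-Exch-SMTP-Accept-Any-Sender",
    "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender",
    "ms-Exch-Accept-Headers-Routing"
)
Get-ReceiveConnector "HubServer\Relay_ReceiveConnector" |
    Add-ADPermission -User "Relay_User" -ExtendedRights $relayRights

# 2b. Option 2 (instead of 2a): anonymous relay, still limited to 172.16.16.24.
#     Only the relay right is added on top of the Anonymous permission group.
# Set-ReceiveConnector "HubServer\Relay_ReceiveConnector" `
#     -PermissionGroups "AnonymousUsers, ExchangeUsers"
# Get-ReceiveConnector "HubServer\Relay_ReceiveConnector" |
#     Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
#         -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Verify: every connector on the server that grants the relay right, who
#    holds it, and which remote ranges may use it. An "ANONYMOUS LOGON" entry
#    next to a broad range is effectively an open relay for that range.
Get-ReceiveConnector -Server "HubServer" | ForEach-Object {
    $conn = $_
    $conn | Get-ADPermission |
        Where-Object { (-not $_.Deny) -and
                       ($_.ExtendedRights -like "*Accept-Any-Recipient*") } |
        Select-Object @{ Name = "Connector"; Expression = { $conn.Name } },
                      User,
                      @{ Name = "RemoteIPRanges"
                         Expression = { $conn.RemoteIPRanges -join ", " } }
} | Format-Table -AutoSize
```

Run step 3 again after any connector change; the output should list only the principals and ranges you deliberately granted relay to.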

Summary of Extended Rights

Permission                                        Display name
------------------------------------------------  --------------------------------
ms-Exch-SMTP-Submit                               Submit Messages to Server
ms-Exch-SMTP-Accept-Any-Recipient                 Submit Messages to any Recipient
ms-Exch-SMTP-Accept-Any-Sender                    Accept any Sender
ms-Exch-SMTP-Accept-Authoritative-Domain-Sender   Accept Authoritative Domain Sender
ms-Exch-SMTP-Accept-Authentication-Flag           Accept Authentication Flag
ms-Exch-Accept-Headers-Routing                    Accept Routing Headers
ms-Exch-Accept-Headers-Organization               Accept Organization Headers
ms-Exch-Accept-Headers-Forest                     Accept Forest Headers
ms-Exch-SMTP-Accept-Exch50                        Accept Exch50
ms-Exch-SMTP-Send-Exch50                          Send Exch50
ms-Exch-Send-Headers-Routing                      Send Routing Headers
ms-Exch-Send-Headers-Organization                 Send Organization Headers
ms-Exch-Send-Headers-Forest                       Send Forest Headers
ms-Exch-Bypass-Message-Size-Limit                 Bypass Message Size Limit
ms-Exch-Bypass-Anti-Spam                          Bypass Anti-Spam

Full Description of Extended Rights

ms-Exch-SMTP-Submit If the SMTP receive session does not have this permission, it will fail to submit messages: both the “MAIL FROM” and the “AUTH” command will fail. The “AUTH” command fails even when the credentials are correct, because the authenticated user or computer would have no way to do anything useful with the session.

ms-Exch-SMTP-Accept-Any-Recipient If the SMTP receive session does not have this permission, the server will reject the “RCPT TO” command if the recipient domain does not match any accepted domain. This permission is effectively the relay permission.

ms-Exch-SMTP-Accept-Any-Sender If the SMTP receive session does not have this permission, the server will check for sender address spoofing. If the spoofing check fails, the message is rejected at either “MAIL FROM” or EOD (End Of Data), depending on which sender (envelope or message header) was found to be spoofed.

ms-Exch-SMTP-Accept-Authoritative-Domain-Sender If the SMTP receive session does not have this permission, the server will reject “MAIL FROM” if the specified address is at an authoritative domain. (An authoritative domain is an administrative domain with at least one mail server responsible for the final delivery of messages addressed to that domain.)

ms-Exch-SMTP-Accept-Authentication-Flag If the SMTP receive session does not have this permission, the server will ignore the AUTH= option that was specified on the “MAIL FROM” command. (Internally, Exchange Servers transfer anonymous messages using “AUTH=<>”.)

ms-Exch-Accept-Headers-Routing If the SMTP receive session does not have this permission, the server will strip all “Received:” headers. Note: This should only happen for client message submissions over SMTP, which is why by default ExchangeUsers do not get this permission. (See RFC 2476.)

ms-Exch-Accept-Headers-Organization If the SMTP receive session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-”.

ms-Exch-Accept-Headers-Forest If the SMTP receive session does not have this permission, the server will strip all forest headers. Those headers all start with “X-MS-Exchange-Forest-”.

ms-Exch-SMTP-Accept-Exch50 If the SMTP receive session does not have this permission, the server will not accept the “XEXCH50” command. Note: This command is necessary for interoperability with Exchange 2000 and Exchange 2003. In an environment with only Exchange 2007 servers, the “XEXCH50” command won’t be used once disabled.

ms-Exch-SMTP-Send-Exch50 If the SMTP send session does not have this permission, the server will not send the “XEXCH50” command.

ms-Exch-Send-Headers-Routing If the SMTP send session does not have this permission, the server will strip all “Received:” headers.

ms-Exch-Send-Headers-Organization If the SMTP send session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-”.

ms-Exch-Send-Headers-Forest If the SMTP send session does not have this permission, the server will strip all forest headers. Those headers all start with “X-MS-Exchange-Forest-”.

ms-Exch-Bypass-Message-Size-Limit If the SMTP receive session has this permission, the server will skip message size restrictions at the protocol level.

ms-Exch-Bypass-Anti-Spam If the SMTP receive session has this permission, the server will pass this permission on to the anti-spam agents so that anti-spam checks are skipped for this message.