Exchange 2007: How to allow relay exceptions

Although allowing unfettered relaying of e-mail through your Exchange 2007 server should be avoided, there are situations in which allowing relaying is desirable.

For example, suppose you have an HVAC system that reports to operations when a building's air handling system strays outside preset parameters. These systems typically handle their reporting via e-mail and don't authenticate with your SMTP server. The system simply needs your SMTP server in order to correctly route the message. In Exchange 2007, relay is made available through the use of a custom SMTP receive connector. I should note that, by default, Exchange 2007 does support relaying of mail for systems that authenticate. Today's tip focuses on relaying from an unauthenticated system.

Before you get started, you should add another IP address to the network adapter on your Exchange server. An SMTP receive connector is akin to a SMTP virtual server from Exchange 2003 and requires a unique IP address/SMTP port combination. It's easier to tell a third-party system to use a different IP address for relay than it is to provide it with a different port to use for SMTP. I've assigned the IP address to my system.

Step by step guide to allowing relay

To allow individual systems to relay mail through your Exchange 2007 system, perform the following steps:

1. Start the Exchange Management Console.

2. Browse to Microsoft Exchange > Server Configuration > Hub Transport.

3. Select the Hub Transport server through which you would like to allow another system to relay mail.

4. From the Actions pane, choose New Receive Connector (Figure A). Figure A


5. On the first page of the New SMTP Receive Connector wizard, type a name for the connector and choose the connector's intended use. In this case, choose Custom (Figure B). Figure B Choose a use for this connection

Type a name and choose a use for this connector.

6. Choose Next.

7. On the Local Network Settings page, click the Add button

8. On the Local Network settings page, click the Add button and, in the Add Receive Connector Binding window, type in the new IP address that you gave to the network adapter. Leave the SMTP port at 25 (Figure C).

9. Choose OK.

10. Under Local IP address(es), select All Available and click the red X to delete this selection.

Figure C

Determine local IP address and port

Decide which IP address and port combination to use for the new connector.

11. Choose Next.

12. On the Remote Network Settings window, indicate which systems or range of IP addresses should be allowed to relay through this connector. In the example shown in Figure D, the host system with IP address and any system with an IP address in the range to will be allowed to relay through this connector. Figure D

Choose system with rights to relay

Indicate the systems with rights to relay through this connector.

13. Choose Next.

14. On the summary screen, click the New button to create the connector.

15. Open the properties page of the new connector. To do so, right click the new connector and choose Properties.

16. From the connector's Properties page, choose the Permission Groups tab (Figure E).

17. Select the checkbox next to "Exchange Servers".

Figure E

Select Exchange servers

Select Exchange Servers. You must do this before you continue.

18. From the connector's Properties page, choose the Authentication tab (Figure F).

19. Select the checkbox next to "Externally Secured (for example, with IPsec)".

Figure F

Select External Secured

Select External Secured to tell Exchange that the third party device somehow manages it own permissions.

20. Choose OK.

At this point, you should be able to relay from the third party system.


Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

Editor's Picks