Exchange 2007: How to allow relay exceptions

Although allowing unfettered relaying of e-mail through your Exchange 2007 server should be avoided, there are situations in which allowing relaying is desirable.

For example, suppose you have an HVAC system that reports to operations when a building's air handling system strays outside preset parameters. These systems typically handle their reporting via e-mail and don't authenticate with your SMTP server. The system simply needs your SMTP server in order to correctly route the message. In Exchange 2007, relay is made available through the use of a custom SMTP receive connector. I should note that, by default, Exchange 2007 does support relaying of mail for systems that authenticate. Today's tip focuses on relaying from an unauthenticated system.

Before you get started, you should add another IP address to the network adapter on your Exchange server. An SMTP receive connector is akin to a SMTP virtual server from Exchange 2003 and requires a unique IP address/SMTP port combination. It’s easier to tell a third-party system to use a different IP address for relay than it is to provide it with a different port to use for SMTP. I’ve assigned the IP address to my system.

Step by step guide to allowing relay

To allow individual systems to relay mail through your Exchange 2007 system, perform the following steps:

1. Start the Exchange Management Console.

2. Browse to Microsoft Exchange > Server Configuration > Hub Transport.

3. Select the Hub Transport server through which you would like to allow another system to relay mail.

4. From the Actions pane, choose New Receive Connector (Figure A). Figure A


5. On the first page of the New SMTP Receive Connector wizard, type a name for the connector and choose the connector’s intended use. In this case, choose Custom (Figure B). Figure B Choose a use for this connection

Type a name and choose a use for this connector.

6. Choose Next.

7. On the Local Network Settings page, click the Add button

8. On the Local Network settings page, click the Add button and, in the Add Receive Connector Binding window, type in the new IP address that you gave to the network adapter. Leave the SMTP port at 25 (Figure C).

9. Choose OK.

10. Under Local IP address(es), select All Available and click the red X to delete this selection.

Figure C

Determine local IP address and port

Decide which IP address and port combination to use for the new connector.

11. Choose Next.

12. On the Remote Network Settings window, indicate which systems or range of IP addresses should be allowed to relay through this connector. In the example shown in Figure D, the host system with IP address and any system with an IP address in the range to will be allowed to relay through this connector. Figure D

Choose system with rights to relay

Indicate the systems with rights to relay through this connector.

13. Choose Next.

14. On the summary screen, click the New button to create the connector.

15. Open the properties page of the new connector. To do so, right click the new connector and choose Properties.

16. From the connector’s Properties page, choose the Permission Groups tab (Figure E).

17. Select the checkbox next to “Exchange Servers”.

Figure E

Select Exchange servers

Select Exchange Servers. You must do this before you continue.

18. From the connector’s Properties page, choose the Authentication tab (Figure F).

19. Select the checkbox next to “Externally Secured (for example, with IPsec)”.

Figure F

Select External Secured

Select External Secured to tell Exchange that the third party device somehow manages it own permissions.

20. Choose OK.

At this point, you should be able to relay from the third party system.


Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...


Something must be wrong/different in my setup. Everytime I try this, all inbound and outbound email shut down. Any helpful thoughts as to what would cause this?


Stupid question, but which Exchange 2007 machine or IP address (CAS, Hub, Mailbox, Edge) are the mailing apps supposed to point to once you get this done?


Do I need to setup an e-mail address for it to use? If so, can it be a shared mailbox?


I've got a 3rd party appliation (mail list controller) which uses pop3/smtp to send/receive emails. I set up this connector as suggested but a spammer hijacked my exchange and started spamming - how do I have this connector without opening up myself to spammers - how can I secure it more?


Are there best practices or have any gurus out there found proven tools that work?

Photogenic Memory
Photogenic Memory

Thanks for posting this. This is really useful. I've never experienced the features of Exchange 2007. It seems really maleable. I'm not a fan of Microsoft OS's but they do make some decent programs. I wonder what other cool things you can do? Can you do this with an Exhange demo?

Editor's Picks