Can't receive external emails
I'm trying to set up my Exchange 2010 Server to receive external emails, but the only way I have gotten this to work is by enabling anonymous authentication in my receive connector, which causes the server to be an open relay. This then results in my server getting blacklisted and then used by spammers. I've tried looking for solutions to enable receiving external mail, but they all state I should just do the above. The spam messages filled my message queue up so much, it's just killed the server, so that is not an option. I'll continue looking for a solution, but any help from here would be greatly appreciated. Thanks
March 26th, 2012 6:01pm

By default ticking the anonymous access on the receive connector will not make the server an anonymous relay. Could you please type the following and post the results:

    Get-ReceiveConnector | FL

This will give us a better idea of how the connector is set up and why it is acting as a relay.

Matt Cline - MCSE+M, MCITP: EA | EMA (2007, 2010) | Lync 2010 Blog: exchangeadventures.com
March 26th, 2012 6:26pm

Here are two connectors I have. Sorry for the horrible formatting. But note, this is with Anonymous log in turned OFF to prevent the server from being an open relay.

    [PS] C:\Windows\system32>Get-ReceiveConnector | FL

    RunspaceId : 0aa65e2a-2114-43ad-beab-ed39e25ea294
    AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner :
    BinaryMimeEnabled : True
    Bindings : {:::25, 0.0.0.0:25}
    ChunkingEnabled : True
    DefaultDomain :
    DeliveryStatusNotificationEnabled : True
    EightBitMimeEnabled : True
    DomainSecureEnabled : False
    EnhancedStatusCodesEnabled : True
    LongAddressesEnabled : False
    OrarEnabled : False
    SuppressXAnonymousTls : False
    AdvertiseClientSettings : False
    Fqdn : XXXX
    Comment :
    Enabled : True
    ConnectionTimeout : 00:10:00
    ConnectionInactivityTimeout : 00:05:00
    MessageRateLimit : unlimited
    MessageRateSource : IPAddress
    MaxInboundConnection : 5000
    MaxInboundConnectionPerSource : unlimited
    MaxInboundConnectionPercentagePerSource : 100
    MaxHeaderSize : 64 KB (65,536 bytes)
    MaxHopCount : 30
    MaxLocalHopCount : 8
    MaxLogonFailures : 3
    MaxMessageSize : 10 MB (10,485,760 bytes)
    MaxProtocolErrors : 5
    MaxRecipientsPerMessage : 5000
    PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled : True
    ProtocolLoggingLevel : None
    RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain : False
    RequireTLS : False
    EnableAuthGSSAPI : False
    LiveCredentialEnabled : False
    Server : WIN-XXXXXX
    SizeEnabled : EnabledWithoutValue
    TarpitInterval : 00:00:05
    MaxAcknowledgementDelay : 00:00:30
    AdminDisplayName :
    ExchangeVersion : 0.1 (8.0.535.0)
    Name : Default WIN-XXXXXXXXXX
    DistinguishedName : CN=Default WIN-XXXXXXXXXX,CN=SMTP Receive Connectors,CN=Protocols,CN=WIN-XXXXXXXXXX,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mail for XXXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXXXXX,DC=com
    Identity : WIN-XXXXXXXXXX\Default WIN-XXXXXXXXXX
    Guid : fe4ff855-b13b-4f20-9ac7-70f37a7db92e
    ObjectCategory : XXXXXXXXXX.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass : {top, msExchSmtpReceiveConnector}
    WhenChanged : 3/26/2012 5:06:43 PM
    WhenCreated : 2/6/2012 4:23:43 PM
    WhenChangedUTC : 3/26/2012 11:06:43 PM
    WhenCreatedUTC : 2/6/2012 10:23:43 PM
    OrganizationId :
    OriginatingServer : XXXXXXXXXXXXXXXx
    IsValid : True

    RunspaceId : 0aa65e2a-2114-43ad-beab-ed39e25ea294
    AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
    Banner :
    BinaryMimeEnabled : True
    Bindings : {:::587, 0.0.0.0:587}
    ChunkingEnabled : True
    DefaultDomain :
    DeliveryStatusNotificationEnabled : True
    EightBitMimeEnabled : True
    DomainSecureEnabled : False
    EnhancedStatusCodesEnabled : True
    LongAddressesEnabled : False
    OrarEnabled : False
    SuppressXAnonymousTls : False
    AdvertiseClientSettings : False
    Fqdn : XXXXXXXXXXXXXXXXXXXXXx
    Comment :
    Enabled : True
    ConnectionTimeout : 00:10:00
    ConnectionInactivityTimeout : 00:05:00
    MessageRateLimit : 5
    MessageRateSource : User
    MaxInboundConnection : 5000
    MaxInboundConnectionPerSource : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize : 64 KB (65,536 bytes)
    MaxHopCount : 30
    MaxLocalHopCount : 8
    MaxLogonFailures : 3
    MaxMessageSize : 10 MB (10,485,760 bytes)
    MaxProtocolErrors : 5
    MaxRecipientsPerMessage : 200
    PermissionGroups : ExchangeUsers, ExchangeServers
    PipeliningEnabled : True
    ProtocolLoggingLevel : None
    RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain : False
    RequireTLS : False
    EnableAuthGSSAPI : True
    LiveCredentialEnabled : False
    Server : WIN-XXXXXXXXXX
    SizeEnabled : Enabled
    TarpitInterval : 00:00:05
    MaxAcknowledgementDelay : 00:00:30
    AdminDisplayName :
    ExchangeVersion : 0.1 (8.0.535.0)
    Name : Client WIN-XXXXXXXXXX
    DistinguishedName : CN=Client WIN-XXXXXXXXXXXX,CN=SMTP Receive Connectors,CN=Protocols,CN=WIN-XXXXXXXXXXXX,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mail for XXXXXXXXXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXX,DC=com
    Identity : WIN-XXXXXXXXXXXXXXX\Client WIN-XXXXXXXXXXx
    Guid : 3851651c-2d18-467b-81dc-a40b1af4822b
    ObjectCategory : XXXXXXXXXXX.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass : {top, msExchSmtpReceiveConnector}
    WhenChanged : 3/23/2012 9:53:17 AM
    WhenCreated : 2/6/2012 4:23:43 PM
    WhenChangedUTC : 3/23/2012 3:53:17 PM
    WhenCreatedUTC : 2/6/2012 10:23:43 PM
    OrganizationId :
    OriginatingServer : XXXXXXXXXXXXx
    IsValid : True
March 26th, 2012 6:42pm

You need anonymous on there so that Exch will accept emails from the outside world, otherwise you won't receive email. Select anonymous, this won't make your server an open relay. This is the default permission. It's only open relay if you allow this add permission. - http://technet.microsoft.com/en-us/library/bb232021.aspx

Sukh
March 26th, 2012 6:46pm

> You need anonymous on there so that Exch will accept emails from the outside world, otherwise you won't receive email. Select anonymous, this won't make your server an open relay. This is the default permission. It's only open relay if you allow this add permission. - http://technet.microsoft.com/en-us/library/bb232021.aspx
> Sukh

If I do that in Server Configurations > Hub Transport > Default and click it, instantly when I check my mail server status with mxtoolbox.com, it reports my server to be an open relay. When I uncheck it, it reports it all as being OK. Am I missing something else?
March 26th, 2012 6:56pm

Have you checked that add permission in that KB I provided? You could always create a new connector using the wizard for the internet, disable the existing one and test again. This would have the default permissions - http://technet.microsoft.com/en-us/library/bb125159.aspx

Sukh
March 26th, 2012 7:02pm

I tried creating a new basic one for the internet. But it never completed because it said it was the same as my default connector. I tried to ensure the permission was removed by typing:

    Get-ReceiveConnector "Default Connector" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

But I got an error saying ACE isn't present. Invalid Operation

I did just delete my default connector, and made a new one according to your instructions here: http://technet.microsoft.com/en-us/library/bb125159.aspx. Pretty much just set the default values for the Internet option. When I created it and checked my mxtoolbox.com, the site still reported my site as having a possibility of being an open relay.
March 27th, 2012 11:43am

Can you relay? Telnet from the outside world and try.

Sukh
March 27th, 2012 1:44pm

> Can you relay? Telnet from the outside world and try.
> Sukh

With the Anonymous Users UNchecked, I get the following message:

    MAIL FROM:user@gmail.com
    530 5.7.1 Client was not authenticated

With the Anonymous User option in my receive connector checked, I get a successful message, so it looks like I can relay.

    MAIL FROM:test@gmail.com
    250 2.1.0 Sender OK
    RCPT TO:test@huawei.com
    250 2.1.5 Recipient OK
    DATA
    354 Start mail input; end with <CRLF>.<CRLF>
    test is a test
    .
    250 2.6.0 <ba623e62-59d5-4a9b-b4fd-135eb6c87f02@WIN-XXXX.XXXXcom> [InternalId=49] Queued mail for delivery
    exit
March 27th, 2012 2:35pm

Just a quick piece of advice: http://www.mxtoolbox.com can do the SMTP relay test for you, just to verify that it's not open for relay.

Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
March 27th, 2012 3:06pm

> Just a quick piece of advice: http://www.mxtoolbox.com can do the SMTP relay test for you, just to verify that it's not open for relay.
> Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82

Thanks, I use that site all the time. Which brings me to my problem. I want to be able to send and receive emails from external users (i.e. gmail, yahoo, etc). I can send to them fine. When I check Anonymous Users in my receive connectors, I can receive external emails but mxtoolbox reports me as being an open relay. When I uncheck it, my server is no longer an open relay, but I am unable to receive emails from external users.
March 27th, 2012 3:56pm

> MAIL FROM:test@gmail.com
> 250 2.1.0 Sender OK
> RCPT TO:test@huawei.com

Is @huawei.com your internal domain?

Sukh
March 27th, 2012 5:57pm

No, it's also external.
March 27th, 2012 6:56pm

Get an output of all the permissions on that connector, double check the permission there.

Sukh
March 27th, 2012 7:08pm

Hi,

Use the cmd:

    Get-ADPermission -Identity "<your receive connector name>" | Select Identity,User,ExtendedRights,Deny > "C:\<file name>.txt"

You will get all the permissions on the connector. Check the permission: "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient". See whether it is true or appears in the txt file. If the permission isn't true, the open relay should be closed.

Hope this can help you.

Thanks,
CastinLu
TechNet Community Support
March 28th, 2012 5:26am

> Hi,
> Use the cmd:
>     Get-ADPermission -Identity "<your receive connector name>" | Select Identity,User,ExtendedRights,Deny > "C:\<file name>.txt"
> You will get all the permissions on the connector. Check the permission: "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient". See whether it is true or appears in the txt file. If the permission isn't true, the open relay should be closed.
> Hope this can help you.
> Thanks,
> CastinLu
> TechNet Community Support

When I have Anonymous users checked, I do not see that permission in my file. These are the only NT Authority\Anonymous Logons I see:

    XXXXXXXXXXXXXXX\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-SMTP-Accept-Autho...  False
    XXXXXXXXXXXXXXX\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-SMTP-Accept-Any-S...  False
    XXXXXXXXXXXXXXX\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-SMTP-Submit}          False
    XXXXXXXXXXXXXXX\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-Accept-Headers-Ro...  False

I tried to add it with the following command:

    Get-ReceiveConnector -Identity Internet Relay | Add-ADPermission -User NT AUTHORITY\ANONYMOUS LOGON -ExtendedRights Ms-Exch-SMTP-Accept-Any-Recipient

But I get an error saying:

    A Position parameter cannot be found that accepts argument 'ExtendedRights'/
    *CategoryInfo: Invalid Argument: (:) ]Add-ADPermission, ParameterBindingExceptions
    *FullyQualifiedErrorId: PositionalParameterNotFound,Add-Permission
March 28th, 2012 10:48am

Just dump all the permissions and see if you can see the anonymous permission. Confirm you only have 2 receive connectors?

Sukh
March 28th, 2012 3:22pm

I have 2 receive connectors set up. The standard client one and then another for the internet. On the receive connector for the internet, when I have the anonymous user in the permission tab checked, I see the following anonymous permissions in the logs:

    [IDENTITY]\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-SMTP-Accept-Autho...  False
    [IDENTITY]\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-SMTP-Accept-Any-S...  False
    [IDENTITY]\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-SMTP-Submit}          False
    [IDENTITY]\Internet R...  NT AUTHORITY\ANONYMOUS LOGON  {ms-Exch-Accept-Headers-Ro...  False

With the above, mxtoolbox reports my server as being an open relay. I don't see the Ms-Exch-SMTP-Accept-Any-Recipient for NT AUTHORITY\ANONYMOUS LOGON.
March 28th, 2012 4:06pm

Do you just have the 1 Exch server? Anything in front of your server like an Edge or Gateway?

Sukh
March 28th, 2012 4:09pm

> Do you just have the 1 Exch server? Anything in front of your server like an Edge or Gateway?
> Sukh

No, this is all on just a basic low traffic server running 2008RC2 with Exchange 2010 installed on it.
March 28th, 2012 6:28pm

Is this a SBS server?

Sukh
March 29th, 2012 2:24pm

> Is this a SBS server?
> Sukh

Just a standard Dell server. Not used for business, used for a lot of functionality testing.
March 29th, 2012 6:58pm

Hi,

You have a lot of functionality on the server, so it should affect your Exchange. Do you have another mail service on the server? It is not recommended to install Exchange on that server. So my suggestion is to disable all functions, then see if you still meet the issue.

Hope this can help you.

Thanks,
CastinLu
TechNet Community Support
March 30th, 2012 2:25am

> Hi,
> You have a lot of functionality on the server, so it should affect your Exchange. Do you have another mail service on the server? It is not recommended to install Exchange on that server. So my suggestion is to disable all functions, then see if you still meet the issue.
> Hope this can help you.
> Thanks,
> CastinLu
> TechNet Community Support

I currently have Exchange, DNS, Active Directory Services, Fire Services, and IIS installed with no issues. Are you saying the problem I'm having is due to having too many functions on my server? Is the only solution to get another server to relay specifically off of?
March 30th, 2012 9:51am

When you run Get-AcceptedDomain, what domains do you have listed? If you have a misconfiguration on your accepted domains list, such as *.com as an accepted domain, Exchange may act as an open relay.
March 30th, 2012 12:11pm

Hi,

If you only have these functions on your server, it should not affect your Exchange. At least it will not cause the issue. How about PS CL's suggestion, can it fix your issue?

Hope this can help you.

Thanks,
CastinLu
TechNet Community Support
April 1st, 2012 11:09pm

> When you run Get-AcceptedDomain, what domains do you have listed? If you have a misconfiguration on your accepted domains list, such as *.com as an accepted domain, Exchange may act as an open relay.

You were right. I checked my accepted domains and had an open * causing the relay. I took off that accepted domain and now I can receive emails from external addresses without being an open relay. Gmail is still blocking my IP, and Yahoo isn't receiving any of the mail now, but I feel like those are different issues. The Gmail one should correct itself now that my IP is no longer an open relay or on a blacklist. Not sure why Yahoo isn't accepting email, but I can receive from Yahoo. Hotmail accepts and sends emails successfully. Thanks for the help guys
April 2nd, 2012 3:11pm

This topic is archived. No further replies will be accepted.
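
The two open-relay causes discussed in this thread (a wildcard accepted domain, and the Ms-Exch-SMTP-Accept-Any-Recipient right for anonymous sessions) can be checked together. The following is an added example, not part of the original thread; Test-BroadAcceptedDomain is a hypothetical helper name, and the wildcard test assumes the accepted domain prints as "*" or "*.tld".

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2010 server.
# Test-BroadAcceptedDomain is a hypothetical helper name, not an Exchange cmdlet.
function Test-BroadAcceptedDomain {
    param([string]$DomainName)
    # True for "*" on its own, or a wildcard over a whole TLD such as "*.com".
    return ($DomainName -eq '*') -or ($DomainName -match '^\*\.[^.]+$')
}

$findings = @()

# Check 1: accepted domains so broad that mail for other organizations is
# treated as local and accepted from anonymous senders.
foreach ($domain in Get-AcceptedDomain) {
    $name = "$($domain.DomainName)"
    if (Test-BroadAcceptedDomain $name) {
        $findings += New-Object PSObject -Property @{
            Check  = 'AcceptedDomain'
            Object = $domain.Name
            Detail = "$name ($($domain.DomainType))"
        }
    }
}

# Check 2: receive connectors where anonymous sessions hold the
# Ms-Exch-SMTP-Accept-Any-Recipient right (allowed, not denied).
foreach ($connector in Get-ReceiveConnector) {
    $aces = Get-ADPermission -Identity $connector.Identity | Where-Object {
        $_.User -like '*ANONYMOUS LOGON' -and
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' -and
        -not $_.Deny
    }
    if ($aces) {
        $findings += New-Object PSObject -Property @{
            Check  = 'ReceiveConnector'
            Object = $connector.Identity
            Detail = 'ANONYMOUS LOGON has Ms-Exch-SMTP-Accept-Any-Recipient'
        }
    }
}

if ($findings) {
    $findings | Format-Table Check, Object, Detail -AutoSize
} else {
    'No wildcard accepted domain or anonymous any-recipient right found.'
}
```

Run it after any change to accepted domains or receive connector permissions, then repeat the external relay test.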
