🔷 Introduction
SMTP Relay is a critical component in modern messaging environments. It enables applications, devices, and services to send emails through an Exchange server without requiring a full mailbox.
In Exchange Server 2019, SMTP Relay can be configured securely using:
✅ Anonymous Relay (IP-based)
✅ Authenticated Relay (username/password-based with TLS)
This article explains the complete architecture, configuration, validation, and best practices.
🔷 What is SMTP Relay?
SMTP Relay is the process of forwarding email messages from one system to another through an SMTP server.
Instead of sending mail directly to recipients, applications or devices send messages to an Exchange server, which then relays them to internal or external recipients.
🔷 Purpose of SMTP Relay
SMTP Relay is used for:
- Application email notifications (ERP, monitoring tools)
- Devices like printers, scanners, network appliances
- Bulk email testing
- Hybrid mail flow validation
- Automation scripts and alerting systems
🔷 How SMTP Relay Works in Exchange 2019
Exchange 2019 uses a two-layer transport architecture:
🔹 Frontend Transport
- Accepts incoming SMTP connections
- Handles authentication
- Proxies the connection to the backend Transport service
🔹 Backend Transport
- Processes and delivers messages
✅ Flow Overview
Client/Application
↓
Receive Connector (Frontend)
↓
Authentication / IP validation
↓
Frontend Proxy
↓
Backend Transport
↓
Mailbox / Send Connector
↓
Delivery
🔷 Types of SMTP Relay in Exchange
🔹 1. Anonymous Relay (IP-Based)
- No authentication required
- Access controlled by IP restriction
- Used for applications and devices
🔹 2. Authenticated Relay (SMTP AUTH)
- Requires username & password
- Enforces TLS security
- Supports Send-As scenarios
🔷 PART 1 — Anonymous SMTP Relay Configuration (Port 2526)
✅ Step 1: Create Receive Connector
New-ReceiveConnector -Name "SMTP Relay Script" -Server CMHYBD01 -TransportRole FrontendTransport -Usage Custom -Bindings 0.0.0.0:2526 -RemoteIPRanges 192.168.1.13
✅ Step 2: Enable Anonymous Access
Set-ReceiveConnector "SMTP Relay Script" -PermissionGroups AnonymousUsers
✅ Step 3: Allow Relay Permission
Get-ReceiveConnector "SMTP Relay Script" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
✅ Test Anonymous Relay
Send-MailMessage -From "test@cloudmonkeys.xyz" -To "user@cloudmonkeys.xyz" -Subject "Anonymous Test" -Body "Test" -SmtpServer CMHYBD01 -Port 2526
✅ Validation
Run Message Tracking:
Get-MessageTrackingLog -Start (Get-Date).AddMinutes(-10)
Expected:
- AuthSource = Anonymous
- Connector = SMTP Relay Script
🔷 PART 2 — Authenticated SMTP Relay Configuration (Port 587)
✅ Step 1: Create Connector
New-ReceiveConnector -Name "SMTP Auth Relay Script" -Server CMHYBD01 -TransportRole FrontendTransport -Usage Custom -Bindings 0.0.0.0:587 -RemoteIPRanges 192.168.1.13
✅ Step 2: Enable Authentication
Set-ReceiveConnector "SMTP Auth Relay Script" -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS -PermissionGroups ExchangeUsers
✅ Step 3: Enforce TLS
Set-ReceiveConnector "SMTP Auth Relay Script" -RequireTLS $true
✅ Step 4: Service Account Setup
Create service account:
svc-mailer@cloudmonkeys.xyz
Grant Send-As:
Add-ADPermission -Identity smb1 -User svc-mailer -ExtendedRights "Send As"
✅ Test Authenticated Relay
$cred = Get-Credential
Send-MailMessage -From "smb1@cloudmonkeys.xyz" -To "raghu@cloudmonkeys.xyz" -Subject "Auth Test" -Body "Test" -SmtpServer CMHYBD01 -Port 587 -UseSsl -Credential $cred
✅ Expected Result
- Authentication successful
- Sender = smb1 (Send-As)
- Mail delivered
🔷 Key Difference: Anonymous vs Authenticated
| Feature | Anonymous | Authenticated |
|---|---|---|
| Authentication | ❌ No | ✅ Yes |
| Security | Medium | ✅ High |
| TLS | Optional | ✅ Mandatory |
| Sender control | ❌ Limited | ✅ Full (Send-As) |
| Use case | Apps/devices | Secure apps |
🔷 Validation Techniques
✅ 1. Message Tracking Logs (Primary)
Check:
- Sender
- Recipient
- Connector path
Example:
Get-MessageTrackingLog -Start (Get-Date).AddMinutes(-10)
✅ 2. Protocol Logs (Advanced)
Location:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
✅ What to look for:
Authenticated flow:
- STARTTLS
- AUTH LOGIN
- MAIL FROM
- RCPT TO
⚠️ Important Note
In Exchange 2019:
- AUTH appears only after STARTTLS
- Logs may show Client Proxy instead of connector
- Multiple sessions may be present (probes + actual traffic)
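A small parser for the SmtpReceive protocol log described above, added here as an example and not part of the original article: it groups log rows per session and checks that AUTH is only seen after STARTTLS and that a MAIL FROM without AUTH is the unauthenticated case that must be rejected. The log rows are a constructed sample in the real file's #Fields layout; the connector and host names are the article's.

```powershell
# Added example (not from the article): parse an Exchange SmtpReceive protocol log and check
# the order of client commands per session. The log below is a CONSTRUCTED sample that follows
# the real file's "#Fields:" layout; point $lines at Get-Content of a real log to use it.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-01-01T10:00:00.000Z,CMHYBD01\SMTP Auth Relay Script,S1,0,192.168.1.10:587,192.168.1.13:50001,+,,
2025-01-01T10:00:00.010Z,CMHYBD01\SMTP Auth Relay Script,S1,1,192.168.1.10:587,192.168.1.13:50001,<,EHLO app01,
2025-01-01T10:00:00.020Z,CMHYBD01\SMTP Auth Relay Script,S1,2,192.168.1.10:587,192.168.1.13:50001,<,STARTTLS,
2025-01-01T10:00:00.030Z,CMHYBD01\SMTP Auth Relay Script,S1,3,192.168.1.10:587,192.168.1.13:50001,>,220 2.0.0 SMTP server ready,
2025-01-01T10:00:00.040Z,CMHYBD01\SMTP Auth Relay Script,S1,4,192.168.1.10:587,192.168.1.13:50001,<,AUTH LOGIN,
2025-01-01T10:00:00.050Z,CMHYBD01\SMTP Auth Relay Script,S1,5,192.168.1.10:587,192.168.1.13:50001,<,MAIL FROM:<smb1@cloudmonkeys.xyz>,
2025-01-01T10:00:00.060Z,CMHYBD01\SMTP Auth Relay Script,S1,6,192.168.1.10:587,192.168.1.13:50001,<,RCPT TO:<raghu@cloudmonkeys.xyz>,
2025-01-01T10:00:01.000Z,CMHYBD01\SMTP Auth Relay Script,S2,0,192.168.1.10:587,10.9.9.9:50002,+,,
2025-01-01T10:00:01.010Z,CMHYBD01\SMTP Auth Relay Script,S2,1,192.168.1.10:587,10.9.9.9:50002,<,EHLO probe,
2025-01-01T10:00:01.020Z,CMHYBD01\SMTP Auth Relay Script,S2,2,192.168.1.10:587,10.9.9.9:50002,<,MAIL FROM:<x@example.com>,
2025-01-01T10:00:01.030Z,CMHYBD01\SMTP Auth Relay Script,S2,3,192.168.1.10:587,10.9.9.9:50002,>,530 5.7.57 Client was not authenticated to send anonymous mail during MAIL FROM,
'@
$fields = 'date-time','connector-id','session-id','sequence-number','local-endpoint','remote-endpoint','event','data','context'
$lines  = $sample -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^#' }   # drop the #comment header lines
$rows   = $lines | ConvertFrom-Csv -Header $fields

function Test-SmtpAuthFlow {
    param([object[]]$Rows)
    foreach ($session in ($Rows | Group-Object 'session-id')) {
        # event '<' = command received from the client; keep them in protocol order
        $cmds = $session.Group | Where-Object { $_.event -eq '<' } | Sort-Object { [int]$_.'sequence-number' }
        $seq  = @($cmds | ForEach-Object { ($_.data -split '[ :]')[0].ToUpper() })   # EHLO STARTTLS AUTH MAIL RCPT
        $tls = [array]::IndexOf($seq, 'STARTTLS'); $auth = [array]::IndexOf($seq, 'AUTH'); $mail = [array]::IndexOf($seq, 'MAIL')
        $verdict = 'INFO: probe or incomplete session'
        if ($mail -ge 0 -and $auth -lt 0) { $verdict = 'INFO: unauthenticated MAIL FROM, expect a 5.7.57 reply' }
        if ($auth -ge 0 -and $tls -lt 0)  { $verdict = 'WARN: AUTH seen without a preceding STARTTLS, check BasicAuthRequireTLS' }
        if ($auth -ge 0 -and $tls -ge 0 -and $tls -lt $auth -and $mail -gt $auth) { $verdict = 'OK: STARTTLS -> AUTH -> MAIL FROM' }
        [pscustomobject]@{
            Session   = $session.Name
            Connector = $session.Group[0].'connector-id'   # shows "Client Proxy ..." on the backend side
            Remote    = $session.Group[0].'remote-endpoint'
            Commands  = ($seq -join ' ')
            Verdict   = $verdict
        }
    }
}

Test-SmtpAuthFlow -Rows $rows | Format-Table -AutoSize -Wrap
```

On the sample, session S1 is reported OK and session S2 as an unauthenticated MAIL FROM, which matches the 5.7.57 reply recorded on its last row.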
✅ 3. Security Validation
Test from another server:
❌ Anonymous relay should fail:
Port 2526 → blocked
❌ Auth connector without credentials:
Port 587 → 5.7.57 error (530 5.7.57 Client was not authenticated to send anonymous mail during MAIL FROM)
✅ Auth connector with credentials:
Port 587 → success
🔷 Common Issues & Fixes
| Issue | Cause | Fix |
|---|---|---|
| AUTH not visible | No TLS | Use STARTTLS |
| Certificate error | FQDN mismatch | Use correct hostname |
| Open relay risk | Broad IP range | Restrict RemoteIPRanges |
| Send-As not working | Permission delay | Reapply & restart services |
| Cannot connect | DNS issue | Fix resolution or use hosts file |
🔷 Best Practices
✅ Use separate ports (2526 vs 587)
✅ Always enforce TLS for authentication
✅ Use service accounts (not shared mailbox login)
✅ Restrict IP ranges tightly
✅ Use FQDN (not server name)
✅ Enable protocol logging for troubleshooting
✅ Avoid open relay configurations
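An audit script for the connectors built in Part 1 and Part 2, checking them against the best practices above. It is an added example and not the article's own code; it assumes the Exchange Management Shell on CMHYBD01, the standard Get-ReceiveConnector and Get-ADPermission cmdlets, and treats any CIDR wider than /24 (or the all-hosts range) as a broad RemoteIPRanges entry, a threshold chosen here.

```powershell
# Added audit script, not part of the original article. Assumes the Exchange Management Shell
# on the article's server (CMHYBD01). Reports, per receive connector, settings that contradict
# the best practices: anonymous relay from a broad RemoteIPRanges, Basic AUTH without TLS.
$server      = 'CMHYBD01'                    # assumption: server name taken from the article
$broadPrefix = '/([0-9]|1[0-9]|2[0-3])$'     # assumption: CIDR wider than /24 counts as "broad"

function Get-RelayConnectorFindings {
    param([string]$Server)
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $findings = @()

        # A connector is a relay connector when ANONYMOUS LOGON holds Ms-Exch-SMTP-Accept-Any-Recipient
        # (Part 1, Step 3). Combined with a broad RemoteIPRanges that is effectively an open relay.
        $anonRelay = Get-ADPermission -Identity $rc.Identity | Where-Object {
            $_.User -like '*ANONYMOUS LOGON' -and -not $_.Deny -and
            ($_.ExtendedRights -join ',') -match 'Ms-Exch-SMTP-Accept-Any-Recipient'
        }
        if ($anonRelay) {
            foreach ($range in $rc.RemoteIPRanges) {
                $r = "$range"   # IPRange renders as "192.168.1.13", "10.0.0.0/8" or "a.b.c.d-e.f.g.h"
                if ($r -eq '0.0.0.0-255.255.255.255' -or $r -match $broadPrefix) {
                    $findings += "anonymous relay allowed from broad range $r"
                }
            }
        }

        # Basic authentication must only be offered inside TLS, otherwise the service account
        # password crosses the wire as Base64 (Part 2, Steps 2 and 3).
        $mech = "$($rc.AuthMechanism)"   # flags enum, e.g. "Tls, BasicAuth, BasicAuthRequireTLS"
        if ($mech -match 'BasicAuth' -and $mech -notmatch 'BasicAuthRequireTLS' -and -not $rc.RequireTLS) {
            $findings += 'BasicAuth offered without TLS'
        }

        [pscustomobject]@{
            Connector = $rc.Name
            Bindings  = ($rc.Bindings -join ', ')
            RemoteIPs = ($rc.RemoteIPRanges -join ', ')
            AnonRelay = [bool]$anonRelay
            Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-RelayConnectorFindings -Server $server | Format-Table -AutoSize -Wrap
```

Hyphenated ranges other than the all-hosts range are not sized by this script; review those by hand.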
🔷 Final Architecture
Anonymous Flow:
Application → 2526 → SMTP Relay Connector → Exchange → Delivery
Authenticated Flow:
Application → 587 → AUTH + TLS → SMTP Auth Connector → Proxy → Transport → Delivery
🚀 Conclusion
SMTP Relay in Exchange 2019 provides a flexible and secure way to handle application and device-based email traffic.
By implementing:
✅ Anonymous relay for controlled systems
✅ Authenticated relay for secure communication
You achieve:
- Strong security posture
- Controlled mail flow
- Scalable architecture
- Enterprise-grade email relay design