We have a scanner in our office which can send scanned documents to any email address specified. After our migration to Exchange 2010 this did not work anymore.
I created a new receive connector, specified the IP addresses which were allowed to relay externally, and then checked the anonymous checkbox.
The scanner was able to send scanned documents to internal email addresses, but it could not send to any external domain.
It turns out that when you place a checkmark in the “anonymous users” checkbox the following permissions are given to the “Anonymous Logon” group:
We are missing the “Ms-Exch-SMTP-Accept-Any-Recipient” permission, and this prevents the scanner from relaying off the Exchange server. You can add this permission by opening the EMS (Exchange Management Shell) and issuing the command:
Get-ReceiveConnector "<Receive Connector name>" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
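Before and after granting this right, it helps to confirm what Anonymous Logon actually holds on the connector and whether the connector's remote IP ranges are still limited to the scanner. The following is an added example, not part of the original post: the function name Get-AnonymousRelayAudit is hypothetical, it must be run in the Exchange Management Shell, and it assumes an unrestricted IPv4 range is rendered as 0.0.0.0-255.255.255.255 (IPv6 ranges are not checked).

```powershell
# Added example: audit a receive connector for anonymous relay exposure.
# Run in the Exchange Management Shell. The function name is hypothetical.
function Get-AnonymousRelayAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ConnectorName
    )

    # S-1-5-7 is the well-known SID for Anonymous Logon. Translating it yields
    # the localized account name, so this also works on non-English servers.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
    $anon = $sid.Translate([System.Security.Principal.NTAccount]).Value

    $connector = Get-ReceiveConnector -Identity $ConnectorName

    # Collect the extended rights currently allowed (not denied) for Anonymous Logon.
    $rights = @($connector | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() } |
        Sort-Object -Unique)

    # -contains is case-insensitive, so "Ms-Exch-..." and "ms-Exch-..." both match.
    $canRelay = $rights -contains 'ms-Exch-SMTP-Accept-Any-Recipient'

    # Assumption: a range covering all of IPv4 is shown as 0.0.0.0-255.255.255.255.
    $ranges  = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $anyHost = $ranges -contains '0.0.0.0-255.255.255.255'

    New-Object PSObject -Property @{
        Connector      = $connector.Identity
        AnonymousUser  = $anon
        ExtendedRights = $rights
        RemoteIPRanges = $ranges
        RelayGranted   = $canRelay
        # Relay right plus an unrestricted source range means any host can relay.
        OpenRelayRisk  = ($canRelay -and $anyHost)
    }
}

Get-AnonymousRelayAudit -ConnectorName '<Receive Connector name>' | Format-List
```

If OpenRelayRisk is True, narrow the connector's remote IP ranges to the scanner's address before leaving the permission in place.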









Fantastic! I’ve been trying for two days to work out why our 2010 server wouldn’t relay externally, when all the settings looked correct.
A two minute fix after reading this.
Thanks
Thanks! This fixed my issue as well.
I’m trying to do the same. What did you set for the Authentication tab? The rest of the steps I’ve done.
Hi Greg,
Authentication tab:
TLS is checked (and not enable domain security) and exchange server authentication
Check your network tab.. if there isn’t any rule preventing the server to connect (option: receive mail from remote servers that have these IP addresses)
worked for me as well. Thanks for your help.
How can we verify which rights anonymous users hold before executing this command?
@Bal, you control it using the IP-addresses in the connectors settings.
According to Microsoft you can only do 1 way or the other. Here is a simple solution using DNS for MX Record resolution that will allow 1 Send Connector to Send Mail to Everyone including Intra-Org email.
Get your exchange server back to a single SendConnector that is set with the basic internet settings:
DNSRoutingEnabled $True, SMTP:*;1, 0.0.0.0
Once you have that, you need to change the transport server configuration to include your internal and external DNS Server IP Addresses:
Set-TransportServer -Identity 'TransportServerName' -InternalDNSServers 'ServerOneIP','ServerTwoIP'
Set-TransportServer -Identity 'TransportServerName' -ExternalDNSServers 'ServerOneIP','ServerTwoIP'
Once you have changed the Transport Server, change the Send Connector to use External DNS
Set-SendConnector -Identity SendConnectorName -UseExternalDNSServersEnabled $True
Now try to send mail to internal and external user in the same message. This is working on our system now.
If you installed your systems in German language, the command will fail.
Use the following command instead:
Get-ReceiveConnector "<Receive Connector name>" | Add-ADPermission -User "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Thank you!!! Been messing with this for days. This issue was my exact problem and this fixed it!