Exchange 2010 – relaying to external email addresses

17 Dec 2009

We have a scanner in our office which can send scanned documents to any email address specified. After our migration to Exchange 2010 this did not work anymore.

I created a new receive connector, specified the IP addresses which were allowed to relay to external domains, and then checked the anonymous checkbox.

The scanner was able to send scanned documents to internal email addresses, but it could not send to any external domain.

It turns out that when you place a checkmark in the “anonymous users” checkbox the following permissions are given to the “Anonymous Logon” group:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

We are missing the “Ms-Exch-SMTP-Accept-Any-Recipient” permission, which is what prevents the scanner from relaying off the Exchange server. You can add this permission by opening the EMS (Exchange Management Shell) and issuing the command:

    Get-ReceiveConnector "<Receive Connector name>" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
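
To confirm the change and check that the connector is still limited to the scanner's address, an audit along these lines can be run in the EMS. This is an added example, not part of the original post; the connector name is a placeholder, and the all-addresses range strings it compares against are assumed to be the defaults Exchange shows on a new connector.

```powershell
# Added audit sketch. Run in the Exchange Management Shell.
# $ConnectorName is a placeholder; substitute your relay connector's name.
$ConnectorName = "<Receive Connector name>"
$AnonUser      = "NT AUTHORITY\ANONYMOUS LOGON"
$RelayRight    = "Ms-Exch-SMTP-Accept-Any-Recipient"

$connector = Get-ReceiveConnector $ConnectorName

# 1. Is the relay right granted (and not denied) to anonymous senders?
$grant = $connector | Get-ADPermission -User $AnonUser |
    Where-Object { ($_.ExtendedRights -like $RelayRight) -and (-not $_.Deny) }

# 2. Which source addresses are allowed to use this connector?
$ranges = @($connector.RemoteIPRanges | ForEach-Object { "$_" })

# Ranges that cover every address (assumed default strings, IPv4 and IPv6).
$wideOpen = @($ranges | Where-Object {
    $_ -eq "0.0.0.0-255.255.255.255" -or $_ -like "::-ffff:*"
})

"Connector      : $($connector.Identity)"
"Remote ranges  : $($ranges -join ', ')"
"Anonymous relay: $([bool]$grant)"

if ($grant -and $wideOpen.Count -gt 0) {
    # Any host that can reach the server could relay mail to any domain.
    Write-Warning "Anonymous relay is granted and the connector accepts any source IP: this is an open relay."
} elseif ($grant) {
    "Anonymous relay is limited to the remote ranges listed above."
} else {
    "Anonymous senders cannot relay to external recipients through this connector."
}
```

The remote ranges printed should contain only the scanner's address (or other devices that are meant to relay).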


1 Response to Exchange 2010 – relaying to external email addresses

Adrian Hutchinson

June 22nd, 2010 at 16:56

Fantastic! I’ve been trying for two days to work out why our 2010 server wouldn’t relay externally, when all the settings looked correct.

A two minute fix after reading this.

Thanks
