Setting Up Email Connectors in SBS 2008

My SBS 2008 environment needs to accommodate a couple of non-standard email requirements:

  • I use cloud-based email filtering, and I only want to allow incoming email from the IP addresses of those service providers.
  • My PBX in a Flash machine is set up to send email through the SBS server. Rather than figure out how to do authenticated email from Linux, I just wanted to allow anonymous senders inside the local intranet. Same for my classic ASP site, installed directly on the SBS server, that sends email using ASPEmail.

These settings are all made under Exchange 2007 Server Configuration > Hub Transport section.

Allow Authenticated Access

For receiving email from the Internet, I use hosted services from Postini and MailFoundry (for different domains). This allows me to restrict incoming mail to a limited number of IP addresses. I seem to recall that I had to remove the “catchall” IP address range of from the default Windows SBS Internet Receive connector. That connector now looks like this:

Exchange 2007 Anonymous Access 4

Exchange 2007 Anonymous Access 5

Exchange 2007 Anonymous Access 6

Now I want to allow authenticated Exchange users (clients) to send email no matter where they are. I’m using Outlook and decided to allow authenticated SMTP on port 587. (This Microsoft Exchange Team Blog article helped here.) For that, I set up a new Receive Connector called Receive Authenticated SMTP on Port 587 from Exchange Clients. This is the only connector with the “catchall” IP address range of Here are the relevant settings:


Exchange 2007 Anonymous Access 1

Exchange 2007 Anonymous Access 2

Exchange 2007 Anonymous Access 3

Allow Anonymous Sending from the Intranet

Finally I went to the Default SBS connector. It is configured to only accept connections from the internal network, excluding the router, e.g.

It allows lots of authentication:

Exchange 2007 Anonymous Access 7

But I had to tell it to also allow Anonymous users:

Exchange 2007 Anonymous Access 8

Can’t Anonymously Send External Email

Once I had made those changes, the internal PBX server was sending me its daily status email with no problem.

However, when the ASP application tried to send an email to a recipient outside the network, it failed with a 5.7.1 error:

Exchange 2007 Anonymous Access 9

The Persits knowledge base has a helpful article identifying the problem:  it means that “the SMTP server you are using is configured to reject messages sent to outside email addresses and originating from unauthorized IP addresses or users.”

So it’s a separate setting to be able to send mail outside the organization?

Yup, and for some reason it can only be enabled from the Exchange Management Shell, not from the Console. Once I found and executed the command at the bottom of this Petri article, sending mail to external recipients worked as well:

Get-ReceiveConnector "Default SBS" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Never in a million years would I have figured that one out. Thanks Mr. Petri!

Update 8/7/2010:  Had to re-run the Internet connection wizard today. It unfortunately overwrote most of the above settings, and my mail wasn’t going out. So either don’t run that wizard, or make a note of your Exchange Hub Transport settings first.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.