My SBS 2008 environment needs to accommodate a couple of non-standard email requirements:
- I use cloud-based email filtering, and I only want to allow incoming email from the IP addresses of those service providers.
- My PBX in a Flash machine is set up to send email through the SBS server. Rather than figure out how to do authenticated email from Linux, I just wanted to allow anonymous senders inside the local intranet. Same for my classic ASP site, installed directly on the SBS server, that sends email using ASPEmail.
These settings are all made under Exchange 2007 Server Configuration > Hub Transport section.
Allow Authenticated Access
For receiving email from the Internet, I use hosted services from Postini and MailFoundry (for different domains). This allows me to restrict incoming mail to a limited number of IP addresses. I seem to recall that I had to remove the “catchall” IP address range of 0.0.0.0-255.255.255.255 from the default Windows SBS Internet Receive connector. That connector now looks like this:
Now I want to allow authenticated Exchange users (clients) to send email no matter where they are. I’m using Outlook and decided to allow authenticated SMTP on port 587. (This Microsoft Exchange Team Blog article helped here.) For that, I set up a new Receive Connector called Receive Authenticated SMTP on Port 587 from Exchange Clients. This is the only connector with the “catchall” IP address range of 0.0.0.0-255.255.255.255. Here are the relevant settings:
Allow Anonymous Sending from the Intranet
Finally I went to the Default SBS connector. It is configured to only accept connections from the internal network, excluding the router, e.g.
It allows lots of authentication:
But I had to tell it to also allow Anonymous users:
Can’t Anonymously Send External Email
Once I had made those changes, the internal PBX server was sending me its daily status email with no problem.
However, when the ASP application tried to send an email to a recipient outside the network, it failed with a 5.7.1 error:
The Persits knowledge base has a helpful article identifying the problem: it means that “the SMTP server you are using is configured to reject messages sent to outside email addresses and originating from unauthorized IP addresses or users.”
So it’s a separate setting to be able to send mail outside the organization?
Yup, and for some reason it can only be enabled from the Exchange Management Shell, not from the Console. Once I found and executed the command at the bottom of this Petri article, sending mail to external recipients worked as well:
Get-ReceiveConnector "Default SBS" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Never in a million years would I have figured that one out. Thanks Mr. Petri!
Update 8/7/2010: Had to re-run the Internet connection wizard today. It unfortunately overwrote most of the above settings, and my mail wasn’t going out. So either don’t run that wizard, or make a note of your Exchange Hub Transport settings first.