Creating an Exchange 2010 & 2007 SMTP Relay Connector with No Authentication

Adam Jones - Systems Engineer

Last week I was tasked with creating a receive connector for relaying email messages from a group of computers in a remote office running an emergency alert messaging program through a Microsoft Exchange 2010 server. My goal was to limit the scope of machines allowed to send through the connector to a specific range of addresses that contained trusted, protected computers for this task. Since the software did not support SMTP authentication and the group of machines were trusted and members of the same domain, my preference and only real option was to configure the connector for no authentication. Easy, right? It turns out, at least for now, that’s not the case!

After poking around the authentication tab for a “No Authentication” (or similar) option, I was stunned and quite sure I was missing something. There seemed to be no suitable option! I turned my focus to the support site for the messaging software, thinking that there must be a way to enable authentication in their application, only to hit another roadblock!

Now for the trick! After skimming a couple of lengthy TechNet articles and deciphering a few Exchange shell commands I realized that the answer was right in front of me. On the “Authentication” tab inside the connector’s properties, there is a handy option titled “Externally Secured”. What I did not know beforehand is that this option essentially tells the Exchange server not to worry about authentication because there is some other method authenticating this connection for me. The catch is that if you do not provide that alternative external method, there is no authentication happening!

This is a good tip to know for two reasons. First, this is your ticket to setting up a simple SMTP relay on your network for a trusted server with no authentication required. Second, you need to be certain that your external authentication method, such as a VPN link or IPsec, is properly configured and secured before using this option as your only method.

 *See this note from MS TechNet article bb1738161:

Configuring a Receive connector as externally secured without using an Externally Secured authentication method is functionally equivalent to configuring the Receive connector as an open relay for the external SMTP server. The messages that originate from the external SMTP server are treated as authenticated messages. The messages bypass anti-spam checks and message size limit checks. The external SMTP server is allowed to submit messages as if they originated from internal senders within your Exchange organization.
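
The same connector can be created and then audited from the Exchange Management Shell, where the "Externally Secured" checkbox corresponds to the ExternalAuthoritative authentication mechanism. This is an added example, not a command sequence from the original post. The server name, connector name, binding and address range are placeholders to replace with your own.

```powershell
# Run in the Exchange Management Shell on Exchange 2010/2007.
# Assumed placeholders (not from the original post): server name, connector
# name, listener binding and the trusted address range.
$server  = 'EXCH01'
$name    = 'Alert Relay (Externally Secured)'
$trusted = '192.0.2.10-192.0.2.20'   # constructed range; use your own

# Create a custom connector that only accepts connections from the trusted
# range. Keeping this range narrow is the only thing limiting who may relay.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $trusted

# "Externally Secured" in the GUI is ExternalAuthoritative here; Exchange
# requires the ExchangeServers permission group alongside it.
Set-ReceiveConnector -Identity "$server\$name" `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Audit: list every externally secured connector with its allowed ranges and
# flag any that still accept the entire IPv4 address space (the open-relay
# case the TechNet note describes). IPv6 ranges are shown but not flagged.
Get-ReceiveConnector |
    Where-Object { "$($_.AuthMechanism)" -match 'ExternalAuthoritative' } |
    Select-Object Identity,
        @{ n = 'RemoteIPRanges'; e = { $_.RemoteIPRanges -join ', ' } },
        @{ n = 'OpenToAll'; e = {
            ($_.RemoteIPRanges -join ',') -match '0\.0\.0\.0-255\.255\.255\.255' } } |
    Format-Table -AutoSize
```

Any row with OpenToAll set to True is an externally secured connector with no address restriction and should be narrowed with Set-ReceiveConnector -RemoteIPRanges.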