
Exchange 2013 – How to add Relay Connector from PowerShell

Adding a new Receive Connector is a standard procedure available through the GUI on Exchange 2010, Exchange 2013 and Exchange 2016. However, with the special settings a relay connector requires and the many additional options that come in handy, it is often simpler to do it in PowerShell. The method below shows how to create a new Receive Connector with relay options in PowerShell.

Solution

The following script quickly creates a relay connector on an Exchange server from a handful of settings, with the relay hosts populated from a text file.

$ReceiveConnector = "SMTP Relay" # Name of the connector
$Server = "MAIL2" # Name of the server (if you have more than one, rerun the script for each server)
$ReceiveConnectorFQDN = "relay.domain.pl" # FQDN of the connector (must match an available certificate for TLS to work)
$ServerReceiveConnector = "$Server\$ReceiveConnector"
$ReceiveConnectorBinding = "172.16.50.36:25" # Binding of Relay Connector
$ReceiveConnectorRange = "127.0.0.1" # Hosts allowed to relay. Will be overwritten by hosts from file
$ReceiveConnectorRangeFromFile = "C:\ExchangeScripts\Create-NewConnector.txt" # file with relay hosts

New-ReceiveConnector -Server $Server -Name $ReceiveConnector -Usage Custom -Bindings $ReceiveConnectorBinding -RemoteIPRanges $ReceiveConnectorRange

# Set required and useful settings for relay connector
Set-ReceiveConnector -Identity $ServerReceiveConnector -Bindings $ReceiveConnectorBinding
Set-ReceiveConnector -identity $ServerReceiveConnector -AuthMechanism "TLS","ExternalAuthoritative" -PermissionGroups AnonymousUsers,ExchangeServers
# The default "AnonymousUsers" permissions are as follows:
<#
    Ms-Exch-SMTP-Submit
    Ms-Exch-SMTP-Accept-Any-Sender
    Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
    Ms-Exch-Accept-Headers-Routing
#>
# The default "Externally Secured" permissions are as follows:
<#
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
    MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
    MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
    MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
    MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}
    This makes sure emails are treated as sent internally (secured, authenticated) and can also be delivered to groups that accept mail only from internal senders.
#>
Set-ReceiveConnector -identity $ServerReceiveConnector -TarpitInterval 00:00:00
Set-ReceiveConnector -identity $ServerReceiveConnector -ConnectionTimeout 00:30:00
Set-ReceiveConnector -identity $ServerReceiveConnector -ConnectionInactivityTimeout 00:20:00
Set-ReceiveConnector -identity $ServerReceiveConnector -MaxAcknowledgementDelay 00:00:00
Set-ReceiveConnector -identity $ServerReceiveConnector -MaxInboundConnection 10000
Set-ReceiveConnector -identity $ServerReceiveConnector -MaxInboundConnectionPercentagePerSource 100
Set-ReceiveConnector -identity $ServerReceiveConnector -MaxInboundConnectionPerSource unlimited
Set-ReceiveConnector -Identity $ServerReceiveConnector -Fqdn $ReceiveConnectorFQDN
Set-ReceiveConnector -Identity $ServerReceiveConnector -ProtocolLoggingLevel Verbose

# Set true Relay options
Get-ReceiveConnector -Identity $ServerReceiveConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Get-ReceiveConnector -Identity $ServerReceiveConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-exch-bypass-anti-spam"

# Set IP addresses from the file (overwrites the current RemoteIPRanges, including the placeholder set above)
$RelayHosts = Get-Content $ReceiveConnectorRangeFromFile | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
Set-ReceiveConnector -Identity $ServerReceiveConnector -RemoteIPRanges $RelayHosts

The text file with hosts should consist of one entry per line, each a single IP address or an address range, with no spaces before or after the entry:

172.16.1.1
172.16.1.2
85.200.11.20-85.200.11.25

Because running the script in the PowerShell ISE causes issues with Get-ADPermission, as described in one of our earlier blog posts, run it in the Exchange Management Shell instead.
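Two things are worth checking around the script above: that the hosts file really contains only the address forms Exchange accepts before it is applied, and that the finished connector does not combine anonymous ms-Exch-SMTP-Accept-Any-Recipient with a remote range so wide that it becomes an open relay. The following is an added example, not code from the original post or from Evotec; it assumes the Exchange Management Shell (Get-ReceiveConnector, Get-ADPermission) and the $ServerReceiveConnector and $ReceiveConnectorRangeFromFile variables from the script above. The function names and the 65536-address threshold are this example's own choices.

```powershell
# Added example, not part of the original post. Assumes the Exchange Management
# Shell and the variables from the script above; function names and the
# 65536-address threshold are assumptions made here.

function ConvertTo-IPv4Number {
    # Dotted IPv4 string -> integer, so the width of a range can be computed.
    param([string]$Address)
    $Bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # throws on octets above 255
    return ([int64]($Bytes[0]) * 16777216) + ([int64]($Bytes[1]) * 65536) + ([int64]($Bytes[2]) * 256) + [int64]($Bytes[3])
}

function Get-IPv4RangeSize {
    # Number of addresses covered by one RemoteIPRanges entry in the forms Exchange
    # accepts: single address, "low-high" range or CIDR "network/prefix".
    # Returns $null for anything else (IPv6 entries, garbage); throws on bad octets.
    param([string]$Entry)
    $IPv4 = '\d{1,3}(?:\.\d{1,3}){3}'
    if ($Entry -match "^($IPv4)$") {
        $null = ConvertTo-IPv4Number -Address $Matches[1]
        return [int64]1
    }
    if ($Entry -match "^($IPv4)-($IPv4)$") {
        $Size = (ConvertTo-IPv4Number -Address $Matches[2]) - (ConvertTo-IPv4Number -Address $Matches[1]) + 1
        if ($Size -lt 1) { throw "Range '$Entry' ends before it starts" }
        return $Size
    }
    if ($Entry -match "^($IPv4)/(\d{1,2})$" -and [int]($Matches[2]) -le 32) {
        $null = ConvertTo-IPv4Number -Address $Matches[1]
        return [int64][math]::Pow(2, 32 - [int]($Matches[2]))
    }
    return $null
}

function Read-RelayHostFile {
    # Reads the hosts file in the format described above: one entry per line.
    # Trims whitespace, skips blank lines and '#' comments, removes duplicates and
    # stops on the first entry that is not an IPv4 address, range or CIDR block,
    # so an invalid file is rejected before anything is applied to the connector.
    param([string]$Path)
    $Entries = @(Get-Content -Path $Path | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and -not $_.StartsWith('#') } | Sort-Object -Unique)
    foreach ($Entry in $Entries) {
        if ($null -eq (Get-IPv4RangeSize -Entry $Entry)) {
            throw "'$Entry' in $Path is not an IPv4 address, low-high range or CIDR block"
        }
    }
    return $Entries
}

function Test-RelayConnector {
    # Reads back what the connector really allows and flags the combination that
    # makes it an open relay: ANONYMOUS LOGON holding ms-Exch-SMTP-Accept-Any-Recipient
    # while a remote range is wider than $MaxAddressesPerRange.
    param(
        [string]$Identity,
        [int64]$MaxAddressesPerRange = 65536   # a /16; relay sources should be far fewer hosts than that
    )
    $Connector = Get-ReceiveConnector -Identity $Identity
    $Ranges = @($Connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $WideRanges = @($Ranges | Where-Object {
        $Size = Get-IPv4RangeSize -Entry $_
        $null -ne $Size -and $Size -gt $MaxAddressesPerRange
    })
    # Rights granted to ANONYMOUS LOGON by the Add-ADPermission lines in the script above
    $AnonRights = @($Connector | Get-ADPermission |
        Where-Object { "$($_.User)" -like '*\ANONYMOUS LOGON' -and -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } | Where-Object { $_ } | ForEach-Object { "$_" })
    $AnyRecipient = $AnonRights -contains 'ms-Exch-SMTP-Accept-Any-Recipient'
    [PSCustomObject]@{
        Identity         = "$($Connector.Identity)"
        AuthMechanism    = "$($Connector.AuthMechanism)"
        PermissionGroups = "$($Connector.PermissionGroups)"
        RemoteIPRanges   = $Ranges
        AnonymousRights  = $AnonRights
        WideRanges       = $WideRanges
        AnonymousRelay   = $AnyRecipient
        OpenRelayRisk    = ($AnyRecipient -and $WideRanges.Count -gt 0)
    }
}

# Validate the file first, then apply it and read the result back
$RelayHosts = Read-RelayHostFile -Path $ReceiveConnectorRangeFromFile
Set-ReceiveConnector -Identity $ServerReceiveConnector -RemoteIPRanges $RelayHosts
Test-RelayConnector -Identity $ServerReceiveConnector | Format-List
```

Read-RelayHostFile throws on the first bad line instead of letting Set-ReceiveConnector fail half-way, and it tolerates the stray whitespace the note above warns about. Test-RelayConnector works against the live connector, so it can be re-run after any later change; OpenRelayRisk turns true only when anonymous Accept-Any-Recipient is present together with a range wider than the threshold, and the fix is to narrow RemoteIPRanges to the actual relay sources rather than to lower the threshold. Like the script itself, run it from the Exchange Management Shell rather than the ISE.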

This post was last modified on March 20, 2016 12:24

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
