I recently worked on a project where my customer had a load balanced vip for SMTP. There were two Exchange 2010 cas-hub servers included in the vip. And the 2010 servers had a relay connector for anonymous access configured for applications like scan to email and HR applications. So how do we move this service to our lovely new Exchange 2016 servers.
- Create the fronted transport service relay connectors on both Exchange 2016 servers called ‘Relay’
- Then run this script to copy all of the relay ips to the new Exchange 2016 relay connectors
- Then on Exchange 2016 server 1 we run these commands
Servers are contso1 & contoso2
Set-ReceiveConnector “contso1\Relay” -PermissionGroups AnonymousUsers,Exchangeservers -DomainController FSMO DCGet-ReceiveConnector “contso1\Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController FSMO DCSet-ReceiveConnector “contso2\Relay” -PermissionGroups AnonymousUsers,Exchangeservers -DomainController FSMO DCGet-ReceiveConnector “contso2\Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController FSMO DC
- Add a server IP like the ad connect server into the relay connector scope on both contoso1 and contoso2
- Then run this command from the AD Connect server to each of the Contoso servers
telnet SMTP VIP 25
Test from Sean.
- Once the email comes through we can then remove the Exchange 2010 server from the SMTP VIP and disable the relay connector on the Exchange 2010 servers.
Finally a lot of my customers do not trust Exchange Online Protection and use services like Mimecast , Proofpoint, Cisco Cloud Email Security and once the SPF records for the domains matches the service it can normally be much easier to set up smtp relay via these saas services.