I recently worked on a project where my customer had a load-balanced VIP for SMTP. There were two Exchange 2010 CAS-Hub servers included in the VIP, and the 2010 servers had a relay connector configured for anonymous access for applications like scan-to-email and HR applications. So how do we move this service to our lovely new Exchange 2016 servers?
- Create the Frontend Transport service relay connectors on both Exchange 2016 servers, called 'Relay'
- Then run this script to copy all of the relay IPs to the new Exchange 2016 relay connectors
  Credit: https://gallery.technet.microsoft.com/office/Copy-a-receive-connector-b20b9bef
- Then on Exchange 2016 server 1 we run these commands
  Servers are contoso1 & contoso2, and <FSMO DC> is the FSMO domain controller

    Set-ReceiveConnector "contoso1\Relay" -PermissionGroups AnonymousUsers,ExchangeServers -DomainController <FSMO DC>
    Get-ReceiveConnector "contoso1\Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController <FSMO DC>
    Set-ReceiveConnector "contoso2\Relay" -PermissionGroups AnonymousUsers,ExchangeServers -DomainController <FSMO DC>
    Get-ReceiveConnector "contoso2\Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController <FSMO DC>

- Add a server IP like the AD Connect server into the relay connector scope on both contoso1 and contoso2
- Then run this command from the AD Connect server to each of the Contoso servers

    telnet <SMTP VIP> 25
    helo
    mail from:sean@contoso.com
    rcpt to:sean.ofarrell@yahoooooo.com
    data
    Test from Sean.
    .

- Once the email comes through, we can then remove the Exchange 2010 server from the SMTP VIP and disable the relay connector on the Exchange 2010 servers.
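
The commands above let anonymous senders on this connector relay to any recipient, so the connector's remote IP scope is the only control on who can relay. The following is an added example, not part of the original post or the linked script, that flags over-broad scope entries after the copy. The function names, the 256-address threshold and the sample ranges are assumptions, and it assumes entries render as single IPs, CIDR blocks or start-end ranges.

```powershell
# Added example: size each entry of a relay connector's remote IP scope.
# Function names, threshold and sample ranges are assumptions (constructed).
function ConvertTo-IPv4Number {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3]
}

function Get-RelayScopeSize {
    param([string]$Range)
    try {
        if ($Range -match '^(.+)/(\d+)$') {          # CIDR block
            [void](ConvertTo-IPv4Number $Matches[1])
            return [math]::Pow(2, 32 - [int]$Matches[2])
        }
        if ($Range -match '^(.+)-(.+)$') {           # start-end range
            return (ConvertTo-IPv4Number $Matches[2]) - (ConvertTo-IPv4Number $Matches[1]) + 1
        }
        [void](ConvertTo-IPv4Number $Range)          # single address
        return 1
    } catch {
        return $null                                 # IPv6 or unknown format
    }
}

function Test-RelayScope {
    param([string[]]$RemoteIPRanges, [double]$MaxAddresses = 256)
    foreach ($r in $RemoteIPRanges) {
        $size = Get-RelayScopeSize $r
        if ($null -eq $size) {
            $verdict = 'REVIEW'                      # needs a manual look
        } elseif ($size -gt $MaxAddresses) {
            $verdict = 'TOO BROAD'                   # anonymous relay for a whole network
        } else {
            $verdict = 'ok'
        }
        [pscustomobject]@{ Range = $r; Addresses = $size; Verdict = $verdict }
    }
}

# Constructed sample values. Against a live server, pass instead:
#   (Get-ReceiveConnector 'contoso1\Relay').RemoteIPRanges | ForEach-Object { "$_" }
$sample = '10.20.30.15', '10.20.30.0/24', '10.0.0.0/8',
          '0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'
Test-RelayScope $sample | Format-Table -AutoSize
```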
Finally, a lot of my customers do not trust Exchange Online Protection and use services like Mimecast, Proofpoint, or Cisco Cloud Email Security, and once the SPF records for the domains match the service it can normally be much easier to set up SMTP relay via these SaaS services.