We're moving our relay from an Exchange 2003 server to an Exchange 2010 server. I was hoping the "Grant or deny relay permissions to specific users or groups" option would still be available in some form, but I can't find out how to do it. I've read up on receive connectors and so far I can't get it to work. I have edited the security on the Receive Connector to allow the following extended rights to the group and added computer accounts to that group:
- Accept Routing Headers
- Bypass Anti-spam
- Submit to Server
- Accept any Sender
- Accept any Recipient
Then I suddenly realised while testing... How would the receive connector resolve the permission to a particular AD object, maybe a reverse DNS lookup? What I'd like to know is if what I'm trying to achieve is possible, and how it would be possible.
I would rather not revert to an IP-based list as this is not as manageable, and I'm trying to avoid creating static IPs/reservations for a number of workstations that would otherwise not need them.
Based on your comments on @Noor's answer I am suspecting that what you're looking for is:
If that is what you're looking for, there's no way to do it unless all the SMTP clients on the given computer are capable of authenticating to Exchange with the machine's AD computer account. Most SMTP clients aren't (in fact, I can't think of a single one that can). The source IP address of an incoming SMTP connection to Exchange doesn't cause any authentication to happen and does not build a security token that Exchange can query for group memberships. IP addresses and security principals are orthogonal.
The better way to do this would be to generate service credentials (with whatever granularity of accounts you're comfortable with-- one for every SMTP client is my preference) and grant those credentials rights to relay. Then you can configure each SMTP client to authenticate and relaying will be allowed based on the credentials.
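The approach this answer describes (a connector that accepts only authenticated sessions, with relay rights granted to service credentials rather than to IP addresses), as an added example in the Exchange 2010 Management Shell. This is not the answerer's code; the connector name, port binding, FQDN, security group and account names are assumptions, and the cmdlets and extended-right names are the standard Exchange 2010 ones.

```powershell
# Added example, not from the original answer. Run in the Exchange 2010 Management Shell.
# Assumed names: connector, FQDN, the group that holds the per-client service accounts.
$ConnectorName = "Authenticated Relay"
$RelayGroup    = "CONTOSO\SMTP-Relay-Clients"
$RelayRights   = @(
    "ms-Exch-SMTP-Submit",                 # required to submit anything at all
    "ms-Exch-SMTP-Accept-Any-Recipient",   # the actual "relay to external domains" right
    "ms-Exch-SMTP-Accept-Any-Sender"       # only if clients send with arbitrary MAIL FROM
)

# 1. Dedicated connector on its own port, offering only authenticated mechanisms and
#    requiring TLS before credentials are sent. No -PermissionGroups is set on purpose:
#    ExchangeUsers would let every authenticated domain user relay, which is broader
#    than a per-client service account model.
New-ReceiveConnector -Name $ConnectorName -Usage Custom `
    -Bindings "0.0.0.0:587" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -Fqdn "mail.contoso.example" `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS `
    -RequireTLS $true

# 2. Create one service account per SMTP client with your usual tooling (New-ADUser)
#    and make each a member of $RelayGroup. Then grant the relay rights to the group.
#    These ACEs are checked against the security token of the authenticated session,
#    which is exactly why identical grants do nothing for an unauthenticated connection
#    arriving from a "trusted" IP address.
Get-ReceiveConnector $ConnectorName |
    Add-ADPermission -User $RelayGroup -ExtendedRights $RelayRights

# 3. Verify the grant landed on the connector.
Get-ReceiveConnector $ConnectorName |
    Get-ADPermission -User $RelayGroup |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Format-Table Identity, User, ExtendedRights -AutoSize
```

Each SMTP client is then configured with its own service account (STARTTLS on port 587, basic or integrated authentication). Because the rights sit on a group, revoking a single client is a group-membership change rather than an ACL edit, and the default Client and Default connectors keep their existing, narrower permissions.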
There are extra security settings that you can edit using PowerShell; you can't edit those using the GUI. You can tell Exchange who should be using the connector by using this PowerShell command:
As an example, I usually use this command to allow anonymous access to a connector:
More information can be found here: http://help.globalscape.com/help/me3/configuring_authenticated_access_to_exchange.htm
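Because the relay rights live in per-connector ACLs that the GUI does not show, it is worth being able to list who currently holds the "accept any recipient" right on every receive connector, and in particular whether an anonymous grant exists. The following audit one-liner is an added example, not from this answer; it uses only standard Exchange 2010 cmdlets and assumes nothing about your connector names.

```powershell
# Added example, not from the original answer. Lists every non-deny ACE that grants
# ms-Exch-SMTP-Accept-Any-Recipient on any receive connector, flagging anonymous grants.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    Get-ADPermission -Identity $connector.Identity |
        Where-Object {
            -not $_.Deny -and
            $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"
        } |
        Select-Object `
            @{ Name = "Connector"; Expression = { $connector.Name } },
            @{ Name = "Server";    Expression = { $connector.Server } },
            User,
            @{ Name = "Anonymous"; Expression = { $_.User -like "*ANONYMOUS LOGON*" } },
            IsInherited
} | Sort-Object Connector, User | Format-Table -AutoSize
```

A row with Anonymous set to True means that connector will relay for any unauthenticated client within its RemoteIPRanges, so that connector's IP scope should be as narrow as possible; rows for broad groups such as Authenticated Users mean every domain account can relay through it.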