I was recently helping out a colleague at another school as they were having difficulty in a specialised application sending e-mails to external addresses. After a bit of investigating we found that the send connector configured for internet e-mail wasn’t allowing anonymous connections to it (which is dangerous) but since this particular application didn’t allow us to specify authentication details we were forced to enable anonymous relay for this connector.
I will first show you the PowerShell command that we used to grant the anonymous permissions for the connector that you specify:
Get-ReceiveConnector “Default SBSSERVER” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
Now the above is really one command getting piped into another, so first of all we are specifying a particular receive connector, in this case Default SBSSERVER (change this to reflect the connector you want to modify). We are then simply giving rights to anonymous logons (anyone) telling exchange to accept any recipient.
Now as for securing this connector, I would strongly suggest creating a separate one for this particular application (for example Sales App Connector). We then add incoming IP restrictions, by editing the properties of the receive connector and adding entries to Receive mail from remote servers that have these IP addresses using either specific IP addresses or IP ranges in CIDR notation (so 10.1.0.0/16).
And there you have it, allowing anonymous connections / relay for internal applications to use.