In this article, we are going to take a look at just how easy it can be to copy an anonymous receive connector from one server to another using PowerShell.
This is especially important in scenarios where a receive connector may have dozens–if not hundreds–of IPs. Adding each IP using the graphical user interface would be insanely time-consuming. It would also be prone to human error. This challenge only multiplies if you have many servers to repeat this process on. With PowerShell, we can cut this task down to mere seconds.
The first part of this article is a primer on how to configure an anonymous receive connector. If you are just interested in how to copy all IPs from one connector to another, jump to the section titled Copying an Anonymous “Relay” Connector between servers.
Note: While this article focuses on moving an anonymous receive connector, it can be adapted for any custom receive connector you have created.
A quick primer on anonymous receive connectors
Before we explore how to move a receive connector, let’s take a refresher on how we create a receive connector with PowerShell. For this task, we use the New-ReceiveConnector cmdlet. For example, to create an anonymous receive connector, our command might look like this.
C:\> New-ReceiveConnector -Name "Anonymous Relay" -Server EX16-01 -Usage Custom -TransportRole FrontEndTransport -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.0.25, 10.0.0.26, 10.0.0.50-10.0.0.59
In this command, we create a receive connector named “Anonymous Relay”. We use the -Server parameter to identify which server we want the connector to be created on. We identify that the -Usage of the connector will be Custom. Custom is one of five connector types and is used for anonymous relays.
The -TransportRole identifies whether this connector should be a FrontEndTransport or a HubTransport. Front-end transport is a connector that accepts messages from client connections. When I say client connections this is anything external to the Exchange servers coming in. Hub transport is designed solely to accept messages from another Exchange server. Whenever configuring a relay you will always go with FrontEndTransport.
The -PermissionGroups identifies what type of connections this connector will accept. For the purposes of our relay, we went with AnonymousUsers. Assigning this permission grants the NT Authority\Anonymous Logon account several permissions to the connector, including ms-Exch-SMTP-Accept-Any-Sender. For a full list of connector permissions and permission groups check out this article from TechNet.
The -Bindings parameter configures the IP address and port number the Exchange server should listen on. Specifying a string of zeroes instructs Exchange to listen on all its assigned IPs. We left the port number at 25 as this is the default for SMTP. However, it is possible to configure your relay on a custom port.
The -RemoteIPRanges lists all the IPs that will be permitted to relay through this connector. You can specify individual IPs or IP ranges. This parameter will accept a comma-separated list of IPs and IP ranges. In our example, we went with two individual IPs and one IP range.
If you want your anonymous receive connector to be able to relay to email addresses outside your organization, you will need to add one additional permission. This is MS-Exch-SMTP-Accept-Any-Recipient.
C:\> Get-ReceiveConnector "EX16-01\Anonymous Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

Identity                 User                          Deny  Inherited
--------                 ----                          ----  ---------
EX16-01\Anonymous Relay  NT AUTHORITY\ANONYMOUS LOGON  False False
Copying an Anonymous “Relay” Connector between servers
While PowerShell is certainly much easier than adding IPs via the graphical user interface, the previous example is still cumbersome. In this section, we will take New-ReceiveConnector to the next level. But first, let’s take a look at the Get-ReceiveConnector cmdlet.
Get-ReceiveConnector allows us to return all attributes from a specific receive connector. To examine the connector we just created, our command would look like this. Remember that if the name of your connector has spaces, you will need to enclose it in quotation marks.
C:\> Get-ReceiveConnector -Identity "EX16-01\Anonymous Relay" | Format-List
If we wanted to return just the information on the IP addresses we could issue a command such as this.
C:\> (Get-ReceiveConnector -Identity "EX16-01\Anonymous Relay").RemoteIPRanges

LowerBound  : 10.0.0.50
UpperBound  : 10.0.0.59
Netmask     :
CIDRLength  :
RangeFormat : LoHi
Size        : ::a
Expression  : 10.0.0.50-10.0.0.59

LowerBound  : 10.0.0.26
UpperBound  : 10.0.0.26
Netmask     :
CIDRLength  :
RangeFormat : SingleAddress
Size        : ::1
Expression  : 10.0.0.26

LowerBound  : 10.0.0.25
UpperBound  : 10.0.0.25
Netmask     :
CIDRLength  :
RangeFormat : SingleAddress
Size        : ::1
Expression  : 10.0.0.25
The output of the previous command can be used as the source data for a new connector on another server.
To do this, we will embed the Get-ReceiveConnector command within New-ReceiveConnector.
For example, to create a new receive connector on server EX16-02 using all remote IP data from EX16-01, our command would look as follows.
C:\> New-ReceiveConnector -Name "Anonymous Relay" -Server EX16-02 -Usage Custom -TransportRole FrontEndTransport -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIPRanges (Get-ReceiveConnector "EX16-01\Anonymous Relay").RemoteIPRanges

Identity                 Bindings      Enabled
--------                 --------      -------
EX16-02\Anonymous Relay  {0.0.0.0:25}  True
In this command, you can see we replace the comma-separated list of IPs and IP ranges with our Get- cmdlet. We can confirm all IPs came across by rerunning the Get-ReceiveConnector cmdlet against the new server. You can repeat this command for each server you need to copy this connector.
Don’t forget that if you need your anonymous relay to be able to send an email outside your organization you will need to add the MS-Exch-SMTP-Accept-Any-Recipient permission.
C:\> Get-ReceiveConnector "EX16-02\Anonymous Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
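The confirmation step described above can be scripted. The following is an added example, not part of the original article: it compares RemoteIPRanges on the two connectors by their Expression strings, flags a destination that accepts any IPv4 source, and lists the extended rights anonymous connections hold on each connector. Compare-RelayRange is a hypothetical helper name, and the script assumes it is run in the Exchange Management Shell with the server and connector names used in this article.

```powershell
# Added example: verify a copied relay connector against its source.
function Compare-RelayRange {   # hypothetical helper, not an Exchange cmdlet
    param(
        [Parameter(Mandatory)][string[]]$SourceRange,
        [Parameter(Mandatory)][string[]]$DestinationRange
    )
    [pscustomobject]@{
        # Ranges that did not make it across
        MissingOnDestination = @($SourceRange | Where-Object { $_ -notin $DestinationRange })
        # Ranges present only on the copy (should normally be empty)
        ExtraOnDestination   = @($DestinationRange | Where-Object { $_ -notin $SourceRange })
        # 0.0.0.0-255.255.255.255 is what a connector gets when no range is supplied;
        # on an anonymous relay it means every IPv4 host may connect
        OpenToAnyIPv4        = $DestinationRange -contains '0.0.0.0-255.255.255.255'
    }
}

$source      = 'EX16-01\Anonymous Relay'
$destination = 'EX16-02\Anonymous Relay'

# Expression (shown in the RemoteIPRanges output earlier) is the range as a string
$srcRanges = (Get-ReceiveConnector -Identity $source).RemoteIPRanges |
    ForEach-Object { $_.Expression }
$dstRanges = (Get-ReceiveConnector -Identity $destination).RemoteIPRanges |
    ForEach-Object { $_.Expression }

Compare-RelayRange -SourceRange $srcRanges -DestinationRange $dstRanges | Format-List

# Extended rights granted to anonymous connections on each connector, so that
# MS-Exch-SMTP-Accept-Any-Recipient is present only where it was intended
foreach ($id in $source, $destination) {
    Get-ADPermission -Identity $id -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { $_.ExtendedRights } |
        Select-Object @{ n = 'Connector'; e = { $id } }, ExtendedRights, Deny, IsInherited
}
```

Both range lists should come back empty and OpenToAnyIPv4 should be False before the new connector is put into service.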
Stefano says
Tried the command to copy a receive connector but got the error message
Cannot process argument transformation on parameter ‘RemoteIPRanges’. Cannot convert value “172.22.0.0/16
172.21.0.0/16” to type “Microsoft.Exchange.Data.MultiValuedProperty`1[Microsoft.Exchange.Data.IPRange]”. Error:
“Cannot convert value “172.22.0.0/16” to type “Microsoft.Exchange.Data.IPRange”. Error:
“SerializationTypeConverter.DeserializeObject(Microsoft.Exchange.Data.IPRange). Type is not allowed for custom
construction. Deserialization Failed Error: System.Exception: SerializationData is not signed.
at Microsoft.Exchange.Data.SerializationTypeConverter.VerifySerializationDataAndGetOriginalSerializationData(Byte[]
serializationData, Boolean mustVerify)
at Microsoft.Exchange.Data.SerializationTypeConverter.DeserializeObject(Object sourceValue, Type destinationType)””
+ CategoryInfo : InvalidData: (:) [New-ReceiveConnector], ParameterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,New-ReceiveConnector