Send-As anyone or Bypass Anti-Spam agents for a single mailbox using extended-rights with Exchange 2010

Posted on December 13, 2010

Roaming SMTP Solution for Exchange Servers

Looking for a quick and efficient method to allow roaming POP3 users or remote equipment to send e-mail from anywhere in the world? Typically ISPs block port 25 (SMTP) and force customers to send through their own SMTP servers to prevent spam, but finding the new SMTP server information and changing your settings every time you change networks is painful.

Our common solution for the roaming user is to open a separate SMTP port (generally 587 or 2525) and allow them to send from anywhere. As these users require authentication to send, you need to update the advanced settings on their POP3 profile to use the same username/password when sending, and change the SMTP port to either 587 or 2525 (whichever you chose). Simple and efficient.

What about network devices without actual mailboxes? For example: a network scanner or scheduled task that has no POP3 account?

Instead of creating a separate mailbox for every device, why not share one?
By default, if the sender address on an incoming message does not match the address of the authenticated mailbox, the server rejects it with "550 5.7.1 Client does not have permissions to send as this sender".
Here's how to fix that issue:

1) Forward external port 2525 or 587 on your firewall to port 25 on your Exchange server
2) Create an Exchange mailbox to be used for sending (e.g. deviceSMTP) and use a complex password
3) Load the Exchange Management Shell
4) Identify the default receive connector for port 25

Get-ReceiveConnector

mailserver\Client Mailserver {0.0.0.0:2525, :::25, 0.0.0.0:25} True

5) Apply the extended right to the user you created, so that sessions authenticated as that user can send with a sender address other than their own

Get-ReceiveConnector "mailserver\Client Mailserver" | Add-ADPermission -user "<user you created>" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Sender"

6) Set your network device to use authenticated SMTP, enter the username/password you created, and select port 2525 or 587.

Happy sending!

Bypass Anti-Spam agents for a specific mailbox

If your organization has a mailbox that requires unfiltered/unprotected mail, you can use extended rights to bypass the spam agents.

Get-ReceiveConnector "mailserver\Client Mailserver" | Add-ADPermission -user "<mailboxname>" -ExtendedRights "ms-Exch-Bypass-Anti-Spam"
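
An audit for both grants described above (send as any address, and anti-spam bypass), as an added example that is not part of the original post: it lists every account holding either extended right on any receive connector, so the shared device account and any bypass grant stay visible. The function names Get-ConnectorRelayRight and Revoke-ConnectorRelayRight are hypothetical; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# The two extended rights discussed on this page.
$SensitiveRights = 'ms-Exch-SMTP-Accept-Any-Sender', 'ms-Exch-Bypass-Anti-Spam'

function Get-ConnectorRelayRight {
    # Emit one row per (connector, account, right), for allow entries only.
    foreach ($connector in Get-ReceiveConnector) {
        $aces = Get-ADPermission -Identity $connector.Identity |
            Where-Object { $_.ExtendedRights -and -not $_.Deny }
        foreach ($ace in $aces) {
            foreach ($right in $ace.ExtendedRights) {
                # -contains is case-insensitive, so "Ms-Exch-..." also matches.
                if ($SensitiveRights -contains "$right") {
                    New-Object PSObject -Property @{
                        Connector = "$($connector.Identity)"
                        Bindings  = ($connector.Bindings -join ', ')
                        User      = "$($ace.User)"
                        Right     = "$right"
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

function Revoke-ConnectorRelayRight {
    param(
        [Parameter(Mandatory = $true)][string]$Connector,
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][string]$Right
    )
    # Undo a grant made with Add-ADPermission; the cmdlet asks for confirmation.
    Remove-ADPermission -Identity $Connector -User $User -ExtendedRights $Right
}

# Review who can send as any address or skip filtering, and on which bindings.
Get-ConnectorRelayRight |
    Sort-Object Connector, Right, User |
    Format-Table Connector, Bindings, User, Right, Inherited -AutoSize
```

Expect built-in principals in the output alongside any account that was granted a right by hand; the rows with Inherited set to False on the connector you modified are the ones added with Add-ADPermission.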