Relay for Exchange 2007 is configured on a Receive connector, and it can be locked down to specific IP addresses and users. As an example, to set up a Receive connector that accepts connections only from a list of specific IP addresses, run the following command on the Edge Transport or Hub Transport server:
New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers, ExchangeServers -Bindings 0.0.0.0:25 -AuthMechanism Tls, ExternalAuthoritative -RemoteIpRanges 149.171.135.0/24, 149.171.130.128/26, 149.171.130.192/26, 149.171.131.75, 149.171.131.81, 149.171.130.23, 149.71.70.0/24, 149.171.62.0/24, 149.171.130.32, 149.171.130.22, 129.94.41.94
- PermissionGroups – AnonymousUsers, ExchangeUsers, ExchangeServers, LegacyExchangeServers, Partners
- Bindings – 0.0.0.0:25
- AuthMechanism – Tls, ExternalAuthoritative
As shown in the image above, ticking the Anonymous Users box (the AnonymousUsers permission group) grants the following permissions to the Anonymous Logon security principal on the Receive connector:
- Ms-Exch-Accept-Headers-Routing
- Ms-Exch-SMTP-Accept-Any-Sender
- Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
- Ms-Exch-SMTP-Submit
However, that set does not include the right to relay to recipients outside your accepted domains. To allow anonymous relay on this Receive connector, you must also grant the following permission to the Anonymous Logon security principal on the Receive connector:
- Ms-Exch-SMTP-Accept-Any-Recipient
This is done by running the following command:
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
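Because that extra right turns the connector into a relay for whatever RemoteIpRanges allows, it is worth auditing regularly. The following script is an added example, not part of the original post: it lists every Receive connector that grants Accept-Any-Recipient to ANONYMOUS LOGON together with the source ranges it trusts, and flags connectors whose range is the unrestricted default. It assumes the Exchange Management Shell on PowerShell 2.0 or later and that IPRange values render as CIDR or lower-upper strings, as they do in the shell.

```powershell
# Added audit script (not from the original post). Assumes Exchange Management
# Shell, PowerShell 2.0+, and that RemoteIPRanges entries stringify as
# "a.b.c.d/nn" or "a.b.c.d-e.f.g.h" (the default unrestricted range is
# "0.0.0.0-255.255.255.255").

function Get-AnonymousRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        # Find an explicit Allow ACE that gives the anonymous principal the
        # Accept-Any-Recipient extended right (Deny entries are ignored).
        $relayAce = $rc | Get-ADPermission |
            Where-Object {
                ($_.User -like '*ANONYMOUS LOGON*') -and
                (-not $_.Deny) -and
                ("$($_.ExtendedRights)" -like '*Accept-Any-Recipient*')
            }
        if (-not $relayAce) { continue }

        # Connectors that accept relay from every address are open relays;
        # everything else is listed so the ranges can be reviewed by hand.
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
        $openRelay = ($ranges -contains '0.0.0.0-255.255.255.255') -or
                     ($ranges -contains '0.0.0.0/0') -or
                     ($ranges -contains '::/0')

        New-Object PSObject -Property @{
            Connector      = "$($rc.Identity)"
            Bindings       = (@($rc.Bindings | ForEach-Object { "$_" }) -join ', ')
            RemoteIPRanges = ($ranges -join ', ')
            OpenRelay      = $openRelay
        }
    }
}

# Any row with OpenRelay = True should have -RemoteIpRanges narrowed with
# Set-ReceiveConnector to the hosts that actually need to relay.
Get-AnonymousRelayConnectors |
    Select-Object Connector, Bindings, RemoteIPRanges, OpenRelay |
    Format-Table -AutoSize
```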