allowing anonymous email in Exchange 2010 (Printer/Fax device)

Say you have a network fax/printer/copier that scans to PDF and emails the result out via SMTP. Many of these devices cannot authenticate to an SMTP host (and some can only speak plain, unencrypted SMTP), so what do you do?

If you have already looked at the receive connector that accepts SMTP from the Internet to your Exchange 2010 server in the Exchange Management Console (EMC), you have 90% of what you need for the printers: the device connector is the same idea with a much tighter list of allowed remote addresses. Create a new Receive Connector using the wizard, call it Fax/Printer, and for the intended use choose Custom.


On the local network settings, list the addresses the server should listen on (the default, All Available IPv4, is fine), use port 25, and enter the FQDN the connector should present in its SMTP banner.


IMPORTANT: on the remote network settings, replace the default range (which covers every address) with the discrete IP addresses of your devices, or the smallest subnet that covers them and nothing else. This connector will shortly accept unauthenticated mail and, if you follow the relay step at the end, relay it anywhere, so the remote IP range is the only thing standing between you and an open relay. Even if your server sits behind NAT on private addresses, do not allow any Internet address, and allow no more than the fax/printer devices themselves.


Finish the wizard by clicking New, then open the properties of the newly created Fax/Printer Receive Connector. On the Authentication tab nothing is required; check Transport Layer Security (TLS) if you want to offer STARTTLS to devices that support it (it stays optional for those that do not). On the Permission Groups tab check only Anonymous Users.


That got me to the point where an email generated from the device might make it to an internal email address (the destination mailbox was inside our Exchange organization), but it probably ended up in the Junk E-mail folder. This is likely because of Exchange Content Filtering. If you submit mail authenticated to the SMTP host, it bypasses content filtering; otherwise Exchange examines it, and if you have a situation like the Konica/Minolta that I ran into, it decides that a message with no body and a PDF attachment is likely spam.

Here is a good, extensive flow chart of how messages are handled by Exchange 2010’s anti-spam and antivirus agents:

Understanding Anti-Spam and Antivirus Mail Flow

Next, I want email processed through this SMTP connector to not be subject to content filtering.  Exchangepedia.com solved this for me:

Disable Antispam agents on a Receive Connector

In my case the PowerShell line is: Get-ReceiveConnector "Fax/Printer" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -AccessRights ExtendedRight -ExtendedRights "ms-Exch-Bypass-Anti-Spam"

This grants the anonymous logon the Ms-Exch-Bypass-Anti-Spam extended right on that connector only, so mail arriving through the Fax/Printer connector skips the anti-spam agents while mail on your Internet-facing connector is still filtered.

So now I can send mail to internal/organizational mailboxes and it is delivered to their inboxes. Finally, I want to be able to deliver email outside of the organization, i.e. relay. Open SMTP relays are a bad hangover from the early 2000s, and Microsoft has rightly removed the opportunity for otherwise bored sysadmins to go click-happy on things they shouldn’t touch: allowing relay is no longer in the GUI EMC, so you’ll need PowerShell for that.

Allow Anonymous Relay on a Receive Connector

The PowerShell command: Get-ReceiveConnector "Fax/Printer" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -AccessRights ExtendedRight -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Only do this if the devices genuinely need to send to external addresses. Once Ms-Exch-SMTP-Accept-Any-Recipient is granted to the anonymous logon, every address in the connector’s remote IP range can relay through your server to anyone, which is exactly why the remote network settings above must list only the devices.
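The whole procedure, scripted end to end, as an added example that is not from the original post: it creates the connector with the same settings the wizard steps set, grants the two extended rights, and then audits every receive connector in the organization for anonymous relay so an over-broad remote IP range stands out. The server name, device addresses and FQDN are placeholders I have assumed; run it in the Exchange Management Shell on an Exchange 2010 Hub Transport server after replacing them.

```powershell
# Added example, not the original post's code. Assumed values (replace them):
#   HUB01            - the Hub Transport server that will host the connector
#   10.1.5.20/.21    - the fax/printer devices allowed to submit mail
#   mail.example.com - the FQDN presented in the SMTP banner
$Server  = 'HUB01'
$Name    = 'Fax/Printer'
$Fqdn    = 'mail.example.com'
$Devices = @('10.1.5.20', '10.1.5.21')   # keep this list as short as possible

# 1. Create the connector. -Bindings 0.0.0.0:25 is "All Available IPv4" on
#    port 25; -RemoteIPRanges is the wizard's "remote network settings" and
#    must never be left at the default 0.0.0.0-255.255.255.255.
#    -AuthMechanism Tls offers STARTTLS without requiring it; the permission
#    group is Anonymous Users only.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $Devices -Fqdn $Fqdn `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Qualify the identity as Server\Name so the lookup is unambiguous.
$Connector = Get-ReceiveConnector "$Server\$Name"

# 2. Let anonymous submissions on this connector skip the anti-spam agents
#    (fixes the "empty body + PDF lands in Junk E-mail" problem).
$Connector | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -AccessRights ExtendedRight -ExtendedRights 'ms-Exch-Bypass-Anti-Spam'

# 3. Only if the devices must mail external recipients: allow relay. This
#    turns the connector into an open relay for every address in
#    RemoteIPRanges, so step 1's address list is the real control here.
$Connector | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -AccessRights ExtendedRight -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 4. Audit: list every receive connector in the org that grants the anonymous
#    logon relay rights, together with its remote IP ranges. Anything here
#    with a wide range (or 0.0.0.0-255.255.255.255) is an open relay.
Get-ReceiveConnector | ForEach-Object {
    $c = $_
    $relay = $c | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object {
            -not $_.Deny -and
            ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*')
        }
    if ($relay) {
        [pscustomobject]@{
            Connector      = $c.Identity
            RemoteIPRanges = ($c.RemoteIPRanges -join ', ')
        }
    }
} | Format-Table -AutoSize
```

Step 4 is worth keeping on hand on its own: running it periodically catches the case where someone later widens a device connector's remote IP range "to make it work", which silently converts a printer connector into an Internet-reachable relay.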
