Creating a Receive Connector to Use for Sending Email from PowerShell
Some of the PowerShell scripts I use and/or write send email to either users or myself. In order for that to work, a Hub Transport server has to allow the SMTP traffic from the script. So, we need a receive connector that will allow the email to be sent under the right conditions. Here’s how we can easily accomplish that.
I find it best to run scripts that send email right from a Hub Transport server. So we’ll create a new receive connector called “Internal Relay” using the New-ReceiveConnector cmdlet, and set it to allow mail only from itself. This is done with the -RemoteIPRanges parameter, which limits the source addresses the connector will accept mail from. We’ll set it to 127.0.0.1, the loopback address for the server.
Since we don’t need to authenticate, we’ll set -AuthMechanism to ‘none’, and set -PermissionGroups to ‘AnonymousUsers’.
Last, we’ll set it to enabled, and configure which server it should be on. Remember, it needs to be on a server holding the Hub Transport role.
New-ReceiveConnector -Name "Internal Relay" -Bindings 0.0.0.0:25 -RemoteIPRanges 127.0.0.1 -AuthMechanism Tls -Enabled $true -Fqdn "myserver.mydomain.com" -PermissionGroups AnonymousUsers -Server mysever
Change the highlighted info to suit your needs. I use 127.0.0.1 if I’ll be running the scripts on the local Exchange server.
We allow anonymous users to actually relay by granting the ‘ms-Exch-SMTP-Accept-Any-Recipient’ extended right to the Anonymous Logon account using Add-AdPermission. This is done using:
Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
We can also grant NT Authority\Anonymous Logon the right to bypass anti-spam agents using:
Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-exch-bypass-anti-spam"
We can pipe all of the commands together into a one-liner. The finished script looks like this:
New-ReceiveConnector -Name "Internal Relay" -Bindings 0.0.0.0:25 -RemoteIPRanges 127.0.0.1 -AuthMechanism Tls -Enabled $true -Fqdn "myserver.mydomain.com" -PermissionGroups AnonymousUsers -Server mysever | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient", "ms-exch-bypass-anti-spam"
This gives us a connector that we can use to send email from PowerShell. Verify it by using
Get-ReceiveConnector -Name "Internal Relay" | Get-ADPermission | ft User, ExtendedRights
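A broader check than the one above, as an added example that is not part of the original post: it lists every receive connector on which NT AUTHORITY\ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient and flags any whose RemoteIPRanges go beyond loopback, since that range is the only thing limiting who can relay without authenticating. The $localOnly list and the output column names are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Lists every receive connector on which anonymous senders may relay, and flags
# any whose RemoteIPRanges reach beyond the local server.
$relayRight  = 'ms-Exch-SMTP-Accept-Any-Recipient'
$bypassRight = 'ms-Exch-Bypass-Anti-Spam'
$localOnly   = @('127.0.0.1', '::1')   # assumption: scripts run on the server itself

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Extended rights explicitly allowed (not denied) to the anonymous logon account.
    $anonRights = @(
        Get-ADPermission -Identity $connector.Identity |
            Where-Object { $_.User -like '*ANONYMOUS LOGON' -and -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } |
            Where-Object { $_ } |
            ForEach-Object { "$_" }
    )
    if ($anonRights -notcontains $relayRight) { return }   # no anonymous relay here

    # Any source range that is not loopback is a host or network that can relay
    # through this connector without authenticating.
    $ranges   = @($connector.RemoteIPRanges | ForEach-Object { "$_" })
    $nonLocal = @($ranges | Where-Object { $localOnly -notcontains $_ })

    New-Object PSObject -Property @{
        Connector        = "$($connector.Identity)"
        RemoteIPRanges   = ($ranges -join ', ')
        BypassesAntiSpam = ($anonRights -contains $bypassRight)
        LoopbackOnly     = ($nonLocal.Count -eq 0)
    }
} | Format-Table Connector, RemoteIPRanges, BypassesAntiSpam, LoopbackOnly -AutoSize
```

A row with LoopbackOnly set to False means the listed ranges should be reviewed and narrowed to the specific hosts that need to relay.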
In the coming posts, we’ll use this to our advantage.
First you say to configure the authmechanism with None, but write in your cmds Tls..
Second, you have a typo with -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient, ms-exch-bypass-anti-spam”. Since this is not a STRING, you have to use it without “”.
Could you please help me with the following. I read your posts of powershell scheduled task, new-passwordreminder.ps1 script and this one. I have 1 problem and I just can’t figure it out. I try to run the script in an EMS prompt. However, it acts like it executes something but it doesn’t do anything. Once I fire up an elevated cmd prompt for the domain admin ( the account which was used to configure Exchange ) it does launch the script. Do you perhaps know what I am doing wrong under my default account? I guess it is an access issue… Already searched in the receive connector for permission mismatch but I really am at a dead end.
Sorry, to be complete:
– I have 1 server which holds all roles without an edge role
– The script I am talking about is the script: new-passwordreminder.ps1 which I downloaded from your other forum.
Everything works as I am already live for 1 year.
On the scheduled task, is the checkbox for run with highest privileges checked? It should be.
Hi Pat,
Thanks for the reply.
First I was pretty sceptical when I read your comment as I thought that I wouldn’t be so stupid to forget that option.. but it turns out I did hahaha. Okay I enabled it, set the scheduled task to run every 3 days so I will confirm when everything works out.
Hi Pat,
Still no luck…
I am a domain admin at my domain so I think I should have the required rights, right?
Do you know how I can find out if I have the requested access?
If I run the script manually, open it in EMS it also doesn’t work with my account.
It does however work on another admin account ( the domain admin account which was used to set up exchange ).
I also manually followed your script and I received the following error while trying the send-mailmessage command from my domain admin account ( not the account originally used ):
Send-MailMessage : Mail cannot be sent because no SMTP server was specified.
Could you please help me out on this one.
I don’t mind creating a new account and setting it up with the correct access rights; if you know which access rights I require then I will add them.
Your help will be much appreciated.
Sorry to double post but I made a mistake in my last post, forgot the option -smtpserver X.X.X.X and I included it and it now says:
Send-MailMessage : Mailbox unavailable. The server response was: 5.7.1 Client does not have permissions to send as this sender
Any idea how to get the required rights?
Already added the connector rights so I am able to send mail to people now. Only, I still can’t run the scheduled job with my account. It runs but it doesn’t send off any mail.
But we made progress 😀 I now can run it manually and the emails are being delivered 😀 when I do the following:
Start –> Run
c:\windows\system32\windowspowershell\v1.0\powershell.exe -psconsolefile “C:\Program Files\Microsoft\Exchange Server\V14\Bin\exshell.psc1”
Once loaded I do:
e:\website\new-passwordreminder.ps1
And that works.
I also have this in the scheduled jobs, but that one doesn’t work.
Action: Start a program:
Program/Script: c:\windows\system32\windowspowershell\v1.0\powershell.exe
Add arguments(optional): -psconsolefile “C:\Program Files\Microsoft\Exchange Server\V14\Bin\exshell.psc1” -command “New-PasswordReminder.ps1”
Start in: E:\website
I copy-pasted it so if I am missing quotes, please let me know.
Any ideas?