Checking Exchange 2010 for Open Relay Configuration

There is plenty of information on the web that instructs us how to configure Exchange 2010 (or 2007) to allow for relay of SMTP to external recipients (Open Relay). For example, Microsoft has posted these instructions.

However, I couldn’t easily find any information about how to check if this was already configured. This could be handy in verifying that a recent configuration was successful or with troubleshooting an open relay issue. The following PowerShell command checks all Receive Connectors on all Exchange servers (2007 & 2010) and returns any Receive Connectors that have been granted the ability to relay to external recipients.

Get-ReceiveConnector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Where {$_.ExtendedRights -like "Ms-Exch-SMTP-Accept-Any-Recipient"}

Limit MAPI client access to Exchange by version

This article describes a feature that you can use to disable MAPI client access to a computer that is running Microsoft Exchange Server 2007, Microsoft Exchange Server 2003, or Microsoft Exchange 2000 Server based on the version number of the Emsmdb32 file. This feature was introduced in Microsoft Exchange 2000 Server Service Pack 1 (SP1).

The information below was obtained from the Microsoft TechNet website. This is not the complete article, which can be found at the following URL:

Build numbers and corresponding MAPI version numbers for relevant versions of Outlook

| Version | Build number | MAPI number |
| --- | --- | --- |
| Exchange 2003 or Exchange 2000 | 6.1.0–6.9999.0 | 6.x |
| Outlook 2003 | 11.0.5604.0 | 11.5604 |
| Outlook 2002 SP3 | 10.0.6515.0 | 10.0.6515 |
| Outlook 2002 | 10.0.2627.1 | 10.0.2627 |
| Outlook 2000 SP3 | 5.5.3165.0 | 5.3165.0 |
| Outlook 2000 SR1a | 5.5.3121.0 | 5.3121.0 |
| Outlook 98, with security update installed | 5.5.2652.57 | 5.2652.57 |
| Outlook 98 | 5.5.2178.0 | 5.2178.0 |

To help protect against all outdated versions of Outlook (Outlook 98 with no security update installed, and earlier versions), disallow all versions of Outlook with build numbers equal to or less than 5.5.2178.0 from connecting to Exchange. The value data as specified in the Microsoft Knowledge Base article 288894 are the following:

Value name: Disable MAPI Clients
Value type: REG_SZ
Value data: -5.2178.0

If you are blocking ranges of Outlook clients, be sure to leave the 6.0 range open for Exchange administration. Specifically, do not block any values from 6.1.0 to 6.9999.0. All versions of Exchange 2000 and later use a 6.0.0 range for administration. The following table shows the registry key value to enter to block specific ranges of Outlook clients against computers running Exchange 2000 or later.

Registry key values to block ranges of Outlook clients

| To allow | Set the registry key to |
| --- | --- |
| Only Outlook 2003 | -6.0.0;10.0.0-11.5603.0 |
| Outlook 2002 SP3 and later | -6.0.0;10.0.0-10.0.6514;11.0.0-11.5603.0 |
| Outlook 2000 SP3 and later | -5.3164.0;10.0.0-10.0.6514;11.0.0-11.5603.0 |
| Outlook 98 with security update installed and later | -5.2652.56;5.3000.0-5.3164.0;10.0.0-10.0.6514;11.0.0-11.5603.0 |

Microsoft Product Support Services does not support Outlook clients that are earlier than Outlook 2000 SP3. Outlook 2000 SP3 contains the Outlook 2000 security update. Exchange 2000 servers require that the store process be restarted after a change is made to this registry value. However, in the original released version of Exchange 2003 and later versions, implementation of this parameter is dynamically applied within 15 minutes of the change.
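Before a value like the ones above goes into the registry, it is worth checking which clients it actually blocks and that the 6.1.0 to 6.9999.0 administration range stays open. The following PowerShell is an added example, not part of the TechNet article or the original post. It assumes that entries are separated by ";" and that a range blocks both of its end points, as the values on this page imply, and the function names Compare-MapiVersion and Test-MapiBlocked are hypothetical.

```powershell
# Added example. Assumptions: entries are separated by ';' and a range blocks
# both of its end points. Function names are illustrative only.
function Compare-MapiVersion([string]$A, [string]$B) {
    # Numeric, component-wise compare; "11.5604" is padded with zeros first.
    $x = @($A.Trim().Split('.') | ForEach-Object { [int]$_ }) + 0, 0, 0
    $y = @($B.Trim().Split('.') | ForEach-Object { [int]$_ }) + 0, 0, 0
    for ($i = 0; $i -lt 4; $i++) {
        if ($x[$i] -ne $y[$i]) { return [math]::Sign($x[$i] - $y[$i]) }
    }
    return 0
}

function Test-MapiBlocked([string]$Policy, [string]$From, [string]$To = $From) {
    # True if any entry of the policy overlaps the version span From..To.
    # One client version is the span From..From.
    foreach ($entry in ($Policy.Split(';') | Where-Object { $_.Trim() })) {
        $low, $high = $entry.Trim().Split('-', 2)
        if ($null -eq $high) { $high = $low }    # single version, no dash
        # An empty bound ("-6.0.0" has no lower bound) is treated as open.
        $lowOk  = (-not $low)  -or ((Compare-MapiVersion $low $To) -le 0)
        $highOk = (-not $high) -or ((Compare-MapiVersion $high $From) -ge 0)
        if ($lowOk -and $highOk) { return $true }
    }
    return $false
}

# MAPI numbers and policy strings copied from the two tables on this page.
$clients = @(
    @('Outlook 2003', '11.5604'), @('Outlook 2002 SP3', '10.0.6515'),
    @('Outlook 2002', '10.0.2627'), @('Outlook 2000 SP3', '5.3165.0'),
    @('Outlook 2000 SR1a', '5.3121.0'), @('Outlook 98 + update', '5.2652.57'),
    @('Outlook 98', '5.2178.0'))
$policies = @(
    '-6.0.0;10.0.0-11.5603.0',
    '-6.0.0;10.0.0-10.0.6514;11.0.0-11.5603.0',
    '-5.3164.0;10.0.0-10.0.6514;11.0.0-11.5603.0',
    '-5.2652.56;5.3000.0-5.3164.0;10.0.0-10.0.6514;11.0.0-11.5603.0')

foreach ($p in $policies) {
    $allowed = @($clients | Where-Object { -not (Test-MapiBlocked $p $_[1]) } |
                 ForEach-Object { $_[0] })
    # The administration range must not overlap any blocked entry.
    $adminOpen = -not (Test-MapiBlocked $p '6.1.0' '6.9999.0')
    "{0}`n  allowed: {1}`n  6.x admin range open: {2}" -f $p, ($allowed -join ', '), $adminOpen
}
```

The same two functions can be pointed at a candidate value of your own; any entry that overlaps 6.1.0 to 6.9999.0 makes the administration check report False.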