I recently set up some SMTP Receive Connectors and realised quite quickly that internal anonymous users were unable to send externally. You could argue that they shouldn’t be allowed to do so and should be authenticated to be able to do this. That wasn’t the case here though.
The quickest way to test whether a system can send externally is with a telnet client. Find a system with a telnet client (PuTTY will do) and add its IP address to the connector you are testing.
Open the telnet client and enter the IP address of the Exchange server and the port on which the connector is listening.
*Note that if you mistype a word and backspace, your mistakes are still sent, so you will need to hit Enter, wait until after the error and type the command again with no mistakes.
Type HELO to initiate a session with the Exchange server. ***Take note of the IP address that the Exchange server comes back with: it thinks that you are that IP. If you are sat behind a firewall, you will have to put the returned IP address in the Receive Connector!***
Enter MAIL FROM:firstname.lastname@example.org
Type RCPT TO:someone@ExternalDomain.com
If the error 550 5.7.1 Unable to relay is returned, then this confirms that the connector cannot send externally.
What we need to do is give the connector the correct permissions to send externally. This can be completed through PowerShell as below.
Log into an Exchange Management Shell and use the command below to get the receive connector and pipe it to an Add-ADPermission command for the Anonymous permission.
Get-ReceiveConnector "Receive Connector" | Add-ADPermission -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
Test the relay again through the telnet session and, if all is well, you will see 250 2.1.5 Recipient OK returned.
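Once the right is granted, any client whose address matches the connector's RemoteIPRanges can relay anonymously, so it is worth checking which connectors carry the grant and how widely they are scoped. The audit below is an added example, not part of the original post; it assumes the Exchange Management Shell on PowerShell 3.0 or later, and the report column names are made up for illustration.

```powershell
# Added example: list Receive Connectors where Anonymous Logon may relay to
# any recipient, together with the client IP ranges allowed to connect.
$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
# Default RemoteIPRanges values, which admit every IPv4 and IPv6 client.
$anyClient  = @('0.0.0.0-255.255.255.255',
                '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')

$report = foreach ($connector in Get-ReceiveConnector) {
    # Keep only allow entries for Anonymous Logon that carry the relay right.
    # Values are compared as strings because the shell returns
    # deserialized objects.
    $grants = @($connector | Get-ADPermission | Where-Object {
        "$($_.User)" -eq $anonymous -and
        "$($_.Deny)" -ne 'True' -and
        (@($_.ExtendedRights) -join ',') -like "*$relayRight*"
    })
    if ($grants.Count -eq 0) { continue }

    $ranges = @($connector.RemoteIPRanges | ForEach-Object { "$_" })
    [pscustomobject]@{
        Connector      = "$($connector.Identity)"
        Enabled        = $connector.Enabled
        Bindings       = @($connector.Bindings) -join ', '
        RemoteIPRanges = $ranges -join ', '
        # True when the connector still accepts connections from any address,
        # i.e. anonymous relay is not limited to named internal hosts.
        OpenToAnyIP    = [bool]($ranges | Where-Object { $anyClient -contains $_ })
    }
}

$report | Sort-Object OpenToAnyIP -Descending | Format-Table -AutoSize -Wrap
```

A connector that reports OpenToAnyIP as True should have its RemoteIPRanges narrowed to the specific hosts that need to relay.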
Hope this helps!