Friday, October 12, 2012

Auditing Allowed Relays

Today's post will be a brief discussion of how to audit the systems that have been granted permission to relay through Exchange (Exchange Management Shell > Server Configuration > Hub Transport > Relay Connector properties > Network tab > "Receive mail from remote servers..."). If your organization is like mine, you may have a pretty lengthy list of IP addresses that have been granted access (we have over 100 entries), and you may need to perform periodic audits to make sure you have a good handle on exactly which systems have the ability to send through your Exchange environment. My original research into this topic led me here, and I adapted what I found for use in our environment and made sure to understand what I was reading.

The basic process is to run an Exchange Management Shell (EMS) command to extract the desired information from Exchange, clean up the output, and then use a utility (and detective work) to figure out what hosts are behind the IP addresses. I will present the EMS command (which will probably work without any changes), but I will also go into detail about the how and why - and as always, I welcome any feedback that might help me improve on my methods.

(Get-ReceiveConnector "Relay Connector").RemoteIPRanges | fl LowerBound > C:\Temp\RelayList.txt

Piece by piece, here is what you are seeing:
  • Get-ReceiveConnector: This retrieves the receive connector by name (which for us is "Relay Connector" - go figure!); if you don't know the name, run it with no arguments to list every receive connector on the server.
  • RemoteIPRanges: If you run only the part of the command above inside the parentheses and add "| fl" (pipe symbol followed by "fl"), you'll get the data stored within the Relay Connector, and you'll see that the IP addresses that have been granted access are stored in the RemoteIPRanges value - unfortunately, the list may be too long for EMS to show in full in this simple output.
  • LowerBound: If you continue connecting the dots, the output of the command leading up to the "|" (pipe symbol) will give you detail regarding each IP in the relay list - but now we have the problem of too much information. Unless you actually granted access to a range (we did not), you just need either the LowerBound IP or the UpperBound IP (which should match, since access has been granted on a per-IP basis). Pick whichever value (or both?) works for you.
Ultimately, the EMS command above gets you a text file with the list of IP addresses that have relay access, but as I mentioned, you'll need to clean up the text file by removing all of the excess blank lines and the "LowerBound : " at the beginning of every line (Notepad++, anyone? See my previous post for further detail regarding using Notepad++ to do some of this cleanup). Now that you have a list of nothing but IP addresses, this list can be plugged into FastResolver (or your IP resolution software of choice) to get the hostnames of the systems. You will likely get several results that don't resolve, so work with your network team or do your detective work to determine what these systems are.
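The same extract-clean-resolve steps can be done in one pass inside EMS. The script below is an added example, not part of the original post; it assumes you are running in the Exchange Management Shell, that the connector is named "Relay Connector" as above, and that C:\Temp exists. It goes a step beyond the post by also flagging entries that are genuine ranges (LowerBound differs from UpperBound), since resolving one address would hide every other host the range lets through.

```powershell
# Added example: audit a receive connector's allowed relay IPs and write a CSV.
# Assumes: Exchange Management Shell, connector named "Relay Connector", C:\Temp exists.
param(
    [string]$ConnectorName = "Relay Connector",
    [string]$OutFile       = "C:\Temp\RelayAudit.csv"
)

function New-AuditRow {
    # One CSV row per RemoteIPRanges entry (New-Object keeps this PowerShell 2.0 friendly).
    param($Lower, $Upper, $Type, $Hostname, $Note)
    New-Object PSObject -Property @{
        LowerBound = $Lower; UpperBound = $Upper
        Type = $Type; Hostname = $Hostname; Note = $Note
    }
}

function Resolve-RelayHost {
    # Reverse lookup; GetHostEntry throws when there is no PTR record, so
    # unresolved addresses are returned as a marker for follow-up instead of an error.
    param([string]$Address)
    try   { return [System.Net.Dns]::GetHostEntry($Address).HostName }
    catch { return "UNRESOLVED" }
}

$connector = Get-ReceiveConnector -Identity $ConnectorName

$report = foreach ($range in $connector.RemoteIPRanges) {
    $lower = $range.LowerBound.ToString()
    $upper = $range.UpperBound.ToString()

    if ($lower -eq $upper) {
        # Per-IP grant, the normal case described in the post.
        $name = Resolve-RelayHost $lower
        $note = if ($name -eq "UNRESOLVED") { "No PTR record; check with the network team" } else { "" }
        New-AuditRow $lower $upper "SingleHost" $name $note
    } else {
        # A range or CIDR block was granted: every address in it may relay.
        New-AuditRow $lower $upper "Range" "" "Whole range may relay; review every host in it"
    }
}

$report | Select-Object LowerBound, UpperBound, Type, Hostname, Note |
    Sort-Object Type, LowerBound | Export-Csv -Path $OutFile -NoTypeInformation

# Console summary: how much detective work is left.
$rangeCount      = @($report | Where-Object { $_.Type -eq "Range" }).Count
$unresolvedCount = @($report | Where-Object { $_.Hostname -eq "UNRESOLVED" }).Count
"$(@($report).Count) entries: $rangeCount ranges, $unresolvedCount unresolved hosts -> $OutFile"
```

The CSV can be opened directly as the tracking spreadsheet, and re-running the script on each audit cycle shows which entries appeared or disappeared since the last one.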

Finally, with all of this useful data in hand, create yourself a spreadsheet or other document to keep track of this information, and for extra credit, be good about keeping the information up to date!
