Import Exchange Relay Connector IP-Addresses to IIS SMTP instance

For one of our customers, who’s moving away from their On-Premise Exchange 2016 server, I needed to move all the relay connectors (used by legacy applications, appliances, and hardware) to an IIS SMTP instance. Pretty straightforward, but typing the long list of addresses myself… No 🙂 In this blog post, I will show you a way to easily migrate the IP-Addresses from a Receive Connector into an IIS SMTP instance.

How the script works

The script uses an export of the Receive Connector as input for the relay allow list in the IIS SMTP instance, but there are a few limitations in the current version of this script:

  • It overwrites the current relay list, so use this script on a new IIS SMTP instance only!
  • It can import all host IP addresses, but not IP ranges.

For the IP ranges, you can check the export and manually add them. I hope there are not that many, because adding complete ranges (and only using a few addresses in them) is not that secure in my opinion.

Running the script

Exporting current Receive Connector IP-Addresses

First, you must create an export file. You can do this by running:

(Get-ReceiveConnector SERVERNAME\RelayConnectorName).Remoteipranges | Export-Csv -Path c:\temp\relay.csv -NoTypeInformation -Encoding UTF8 -Delimiter ';'
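Before importing, the export can be checked for entries the import script will skip or cannot handle. The following is an added example, not part of the original post or script: Test-RelayCsv is a hypothetical helper name and the sample rows are constructed. It relies only on the RangeFormat and Expression columns that the script itself reads.

```powershell
# Added example, not part of the original script. Test-RelayCsv is a hypothetical name.
function Test-RelayCsv {
    param (
        # Rows as returned by: Import-Csv -Path C:\temp\relay.csv -Delimiter ';'
        [Parameter(Mandatory = $true)][object[]]$Rows
    )

    $seen = @{}
    foreach ($row in $Rows) {
        $action = 'Import'
        $ip = $null
        if ($row.RangeFormat -ne 'SingleAddress') {
            # The import script skips everything that is not a single address
            $action = 'ManualReview'
        }
        elseif (-not ([System.Net.IPAddress]::TryParse($row.Expression, [ref]$ip)) -or
                $ip.AddressFamily -ne 'InterNetwork' -or
                $row.Expression.Split('.').Count -ne 4) {
            # The import script splits on "." and needs exactly four IPv4 octets
            $action = 'Invalid'
        }
        elseif ($seen.ContainsKey($row.Expression)) {
            $action = 'Duplicate'
        }
        else {
            $seen[$row.Expression] = $true
        }
        [pscustomobject]@{
            Expression  = $row.Expression
            RangeFormat = $row.RangeFormat
            Action      = $action
        }
    }
}

# Constructed sample rows (documentation address space), same delimiter as the export
$sample = @'
"RangeFormat";"Expression"
"SingleAddress";"192.0.2.10"
"SingleAddress";"192.0.2.10"
"SingleAddress";"2001:db8::25"
"CIDR";"198.51.100.0/24"
"SingleAddress";"192.0.2.25"
'@ | ConvertFrom-Csv -Delimiter ';'

Test-RelayCsv -Rows $sample | Format-Table -AutoSize
```

Rows marked ManualReview are the ranges that have to be added by hand, and rows marked Invalid or Duplicate should be removed from the CSV before the import.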

Importing the exported IP-Addresses

Run this on your IIS SMTP server to import the host IP-Addresses from the relay.csv that you exported in the previous step:

Set-IISSMTPRelayRestrictions -CSVFile C:\temp\relay.csv

You should see this output after running the script:

C:\temp\relay.csv found, continuing...


Path          : \\localhost\root\MicrosoftIISv2:IIsSmtpServerSetting="SmtpSvc/1"
RelativePath  : IIsSmtpServerSetting="SmtpSvc/1"
Server        : localhost
NamespacePath : root\MicrosoftIISv2
ClassName     : IIsSmtpServerSetting
IsClass       : False
IsInstance    : True
IsSingleton   : False

Added the IP-Adresses to the Relay Restrictions list

In the IIS SMTP settings this looks like this:

(I always uncheck the “Allow all computers which…” check box)

The script

The script is below. Copy/paste it, save it to a location such as c:\scripts, and start it by running “. c:\scripts\Set-IISSMTPRelayRestrictions.ps1”. Afterward, you can follow the procedure listed above.

function Set-IISSMTPRelayRestrictions {
    param (
        [parameter(Mandatory = $true)][string]$CSVFile
    )
    
    #Check if CSV file is present and accessible (-ErrorAction Stop makes any import error reach the catch block)
    try {
        $IPAddresses = Import-Csv -Path $CSVFile -Delimiter ';' -ErrorAction Stop
        Write-Host ("{0} found, continuing..." -f $CSVFile) -ForegroundColor Green
    }
    catch {
        Write-Warning ("{0} not found or not accessible, exiting..." -f $CSVFile)
        return
    }

    #Setting up variables needed
    $ipblock = @(24, 0, 0, 128,
        32, 0, 0, 128,
        60, 0, 0, 128,
        68, 0, 0, 128,
        1, 0, 0, 0,
        76, 0, 0, 0,
        0, 0, 0, 0,
        0, 0, 0, 0,
        1, 0, 0, 0,
        0, 0, 0, 0,
        2, 0, 0, 0,
        1, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 76, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255)
    $ipList = @()
    $octet = @()

    #Loop through the list of single IP addresses and add them to the Relay Restrictions
    foreach ($network in $IPAddresses | Where-Object RangeFormat -eq SingleAddress) {
        #Split the address into its octets and collect them
        $ipList = $network.Expression
        $octet += $ipList.Split(".")
        #Increase the two counters in the header block by one for every address
        $ipblock[36] += 1
        $ipblock[44] += 1
    }

    #Append the octets to the header block and write the result to the SMTP server setting
    $smtpserversetting = Get-WmiObject -Namespace root\MicrosoftIISv2 -ComputerName localhost -Query "Select * from IIsSmtpServerSetting"
    $ipblock += $octet
    $smtpserversetting.RelayIpList = $ipblock
    #Put() saves the change and returns the path of the updated WMI object
    $smtpserversetting.Put()
    Write-Host ("Added the IP-Adresses to the Relay Restrictions list") -ForegroundColor Green

}

Download the script(s) from GitHub here
