Receive Connector: Client EX0

Get-ReceiveConnector "Client EX0" | fl Permission*

PermissionGroups : ExchangeUsers

The actual extended permissions are:

NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}
NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}

The ms-Exch-SMTP-Accept-Any-Recipient permission is for relay.

Get-ReceiveConnector "Client EX0" | fl auth*,bind*

AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Bindings : {0.0.0.0:587}

For clients such as Thunderbird, you must set the outgoing SMTP server to use port 587 with TLS, because of the BasicAuthRequireTLS authentication method.


Because I have only one Exchange server, the Default EX0 receive connector is configured with Anonymous Users.

As seen below, I removed BasicAuthRequireTLS.

Get-ReceiveConnector "Default EX0" | fl auth*,bind*,permission*

AuthMechanism : Tls, Integrated, BasicAuth, ExchangeServer
Bindings : {0.0.0.0:25}
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

Anyone can send email to my hosted domains because of the AnonymousUsers assignment.

NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Sender}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Submit}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Accept-Headers-Routing}

Authenticated Users (Exchange Users) can send email to other domains (relay).


NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}


To make configuration easier for our internal users, a dedicated receive connector, ReceiveRelay, is created.

NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Sender}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Recipient}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Submit}


NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}

Get-ReceiveConnector "receiveRelay" | fl auth*,bind*,permission*

AuthMechanism : Tls, BasicAuth
Bindings : {0.0.0.0:25}
PermissionGroups : AnonymousUsers, ExchangeUsers, Custom

Get-ReceiveConnector "receiveRelay" | fl remote*

RemoteIPRanges : {191.121.0.0-191.121.30.255}

The range 191.121.0.0-191.121.30.255 covers our internal IP addresses.

You have to configure the IP Allow List.

Add-IPAllowListEntry -IPRange 191.121.0.0/17

If you skip this configuration, clients whose outgoing SMTP is configured without authentication cannot send email, because the anti-spam content filter blocks it unless you turn off the content filter.

My internal clients can use outgoing SMTP with or without authentication, on the standard port 25 without TLS.
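
The following PowerShell is an added example, not part of the original notes: it checks each connector for the relay right (ms-Exch-SMTP-Accept-Any-Recipient) granted to ANONYMOUS LOGON and reports whether RemoteIPRanges restricts who can use it. The function names, the sample objects and the Default EX0 remote range are assumptions made for illustration.

```powershell
# Added example: flag receive connectors where ANONYMOUS LOGON holds the relay
# right, and show whether RemoteIPRanges limits who can reach that connector.
function Test-AnonymousRelay {
    param(
        [Parameter(Mandatory)] [string]   $Connector,
        [Parameter(Mandatory)] [string[]] $RemoteIPRanges,
        [Parameter(Mandatory)] [object[]] $Permissions  # User, ExtendedRights, Deny
    )
    $relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
    $hits = @($Permissions | Where-Object {
        "$($_.User)" -eq 'NT AUTHORITY\ANONYMOUS LOGON' -and -not $_.Deny -and
        (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $relayRight)
    })
    $anonRelay = $hits.Count -gt 0
    # 0.0.0.0-255.255.255.255 means any IPv4 source address
    $unscoped = $RemoteIPRanges -contains '0.0.0.0-255.255.255.255'
    $finding = 'Relay requires authentication'
    if ($anonRelay) { $finding = 'Anonymous relay, limited to RemoteIPRanges' }
    if ($anonRelay -and $unscoped) { $finding = 'Anonymous relay from any address' }
    [pscustomobject]@{
        Connector = $Connector; AnonymousRelay = $anonRelay
        RemoteIPRanges = $RemoteIPRanges -join ', '; Finding = $finding
    }
}

# Constructed sample data mirroring the listings above. The Default EX0 range is
# an assumption (the page does not show it).
function New-SampleAce($Right) {
    [pscustomobject]@{ User = 'NT AUTHORITY\ANONYMOUS LOGON'; ExtendedRights = @($Right); Deny = $false }
}
$sample = @(
    @{ Connector = 'Default EX0'; RemoteIPRanges = @('0.0.0.0-255.255.255.255')
       Permissions = @((New-SampleAce 'ms-Exch-SMTP-Submit'),
                       (New-SampleAce 'ms-Exch-SMTP-Accept-Any-Sender')) },
    @{ Connector = 'receiveRelay'; RemoteIPRanges = @('191.121.0.0-191.121.30.255')
       Permissions = @((New-SampleAce 'ms-Exch-SMTP-Submit'),
                       (New-SampleAce 'ms-Exch-SMTP-Accept-Any-Recipient')) }
)
foreach ($c in $sample) { Test-AnonymousRelay @c }

# Against a live server, in the Exchange Management Shell:
# Get-ReceiveConnector | ForEach-Object {
#     Test-AnonymousRelay -Connector $_.Name `
#         -RemoteIPRanges ($_.RemoteIPRanges | ForEach-Object { "$_" }) `
#         -Permissions ($_ | Get-ADPermission)
# }
```

A connector reported as allowing anonymous relay from any address is the case to correct first, either by narrowing RemoteIPRanges or by removing the relay right from ANONYMOUS LOGON.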