To permit specific applications and devices to relay to external recipients we need to configure a new receive connector.
In the Exchange Admin Center navigate to Mail Flow -> Receive Connectors.
Select the server that you wish to create the receive connector on. Remember, the server should be either a multi-role server or a Client Access server. Click the + icon to create a new receive connector.

Give the new connector a name. Exchange names the various default connectors using a standard of “Purpose SERVER NAME”, for example “Client Front-end Relay DCCServer”.

So I tend to stick with that convention. If the server you chose is multi-role you’ll need to select the Front-end Transport role. If the server is CAS-only then Front-end Transport will already be selected. Leave the Type set to Custom, and then click Next For servers with a single network adapter the default binding will usually be fine. For the remote network settings, click the – icon to remove the default IP address range.

Then click the + icon and add at least one IP address of an application server or device that requires external SMTP relay access. Click Finish to create the new receive connector.

Next we need to configure some additional settings for the receive connector. Highlight the connector and click the “pencil” icon to edit its settings. Select Security and tick the Anonymous Users box. Click Save to apply the settings.

The final step involves granting anonymous users (such as the unauthenticated SMTP connections coming from applications and devices on your network) the ability to send to external recipients. In the Exchange Management Shell run the following command, substituting the name of your receive connector.

 

>Get-ReceiveConnector "DCCServer" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient Result Display Identity User Deny Inherited -------- ---- ---- --------- DCCServer\Relay DCCServer NT AUTHORITY\ANON...

All tested by our Exchange 2016 Server Consultants.