530 5.7.1 Client was not authenticated

    Question

  • Good day!

    We have Exchange 2010 SP2, which serves the domain => contoso.com.
    Everything always goes OK.
    If, from inside the LAN, I telnet to port 25 and then mail from: contoso.com, sender OK! And if I mail from: microsoft@microsoft.com, sender OK!

    I.e., mail can be sent on behalf of the authoritative domain and on behalf of a fictional one, and that's fine.

    If you do the same regardless of the stage even before mail from going through skips SPF checks and their own bases of anti-spam solutions 3rd party firm that protects Exchange. I.e., everything works as intended: letters on behalf of the authoritative domain can be sent only from the local network.

    The problem starts when, from inside the network, I try mail from: fabrika.com: it returns the response 530 5.7.1 Client was not authenticated
    This domain is real but is served by an external server, i.e., in theory there should be no problem with sending from it. Nevertheless, I have what I have.

    On the default Receive connectors, Anonymous users are allowed.

    Question - how can I understand the cause of the 530 5.7.1 in my case?

    I would appreciate your ideas!

    Thursday, May 31, 2012 7:17 AM

All replies

  • Anonymous is a permission group - a group of users who are allowed to use the connector.  This does not grant those people rights to relay without authenticating.  To do this, you would also need to set the connector to "externally secured".  Be careful with this however.  That would let ANYONE that can connect to that receive connector relay email to anywhere.  This is known as an open relay and can cause a lot of spam.

    What are you actually trying to accomplish?  



    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Thursday, May 31, 2012 11:17 PM
  • Actually I already have one receive connector for my external servers. They can relay through it. This receive connector accepts connections on port 25 only from a separate list of IPs. On the authentication tab I enabled only Transport Layer Security (TLS). In permission groups I have only anonymous users enabled.

    As a test I tried adding the external IP of the mail server that serves fabrika.com. No good result.

    I also created another receive connector, just like the relay connector before, but with only the one external IP of fabrika.com. After that I ran this cmdlet on it: Get-ReceiveConnector "My-Server-Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient". But still no good result.

    In both cases I rebooted the server.

    So what am I trying to accomplish... right now I have only one problem. When I telnet from inside to my Exchange on port 25 and enter, for example:

    MAIL FROM:gmail@gmail.com => Sender OK!

    MAIL FROM:microsoft@microsoft.com => Sender OK!

    MAIL FROM: any fictitious address dot any => Sender OK!

    But if I try to make

    MAIL FROM:test@fabrika.com => 530 5.7.1 Client was not authenticated

    So the problem is ONLY with this domain, fabrika.com.

    As I understand it, some time ago (before me) an MS Exchange Server 2003 that served the domain fabrika.com was installed in this organization.

    Right now I do not know what happened, but maybe this server was not correctly uninstalled.


    Friday, June 01, 2012 7:14 AM
  • On Fri, 1 Jun 2012 07:14:17 +0000, AlexunderG wrote:
     
    >
    >
    >Actually I already have one receive connector for my external servers. They can relay through it. This receive connector accepts connections on port 25 only from a separate list of IPs. On the authentication tab I enabled only Transport Layer Security (TLS). In permission groups I have only anonymous users enabled.
    >
    >As a test I tried adding the external IP of the mail server that serves fabrika.com. No good result.
    >
    >I also created another receive connector, just like the relay connector before, but with only the one external IP of fabrika.com. After that I ran this cmdlet on it: Get-ReceiveConnector "My-Server-Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient". But still no good result.
    >
    >In both cases I rebooted the server.
    >
    >So what am I trying to accomplish... right now I have only one problem. When I telnet from inside to my Exchange on port 25 and enter, for example:
    >
    >MAIL FROM:gmail@gmail.com => Sender OK!
    >
    >MAIL FROM:microsoft@microsoft.com => Sender OK!
    >
    >MAIL FROM: any fictitious address dot any => Sender OK!
    >
    >But if I try to make
    >
    >MAIL FROM:test@fabrika.com => 530 5.7.1 Client was not authenticated
    >
    >So the problem is ONLY with this domain, fabrika.com.
    >
    >As I understand it, some time ago (before me) an MS Exchange Server 2003 that served the domain fabrika.com was installed in this organization.
    >
    >Right now I do not know what happened, but maybe this server was not correctly uninstalled.
     
    Check the SMTP receive protocol log and verify that the connection is
    using the Receive Connector you think it is. Also check the IP address
    of the sending server (in the SMTP log) and verify that it's the IP
    address you think it is.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, June 02, 2012 1:40 AM
  • In the logs I can see only this

    2012-06-04T06:53:26.166Z,ExServ\Default ExServ,08CF0D345C531279,7,external_ip,>,530 5.7.1 Not authenticated

    This is the correct IP and the correct connector. There is no additional information in this log.


    • Edited by AlexunderG Monday, June 04, 2012 7:48 AM
    Monday, June 04, 2012 7:01 AM
  • On Mon, 4 Jun 2012 07:01:33 +0000, AlexunderG wrote:
     
    >In the logs I can see only this
    >
    >2012-06-04T06:53:26.166Z,ExServ\Default ExServ,08CF0D345C531279,7,external_ip,>,530 5.7.1 Not authenticated
    >
    >This is the correct IP and the correct connector. There is no additional information in this log.
     
    Get-ReceiveConnector "ExServ\Default ExServ" | fl PermissionGroups,AuthMechanism
     
    BTW, if you've restricted the AuthMechanism to only TLS do you see the
    negotiation of STARTTLS in the SMTP protocol log?
     
    Post the entire SMTP conversation, not just what you think is
    interesting.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Monday, June 04, 2012 9:48 PM
  • Get-ReceiveConnector "ExServ\Default ExServ" | fl PermissionGroups,AuthMechanism

    PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Custom

    AuthMechanism    : Tls, Integrated, BasicAuth, ExchangeServer

    In the SMTP logs I see only this line: 2012-06-04T06:53:26.166Z,ExServ\Default ExServ,08CF0D345C531279,7,external_ip,>,530 5.7.1 Not authenticated

    about this connection. All other records are about other connections.

    Tuesday, June 05, 2012 8:30 AM
  • On Tue, 5 Jun 2012 08:30:39 +0000, AlexunderG wrote:
     
    >
    >
    >Get-ReceiveConnector "ExServ\Default ExServ" | fl PermissionGroups,AuthMechanism
    >
    >
    >
    >PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Custom
    >
    >AuthMechanism : Tls, Integrated, BasicAuth, ExchangeServer
    >
    >
    >
    >In the SMTP logs I see only this line: 2012-06-04T06:53:26.166Z,ExServ\Default ExServ,08CF0D345C531279,7,external_ip,>,530 5.7.1 Not authenticated
    >
    >about this connection. All other records are about other connections.
     
    That can't be true. You should see the beginning of the connection,
    you should see the HELO\EHLO from the client. You should see the
    exchange of certificate information if the client tries to use
    STARTTLS (which I believe is necessary if you've configured the
    Receive Connector to accept basic authentication only after a TLS
    session has been established).
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, June 05, 2012 10:15 PM
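
Added example (not part of the thread): one way to rebuild the full SMTP conversation for one session ID from the receive protocol log and confirm which connector and remote IP it used, as the replies above ask. The log lines, host name and addresses are constructed; the session ID is reused from the post only as a sample value.

```powershell
# Column order from the "#Fields:" header of an Exchange SMTP receive protocol log.
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Constructed sample (documentation IP ranges). Events: '+' connect,
# '<' client command, '>' server reply, '-' disconnect.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-06-04T06:53:25.900Z,ExServ\Default ExServ,08CF0D345C531279,0,192.0.2.25:25,198.51.100.7:50211,+,,
2012-06-04T06:53:25.910Z,ExServ\Default ExServ,08CF0D345C531279,1,192.0.2.25:25,198.51.100.7:50211,>,220 ExServ.contoso.com ESMTP ready,
2012-06-04T06:53:25.950Z,ExServ\Default ExServ,08CF0D345C531279,2,192.0.2.25:25,198.51.100.7:50211,<,EHLO mail.fabrika.com,
2012-06-04T06:53:26.100Z,ExServ\Default ExServ,08CF0D345C531279,6,192.0.2.25:25,198.51.100.7:50211,<,MAIL FROM:<test@fabrika.com>,
2012-06-04T06:53:26.166Z,ExServ\Default ExServ,08CF0D345C531279,7,192.0.2.25:25,198.51.100.7:50211,>,530 5.7.1 Not authenticated,
2012-06-04T06:53:27.000Z,ExServ\Other,08CF0D345C53127A,0,192.0.2.25:25,203.0.113.9:40000,+,,
'@
$lines = $sample -split "`r?`n"

function Get-SmtpSession {
    # Returns every log row of one session, in protocol order.
    param([string[]]$Lines, [string]$SessionId)
    $Lines | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.'session-id' -eq $SessionId } |
        Sort-Object { [int]$_.'sequence-number' }
}

$session  = @(Get-SmtpSession -Lines $lines -SessionId '08CF0D345C531279')
$received = @($session | Where-Object { $_.event -eq '<' } | ForEach-Object { $_.data })

# Summary of the points to verify: connector, client IP, and which
# commands the client actually sent before the rejection.
New-Object PSObject -Property @{
    Connector   = @($session | ForEach-Object { $_.'connector-id' } | Select-Object -Unique) -join '; '
    RemoteIP    = @($session | ForEach-Object { $_.'remote-endpoint' -replace ':\d+$','' } |
                      Select-Object -Unique) -join '; '
    SawHello    = [bool]($received -match '^(EHLO|HELO)\b')
    SawStartTls = [bool]($received -match '^STARTTLS\b')
    SawAuth     = [bool]($received -match '^AUTH\b')
    Rejections  = @($session | Where-Object { $_.event -eq '>' -and $_.data -match '^5\d\d ' } |
                      ForEach-Object { $_.data }) -join '; '
} | Format-List

# The whole conversation, for posting or review.
$session | Format-Table 'sequence-number','event','data' -AutoSize
```

For a live server, replace `$lines` with `Get-Content` over the log files in the SmtpReceive folder named in the thread.
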
  • OK, let's look.

    I set the protocol logging level to verbose. Then I looked in \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive

    In this log I can see HELO\EHLO and the rest, BUT only for other connections. For this connection I can see only what I posted before. I even tried to enable deeper logging. But the result is the same.

    So maybe I should enable something else?

    Thursday, June 07, 2012 8:57 AM
  • On Thu, 7 Jun 2012 08:57:00 +0000, AlexunderG wrote:
     
    >to Rich Matheisen [MVP]
    >
    >
    >
    >OK, let's look.
    >
    >I set the protocol logging level to verbose. Then I looked in \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
    >
    >In this log I can see HELO\EHLO and the rest, BUT only for other connections. For this connection I can see only what I posted before. I even tried to enable deeper logging. But the result is the same.
    >
    >So maybe I should enable something else?
     
    How have you configured this Receive Connector? Did you use only the
    EMC GUI or have you also used the EMS?
     
    Where did that "Custom" permission group come from?
     
    PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers,
    ExchangeLegacyServers, Custom
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Thursday, June 07, 2012 7:48 PM
  • I use only the EMC GUI for this connector.

    About Custom... I have no idea now. Can you please tell me how we can check this?

    Saturday, June 09, 2012 10:59 AM
  • On Sat, 9 Jun 2012 10:59:37 +0000, AlexunderG wrote:
     
    >
    >
    >I use only the EMC GUI for this connector.
    >
    >About Custom... I have no idea now. Can you please tell me how we can check this?
     
    Why not start by stating what you expect this Receive Connector to do?
    Using that as a guide, construct a new Receive Connector and leave the
    Default Receive Connector ("ExServ\Default ExServ") so it only works
    for transfers between other Exchange servers and for inbound,
    anonymous, SMTP connections.
     
    The new connector should:
     
    1. The connector should allow anonymous SMTP relay.
    2. The use of anonymous SMTP relay should be restricted
    to only certain IP addresses or networks.
     
    Add to that list any other requirements you have for this connector.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, June 09, 2012 6:59 PM
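
Added example (not part of the thread): the two requirements listed above written as Exchange Management Shell commands, followed by an audit of every receive connector for the open-relay condition warned about earlier in the thread. The connector name, binding and client address are assumptions chosen for illustration; the server name ExServ is taken from the connector identity quoted in the posts.

```powershell
# Assumed values for illustration; substitute your own.
$server  = 'ExServ'
$name    = 'Restricted Anonymous Relay'   # hypothetical connector name
$relayIp = '198.51.100.7'                 # documentation address for the one permitted client

# 1. A separate connector that only this client can match (requirement 2),
#    open to the Anonymous permission group.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayIp `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Allow anonymous sessions on this connector to relay to any recipient
#    (requirement 1). Same cmdlet as used in the thread.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 3. Audit: list what anonymous sessions may do on each connector and flag
#    any connector that grants relay while accepting every IPv4 address.
Get-ReceiveConnector -Server $server | ForEach-Object {
    $c = $_
    $anonRights = @($c | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
    $ranges   = @($c.RemoteIPRanges | ForEach-Object { "$_" })
    $canRelay = $anonRights -contains 'Ms-Exch-SMTP-Accept-Any-Recipient'
    $anyIPv4  = $ranges -contains '0.0.0.0-255.255.255.255'

    New-Object PSObject -Property @{
        Connector        = "$($c.Identity)"
        PermissionGroups = "$($c.PermissionGroups)"
        AuthMechanism    = "$($c.AuthMechanism)"
        RemoteIPRanges   = $ranges -join ', '
        AnonymousRights  = $anonRights -join ', '
        OpenRelayRisk    = ($canRelay -and $anyIPv4)
    }
} | Format-List Connector,PermissionGroups,AuthMechanism,RemoteIPRanges,AnonymousRights,OpenRelayRisk
```

When several connectors share a binding, Exchange uses the one whose RemoteIPRanges most specifically match the client, so the audit output also shows which connector a given sender should land on.
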
  • About CUSTOM: when you create a new connector via the GUI, the wizard asks you - Select the intended use for this Receive connector - and you can choose CUSTOM. Perhaps this is the answer.

    Before, I already tried to create another receive connector (allow anonymous SMTP relay from only the one IP of fabrika.com); the result was the same.
    Wednesday, June 13, 2012 2:45 PM