none
exchange "550 5.7.1 Client does not have permissions to send as this sender"

    Question

  • Hi everybody,

    I recently have removed an user from the enterprise administrator group and since then, he can't send any email with smtp client... all he got is the following error : "550 5.7.1 Client does not have permissions to send as this sender".

    He can still send mail with owa and he receive his mails just fine using imap or owa.

    I double checked his groups and permission but didn't find anything wrong with it.

    I made a search on the web but didn't find the solution yet.

    The server is working just fine for all our other customers :/

    Thanks in advance.
    Monday, August 25, 2008 3:02 PM

Answers

  •  

    Dear customer:

     

    Based on my test, User NT AUTHORITY\SELF should have the following permission. Please try to remove send-as permission for NT AUTHORITY\SELF via Remove-MailboxPermission command, and check the effect.

     

    AccessRights    : {FullAccess, ReadPermission}

    Deny            : False

    InheritanceType : All

    User            : NT AUTHORITY\SELF

    Identity        : 144771DC.com/Users/mary

    IsInherited     : False

    IsValid         : True

    ObjectState     : Unchanged

     

    For more information about Remove-MailboxPermission, please refer to the following article:

     

    http://technet.microsoft.com/en-us/library/bb125153(EXCHG.80).aspx

    Remove-MailboxPermission

     

    If above steps doesn’t resolve the issue, please back up the e-mail and delete the mailbox and recreate it, and check the effect.

     

    Hope it helps. If anything is unclear, please feel free to let me know.

    Rock Wang - MSFT

    Friday, August 29, 2008 6:52 AM

All replies

  • Hi,

     

    Does this happen when the users tries to send mail from his own box or another. If another please check that the user has the send as permission.

     

    Have a look at the following KB article how to set this up:

     

    http://technet.microsoft.com/en-us/library/aa998291(EXCHG.80).aspx

     

    Regards,

     

    Johan

     

    visit my site: www.johanveldhuis.nl

     

    Monday, August 25, 2008 9:15 PM
  • Does the SELF object not have the same rights to the mailbox as your other accounts in AD?  It appears they were using the previously-gratned Administrative rights in order to use their own mailbox.  Some non-default permissions are clearly set on the user object and/or mailbox.

     

    Monday, August 25, 2008 10:51 PM
  • Dear customer:

     

    The issue seems doesn’t have relationship with removing the user from the enterprise administrator group.

     

    To proper assist you to troubleshoot the issue, please help collect to the following information:

     

    1. Did the user send e-mail form his mailbox or other mailbox?
    2. What version is your Exchange server? Is it Exchange Server 2007?
    3. Send the complete NDR to the forum for analyze.
    4. Does the recipient is local user/group or external recipient?
    5. if your Exchange server is 2007, run the following command in EMS and post the result into the forum for analyze:

     

    get-mailboxpermission –identity username | fl

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

     

    Tuesday, August 26, 2008 3:21 AM
  • Hi,

    1. From his mailbox, he don't need the "send as" right at all.
    2. It's indeed exchange 2007 (version 8.00.0685.018)
    3. Can you tell me what's the NDR ?
    4. The recipient is local.
    5.

    ________________________________________________
    ________________________________________________
    [PS] C:\>get-mailboxpermission -identity "[user name]" | fl


    AccessRights    : {FullAccess, SendAs, ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : NT AUTHORITY\SELF
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\[userlogin]
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : S-1-5-21-xxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxx
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : [DOMAIN]\[backup exec account]
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\[backup exec account]
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\[exchange server name]$
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\[blackberry account]
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : [DOMAIN]\Exchange Servers
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : [DOMAIN]\administrator
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : [DOMAIN]\Domain Admins
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : [DOMAIN]\Enterprise Admins
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : [DOMAIN]\Exchange Organization Administrators
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange Domain Servers
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange Servers
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\administrator
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange Domain Servers
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\[some other user]
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\[blackberry admin account]
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange Services
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange Servers
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange Organization Administrators
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {ReadPermission}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Exchange View-Only Administrators
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Enterprise Admins
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged

    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
    User            : [DOMAIN]\Domain Admins
    Identity        : [enterprise name].com/[enterprise name]/support/[user name]
    IsInherited     : True
    IsValid         : True
    ObjectState     : Unchanged
    ________________________________________________
    ________________________________________________

    I looked for diff with an other user and the only diff I've noticed are the absence of "SendAs" in the first right and the absence of the second right.

    Kind Regards.
    Tuesday, August 26, 2008 9:01 AM
  •  

    Dear customer:

     

    Non-delivery reports (NDRs) are a type of delivery status notification. NDRs are generated whenever a message cannot be delivered. If a server detects the reason for the delivery failure, it associates the reason to a status code and a corresponding error message is written.

     

    For more information about NDR, please refer to the following article:

    Understanding Non-Delivery Reports

    http://technet.microsoft.com/en-us/library/bb232118(EXCHG.80).aspx

     

    Rock Wang - MSFT

    Friday, August 29, 2008 6:29 AM
  •  

    Dear customer:

     

    Based on my test, User NT AUTHORITY\SELF should have the following permission. Please try to remove send-as permission for NT AUTHORITY\SELF via Remove-MailboxPermission command, and check the effect.

     

    AccessRights    : {FullAccess, ReadPermission}

    Deny            : False

    InheritanceType : All

    User            : NT AUTHORITY\SELF

    Identity        : 144771DC.com/Users/mary

    IsInherited     : False

    IsValid         : True

    ObjectState     : Unchanged

     

    For more information about Remove-MailboxPermission, please refer to the following article:

     

    http://technet.microsoft.com/en-us/library/bb125153(EXCHG.80).aspx

    Remove-MailboxPermission

     

    If above steps doesn’t resolve the issue, please back up the e-mail and delete the mailbox and recreate it, and check the effect.

     

    Hope it helps. If anything is unclear, please feel free to let me know.

    Rock Wang - MSFT

    Friday, August 29, 2008 6:52 AM
  • Hello Jerome,
    I have encountered similar symptoms as you. There were a user1 which (but only from some email clients) constantly received "Client does not have permissions to send as this sender" upon sending his messages. There were another user (user2), with almost identical configuration without such a problem. By comparing all possible parameters (email client settings, exchange account settings and permissions, domain account settings and permissions) i discovered that user2 (with working configuration) is member of domain admins group (user1 is not member of this group) For testing purposes I added user1 to domain admin group and since that send problem for user1 did not occur. Of course this is not possible resolution of this problem. p.s. sorry for my English. p.p.s. it is exchange2003.
    Tuesday, September 02, 2008 12:31 PM
  •  

    Dear customer,

     

    Have you solved your problem yet? If anything is unclear, please feel free to ask me.

     

    Rock Wang - MSFT

    Tuesday, September 02, 2008 12:34 PM
  • I am having a similar issue, however there's a twist. If I connect using an IMAP client on my machine sending works just fine. If I connect using a different machine same IMAP software, I cannot send and I get the "5.7.1 Client does not..." error.

     

    My machine is Windows Vista using Thunderbird 2.0 and the other machine is Windows XP using Thunderbird 2.0.

    Exchange 2007 SP1 and it does not matter whether I connect from inside the network or outside the network (internet).

     

    I've searched the forums and found messages talking about the error with a making mention of the session not having the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission, but this is the same user connecting from 2 different machines.

     

    Any help would be greatly appreciated.

     

    Scott

    Tuesday, September 02, 2008 5:40 PM
  • I've been having a similar issue.  Turns out my users were members of the "Print Operators."  I just removed them and resolved the problem.  I did however come across this article which may help you.

     

    http://support.microsoft.com/?kbid=907434

     

    From what I've read it looks like it can happen even if users used to be part of a protected group and have been removed.

     

    Thursday, September 04, 2008 5:20 PM
  • I have the same issue.  User1 is a member of Domain Admins, User2 is not.  User1 doesn't have any send as permissions on his mailbox.  User2 had NT AUTHORITY\SELF as well as a few others.  Both users mailboxes/users were migrated from another domain and exchange.  User2 gets error cannot send as sender.

    How can I fix? 
    Saturday, October 10, 2009 8:44 AM
  • My problem was that my senders were using the edge server as the smtp server and by default it doesn't have authenticated users to send messages as the authoratative domain.  Once that permissions was added to the connector users were able to use smtp from it.
    Tuesday, October 20, 2009 3:09 AM
  • Well the discuss has been great, it is/was a combination of all the discussions that actually solves the problem for all.

     

    1) the NT_Authority\self resolution has more details than presented. Charlie on another forum gave this clue:

    go the the Exchange management console and select the user. Right Click, go to the send as permissions option.. check that User NT AUTHORITY\SELF is listed. If not add it.

     

    2) Another user identifed the following power shell as necessary

    [PS] C:\Windows\system32>add-adpermission "ConnectorName" -User "domain\user or group" -ExtendedRights ms-Exch-S
    MTP-Accept-Authoritative-Domain-Sender

    Note the double quotes when your connector has a space in it. aka "domain users"

    You have to perform this on both your internal and external connector, then restart the transport and hub services. These steps were left off many forums.

    Note the '-' in front of ExtendedRights. This was originally presented without this '-' and there is a command -AccessRights ExtendedRight which lead many to a goose chase.

    3) The discussion above is about one user having sendas on another. The topic was about the actual User1 not being able to send as 'User1' whereas the dialog was User2 sending as User1. The above steps are for User1 not being able to send as User1.

    4) If you get an error, it is necesary to remove the account or repair it within Outlook, or else the error will 'stick' until you do.

     

     

    Thanks for everyones help, I hope the above steps saves the next soul some hours.

     

     

     

     

     

     


    D-B-S
    • Proposed as answer by Bee07 Wednesday, April 25, 2012 5:26 AM
    Tuesday, July 20, 2010 4:31 PM
  • This resolved my issue, thank you.
    Tuesday, July 12, 2011 10:24 PM
  • 1) the NT_Authority\self resolution has more details than presented. Charlie on another forum gave this clue:

    go the the Exchange management console and select the user. Right Click, go to the send as permissions option.. check that User NT AUTHORITY\SELF is listed. If not add it.

    This one solved it for me - I had been temporarily in my admin group, removed myself, and then found I could not send mail from an smtp client (which uses and exchange connector as an authenticated relay). Resetting the NT_AUTHORY\SELF entry got it back working again

    /Bee

    Wednesday, April 25, 2012 5:31 AM
  • 1) the NT_Authority\self resolution has more details than presented. Charlie on another forum gave this clue:

    go the the Exchange management console and select the user. Right Click, go to the send as permissions option.. check that User NT AUTHORITY\SELF is listed. If not add it.


    This solution worked for me too.  Thanks a bunch.
    Friday, October 11, 2013 8:46 PM