SMTP AUTH: Does Exchange offer MTA-level authentication as well as user-level authentication?

    Question

  • We have an MTA that needs to relay inbound mail to an Exchange server.  I found that when the MAIL FROM address matches the username in the AUTH credentials, Exchange accepts the email.  However, when they don't match, Exchange rejects the email with an error like this: 

    550 5.7.1 Client does not have permissions to send as this sender

    Our MTA only allows us to specify one set of credentials; all emails, regardless of the sender, must be relayed to the Exchange server using the same set of authentication (AUTH) credentials.  

    Is this possible?  I hope it is, because this requirement is coming from my Director. 

    Tuesday, March 15, 2016 10:15 PM

All replies

  • Either send the messages anonymously so no auth is required, or grant that set of credentials SEND as perms to all the mailboxes. There is rarely any reason to authenticate however if the server is under your control.

    Tuesday, March 15, 2016 10:27 PM
  • Granting SEND permissions for the set of credentials sounds like the approach I'm looking for.  Can you give me a pointer to where I can find this setting on Exchange?  
    Wednesday, March 16, 2016 9:44 PM
  • You could treat it like a BlackBerry service account:

    http://support.blackberry.com/kb/articleDetail?ArticleNumber=000002276

    To grant the Active Directory Send As permission on a single account for all BlackBerry smartphone users in a Microsoft Active Directory domain or container, complete the following steps:

    Note: This permission can also be applied via Windows PowerShell. For instructions, see the Additional Information section.

    1. Open Active Directory Users and Computers.
    2. On the View menu, select the Advanced Features option.
      Note: If Advanced Features is not selected, the Security tab will not be visible for domain and container objects.
    3. Right-click the appropriate domain or container, and then click Properties.
    4. On the Security tab, click Advanced.
    5. If the BlackBerry Enterprise Server service account that requires the Send As permission is not listed, click Add and then select the BlackBerry Enterprise Server service account name.
    6. Click OK.
    7. Double-click the BlackBerry Enterprise Server service account name.
    8. Select User Objects or Descendant User Objects (Windows Server 2008) in the Applies Onto list.
    9. Select the Send As check box.
    10. Click Apply, and then click OK.
    11. Close the Properties window, and then close Active Directory Users and Computers.


    • Marked as answer by echawkes Wednesday, March 16, 2016 10:40 PM
    Wednesday, March 16, 2016 10:14 PM
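
The Send As grant from the accepted answer, done from PowerShell rather than Active Directory Users and Computers; this is an added example, not part of the original thread or of the BlackBerry article. It assumes the Exchange Management Shell, uses a hypothetical account `CONTOSO\svc-mta-relay` and a hypothetical OU `contoso.com/Relayed Senders`, scopes the grant to that OU instead of the whole domain, and then lists every principal that holds Send As there.

```powershell
# Added example; run in the Exchange Management Shell.
# Hypothetical names: replace with your relay account and sender OU.
$RelayAccount = 'CONTOSO\svc-mta-relay'
$SenderOU     = 'contoso.com/Relayed Senders'
$Apply        = $false   # leave $false to preview; set $true after review

# Only the mailboxes the MTA is expected to submit mail for.
$mailboxes = Get-Mailbox -OrganizationalUnit $SenderOU -ResultSize Unlimited

# Grant Send As per mailbox. While $Apply is $false, -WhatIf prints what
# would change and writes nothing to Active Directory.
foreach ($mbx in $mailboxes) {
    Add-ADPermission -Identity $mbx.DistinguishedName `
        -User $RelayAccount `
        -ExtendedRights 'Send As' `
        -WhatIf:(-not $Apply) -Confirm:$false | Out-Null
}

# Audit: every allow ACE carrying Send As on those mailboxes, excluding the
# mailbox owner's own SELF entry. IsInherited = True means the right came
# from a container-level grant such as the ADUC procedure above.
$sendAs = $mailboxes | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName
} | Where-Object {
    ($_.ExtendedRights -like '*Send-As*') -and
    ($_.User -notlike 'NT AUTHORITY\SELF') -and
    (-not $_.Deny)
}

$sendAs |
    Select-Object Identity, User, IsInherited |
    Sort-Object Identity, User |
    Format-Table -AutoSize

# Entries for accounts other than the relay account deserve a second look.
$sendAs | Where-Object { "$($_.User)" -ne $RelayAccount } |
    Select-Object Identity, User, IsInherited
```

Because this one credential can then submit mail as any mailbox in the OU, keep the audit output with the change record and rerun it whenever the relay account's password or scope changes.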