SMTP authentication from a separate server running IIS SMTP service

  • Question

  • I am trying to set up Sharepoint 2010 authentication (it defaults as anonymous meaning distribution lists in 2010 by default will reject the email!).  To do this you set up SMTP service in IIS on the Sharepoint 2010 server.  This has been done and it forwards email on via the SMTP service fine if I leave it anonymous (the distribution groups still reject mail so I need to get authentication turned on rather than go through each dist group and remove the require authentication tick box).

    I have edited the SMTP server outbound security to be Integrated and also tried plain authentication and TLS - none work.  I can see the SMTP server make a connection to the default Exchange 2010 connector but the message is never sent.  The SMTP server appears to just sit with the connection open to Exchange.

    Now, could this be because of the following:

    1. In Sharepoint you set the FROM address... does this have to match a service account that will be used for authentication, or can the SMTP secure connection use any domain account to authenticate?
    2. The tick boxes for authentication on Exchange 2010 receive connector only appear to have Exchange Users, Exchange Servers, etc so I assume the Sharepoint service account HAS to have a mailbox?  Is there a way round this?  Will an Exchange contact be OK or simply putting the email address on the account in AD?  I would prefer the service account to not have a mailbox.  What about a mail enabled user?  Is this enough?
    3. I have tried doing number 1 but it appears to not work when I give the service account a mailbox.  Does the service account need the PRIMARY SMTP to match that of the outgoing email request?

    How do people normally set up an SMTP server with authentication against an INTERNAL exchange 2010 server?  Do you use Integrated Authentication option or just the plain text outbound security option?

    Monday, August 20, 2012 9:02 PM

Answers

  • On Mon, 20 Aug 2012 21:02:11 +0000, Exchange D wrote:
     
    >I am trying to set up Sharepoint 2010 authentication (it defaults as anonymous meaning distribution lists in 2010 by default will reject the email!). To do this you set up SMTP service in IIS on the Sharepoint 2010 server. This has been done and it forwards email on via the SMTP service fine if I leave it anonymous (the distribution groups still reject mail so I need to get authentication turned on rather than go through each dist group and remove the require authentication tick box).
    >
    >I have edited the SMTP server outbound security to be Integrated and also tried plain authentication and TLS - none work. I can see the SMTP server make a connection to the default Exchange 2010 connector but the message is never sent. The SMTP server appears to just sit with the connection open to Exchange.
     
    You can use the SMTP Receive protocol logs on the HT server to see
    what's happening (they're a LOT better to work with than the IIS
    SMTP protocol logs).
     
    Have you modified either of the two receive connectors on the HT
    server? IIRC, the default receive connector doesn't accept "exchange
    users" (i.e. authenticated connections). The "client" receive
    connector does, but that listens on port 587, not port 25.
     
    I'd suggest you add a third receive connector to your HT role and
    restrict it to accepting connections only from specific IP addresses
    and then set the "Permission Groups" on that connector to just
    "Exchange users" (you can also allow anonymous users).
     
    >Now, could this be because of the following:
    >1. In Sharepoint you set the FROM address... does this have to match a service account that will be used for authentication, or can the SMTP secure connection use any domain account to authenticate?
    >2. The tick boxes for authentication on Exchange 2010 receive connector only appear to have Exchange Users, Exchange Servers, etc so I assume the Sharepoint service account HAS to have a mailbox? Is there a way round this? Will an Exchange contact be OK or simply putting the email address on the account in AD? I would prefer the service account to not have a mailbox. What about a mail enabled user? Is this enough?
    >3. I have tried doing number 1 but it appears to not work when I give the service account a mailbox. Does the service account need the PRIMARY SMTP to match that of the outgoing email request?
    >
    >How do people normally set up an SMTP server with authentication against an INTERNAL exchange 2010 server? Do you use Integrated Authentication option or just the plain text outbound security option?
     
    Sticking with basic authentication is usually easier.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, August 28, 2012 12:23 AM
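
The dedicated receive connector suggested in the answer above, sketched for the Exchange Management Shell as an added example (it is not part of the original reply). The server name `HT01`, the connector name and the address `192.0.2.10` are placeholders, and requiring TLS before basic authentication is an assumption added here so the service account's password does not cross the wire in clear text.

```powershell
# Added example: placeholder values, adjust before use.
$HubServer  = 'HT01'          # placeholder Hub Transport server name
$RelayHost  = '192.0.2.10'    # placeholder IP of the SharePoint / IIS SMTP host
$Connector  = 'SharePoint Relay (authenticated)'

# Third receive connector: scoped to the relay host's IP only and
# granting the "Exchange users" permission group, so the session is
# treated as authenticated instead of anonymous.
New-ReceiveConnector -Name $Connector `
    -Server $HubServer `
    -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $RelayHost `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# Turn on verbose SMTP receive protocol logging for this connector so a
# stalled or rejected AUTH exchange is visible on the Hub Transport side.
Set-ReceiveConnector -Identity "$HubServer\$Connector" -ProtocolLoggingLevel Verbose

# Show where the receive protocol logs are written.
Get-TransportServer -Identity $HubServer | Format-List ReceiveProtocolLogPath

# Review all receive connectors on the server: confirm the new one is the
# only connector that matches the relay host's IP with ExchangeUsers set.
Get-ReceiveConnector -Server $HubServer |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism -AutoSize
```

Because Exchange picks the connector with the most specific matching remote IP range, the single-address scope is what routes the SharePoint host to this connector rather than to the default one on port 25.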
  • On Tue, 28 Aug 2012 04:33:50 +0000, Exchange D wrote:
     
    >Thanks. With regards to the "Exchange users" permission on the receive connector, what exactly does this refer to. Technet says it is authenticated users, but do these users need to be mailbox-enabled users or just plain AD accounts?
     
    http://technet.microsoft.com/en-us/library/aa996395.aspx
     
     
    Permission Groups
    --------------------------------------------------------------------------------
    A permission group is a predefined set of permissions that's granted
    to well-known security principals and assigned to a Receive connector.
    Security principals include users, computers, and security groups. A
    security principal is identified by a security identifier (SID). . .
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, August 28, 2012 2:52 PM

All replies

  • Hi ,

    From address
    Alerts and notifications are sent from an administrative account on the server farm. This account is probably not the one you want to be displayed in the From field of an e-mail message. The address that you use does not need to correspond to an actual e-mail account; it can be a simple friendly address that is recognizable to an end user. For example, "Site administrator" might be an appropriate From address.

    Please check if the configuration is correct and the following articles for your reference.

    Plan outgoing e-mail (SharePoint Server 2010):

    http://technet.microsoft.com/en-us/library/cc262844.aspx

    Configure outgoing e-mail (SharePoint Server 2010):

    http://technet.microsoft.com/en-us/library/cc263462.aspx

    How to configure Incoming and Outgoing emails in SharePoint Server 2010:

    http://blogs.msdn.com/b/pareshg/archive/2010/04/23/how-to-configure-incoming-and-outgoing-emails-in-sharepoint-server-2010.aspx


    Wendy Liu

    TechNet Community Support


    Wednesday, August 22, 2012 7:34 AM
    Moderator
  • Thanks, but none of the articles advise how to set up SMTP authentication.  I can't use anonymous authentication against the Exchange server.
    Monday, August 27, 2012 11:50 PM
  • Thanks.  With regards to the "Exchange users" permission on the receive connector, what exactly does this refer to.  Technet says it is authenticated users, but do these users need to be mailbox-enabled users or just plain AD accounts?
    Tuesday, August 28, 2012 4:33 AM