locked
smtp authenticated emails to distribution groups RRS feed

  • Question

  • Hi, we have recently moved our SMTP receive connectors and relay connectors to Exchange 2016.
    I'm having issues with users sending SMTP emails via their apps to our distribution groups.

    Remote Server returned '550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group'

    I know the fix for this is to uncheck the box and allow unauthenticated senders to send.
    However i do want to fix this properly, otherwise all our groups can receive external email.

    Users are connecting through the default receive connector via ntlm and authenticating. However when they try to send to a group, it bounces back with the above ndr.
    The strange thing is when they send via the Exchange 2010 default connector, they are able to authenticate.

    What i can see is the difference is the header in Exchange 2010 and 2016 is different.

    Exchange 2016: X-MS-Exchange-Organization-AuthAs Anonymous

    Exchange 2010: X-MS-Exchange-Organization-AuthAs Internal

    This is when i use powershell to send an email. I can see in the frontend smtpreceive logs that i am authing via ntlm.

    why am i still shown as anonymous?

    Tuesday, October 1, 2019 6:52 AM

All replies

  • Hello

    "Externally secured (for example, with IPsec)" enble in receive connector not help?


    sorry my english


    • Edited by Sneff_Gabor Tuesday, October 1, 2019 8:38 AM
    Tuesday, October 1, 2019 8:37 AM
  • Hi,

     

    You could configure the connections as externally secured. Please check you have added the Exchange servers (ExchangeServers) permission group and the Externally secured (ExternalAuthoritative) authentication mechanism to the Receive connector. For detailed steps, see the link below:

     

    Configure the connections as externally secured

     

    Regards,

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com


    Wednesday, October 2, 2019 3:06 AM
  • If i do that then they're not really authenticating. I also cant add this to the frontend default connector as it will conflict with other authentication mechanisms.

    When i use an Exchange online mailbox to send, it fails. I've even tried manually adding my account to the AD permissions of the connector.

    I just tested this and it seems to work when i use an on-prem mailbox to send. 



    Thursday, October 3, 2019 12:59 AM
  • Hi,

    After my further research, since the complexity of the issue, and support resource limit in our forum, I suggest you refer to the following link and open a ticket, the engineers will provide professional support with you.

     

    https://support.microsoft.com/en-sg/hub/4343728/support-for-business

     

    Thanks for your patience and understanding.

     

    Regards,

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com


    • Proposed as answer by ThinkCenter Monday, October 14, 2019 3:20 AM
    Monday, October 7, 2019 9:14 AM
  • Hi,

     

    I am writing here to confirm with you how the thing going now?

     

    If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.

     

    Regards,

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com


    Monday, October 14, 2019 3:19 AM