SMTP Anonymous Relay to a Restricted Mail-enabled Security Group

    Question

  • We have a mail-enabled security group configured in our on-premises Exchange 2013 server. In this case, we'll call it "Group1". The delivery management restrictions for this group are "Senders inside and outside of my organization" and specific groups/users who can send messages to the group.

    We also have an application which sends SMTP emails using a receive connector configured to allow anonymous relay to various mailboxes and groups. The receive connector is scoped to particular IP addresses, and the application server is configured as one of them. While other recipients receive emails from the application, members of "Group1" do not. I can only assume this is due to the delivery management restrictions placed on the group.

    At first, I thought this was a simple case of configuring a mail-enabled user account in Active Directory whose credentials the application could use when connecting via SMTP (port 25). However, this did not work, and a failed logon was recorded by the application. I decided to test this via Telnet Client using the AUTH LOGIN command following HELO/EHLO and received a "504 5.7.4 Unrecognized authentication type" error message.

    This would suggest to me that I do not have a receive connector configured that allows the authentication type I am trying to use (whatever that is). Is this correct? We have the usual "Default" and "Client Frontend" receive connectors configured which allow Basic Authentication and Integrated Windows Authentication from Exchange Users so I am at a loss why this is a problem.

    Without removing the restrictions on "Group1" how do I allow this application to email recipients within this group? Apologies in advance, my knowledge of Exchange is somewhat of a novice level.

    Sunday, November 5, 2017 9:55 PM

Answers

  • Thanks for your information.

    It's not related to the authentication in SMTP. Because of the restriction on this group, it's recommended to specify each member of Group1 in the email from the application.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 8, 2017 7:26 AM
    Moderator

All replies

  • Hi Mark,

    Thanks for contacting our forum.

    From your description, the members of Group1 cannot receive the emails from the application. Do you receive any NDR messages? If so, please post them in detail.

    In my experience, the restriction on Group1 does not affect the app sending mails to the separate users in this group.

    Please check if any transport rule or inbox rules of the users in this group are blocking the messages from the App account.

    Hope it helps.


    Regards,

    Jason Chao



    Monday, November 6, 2017 6:15 AM
    Moderator
  • Hi Jason, thank you for your reply.

    We do not receive any feedback/NDR in the application - all that we know is the recipient within "Group1" did not receive the email, while all other recipients did. I've also sent a test email from an authorised sender to "Group1" and the recipients confirmed receipt.

    I've been looking through the Message Tracking Logs and found some information that may prove helpful...

    Searching the logs for the sender (reply to) address around the time of the last failure, I can see an explicit FAIL in ROUTING.

    Looking at this FAIL event more closely I see the message "5.7.1 RESOLVER.RST.NotAuthorizedToGroup; not authorized to send to the distribution list". This is what I would expect when "Group1" has specific groups/users configured who can send to the group.

    I've also double-checked this by looking at the group in question using the Get-DistributionGroup cmdlet. The points below are important.

    • AcceptMessagesOnlyFrom                 : {}
    • AcceptMessagesOnlyFromDLMembers        : {xxxx.xxx/Groups/xxxx/xxxx}
    • AcceptMessagesOnlyFromSendersOrMembers : {xxxx.xxx/Groups/xxxx/xxxx}
    • RejectMessagesFrom                     : {}
    • RejectMessagesFromDLMembers            : {}
    • RejectMessagesFromSendersOrMembers     : {}
    • RequireSenderAuthenticationEnabled     : False

    So "Group1" does not require the sender to be authenticated, yet the sender must be in the "AcceptMessagesOnlyFrom..." value. However, this is impossible because the sender is anonymous.

    This screams to me that I need a receive connector that allows authentication in SMTP. The question is, how should it be configured and why do my other default connectors not allow this? If this is such a truly difficult issue to resolve, then we either (a) remove the sending restrictions on "Group1", or (b) specify each recipient in "Group1" individually in the email from the application.

    I appreciate any advice you have to offer.

    Regards

    Mark

    Monday, November 6, 2017 11:48 PM
  • Hello

    Tip: create a new receive connector, add only the application server's IP to its scope, copy all settings (relay, etc.) and enable "Externally secured (for example, with IPsec)".


    Sorry for my English.


    Wednesday, November 8, 2017 7:13 PM
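The diagnosis in Mark's post (a FAIL/ROUTING event with RESOLVER.RST.NotAuthorizedToGroup while the group lists AcceptMessagesOnlyFromDLMembers) and Sneff_Gabor's tip (a dedicated receive connector scoped to the application host with "Externally secured") fit together: an anonymous submission has no trusted sender identity, so the group's sender restriction can never match, whereas "Externally secured" (AuthMechanism ExternalAuthoritative) tells Exchange to treat everything from that IP as authenticated, so the MAIL FROM address is trusted when the restriction is evaluated. The following Exchange Management Shell script is an added example, not code from the original thread or from Microsoft; the server name EX01, the application host 10.0.0.50, the sender address app@contoso.com and the group name Group1 are assumed placeholders.

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell
# on the Exchange 2013 server. Assumed names: server EX01, application host 10.0.0.50,
# application sender app@contoso.com, mail-enabled security group Group1.

# 1. Confirm the failure in message tracking: the FAIL event from ROUTING carries the
#    RESOLVER.RST.NotAuthorizedToGroup status for the restricted group.
Get-MessageTrackingLog -Server EX01 -Sender "app@contoso.com" -EventId FAIL `
    -Start (Get-Date).AddDays(-1) |
    Where-Object { $_.RecipientStatus -match 'RESOLVER\.RST\.NotAuthorizedToGroup' } |
    Select-Object Timestamp, Source, Recipients, RecipientStatus

# 2. Show the group's delivery restrictions (the same properties quoted in the thread).
#    AcceptMessagesOnlyFrom* populated + RequireSenderAuthenticationEnabled False means
#    the sender address is checked, but only a trusted (authenticated) sender can match.
Get-DistributionGroup -Identity Group1 |
    Format-List AcceptMessagesOnlyFrom*, RejectMessagesFrom*, RequireSenderAuthenticationEnabled

# 3. Create a Frontend receive connector that accepts mail ONLY from the application host.
#    ExternalAuthoritative ("Externally secured") requires the ExchangeServers permission
#    group. Every message arriving on this connector is treated as authenticated and is
#    exempt from anti-spam and sender-spoofing checks, so RemoteIPRanges must stay narrow.
New-ReceiveConnector -Name "App Relay (externally secured)" -Server EX01 `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.0.50 `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# 4. The sender address the application uses must still be one the group accepts:
#    either an address belonging to a member of the group named in
#    AcceptMessagesOnlyFromDLMembers, or a mail-enabled sender added explicitly.
Set-DistributionGroup -Identity Group1 `
    -AcceptMessagesOnlyFromSendersOrMembers @{Add = "app@contoso.com"}

# 5. Verify that exactly one connector claims the application host's IP. If the older
#    anonymous-relay connector still lists 10.0.0.50, remove it from that connector's
#    RemoteIPRanges, otherwise connector selection is ambiguous.
Get-ReceiveConnector -Server EX01 |
    Where-Object { $_.RemoteIPRanges -match '10\.0\.0\.50' } |
    Format-List Name, TransportRole, RemoteIPRanges, AuthMechanism, PermissionGroups
```

After step 3 the application keeps sending unauthenticated on port 25 exactly as before; the change is on the Exchange side only. Step 4 is the part Jason's reply pointed at: the restriction is still enforced, so the From address must be an authorised sender. The AUTH LOGIN attempt in the question failed with "504 5.7.4 Unrecognized authentication type" because the connector that matched the application host was the anonymous-relay one, which advertises no AUTH mechanisms; the Default and Client Frontend connectors never saw the session.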