Exchange 2007 'Client does not have permissions to send as this sender' (smarthost=smtp.outlook.com(MS365) port=587 Basic Authentication over TLS)

  • Question

  • Title = Exchange 2007 'Client does not have permissions to send as this sender' (smarthost=smtp.outlook.com(MS365) port=587 Basic Authentication over TLS)

    Win Server 2008 Standard FE 6.0.6001 SP1 (SBS2008)

    with

    Exchange 2007 - Version 8.2 (Build 176.2)

    Problem with new smarthost settings --- Problem = All users are not able to send outbound mail and get the error “pod51002.outlook.com #550 5.7.1 Client does not have permissions to send as this sender ##”. This is with one exception, the user used for the TLS authentication is able to send outbound mail.

    BT have recently moved our email accounts over to MS365 (from btconnect pop3). BT support, indicate we need to change our outbound email to use :-

    SMTP setting

    * Server name: smtp.outlook.com
    * Port: 587
    * Encryption method: TLS (if no option for TLS then select SSL)

    In the outgoing authentication settings the option should be selected to use the same settings as the incoming server.

    The screen shot below shows the changes in place (Note: I have used the EMC to set the port to 587)

    I have used telnet against smtp.outlook.com 587 and issued the EHLO

    The output shows the server has AUTH set, so I understand it's mandatory to authenticate with this server

    {
    220 pod51013.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 4 Mar 2013 20:47:52 +0000
    EHLO
    250-pod51013.outlook.com Hello [88.104.33.113]
    250-SIZE 36700160
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    }

    So I need some help with the smarthost settings when using smtp.outlook.com

    Can you please assist ?

    Thanks

    Ian

    Monday, March 4, 2013 11:27 PM

All replies

  • On Mon, 4 Mar 2013 23:27:08 +0000, Ian-55AA wrote:
     
    >
    >
    >Title = Exchange 2007 'Client does not have permissions to send as this sender' (smarthost=smtp.outlook.com(MS365) port=587 Basic Authentication over TLS)
    >
    >Win Server 2008 Standard FE 6.0.6001 SP1 (SBS2008)
    >
    >with
    >
    >Exchange 2007 - Version 8.2 (Build 176.2)
    >
    >Problem with new smarthost settings --- Problem = All users are not able to send outbound mail and get the error “pod51002.outlook.com #550 5.7.1 Client does not have permissions to send as this sender ##”. This is with one exception, the user used for the TLS authentication is able to send outbound mail.
    >
    >BT have recently moved our email accounts over to MS365 (from btconnect pop3). BT support, indicate we need to change our outbound email to use :-
    >
    >SMTP setting * Server name: smtp.outlook.com * Port: 587 * Encryption method: TLS (if no option for TLS then select SSL) In the outgoing authentication settings the option should be selected to use the same settings as the incoming server.
     
    Port 587 is the SMTP Submission port. It's not intended for use by a
    SMTP server.
     
    Your problem is that your connector is authenticating with account "X"
    that has a SMTP address of X@domain.com. However, the message being
    sent has a sender's address different to that.
     
    I don't think O365 is going to let you modify their Receive Connectors
    to accommodate this. Why not just use anonymous SMTP on port 25?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, March 5, 2013 4:31 AM
  • Hi Rich, this server seems to require AUTH ?

    The screen shot is a telnet on port 25

    I tried to send a test email (by hand) using telnet smtp.outlook.com 25

    but got the error --- "530 5.7.1 Client was not authenticated"

    I may be missing something simple here?

    I would be happy to get this working without outbound security (TLS/SSL) but only as an interim work around.

    Thanks

    Ian


    • Edited by Ian-55AA Tuesday, March 5, 2013 10:05 AM
    Tuesday, March 5, 2013 9:58 AM
  • On Tue, 5 Mar 2013 09:58:40 +0000, Ian-55AA wrote:
     
    >
    >
    >Hi Rich, this server seems to require AUTH ?
    >
    >The screen shot is a telnet on port 25
    >
    >
    >
    >I tried to send a test email (by hand) using telnet smtp.outlook.com 25
    >
    >but got the error --- "530 5.7.1 Client was not authenticated"
    >
    >I may be missing something simple here?
    >
    >I would be happy to get this working without outbound security (TLS/SSL) but only as an interim work around.
     
    You should be able to use this as a guide:
    http://support.microsoft.com/kb/2600912
     
    Right after the "How to support multiple email addresses", see "Method
    1" and set up the necessary mail-enabled security group in Office 365.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, March 6, 2013 2:52 AM
  • Hi,

    I appreciate your understanding that this is an Exchange Server forum. For Office 365 related issues, it is best if you submit a new thread in the Off365 forums here: http://community.office365.com/en-us/default.aspx. You would receive better suggestions there.


    Fiona Liao
    TechNet Community Support


    • Edited by Fiona_Liao Wednesday, March 6, 2013 7:55 AM
    Wednesday, March 6, 2013 7:55 AM
  • Hi Rich, thanks for that

    I have recently found that article also but we do not have admin portal access to the o365 exchange server we are on – so I cannot create a group relating to the o365 side or perform any other exchange admin functions as I can on the on-premises server – I assume our o365 email accounts are on a general use exchange server in the MS cloud but I have not been given access to this.

    History summary ---
    ) We (in the past) had user@btconnect.com pop3 accounts
    ) My admin portal access to the @btconnect.com pop3 accounts was via the portal myoffice.bt.com
    ) The on-premises exchange server's smarthost went out to smtp.btconnect.com with no authentication
    ---
    ) BT then moved us over to o365 --- and suggested we move to smtp.outlook.com 587 TLS
    ) Basic admin (add/delete email accounts) is still possible via myoffice.bt.com (but BT support confirmed to me yesterday that group creation is not possible via the myoffice.bt.com portal)

    Having said all that, in summary,,,,

    I think our problem is the receive connector rules on smtp.outlook.com seem to say that 'the sender's email address must = the email address used for authentication'. Also 'authenticate is mandatory' as far as I can see on this smtp server.

    So we need a Microsoft smtp server with receive connector rules that say 'ok you have authenticated with a valid o365 account so I will send the email without looking who the sender is'

    Do you know if MS have an alternative smtp server with no authentication or one with less restrictive receive connector rules. I can use this as an interim whilst I continue the true fix?

    By the way many thanks for your assistance so far – appreciated

    Ian

    Wednesday, March 6, 2013 9:41 AM
  • Hi Fiona, thanks for reading the post I will progress this
    Wednesday, March 6, 2013 9:42 AM
  • On Wed, 6 Mar 2013 09:42:45 +0000, Ian-55AA wrote:
     
    >I have recently found that article also but we do not have admin portal access to the o365 exchange server we are on – so I cannot create a group relating to the o365 side or perform any other exchange admin functions as I can on the on-premises server – I assume our o365 email accounts are on a general use exchange server in the MS cloud but I have not been given access to this.
     
    You need to find out who DOES have the access and ability to
    accomplish that.
     
    >History summary --- ) We (in the past) had user@btconnect.com pop3 accounts ) My admin portal access to the @btconnect.com pop3 accounts was via the portal myoffice.bt.com ) The on-premises exchange server's smarthost went out to smtp.btconnect.com with no authentication --- ) BT then moved us over to o365 --- and suggested we move to smtp.outlook.com 587 TLS ) Basic admin (add/delete email accounts) is still possible via myoffice.bt.com (but BT support confirmed to me yesterday that group creation is not possible via the myoffice.bt.com portal)
     
    So your ISP is selling you a service that's different to the one you
    used to use, but it doesn't work the same way and they won't help you?
    Geeze.
     
    Why not look into a service like http://dyn.com for SMTP relay? Their
    SMTP relay works the way you expect it to.
     
    >Having said all that, in summary,,,,
    >
    >I think our problem is the receive connector rules on smtp.outlook.com seem to say that 'the sender's email address must = the email address used for authentication'.
     
    Almost. It's actually "the sender's e-mail address must be one of
    those belonging to the security principal used for authentication".
    Thus the mail-enabled security group with multiple e-mail addresses.
     
    >Also 'authenticate is mandatory' as far as I can see on this smtp server.
     
    Correct.
     
    >So we need a Microsoft smtp server with receive connector rules that say 'ok you have authenticated with a valid o365 account so I will send the email without looking who the sender is'
    >
    >Do you know if MS have an alternative smtp server with no authentication or one with less restrictive receive connector rules. I can use this as an interim whilst I continue the true fix?
     
    No, I don't. If you ran your own Exchange server I could tell you how
    to do it, but MS isn't going to allow you to manage their servers.
     
    You could, I suppose, look into subscribing to FOPE. I believe you can
    manage your own domain with that.
     
     
     
    >
    >By the way many thanks for your assistance so far – appreciated
    >
    >Ian
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Ian-55AA Thursday, March 7, 2013 4:10 PM
    Thursday, March 7, 2013 3:06 AM
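
The rule stated in the answer above (the sender's address must be one of those belonging to the security principal used for authentication), modelled as an added Python example that is not part of the thread and not Microsoft's implementation. The account names, addresses and the `250 OK` success reply are constructed for illustration; the two error strings are the ones quoted in the thread.

```python
# Added illustration: a constructed model of the relay decision, not Microsoft's code.
# All principal names and addresses below are hypothetical.
from dataclasses import dataclass, field

NOT_AUTHENTICATED = "530 5.7.1 Client was not authenticated"
SEND_AS_DENIED = "550 5.7.1 Client does not have permissions to send as this sender"
ACCEPTED = "250 OK"  # placeholder success reply


@dataclass
class Principal:
    """Security principal the smarthost connector authenticates as."""
    name: str
    addresses: set = field(default_factory=set)

    def owns(self, address: str) -> bool:
        # This model compares addresses case-insensitively.
        return address.strip().lower() in {a.lower() for a in self.addresses}


def relay_decision(principal, mail_from: str) -> str:
    """Reply the relay gives for one message under the rule stated in the thread."""
    if principal is None:              # session never authenticated
        return NOT_AUTHENTICATED
    if not principal.owns(mail_from):  # sender is not one of the principal's addresses
        return SEND_AS_DENIED
    return ACCEPTED


def senders_that_will_bounce(principal, local_senders):
    """Pre-flight check: on-premises senders the relay would refuse for this principal."""
    return sorted(s for s in local_senders
                  if relay_decision(principal, s) == SEND_AS_DENIED)


# Constructed sample data: three on-premises senders, two candidate principals.
LOCAL_SENDERS = ["ian@example.com", "sales@example.com", "Relay@Example.com"]
single_mailbox = Principal("relay", {"relay@example.com"})
multi_address = Principal(
    "relay-group", {"relay@example.com", "ian@example.com", "sales@example.com"})

if __name__ == "__main__":
    print(relay_decision(None, "ian@example.com"))
    print(senders_that_will_bounce(single_mailbox, LOCAL_SENDERS))
    print(senders_that_will_bounce(multi_address, LOCAL_SENDERS))
```

With the single-mailbox principal only the connector's own address is accepted, which matches the symptom in the question; the multi-address principal leaves no sender refused.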
  • Hi Rich, thanks for the wise words

    Bit of a breakthrough today, I have continued to work alongside BT support today and we have a workaround based on pointing our exchange 2007 smarthost back through smtp.btconnect.com. A further config change was required at BT also. This is being tested now but all indications so far are good.

    This is a workaround but I am happy to close this post as fixed crediting members as required

    Many thanks for your assistance on this issue.

    Ian

    Thursday, March 7, 2013 4:07 PM