Enable unauthenticated internal device to send to restricted distribution list?


  • Exchange 2013:

    I have a distribution group which is set to only accept messages from senders inside my organization (RequireSenderAuthenticationEnabled = $True)

    I have an internal IP device which has no means of sending authenticated email to be able to send messages to this group.

    I set up a dedicated receive connector, set the correct IP scope, and set the appropriate permission groups and flags (as far as I can tell) but all messages from this device are blocked by the Transport service: {[{LRT=};{LED=550 5.7.1 RESOLVER.RST.AuthRequired; authentication required};{FQDN=};{IP=}]}

    These are the permissions for the Anonymous permission group (the only selected group for the connector security):

    NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Accept-Headers-Routing} 
    NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Create-Public-Folder} 
    NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Sender} 
    NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authentication-Flag} 
    NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender} 
    NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Store-Create-Named-Properties} 

    I was led to believe that the ms-Exch-SMTP-Accept-Authentication-Flag needed to be set, so why are these messages being classed as unauthenticated?

    Tuesday, May 1, 2018 1:03 PM


  • I guess this is one of those problems that get fixed just by relentlessly banging away at it.

    Anyhow, I got the result I wanted, not that I really understand why Exchange Servers needed to be in the Permission Groups:

    New-ReceiveConnector -Server MailServer01 -Name "Unauthenticated devices" -TransportRole FrontendTransport -Bindings -AuthMechanism ExternalAuthoritative -PermissionGroups AnonymousUsers, ExchangeServers -RemoteIpRanges {IP address of trusted device}

    • Marked as answer by AndyChips Wednesday, May 2, 2018 10:15 AM
    Wednesday, May 2, 2018 10:15 AM
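
An added audit example (not part of the thread, and not Microsoft's code): a connector created as in the answer above makes Exchange treat mail arriving from its RemoteIPRanges as authenticated, so this check lists ExternalAuthoritative connectors and flags any whose scope is wider than single hosts. The function names and the sample connector objects are constructed for illustration; on an Exchange server, pipe the output of Get-ReceiveConnector into the function instead of $sample.

```powershell
# Returns $true when a RemoteIPRanges entry covers exactly one address.
# Entries render as "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-e.f.g.h".
function Test-RangeIsSingleHost {
    param([string]$Range)
    if ($Range -match '^(?<lo>[^-]+)-(?<hi>.+)$') { return $Matches.lo -eq $Matches.hi }
    if ($Range -match '/(?<bits>\d+)$') {
        $bits = [int]$Matches.bits                       # capture before the next -match
        $full = if ($Range -match ':') { 128 } else { 32 }   # IPv6 vs IPv4 host prefix
        return $bits -eq $full
    }
    return $true
}

# Emits one finding per connector that uses ExternalAuthoritative.
function Get-ExternallySecuredConnectorFinding {
    param([Parameter(ValueFromPipeline)]$Connector)
    process {
        $auth   = "$($Connector.AuthMechanism)"      # flags enum renders as "A, B"
        $groups = "$($Connector.PermissionGroups)"
        if ($auth -notmatch 'ExternalAuthoritative') { return }
        $broad = @($Connector.RemoteIPRanges | ForEach-Object { "$_" } |
                   Where-Object { -not (Test-RangeIsSingleHost $_) })
        [pscustomobject]@{
            Connector      = $Connector.Name
            AnonymousUsers = $groups -match 'AnonymousUsers'
            BroadRanges    = $broad -join ', '
            NeedsReview    = ($broad.Count -gt 0)    # more than the intended device can use it
        }
    }
}

# Constructed sample data (documentation IP ranges, hypothetical connector names).
$sample = @(
    [pscustomobject]@{ Name = 'Unauthenticated devices'; AuthMechanism = 'ExternalAuthoritative'
        PermissionGroups = 'AnonymousUsers, ExchangeServers'; RemoteIPRanges = @('192.0.2.25') }
    [pscustomobject]@{ Name = 'Lab relay'; AuthMechanism = 'ExternalAuthoritative'
        PermissionGroups = 'AnonymousUsers, ExchangeServers'
        RemoteIPRanges = @('192.0.2.0/24', '198.51.100.7') }
    [pscustomobject]@{ Name = 'Authenticated clients'; AuthMechanism = 'Tls, Integrated, BasicAuth'
        PermissionGroups = 'ExchangeUsers'; RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
)

$sample | Get-ExternallySecuredConnectorFinding | Format-Table -AutoSize
```

With the sample data, the single-address connector is listed with NeedsReview False, the /24 connector with NeedsReview True, and the connector without ExternalAuthoritative is not listed.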