FrontendTransport Receive Connector not allowing for Authenticated User ms-Exch-SMTP-Accept-Any-Sender

All replies

• 

  

  0

  Sign in to vote

  Hi,

  I would suggest to remove "offer basic authentication only after starting TLS" from basic authentication section if you selected this option. And test again. The below is a guideline for create new receive connector but you must create it through Power Shell because the option is grayed out in Console.

  http://www.techrid.com/exchange-server-2010/mailflow/configuring-receive-connector-in-exchange-2016/ 

  Thanks

  Prabodha

  Saturday, October 22, 2016 8:50 AM
• 

  

  0

  Sign in to vote

  Here's a nice article for you on this scenario :

  • http://exchangeserverpro.com/exchange-2016-smtp-relay-connector/

  Regards,

  ---

  Gilles Tremblay
  MCSE Server and Desktop Infrastructures
  MCSE Messaging, Collaboration, Productivity, Mobility, Cloud Platform and Infrastructure
  

  • Proposed as answer by Gilles Tremblay Monday, October 24, 2016 12:37 PM

  Saturday, October 22, 2016 9:07 AM
• 

  

  0

  Sign in to vote

  Hi Marc,

  The 5.7.60 SMTP error indicates that the device is trying to send an email from an address that doesn’t match the logon credentials.

  Please run the following command and post the result:

  Get-ReceiveConnector -Identity "new FrontendTransport " |fl Auth*,bindings,permissiongroups,enabled

  
  

  Best Regards,

  ---

  Niko Cheng
  TechNet Community Support

  
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  • Proposed as answer by Gilles Tremblay Monday, October 24, 2016 12:37 PM

  Monday, October 24, 2016 8:30 AM
• 

  

  0

  Sign in to vote

  @Niko Cheng:

  That is correct.  We would like to configure the frontend receive connector to allow to send as ANY sender.  We need to use port 25/587, as we have many services configured to use them and it would be a real pain to reconfigure all the clients.

  The server has both the CAS and Mailbox roles installed, so the frontendtransport and hubtransport receive connectors all exist on the server.  I have to be consciousness of the ports, as 25/587 are bound to the frontendtransport by default and cannot be bound to the hubtransport as well.

  I have successfully sent a test message by bypassing the frontendtransport and setting the permissions on a new hubtransport connector.  However, this is not desirable because we do not want to modify the default connectors.

  Here us the results of the requested command:

  AuthMechanism    : Tls, Integrated, BasicAuth
  Bindings         : {0.0.0.0:25}
  PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeLegacyServers, Custom
  Enabled          : True

  ---

  Marc Hauge

  
  

  • Edited by mhauge Monday, October 24, 2016 2:51 PM

  Monday, October 24, 2016 2:32 PM
• 

  

  0

  Sign in to vote

  @Prabodha:

  Thank you for your response, but the "offer basic authentication only after starting TLS" is not currently checked. 

  Also, your response is off base, as I have already created the connector and the question explicitly  asks about Authenticated Users.  The directions instruct an individual to create a connector for Authority\ANONYMOUS LOGON, which I already have working.

  ---

  Marc Hauge

  
  

  • Edited by mhauge Monday, October 24, 2016 2:53 PM

  Monday, October 24, 2016 2:35 PM
• 

  

  0

  Sign in to vote

  @Gilles:

  Thanks. I have skimmed that article prior to posting. The issue I am encountering is that after I create the new frontend receive connector, the ms-Exch-SMTP-Accept-Any-Sender permission for Authenticated Users is ignored. It appears to be because the frontend connector proxies to the "Client Proxy" HubTransport connector, where the send is denied, thus ignoring the permission set on the frontend connector.

  As configured, Anonymous Users can send to the connector all day long as any address, including accepted domains.

  Here are the permissions on the connector in question:

  User                                                        ExtendedRights
  ----                                                        --------------
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Accept-Headers-Forest}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Accept-Headers-Organization}
  NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
  NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-SMTP-Submit}
  NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-Accept-Headers-Routing}
  NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-SMTP-Accept-Any-Sender}
  NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
  NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Submit}
  NT AUTHORITY\Authenticated Users                            {ms-Exch-Bypass-Anti-Spam}
  NT AUTHORITY\Authenticated Users                            {ms-Exch-Accept-Headers-Routing}
  NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Accept-Any-Recipient}
  NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Accept-Any-Sender}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Authentication-Flag}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Accept-Headers-Routing}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Submit}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Bypass-Message-Size-Limit}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Any-Recipient}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Bypass-Anti-Spam}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Exch50}
  DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Any-Sender}
  DOMAIN\Delegated Setup                                      {Send-As}
  DOMAIN\Delegated Setup                                      {Receive-As}
  DOMAIN\Delegated Setup
  DOMAIN\Exchange Servers                                     {ms-Exch-Store-Constrained-Delegation}
  DOMAIN\Exchange Servers                                     {ms-Exch-Store-Transport-Access}
  DOMAIN\Exchange Servers                                     {ms-Exch-Store-Read-Access}
  DOMAIN\Exchange Servers                                     {ms-Exch-Store-Read-Write-Access}
  NT AUTHORITY\NETWORK SERVICE                                {ms-Exch-EPI-Token-Serialization}
  DOMAIN\exchange$
  DOMAIN\Delegated Setup
  NT AUTHORITY\SYSTEM
  NT AUTHORITY\NETWORK SERVICE
  DOMAIN\Exchange Servers                                     {Receive-As}
  DOMAIN\Organization Management                              {ms-Exch-Recipient-Update-Access}
  DOMAIN\Public Folder Management                             {ms-Exch-Recipient-Update-Access}
  DOMAIN\Exchange Recipient Administrators                    {ms-Exch-Recipient-Update-Access}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Recipient-Update-Access}
  NT AUTHORITY\SYSTEM                                         {ms-Exch-Recipient-Update-Access}
  DOMAIN\Domain Admins                                        {Send-As}
  DOMAIN\Enterprise Admins                                    {Send-As}
  DOMAIN\exadmin                                              {Send-As}
  DOMAIN\Organization Management                              {Send-As}
  DOMAIN\ExchangeAdmins                                       {Send-As}
  DOMAIN\Exchange Organization Administrators                 {Send-As}
  DOMAIN\DomainAdmin                                          {Send-As}
  DOMAIN\EnterpriseAdmin                                     {Send-As}
  DOMAIN\Domain Admins                                        {Receive-As}
  DOMAIN\Enterprise Admins                                    {Receive-As}
  DOMAIN\exadmin                                              {Receive-As}
  DOMAIN\Organization Management                              {Receive-As}
  DOMAIN\ExchangeAdmins                                       {Receive-As}
  DOMAIN\Exchange Organization Administrators                 {Receive-As}
  DOMAIN\DomainAdmin                                          {Receive-As}
  DOMAIN\EnterpriseAdmin                                      {Receive-As}
  DOMAIN\Domain Admins                                        {ms-Exch-EPI-Impersonation}
  DOMAIN\Schema Admins                                        {ms-Exch-EPI-Impersonation}
  DOMAIN\Enterprise Admins                                    {ms-Exch-EPI-Impersonation}
  DOMAIN\Organization Management                              {ms-Exch-EPI-Impersonation}
  DOMAIN\Exchange Organization Administrators                 {ms-Exch-EPI-Impersonation}
  DOMAIN\Domain Admins                                        {ms-Exch-EPI-Token-Serialization}
  DOMAIN\Schema Admins                                        {ms-Exch-EPI-Token-Serialization}
  DOMAIN\Enterprise Admins                                    {ms-Exch-EPI-Token-Serialization}
  DOMAIN\Organization Management                              {ms-Exch-EPI-Token-Serialization}
  DOMAIN\Exchange Organization Administrators                 {ms-Exch-EPI-Token-Serialization}
  DOMAIN\Domain Admins                                        {ms-Exch-Store-Constrained-Delegation}
  DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Constrained-Delegation}
  DOMAIN\Domain Admins                                        {ms-Exch-Store-Transport-Access}
  DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Transport-Access}
  DOMAIN\Domain Admins                                        {ms-Exch-Store-Read-Access}
  DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Read-Access}
  DOMAIN\Domain Admins                                        {ms-Exch-Store-Read-Write-Access}
  DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Read-Write-Access}
  NT AUTHORITY\Authenticated Users
  DOMAIN\Organization Management                              {ms-Exch-Create-Top-Level-Public-Folder}
  DOMAIN\Public Folder Management                             {ms-Exch-Create-Top-Level-Public-Folder}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Create-Top-Level-Public-Folder}
  DOMAIN\Organization Management                              {ms-Exch-Store-Visible}
  DOMAIN\Public Folder Management                             {ms-Exch-Store-Visible}
  DOMAIN\Exchange View-Only Administrators                    {ms-Exch-Store-Visible}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Store-Visible}
  DOMAIN\Organization Management                              {ms-Exch-Store-Admin}
  DOMAIN\Public Folder Management                             {ms-Exch-Store-Admin}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Store-Admin}
  DOMAIN\Organization Management                              {ms-Exch-Store-Create-Named-Properties}
  DOMAIN\Public Folder Management                             {ms-Exch-Store-Create-Named-Properties}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Store-Create-Named-Properties}
  DOMAIN\Organization Management                              {ms-Exch-Modify-PF-ACL}
  DOMAIN\Public Folder Management                             {ms-Exch-Modify-PF-ACL}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-PF-ACL}
  DOMAIN\Organization Management                              {ms-Exch-Mail-Enabled-Public-Folder}
  DOMAIN\Public Folder Management                             {ms-Exch-Mail-Enabled-Public-Folder}
  DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Quotas}
  DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Quotas}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Quotas}
  DOMAIN\Organization Management                              {ms-Exch-Modify-PF-Admin-ACL}
  DOMAIN\Public Folder Management                             {ms-Exch-Modify-PF-Admin-ACL}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-PF-Admin-ACL}
  DOMAIN\Exchange Servers                                     {ms-Exch-EPI-Token-Serialization}
  DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Expiry}
  DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Expiry}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Expiry}
  DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Replica-List}
  DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Replica-List}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Replica-List}
  DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
  DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
  DOMAIN\Organization Management                              {ms-Exch-Create-Public-Folder}
  DOMAIN\Public Folder Management                             {ms-Exch-Create-Public-Folder}
  DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Create-Public-Folder}
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Domain Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Domain Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Domain Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Domain Servers
  Everyone                                                    {ms-Exch-Store-Create-Named-Properties}
  NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-Store-Create-Named-Properties}
  Everyone                                                    {ms-Exch-Create-Public-Folder}
  NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-Create-Public-Folder}
  Everyone
  NT AUTHORITY\ANONYMOUS LOGON
  Everyone
  NT AUTHORITY\ANONYMOUS LOGON
  DOMAIN\Exchange Servers
  DOMAIN\Exchange Domain Servers
  DOMAIN\Organization Management
  DOMAIN\Public Folder Management
  DOMAIN\Managed Availability Servers
  DOMAIN\Exchange Public Folder Administrators
  NT AUTHORITY\SYSTEM
  DOMAIN\Exchange Domain Servers
  DOMAIN\Exchange Servers
  DOMAIN\Exchange View-Only Administrators
  DOMAIN\exchangeadmin
  DOMAIN\Organization Management
  DOMAIN\ExchangeAdmins
  DOMAIN\Exchange Organization Administrators
  DOMAIN\Exchange Trusted Subsystem
  DOMAIN\Domain Admin
  DOMAIN\Enterprise Admin
  DOMAIN\Enterprise Admins
  DOMAIN\Domain Admins

  ---

  Marc Hauge

  
  
  

  • Edited by mhauge Monday, October 24, 2016 4:44 PM

  Monday, October 24, 2016 2:50 PM
• 

  

  0

  Sign in to vote

  Hi Marc,

  Based on my knowledge, the ms-Exch-SMTP-Accept-Any-Sender permission is used to allow the session to bypass the sender address spoofing check, not allow the "Send As" permission. 

  If you want the connector to send as any sender, I think anonymous relay would be a solution you are looking for, you can run the following command to add "ms-Exch-SMTP-Accept-Any-Recipient" permission on this frontend receive connector and check again:

  Get-ReceiveConnector -Identity "new FrontendTransport" |Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

  Since you had only scoped to your internal sever IPs, this connector only used in internal.

  Hope this helps,

  Best regards,

  ---

  Niko Cheng
  TechNet Community Support

  
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  • Proposed as answer by Niko.Cheng Monday, October 31, 2016 9:54 AM
  • Marked as answer by Niko.Cheng Monday, November 7, 2016 1:48 AM

  Wednesday, October 26, 2016 10:12 AM