FrontendTransport Receive Connector not allowing for Authenticated User ms-Exch-SMTP-Accept-Any-Sender

Question
We are transitioning from Exchange 2010 with a targeted relay connector and clients connecting over port 25 & 587.
On the Exchange 2016 server we have set up and configured a new FrontendTransport receive connector scoped to our internal server IPs. We added the following extended permissions to the new connector to allow AUTHENTICATED service accounts to connect from the designated IPs and send messages FROM ANY address (including accepted domains):
"NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
"NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender
When testing, the result is: 5.7.60 SMTP; Client does not have permissions to send as this sender
It appears that the frontendTransport proxies to the "Client Proxy" HubTransport connector, which results in not honoring the frontendTransport permissions. Anonymous sending works fine, as it proxies traffic to the "Default" HubTransport connector.
Has anyone been able to configure a receive connector, scoped to specific IPs, to allow AUTHENTICATED users to send from ANY address?
Marc Hauge
Friday, October 21, 2016 8:57 PM
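Before changing anything, the check a practitioner wants for the situation Marc describes is a single view of every Receive connector on the server: its transport role (FrontendTransport vs HubTransport), its port bindings, how tightly its RemoteIPRanges is scoped, and which relay-relevant extended rights ANONYMOUS LOGON and Authenticated Users actually hold on it. The script below is an added example for the Exchange Management Shell, not code from this thread or from Microsoft; it only uses Get-ReceiveConnector and Get-ADPermission, and the server name in the usage line is a placeholder.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# For each Receive connector: role, bindings, remote IP scope, and which of the
# relay-relevant extended rights are granted to the two principals that matter
# for relay decisions. IsWideOpen marks a connector whose RemoteIPRanges still
# covers all of IPv4, i.e. one that is not scoped at all.

$relayRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
    'ms-Exch-SMTP-Accept-Any-Recipient',
    'ms-Exch-SMTP-Submit'
)
$principals = @('NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\Authenticated Users')

function Get-RelayRightSummary {
    [CmdletBinding()]
    param(
        # Optional server filter (e.g. 'EX16', a placeholder); default is all servers
        [string]$Server
    )
    $connectors = if ($Server) { Get-ReceiveConnector -Server $Server } else { Get-ReceiveConnector }

    foreach ($rc in $connectors) {
        # Allow entries for the two principals; the big inherited admin ACL is ignored
        $acl = Get-ADPermission -Identity $rc.Identity |
            Where-Object { -not $_.Deny -and ($principals -contains "$($_.User)") }

        $granted = @{}
        foreach ($p in $principals) { $granted[$p] = @() }
        foreach ($ace in $acl) {
            foreach ($right in $ace.ExtendedRights) {
                if ($relayRights -contains "$right") { $granted["$($ace.User)"] += "$right" }
            }
        }

        [pscustomobject]@{
            Connector      = "$($rc.Identity)"
            TransportRole  = "$($rc.TransportRole)"
            Bindings       = ($rc.Bindings -join ', ')
            RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
            IsWideOpen     = [bool]($rc.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' })
            AnonymousRelay = ($granted['NT AUTHORITY\ANONYMOUS LOGON'] | Sort-Object -Unique) -join ', '
            AuthUsersRelay = ($granted['NT AUTHORITY\Authenticated Users'] | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage: one record per connector, frontend and hub connectors side by side
Get-RelayRightSummary -Server 'EX16' | Sort-Object TransportRole, Connector | Format-List
```

Reading the output next to Marc's description: the grants on the new FrontendTransport connector appear on its own row, but because authenticated sessions on a frontend connector are proxied to a HubTransport connector, the row for the hub connector that receives the proxied session is the one whose AuthUsersRelay column decides what an authenticated client may do. Any connector with IsWideOpen set to True and a non-empty AnonymousRelay column deserves attention regardless of this thread's question.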
Answers
Hi Marc,
Based on my knowledge, the ms-Exch-SMTP-Accept-Any-Sender permission is used to allow the session to bypass the sender address spoofing check, not allow the "Send As" permission.
If you want the connector to send as any sender, I think anonymous relay would be a solution you are looking for. You can run the following command to add the "ms-Exch-SMTP-Accept-Any-Recipient" permission on this frontend receive connector and check again:
Get-ReceiveConnector -Identity "new FrontendTransport" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Since you have only scoped it to your internal server IPs, this connector is only used internally.
Hope this helps,
Best regards,
Niko Cheng
TechNet Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Niko.Cheng Monday, October 31, 2016 9:54 AM
- Marked as answer by Niko.Cheng Monday, November 7, 2016 1:48 AM
Wednesday, October 26, 2016 10:12 AM
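The accepted answer's command grants ms-Exch-SMTP-Accept-Any-Recipient to ANONYMOUS LOGON, which is what makes the connector a relay; the answer's safety argument is that the connector is scoped to internal IPs. The script below, an added example for the Exchange Management Shell and not code from the thread, makes that argument explicit: it refuses to add the permission unless the connector's RemoteIPRanges matches the list of application servers the admin expects, grants the right only if it is not already present, and reads back the anonymous entries afterwards. The connector name is the one from the thread; the IP addresses are placeholders.

```powershell
# Added example (not from the thread). Grants anonymous relay on a Receive
# connector only after confirming the connector is scoped to the expected
# remote addresses, so the grant cannot silently turn into an open relay.

function Grant-ScopedAnonymousRelay {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Connector name as in the thread, or Server\Name to be unambiguous
        [Parameter(Mandatory)][string]$Identity,
        # The remote IPs/ranges the connector is supposed to accept, and nothing else
        [Parameter(Mandatory)][string[]]$ExpectedRemoteIPRanges
    )
    $anon  = 'NT AUTHORITY\ANONYMOUS LOGON'
    $right = 'ms-Exch-SMTP-Accept-Any-Recipient'

    $rc = Get-ReceiveConnector -Identity $Identity
    $actual = @($rc.RemoteIPRanges | ForEach-Object { "$_" })

    # Guard 1: a connector that still covers all of IPv4 is not scoped at all
    if ($actual -contains '0.0.0.0-255.255.255.255') {
        throw "Refusing: '$Identity' is not scoped (RemoteIPRanges covers all of IPv4)."
    }
    # Guard 2: every configured range must be one the admin explicitly expects
    $unexpected = @($actual | Where-Object { $ExpectedRemoteIPRanges -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        throw "Refusing: '$Identity' accepts unexpected remote ranges: $($unexpected -join ', ')"
    }

    # Skip the grant if it is already in place
    $already = Get-ADPermission -Identity $rc.Identity | Where-Object {
        "$($_.User)" -eq $anon -and -not $_.Deny -and
        (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right)
    }
    if ($already) {
        Write-Verbose "$right is already granted to $anon on '$Identity'."
    }
    elseif ($PSCmdlet.ShouldProcess($Identity, "Grant $right to $anon")) {
        # Same form as the accepted answer's command
        $rc | Add-ADPermission -User $anon -ExtendedRights $right | Out-Null
    }

    # Read back what anonymous sessions can now do on this connector
    Get-ADPermission -Identity $rc.Identity |
        Where-Object { "$($_.User)" -eq $anon -and -not $_.Deny } |
        Select-Object User, @{ n = 'ExtendedRights'; e = { ($_.ExtendedRights | ForEach-Object { "$_" }) -join ', ' } }
}

# Usage (placeholder addresses for the internal application servers).
# -WhatIf shows the intended grant without applying it.
Grant-ScopedAnonymousRelay -Identity 'new FrontendTransport' `
    -ExpectedRemoteIPRanges '10.0.0.20', '10.0.0.21' -Verbose
```

Because the expected ranges are compared as the strings Exchange displays, a range must be written the way Get-ReceiveConnector shows it (a single address as 10.0.0.20, a range as 10.0.0.20-10.0.0.25); any mismatch stops the grant, which is the intended behaviour.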
All replies
Hi,
I would suggest removing "offer basic authentication only after starting TLS" from the basic authentication section if you selected this option, and test again. Below is a guideline for creating a new receive connector, but you must create it through PowerShell because the option is grayed out in the Console.
http://www.techrid.com/exchange-server-2010/mailflow/configuring-receive-connector-in-exchange-2016/
Thanks
Prabodha
Saturday, October 22, 2016 8:50 AM
Here's a nice article for you on this scenario :
- http://exchangeserverpro.com/exchange-2016-smtp-relay-connector/
Regards,
Gilles Tremblay
MCSE Server and Desktop Infrastructures
MCSE Messaging, Collaboration, Productivity, Mobility, Cloud Platform and Infrastructure
- Proposed as answer by Gilles Tremblay Monday, October 24, 2016 12:37 PM
Saturday, October 22, 2016 9:07 AM
Hi Marc,
The 5.7.60 SMTP error indicates that the device is trying to send an email from an address that doesn’t match the logon credentials.
Please run the following command and post the result:
Get-ReceiveConnector -Identity "new FrontendTransport " |fl Auth*,bindings,permissiongroups,enabled
Best Regards,
Niko Cheng
TechNet Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Gilles Tremblay Monday, October 24, 2016 12:37 PM
Monday, October 24, 2016 8:30 AM
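Niko's reading of 5.7.60 (the client is sending from an address that does not match its logon credentials) is something an admin can confirm from the SMTP receive protocol logs rather than from the client's error message alone. The script below is an added example, not code from the thread or from Microsoft: it parses protocol-log lines in the standard field layout, pairs each 5.7.60 response with the MAIL FROM the same session had just sent, and reports which source IP attempted which sender on which connector. The log lines in $sampleLog are constructed sample data (server name EX16 and the addresses are placeholders), and the path in the final usage line is the default frontend receive-log location under the Exchange install directory.

```powershell
# Added example (not from the thread). Summarises 5.7.60 "send as this sender"
# rejections from Exchange SMTP receive protocol logs. The field names are the
# standard protocol-log header; $sampleLog is constructed sample data.

$protocolLogFields = 'date-time', 'connector-id', 'session-id', 'sequence-number',
                     'local-endpoint', 'remote-endpoint', 'event', 'data', 'context'

function Get-SendAsRejection {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    begin { $rows = New-Object System.Collections.Generic.List[string] }
    process {
        # Drop blank lines and the #Software/#Fields header lines
        foreach ($l in $Line) { if ($l -and -not $l.StartsWith('#')) { $rows.Add($l) } }
    }
    end {
        $lastMailFrom = @{}   # session-id -> most recent MAIL FROM address
        foreach ($r in ($rows | ConvertFrom-Csv -Header $protocolLogFields)) {
            # '<' = data the server received from the client, '>' = server response
            if ($r.event -eq '<' -and $r.data -match '^MAIL FROM:<([^>]*)>') {
                $lastMailFrom[$r.'session-id'] = $Matches[1]
            }
            elseif ($r.event -eq '>' -and $r.data -like '*5.7.60*') {
                [pscustomobject]@{
                    Time      = $r.'date-time'
                    Connector = $r.'connector-id'
                    RemoteIP  = ($r.'remote-endpoint' -split ':')[0]
                    Sender    = $lastMailFrom[$r.'session-id']
                    Response  = $r.data
                }
            }
        }
    }
}

# Constructed sample: one session rejected with 5.7.60, one accepted (250 Sender OK)
$sampleLog = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-10-24T14:20:01.101Z,EX16\new FrontendTransport,08D3F9A1B2C3D4E5,0,10.0.0.5:25,10.0.0.20:51234,+,,
2016-10-24T14:20:01.130Z,EX16\new FrontendTransport,08D3F9A1B2C3D4E5,8,10.0.0.5:25,10.0.0.20:51234,<,MAIL FROM:<noreply@contoso.example> SIZE=2048,
2016-10-24T14:20:01.150Z,EX16\new FrontendTransport,08D3F9A1B2C3D4E5,9,10.0.0.5:25,10.0.0.20:51234,>,550 5.7.60 SMTP; Client does not have permissions to send as this sender,
2016-10-24T14:21:10.010Z,EX16\new FrontendTransport,08D3F9A1B2C3D4E6,8,10.0.0.5:25,10.0.0.21:51300,<,MAIL FROM:<svc-app@contoso.example>,
2016-10-24T14:21:10.020Z,EX16\new FrontendTransport,08D3F9A1B2C3D4E6,9,10.0.0.5:25,10.0.0.21:51300,>,250 2.1.0 Sender OK,
'@

# On the sample this yields one row: 10.0.0.20 tried noreply@contoso.example
$sampleLog -split "`r?`n" | Get-SendAsRejection | Format-Table -AutoSize

# Which (source IP, sender) pairs fail most often
$sampleLog -split "`r?`n" | Get-SendAsRejection |
    Group-Object RemoteIP, Sender | Select-Object Count, Name

# Against real logs (default frontend receive-log path; protocol logging must be
# enabled on the connector for these files to contain the session):
# Get-Content "$env:ExchangeInstallPath\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log" |
#     Get-SendAsRejection | Group-Object RemoteIP, Sender
```

The grouped output answers the question that matters for this thread: whether the rejections come from the expected service accounts on the expected internal IPs using senders they were meant to use (a permissions problem on the connector chain), or from something else entirely.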
@Niko Cheng:
That is correct. We would like to configure the frontend receive connector to allow to send as ANY sender. We need to use port 25/587, as we have many services configured to use them and it would be a real pain to reconfigure all the clients.
The server has both the CAS and Mailbox roles installed, so the frontendtransport and hubtransport receive connectors all exist on the server. I have to be conscious of the ports, as 25/587 are bound to the frontendtransport by default and cannot be bound to the hubtransport as well.
I have successfully sent a test message by bypassing the frontendtransport and setting the permissions on a new hubtransport connector. However, this is not desirable because we do not want to modify the default connectors.
Here are the results of the requested command:
AuthMechanism : Tls, Integrated, BasicAuth
Bindings : {0.0.0.0:25}
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeLegacyServers, Custom
Enabled : True
Marc Hauge
- Edited by mhauge Monday, October 24, 2016 2:51 PM
Monday, October 24, 2016 2:32 PM
@Prabodha:
Thank you for your response, but the "offer basic authentication only after starting TLS" is not currently checked.
Also, your response is off base, as I have already created the connector and the question explicitly asks about Authenticated Users. The directions instruct an individual to create a connector for Authority\ANONYMOUS LOGON, which I already have working.
Marc Hauge
- Edited by mhauge Monday, October 24, 2016 2:53 PM
Monday, October 24, 2016 2:35 PM
@Gilles:
Thanks. I have skimmed that article prior to posting. The issue I am encountering is that after I create the new frontend receive connector, the ms-Exch-SMTP-Accept-Any-Sender permission for Authenticated Users is ignored. It appears to be because the frontend connector proxies to the "Client Proxy" HubTransport connector, where the send is denied, thus ignoring the permission set on the frontend connector.
As configured, Anonymous Users can send to the connector all day long as any address, including accepted domains.
Here are the permissions on the connector in question:
User ExtendedRights
---- --------------
DOMAIN\ExchangeLegacyInterop {ms-Exch-Accept-Headers-Forest}
DOMAIN\ExchangeLegacyInterop {ms-Exch-Accept-Headers-Organization}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Submit}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Sender}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Sender}
DOMAIN\ExchangeLegacyInterop {ms-Exch-SMTP-Accept-Authentication-Flag}
DOMAIN\ExchangeLegacyInterop {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
DOMAIN\ExchangeLegacyInterop {ms-Exch-Accept-Headers-Routing}
DOMAIN\ExchangeLegacyInterop {ms-Exch-SMTP-Submit}
DOMAIN\ExchangeLegacyInterop {ms-Exch-Bypass-Message-Size-Limit}
DOMAIN\ExchangeLegacyInterop {ms-Exch-SMTP-Accept-Any-Recipient}
DOMAIN\ExchangeLegacyInterop {ms-Exch-Bypass-Anti-Spam}
DOMAIN\ExchangeLegacyInterop {ms-Exch-SMTP-Accept-Exch50}
DOMAIN\ExchangeLegacyInterop {ms-Exch-SMTP-Accept-Any-Sender}
DOMAIN\Delegated Setup {Send-As}
DOMAIN\Delegated Setup {Receive-As}
DOMAIN\Delegated Setup
DOMAIN\Exchange Servers {ms-Exch-Store-Constrained-Delegation}
DOMAIN\Exchange Servers {ms-Exch-Store-Transport-Access}
DOMAIN\Exchange Servers {ms-Exch-Store-Read-Access}
DOMAIN\Exchange Servers {ms-Exch-Store-Read-Write-Access}
NT AUTHORITY\NETWORK SERVICE {ms-Exch-EPI-Token-Serialization}
DOMAIN\exchange$
DOMAIN\Delegated Setup
NT AUTHORITY\SYSTEM
NT AUTHORITY\NETWORK SERVICE
DOMAIN\Exchange Servers {Receive-As}
DOMAIN\Organization Management {ms-Exch-Recipient-Update-Access}
DOMAIN\Public Folder Management {ms-Exch-Recipient-Update-Access}
DOMAIN\Exchange Recipient Administrators {ms-Exch-Recipient-Update-Access}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Recipient-Update-Access}
NT AUTHORITY\SYSTEM {ms-Exch-Recipient-Update-Access}
DOMAIN\Domain Admins {Send-As}
DOMAIN\Enterprise Admins {Send-As}
DOMAIN\exadmin {Send-As}
DOMAIN\Organization Management {Send-As}
DOMAIN\ExchangeAdmins {Send-As}
DOMAIN\Exchange Organization Administrators {Send-As}
DOMAIN\DomainAdmin {Send-As}
DOMAIN\EnterpriseAdmin {Send-As}
DOMAIN\Domain Admins {Receive-As}
DOMAIN\Enterprise Admins {Receive-As}
DOMAIN\exadmin {Receive-As}
DOMAIN\Organization Management {Receive-As}
DOMAIN\ExchangeAdmins {Receive-As}
DOMAIN\Exchange Organization Administrators {Receive-As}
DOMAIN\DomainAdmin {Receive-As}
DOMAIN\EnterpriseAdmin {Receive-As}
DOMAIN\Domain Admins {ms-Exch-EPI-Impersonation}
DOMAIN\Schema Admins {ms-Exch-EPI-Impersonation}
DOMAIN\Enterprise Admins {ms-Exch-EPI-Impersonation}
DOMAIN\Organization Management {ms-Exch-EPI-Impersonation}
DOMAIN\Exchange Organization Administrators {ms-Exch-EPI-Impersonation}
DOMAIN\Domain Admins {ms-Exch-EPI-Token-Serialization}
DOMAIN\Schema Admins {ms-Exch-EPI-Token-Serialization}
DOMAIN\Enterprise Admins {ms-Exch-EPI-Token-Serialization}
DOMAIN\Organization Management {ms-Exch-EPI-Token-Serialization}
DOMAIN\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
DOMAIN\Domain Admins {ms-Exch-Store-Constrained-Delegation}
DOMAIN\Enterprise Admins {ms-Exch-Store-Constrained-Delegation}
DOMAIN\Domain Admins {ms-Exch-Store-Transport-Access}
DOMAIN\Enterprise Admins {ms-Exch-Store-Transport-Access}
DOMAIN\Domain Admins {ms-Exch-Store-Read-Access}
DOMAIN\Enterprise Admins {ms-Exch-Store-Read-Access}
DOMAIN\Domain Admins {ms-Exch-Store-Read-Write-Access}
DOMAIN\Enterprise Admins {ms-Exch-Store-Read-Write-Access}
NT AUTHORITY\Authenticated Users
DOMAIN\Organization Management {ms-Exch-Create-Top-Level-Public-Folder}
DOMAIN\Public Folder Management {ms-Exch-Create-Top-Level-Public-Folder}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Create-Top-Level-Public-Folder}
DOMAIN\Organization Management {ms-Exch-Store-Visible}
DOMAIN\Public Folder Management {ms-Exch-Store-Visible}
DOMAIN\Exchange View-Only Administrators {ms-Exch-Store-Visible}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Store-Visible}
DOMAIN\Organization Management {ms-Exch-Store-Admin}
DOMAIN\Public Folder Management {ms-Exch-Store-Admin}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Store-Admin}
DOMAIN\Organization Management {ms-Exch-Store-Create-Named-Properties}
DOMAIN\Public Folder Management {ms-Exch-Store-Create-Named-Properties}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Store-Create-Named-Properties}
DOMAIN\Organization Management {ms-Exch-Modify-PF-ACL}
DOMAIN\Public Folder Management {ms-Exch-Modify-PF-ACL}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Modify-PF-ACL}
DOMAIN\Organization Management {ms-Exch-Mail-Enabled-Public-Folder}
DOMAIN\Public Folder Management {ms-Exch-Mail-Enabled-Public-Folder}
DOMAIN\Organization Management {ms-Exch-Modify-Public-Folder-Quotas}
DOMAIN\Public Folder Management {ms-Exch-Modify-Public-Folder-Quotas}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Modify-Public-Folder-Quotas}
DOMAIN\Organization Management {ms-Exch-Modify-PF-Admin-ACL}
DOMAIN\Public Folder Management {ms-Exch-Modify-PF-Admin-ACL}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Modify-PF-Admin-ACL}
DOMAIN\Exchange Servers {ms-Exch-EPI-Token-Serialization}
DOMAIN\Organization Management {ms-Exch-Modify-Public-Folder-Expiry}
DOMAIN\Public Folder Management {ms-Exch-Modify-Public-Folder-Expiry}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Modify-Public-Folder-Expiry}
DOMAIN\Organization Management {ms-Exch-Modify-Public-Folder-Replica-List}
DOMAIN\Public Folder Management {ms-Exch-Modify-Public-Folder-Replica-List}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Modify-Public-Folder-Replica-List}
DOMAIN\Organization Management {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
DOMAIN\Public Folder Management {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
DOMAIN\Organization Management {ms-Exch-Create-Public-Folder}
DOMAIN\Public Folder Management {ms-Exch-Create-Public-Folder}
DOMAIN\Exchange Public Folder Administrators {ms-Exch-Create-Public-Folder}
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Domain Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Domain Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Domain Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange Domain Servers
Everyone {ms-Exch-Store-Create-Named-Properties}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Store-Create-Named-Properties}
Everyone {ms-Exch-Create-Public-Folder}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Create-Public-Folder}
Everyone
NT AUTHORITY\ANONYMOUS LOGON
Everyone
NT AUTHORITY\ANONYMOUS LOGON
DOMAIN\Exchange Servers
DOMAIN\Exchange Domain Servers
DOMAIN\Organization Management
DOMAIN\Public Folder Management
DOMAIN\Managed Availability Servers
DOMAIN\Exchange Public Folder Administrators
NT AUTHORITY\SYSTEM
DOMAIN\Exchange Domain Servers
DOMAIN\Exchange Servers
DOMAIN\Exchange View-Only Administrators
DOMAIN\exchangeadmin
DOMAIN\Organization Management
DOMAIN\ExchangeAdmins
DOMAIN\Exchange Organization Administrators
DOMAIN\Exchange Trusted Subsystem
DOMAIN\Domain Admin
DOMAIN\Enterprise Admin
DOMAIN\Enterprise Admins
DOMAIN\Domain Admins
Marc Hauge
- Edited by mhauge Monday, October 24, 2016 4:44 PM
Monday, October 24, 2016 2:50 PM