FrontendTransport Receive Connector not allowing for Authenticated User ms-Exch-SMTP-Accept-Any-Sender

    Question

  • We are transitioning from Exchange 2010 with a targeted relay connector and clients connecting over port 25 & 587.

    On the Exchange 2016 server we have set up and configured a new FrontendTransport receive connector scoped to our internal server IPs.  We added the following extended permissions to the new connector to allow AUTHENTICATED service accounts to connect from the designated IPs and send messages FROM ANY address (including accepted domains):

    Get-ReceiveConnector -Identity "new FrontendTransport" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
    Get-ReceiveConnector -Identity "new FrontendTransport" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

    When testing, the result is "5.7.60 SMTP; Client does not have permissions to send as this sender".

    It appears that the frontendTransport proxies to the "Client Proxy" HubTransport connector, which results in not honoring the frontendTransport permissions.  Anonymous sending works fine, as it proxies traffic to the "Default" HubTransport connector.

    Has anyone been able to configure a receive connector, scoped to specific IPs, to allow AUTHENTICATED users to send from ANY address?


    Marc Hauge

    Friday, October 21, 2016 8:57 PM

Answers

  • Hi Marc,

    Based on my knowledge, the ms-Exch-SMTP-Accept-Any-Sender permission is used to allow the session to bypass the sender address spoofing check, not allow the "Send As" permission. 

    If you want the connector to send as any sender, I think anonymous relay would be the solution you are looking for. You can run the following command to add the "ms-Exch-SMTP-Accept-Any-Recipient" permission on this frontend receive connector and check again:

    Get-ReceiveConnector -Identity "new FrontendTransport" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Since you have scoped it only to your internal server IPs, this connector is only used internally.

    Hope this helps,

    Best regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 26, 2016 10:12 AM
    Moderator

All replies

  • Hi,

    I would suggest removing "offer basic authentication only after starting TLS" from the basic authentication section if you selected this option, and testing again. The link below is a guide to creating a new receive connector, but you must create it through PowerShell because the option is grayed out in the console.

    http://www.techrid.com/exchange-server-2010/mailflow/configuring-receive-connector-in-exchange-2016/ 

    Thanks

    Prabodha

    Saturday, October 22, 2016 8:50 AM
  • Here's a nice article for you on this scenario:

    • http://exchangeserverpro.com/exchange-2016-smtp-relay-connector/

    Regards,


    Gilles Tremblay
    MCSE Server and Desktop Infrastructures
    MCSE Messaging, Collaboration, Productivity, Mobility, Cloud Platform and Infrastructure

    Saturday, October 22, 2016 9:07 AM
  • Hi Marc,

    The 5.7.60 SMTP error indicates that the device is trying to send an email from an address that doesn’t match the logon credentials.

    Please run the following command and post the result:

    Get-ReceiveConnector -Identity "new FrontendTransport" | Format-List Auth*,Bindings,PermissionGroups,Enabled

    Best Regards,


    Niko Cheng
    TechNet Community Support



    Monday, October 24, 2016 8:30 AM
    Moderator
  • @Niko Cheng:

    That is correct.  We would like to configure the frontend receive connector to allow sending as ANY sender.  We need to use port 25/587, as we have many services configured to use them and it would be a real pain to reconfigure all the clients.

    The server has both the CAS and Mailbox roles installed, so the FrontendTransport and HubTransport receive connectors all exist on the server.  I have to be conscious of the ports, as 25/587 are bound to the FrontendTransport by default and cannot be bound to the HubTransport as well.

    I have successfully sent a test message by bypassing the frontendtransport and setting the permissions on a new hubtransport connector.  However, this is not desirable because we do not want to modify the default connectors.

    Here are the results of the requested command:

    AuthMechanism    : Tls, Integrated, BasicAuth
    Bindings         : {0.0.0.0:25}
    PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeLegacyServers, Custom
    Enabled          : True


    Marc Hauge


    • Edited by mhauge Monday, October 24, 2016 2:51 PM
    Monday, October 24, 2016 2:32 PM
  • @Prabodha:

    Thank you for your response, but the "offer basic authentication only after starting TLS" is not currently checked. 

    Also, your response is off base, as I have already created the connector and the question explicitly asks about Authenticated Users.  The directions instruct an individual to create a connector for NT AUTHORITY\ANONYMOUS LOGON, which I already have working.


    Marc Hauge


    • Edited by mhauge Monday, October 24, 2016 2:53 PM
    Monday, October 24, 2016 2:35 PM
  • @Gilles:

    Thanks. I have skimmed that article prior to posting. The issue I am encountering is that after I create the new frontend receive connector, the ms-Exch-SMTP-Accept-Any-Sender permission for Authenticated Users is ignored. It appears to be because the frontend connector proxies to the "Client Proxy" HubTransport connector, where the send is denied, thus ignoring the permission set on the frontend connector.

    As configured, Anonymous Users can send to the connector all day long as any address, including accepted domains.

    Here are the permissions on the connector in question:

    User                                                        ExtendedRights
    ----                                                        --------------
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Accept-Headers-Forest}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Accept-Headers-Organization}
    NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
    NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-SMTP-Submit}
    NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-Accept-Headers-Routing}
    NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-SMTP-Accept-Any-Sender}
    NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
    NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Submit}
    NT AUTHORITY\Authenticated Users                            {ms-Exch-Bypass-Anti-Spam}
    NT AUTHORITY\Authenticated Users                            {ms-Exch-Accept-Headers-Routing}
    NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Accept-Any-Recipient}
    NT AUTHORITY\Authenticated Users                            {ms-Exch-SMTP-Accept-Any-Sender}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Authentication-Flag}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Accept-Headers-Routing}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Submit}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Bypass-Message-Size-Limit}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Any-Recipient}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-Bypass-Anti-Spam}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Exch50}
    DOMAIN\ExchangeLegacyInterop                                {ms-Exch-SMTP-Accept-Any-Sender}
    DOMAIN\Delegated Setup                                      {Send-As}
    DOMAIN\Delegated Setup                                      {Receive-As}
    DOMAIN\Delegated Setup
    DOMAIN\Exchange Servers                                     {ms-Exch-Store-Constrained-Delegation}
    DOMAIN\Exchange Servers                                     {ms-Exch-Store-Transport-Access}
    DOMAIN\Exchange Servers                                     {ms-Exch-Store-Read-Access}
    DOMAIN\Exchange Servers                                     {ms-Exch-Store-Read-Write-Access}
    NT AUTHORITY\NETWORK SERVICE                                {ms-Exch-EPI-Token-Serialization}
    DOMAIN\exchange$
    DOMAIN\Delegated Setup
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\NETWORK SERVICE
    DOMAIN\Exchange Servers                                     {Receive-As}
    DOMAIN\Organization Management                              {ms-Exch-Recipient-Update-Access}
    DOMAIN\Public Folder Management                             {ms-Exch-Recipient-Update-Access}
    DOMAIN\Exchange Recipient Administrators                    {ms-Exch-Recipient-Update-Access}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Recipient-Update-Access}
    NT AUTHORITY\SYSTEM                                         {ms-Exch-Recipient-Update-Access}
    DOMAIN\Domain Admins                                        {Send-As}
    DOMAIN\Enterprise Admins                                    {Send-As}
    DOMAIN\exadmin                                              {Send-As}
    DOMAIN\Organization Management                              {Send-As}
    DOMAIN\ExchangeAdmins                                       {Send-As}
    DOMAIN\Exchange Organization Administrators                 {Send-As}
    DOMAIN\DomainAdmin                                          {Send-As}
    DOMAIN\EnterpriseAdmin                                     {Send-As}
    DOMAIN\Domain Admins                                        {Receive-As}
    DOMAIN\Enterprise Admins                                    {Receive-As}
    DOMAIN\exadmin                                              {Receive-As}
    DOMAIN\Organization Management                              {Receive-As}
    DOMAIN\ExchangeAdmins                                       {Receive-As}
    DOMAIN\Exchange Organization Administrators                 {Receive-As}
    DOMAIN\DomainAdmin                                          {Receive-As}
    DOMAIN\EnterpriseAdmin                                      {Receive-As}
    DOMAIN\Domain Admins                                        {ms-Exch-EPI-Impersonation}
    DOMAIN\Schema Admins                                        {ms-Exch-EPI-Impersonation}
    DOMAIN\Enterprise Admins                                    {ms-Exch-EPI-Impersonation}
    DOMAIN\Organization Management                              {ms-Exch-EPI-Impersonation}
    DOMAIN\Exchange Organization Administrators                 {ms-Exch-EPI-Impersonation}
    DOMAIN\Domain Admins                                        {ms-Exch-EPI-Token-Serialization}
    DOMAIN\Schema Admins                                        {ms-Exch-EPI-Token-Serialization}
    DOMAIN\Enterprise Admins                                    {ms-Exch-EPI-Token-Serialization}
    DOMAIN\Organization Management                              {ms-Exch-EPI-Token-Serialization}
    DOMAIN\Exchange Organization Administrators                 {ms-Exch-EPI-Token-Serialization}
    DOMAIN\Domain Admins                                        {ms-Exch-Store-Constrained-Delegation}
    DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Constrained-Delegation}
    DOMAIN\Domain Admins                                        {ms-Exch-Store-Transport-Access}
    DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Transport-Access}
    DOMAIN\Domain Admins                                        {ms-Exch-Store-Read-Access}
    DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Read-Access}
    DOMAIN\Domain Admins                                        {ms-Exch-Store-Read-Write-Access}
    DOMAIN\Enterprise Admins                                    {ms-Exch-Store-Read-Write-Access}
    NT AUTHORITY\Authenticated Users
    DOMAIN\Organization Management                              {ms-Exch-Create-Top-Level-Public-Folder}
    DOMAIN\Public Folder Management                             {ms-Exch-Create-Top-Level-Public-Folder}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Create-Top-Level-Public-Folder}
    DOMAIN\Organization Management                              {ms-Exch-Store-Visible}
    DOMAIN\Public Folder Management                             {ms-Exch-Store-Visible}
    DOMAIN\Exchange View-Only Administrators                    {ms-Exch-Store-Visible}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Store-Visible}
    DOMAIN\Organization Management                              {ms-Exch-Store-Admin}
    DOMAIN\Public Folder Management                             {ms-Exch-Store-Admin}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Store-Admin}
    DOMAIN\Organization Management                              {ms-Exch-Store-Create-Named-Properties}
    DOMAIN\Public Folder Management                             {ms-Exch-Store-Create-Named-Properties}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Store-Create-Named-Properties}
    DOMAIN\Organization Management                              {ms-Exch-Modify-PF-ACL}
    DOMAIN\Public Folder Management                             {ms-Exch-Modify-PF-ACL}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-PF-ACL}
    DOMAIN\Organization Management                              {ms-Exch-Mail-Enabled-Public-Folder}
    DOMAIN\Public Folder Management                             {ms-Exch-Mail-Enabled-Public-Folder}
    DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Quotas}
    DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Quotas}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Quotas}
    DOMAIN\Organization Management                              {ms-Exch-Modify-PF-Admin-ACL}
    DOMAIN\Public Folder Management                             {ms-Exch-Modify-PF-Admin-ACL}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-PF-Admin-ACL}
    DOMAIN\Exchange Servers                                     {ms-Exch-EPI-Token-Serialization}
    DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Expiry}
    DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Expiry}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Expiry}
    DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Replica-List}
    DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Replica-List}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Replica-List}
    DOMAIN\Organization Management                              {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
    DOMAIN\Public Folder Management                             {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Modify-Public-Folder-Deleted-Item-Retention}
    DOMAIN\Organization Management                              {ms-Exch-Create-Public-Folder}
    DOMAIN\Public Folder Management                             {ms-Exch-Create-Public-Folder}
    DOMAIN\Exchange Public Folder Administrators                {ms-Exch-Create-Public-Folder}
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Domain Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Domain Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Domain Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Domain Servers
    Everyone                                                    {ms-Exch-Store-Create-Named-Properties}
    NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-Store-Create-Named-Properties}
    Everyone                                                    {ms-Exch-Create-Public-Folder}
    NT AUTHORITY\ANONYMOUS LOGON                                {ms-Exch-Create-Public-Folder}
    Everyone
    NT AUTHORITY\ANONYMOUS LOGON
    Everyone
    NT AUTHORITY\ANONYMOUS LOGON
    DOMAIN\Exchange Servers
    DOMAIN\Exchange Domain Servers
    DOMAIN\Organization Management
    DOMAIN\Public Folder Management
    DOMAIN\Managed Availability Servers
    DOMAIN\Exchange Public Folder Administrators
    NT AUTHORITY\SYSTEM
    DOMAIN\Exchange Domain Servers
    DOMAIN\Exchange Servers
    DOMAIN\Exchange View-Only Administrators
    DOMAIN\exchangeadmin
    DOMAIN\Organization Management
    DOMAIN\ExchangeAdmins
    DOMAIN\Exchange Organization Administrators
    DOMAIN\Exchange Trusted Subsystem
    DOMAIN\Domain Admin
    DOMAIN\Enterprise Admin
    DOMAIN\Enterprise Admins
    DOMAIN\Domain Admins


    Marc Hauge



    • Edited by mhauge Monday, October 24, 2016 4:44 PM
    Monday, October 24, 2016 2:50 PM
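    The following Exchange Management Shell script is an added example and is not code from this thread (neither Marc's nor Niko's). It pulls the same Get-ADPermission data Marc pasted above, but keeps only the SMTP-relevant extended rights on the two broad principals discussed (ANONYMOUS LOGON and Authenticated Users), covers every receive connector on the server so the FrontendTransport connector and the HubTransport "Client Proxy" connector it proxies to appear side by side, and flags the combination Niko's answer leads to (ms-Exch-SMTP-Accept-Any-Recipient for ANONYMOUS LOGON) whenever the connector's RemoteIPRanges are still the unscoped default. It assumes only the standard Get-ReceiveConnector and Get-ADPermission cmdlets; the right names are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumption: standard Exchange 2013/2016 cmdlets Get-ReceiveConnector and Get-ADPermission.

# Extended rights that decide whether a session may use an arbitrary MAIL FROM,
# relay to non-accepted domains, or skip anti-spam (names as quoted in the thread).
$watchRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
    'ms-Exch-SMTP-Accept-Any-Recipient',
    'ms-Exch-Bypass-Anti-Spam'
)

# Principals that mean "anyone who can reach the port" or "any domain account".
$broadPrincipals = @(
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users'
)

# The range a default connector ships with. Anonymous Accept-Any-Recipient on a
# connector that still carries this range is an open relay.
$unscoped = '0.0.0.0-255.255.255.255'

$report = foreach ($rc in Get-ReceiveConnector) {
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })

    # Explicit (non-inherited) Allow entries for the broad principals only.
    $aces = Get-ADPermission -Identity $rc.Identity | Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        ($broadPrincipals -contains $_.User.ToString())
    }

    foreach ($ace in $aces) {
        foreach ($right in @($ace.ExtendedRights)) {
            $rightName = $right.ToString()
            if ($watchRights -notcontains $rightName) { continue }

            $principal = $ace.User.ToString()
            [pscustomobject]@{
                Connector      = $rc.Name
                Server         = $rc.Server
                TransportRole  = $rc.TransportRole
                Bindings       = ($rc.Bindings -join ', ')
                RemoteIPRanges = ($ranges -join ', ')
                Principal      = $principal
                Right          = $rightName
                # True only for unauthenticated relay on an unscoped connector.
                OpenRelayRisk  = ($principal -eq 'NT AUTHORITY\ANONYMOUS LOGON' -and
                                  $rightName -eq 'ms-Exch-SMTP-Accept-Any-Recipient' -and
                                  ($ranges -contains $unscoped))
            }
        }
    }
}

# Risky rows first, then grouped by connector.
$report |
    Sort-Object @{ Expression = 'OpenRelayRisk'; Descending = $true }, Connector, Principal |
    Format-Table Connector, TransportRole, Principal, Right, RemoteIPRanges, OpenRelayRisk -AutoSize
```

    Reading the output against the thread: a row for the FrontendTransport connector with Authenticated Users and ms-Exch-SMTP-Accept-Any-Sender confirms Marc's grant is in place, and the absence of a matching row on the HubTransport "Client Proxy" connector is consistent with his observation that the proxied session is evaluated there. Any row with OpenRelayRisk set to True should be narrowed with Set-ReceiveConnector -RemoteIPRanges before anonymous relay is left enabled, which is the scoping Niko's answer relies on.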