ms-Exch-SMTP-Accept-Any-Sender on ReceiveConnector does not work

    Question

  • Hi Everybody,

    while deploying Exchange 2013 (first Exchange server in organization) I recognized that authorized users are only allowed to send as users configured recording their mailbox.

    Now we have users/devices sending with SMTP (no Outlook!) that should be allowed to send as any sender (for whom no mailbox might be configured).

    We have some internal ReceiveConnector configured (SMTP-LAN-Relay) and I have set extended permissions with:

    [PS] C:\Windows\system32>Add-AdPermission -Identity "SMTP-LAN-Relay" -User "NT-AUTORITÄT\Authentifizierte Benutzer" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

    I can see these permissions also when querying the permissions:

    [PS] C:\Windows\system32>Get-ReceiveConnector |Get-ADPermission|where {$_.User -like '*authentifi*'}|ft identity,user,extendedrights,accessrights
    
    Identity                              User                                  ExtendedRights                       AccessRights
    --------                              ----                                  --------------                       ------------
    VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
    VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
    VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
    VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
    VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
    VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
    VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
    VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
    VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
    VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
    VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Sender}     {ExtendedRight}
    VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
    VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
    VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
    VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
    VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
    VM-EXCHANGE01\Outbound Proxy Front... NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
    VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
    VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
    VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
    VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
    VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
    VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
    VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
    VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
    VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
    VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Sender}     {ExtendedRight}
    VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
    VM-EXCHANGE01\SMTP-MX-NoRelay         NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}

    Unfortunately this setting is not working at all, that means I still get errors

    5.7.1 Client does not have permissions to send as this sender

    when sending as nomailboxexists@domain.tld while authenticating as my.user@domain.local
    I also tried ms-Exch-SMTP-Accept-Authoritative-Domain-Sender already instead of Accept-Any-Sender, no change.

    Any ideas? Any help?

    Thanks a lot in advance!

    Matt



    • Edited by blindzero Wednesday, July 10, 2013 8:33 PM
    Wednesday, July 10, 2013 8:15 PM

All replies

  • That right doesn't control "Send As", it allows all authenticated users to submit messages that are destined outside your Exchange organization, i.e., relay mail.

    Is the AnonymousUsers in the PermissionsGroups property of the receive connector?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Saturday, July 13, 2013 3:06 AM
    Moderator
  • Hi Ed,

    Thanks for your input, but are you really sure about this? I think what you mean is accept-any-recipient.

    It is documented that the receive connector right ms-Exch-SMTP-Accept-Any-Sender is used to bypass anti-spoofing checks. That's exactly what I want. But it seems that there is an issue on Exch 2013 with Frontend-Transport connectors and this right. With Hub-Transport it is working:

    http://social.technet.microsoft.com/Forums/exchange/en-US/611d9d06-c3dd-4483-b5cd-96ff30ef34d8/exchange2013-msexchsmtpacceptanysender-not-working-with-frontendtransport#611d9d06-c3dd-4483-b5cd-96ff30ef34d8

    http://www.networksteve.com/exchange/topic.php/550_5.7.1_Unable_to_relay_for_external_domains_on_Exchange_2013/?TopicId=37788&Posts=1

    • Marked as answer by blindzero Saturday, July 13, 2013 12:16 PM
    Saturday, July 13, 2013 12:16 PM
  • Looking at the second link you provided, what you are doing is what I said, enabling SMTP relay.  The way I've always done that is to create a receive connector limited to the source IP addresses that are allowed to send to it, and then adding the right to the connector.  It would be something like this:

    New-ReceiveConnector -Name Relay -Bindings 0.0.0.0:25 -RemoteIpRanges 123.123.123.123 -PermissionGroups AnonymousUsers

    Add-AdPermission ...


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Saturday, July 13, 2013 4:32 PM
    Moderator
  • Hi Ed,

    but these are two different things! Even when not wanting to have relay enabled (accept-any-recipient), the bypass of anti-spoofing with accept-any-sender is not working with frontend-transport connectors for authenticated users - only for anonymous (which I don't want here).

    Creating a new connector with the given command creates a Hub-Transport connector in EX2K13, which is not intended to be used for client communication.

    Sunday, July 14, 2013 7:18 PM
  • Hi everybody,

    Several years later, I encountered the same issue and Microsoft Premier Support gave me a solution:

    https://technet.microsoft.com/en-us/library/aa996549(v=exchg.150).aspx

    If this can help.

    Friday, October 20, 2017 12:10 PM
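
The thread turns on which receive connectors grant the sender-check rights, to which principal, and on which transport role. The audit below is an added example for the Exchange Management Shell, not code from any poster; it resolves the well-known SIDs S-1-5-11 and S-1-5-7 so that it also matches localized account names such as the German ones in the question.

```powershell
# Added example: list receive connectors on which Authenticated Users or
# Anonymous Logon may bypass the sender (anti-spoofing) check.

# Well-known SIDs, resolved to the local display name
# (e.g. "NT-AUTORITÄT\Authentifizierte Benutzer" on a German system).
$wellKnown = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
}
$principals = @{}
foreach ($sid in $wellKnown.Keys) {
    $sidObject = New-Object System.Security.Principal.SecurityIdentifier $sid
    $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    $principals[$account] = $wellKnown[$sid]
}

# The two rights named in the question.
$senderRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
)

# Collect the connectors first; nesting cmdlets inside a running pipeline
# can fail in a remote Exchange session.
$connectors = @(Get-ReceiveConnector)

$findings = foreach ($connector in $connectors) {
    foreach ($ace in @($connector | Get-ADPermission)) {
        if ($ace.Deny -or -not $ace.ExtendedRights) { continue }
        $user = $ace.User.ToString()
        if (-not $principals.ContainsKey($user)) { continue }
        foreach ($right in $ace.ExtendedRights) {
            if ($senderRights -contains $right.ToString()) {
                [pscustomobject]@{
                    Connector      = $connector.Identity
                    TransportRole  = $connector.TransportRole
                    Principal      = $principals[$user]
                    Right          = $right.ToString()
                    RemoteIPRanges = ($connector.RemoteIPRanges -join ', ')
                }
            }
        }
    }
}

$findings | Sort-Object Connector, Right | Format-Table -AutoSize -Wrap
```

Each row is a connector on which the listed principal is exempt from the sender check; the RemoteIPRanges column shows how widely that connector is reachable, which is the scoping Ed Crowley's reply relies on.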