Exchange 2013 - create send connector from Edge to internal MB server (non-subscribed)

    General discussion

  • We have created a new Exchange organization in a resource forest that runs parallel to our corporate installation. Both systems are running Exchange 2013. I want to have both systems use the same Edge servers (also 2013).
    - Let's call the original Exchange installation CORP
    - Let's call the new Exchange installation RESOURCE

    The Edge servers are subscribed to the CORP systems. I am trying to get a new send connector on the Edge servers to send a certain mail domain to the RESOURCE system. I created a new connector using ECP on the CORP system and see it has replicated to the Edge servers. When I send a message that will go through the new connector, delivery fails stating that the Client does not have permissions to send as this sender. ( 5.7.1 smtp;550 )

    I configured the Edge server send-connector to use Basic Authentication AFTER starting TLS. I have an account created in the RESOURCE forest and entered it and credentials on the send connector. I am sending on port 2525 to send to the Default receive connector (HUB) on the internal mailbox server (RESOURCE system).

    On the receive connector I checked the Basic Authentication option along with the Offer basic authentication only after starting TLS. ( default hub transport - receiving on port 2525 )
    I made sure that the certificate chains are present on all the servers to ensure certificate validation.

    I read the following links in preparation for making the above changes:
    - https://blogs.technet.microsoft.com/ehlro/2015/03/30/exchange-2013-edge-as-a-smarthost-with-basic-over-tls-authentication/
    - https://technet.microsoft.com/en-us/library/bb232082%28v=exchg.150%29.aspx

    After I get the inbound messages delivering to the RESOURCE system, I will then create an outbound send-connector on the RESOURCE MB server with an associated receive-connector on the Edge servers (also BASIC Authentication).

    Any suggestions for getting around the issue?  --  the Client does not have permissions to send as this sender. ( 5.7.1 smtp;550 )
    Should I be using a receive connector other than the Default Hub Transport receive connector?
    Will adding Basic Authentication to this receive connector adversely impact any other default Exchange routing?
    Does the AD account used for the Basic Authentication require any special permissions?


    Anxious to hear how bad I messed things up  :)

    Thanks in advance
    Tom

    • Changed type Tom_Slycke Tuesday, June 14, 2016 6:31 PM dont need the answer
    Wednesday, June 8, 2016 4:51 PM

All replies

  • OK, I tested delivery all morning with the powershell command:

       send-mailmessage -SMTP Edge.corp.com -to resourceuser@resource.com -from me@corp.com -subject test -body test

    and received error message

    Remote Server returned '<mailserver.resource.Com #5.7.1 smtp;550 5.7.1 Client does not have permissions to send as this sender>'

    Changing the -from parameter to the SMTP address of the service account I used for the connector, delivery succeeded. Is this telling me that the service account used for the Basic Authentication on the connector needs to have elevated permissions in Exchange?

    Tom

    Wednesday, June 8, 2016 6:31 PM
  • OK, never mind. I went away from Basic Authentication and am using remoteIP settings to limit access to the receive connectors.

    Tom

    Tuesday, June 14, 2016 6:29 PM
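
The approach in the last reply, limiting a receive connector by remote IP instead of Basic Authentication, could look like this in the Exchange Management Shell. This is an added example, not commands from the thread; the server name, connector name and Edge addresses are placeholders, and the use of the AnonymousUsers permission group is an assumption.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# of the RESOURCE organization. Names and addresses are placeholders.
$Server  = 'RESOURCE-MB01'              # hypothetical RESOURCE mailbox server
$Name    = 'From CORP Edge'             # hypothetical connector name
$EdgeIPs = '192.0.2.10', '192.0.2.11'   # constructed addresses for the Edge servers

# Dedicated connector on the same port as the default hub transport connector.
# Exchange picks the connector with the most specific RemoteIPRanges match, so
# only sessions from $EdgeIPs land here; all others still hit the default one.
# Assumption: AnonymousUsers is used because no credentials are presented.
New-ReceiveConnector -Name $Name -Server $Server -TransportRole HubTransport `
    -Usage Custom -Bindings '0.0.0.0:2525' -RemoteIPRanges $EdgeIPs `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Review: which connectors listen on 2525, from where, and with what auth.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Bindings -match ':2525$' } |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# Review: what an unauthenticated session may do on the new connector.
Get-ADPermission -Identity "$Server\$Name" -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights } |
    Select-Object User, ExtendedRights, Deny
```

With this design the connector trusts the source address alone, so RemoteIPRanges should list only the Edge hosts and be re-checked whenever their addresses change.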