Custom Receive Connector rejects emails

    Question

  • Hello,

    We are migrating from 2010 to 2013. We have a 2010 hub server that has a relay connector (dedicated IP) for our Linux/ASP/vendors to send emails. The connector is set with anonymous and also with (Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient). So if applications send emails to internal AD users, there is no authentication needed on the connector and mail goes through. If applications need to send externally, then we add their IPs to the Remote range IP and it works fine. This setting has been in place for years with no issue. Now, enter 2013. We have a dedicated MBX server (no CAS role) that we are trying to dedicate to applications relay the same way as the existing 2010 box. I create the connector (New-ReceiveConnector -Name "SMTP-Relay-SERVER1" -Server SERVER1 -Usage Custom -Bindings 192.168.1.20:25 -RemoteIPRanges 192.168.1.1-192.168.1.10 -MaxMessageSize 20MB), I add anonymous and then I run Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient. Now when third-party applications try to send, they get an error: The server rejected the sender address. The server response was: 530 5.7.1 Client was not authenticated. This is for internal AD users, so I am assuming we should be able to send. Any ideas?

    Monday, February 27, 2017 9:14 PM

All replies

  • Make sure you create the Receive Connector as a Front End connector and not a HubTransport.

    Paul Cunningham has a great guide to setting this up.

    http://practical365.com/exchange-server/exchange-2013-configure-smtp-relay-connector/


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Monday, February 27, 2017 9:43 PM
  • There is no Front End connector. This is a single role MBX server. The only option we have is the HUB role.

    • Edited by Mike Logan Monday, February 27, 2017 9:49 PM
    Monday, February 27, 2017 9:49 PM
  • Why do you only have the Mailbox Server Role installed? The preferred architecture recommends colocating the roles on the same server. Since the Hub Transport role was absorbed by both the Client Access Server and Mailbox Server role, this might be something you need the CAS piece to run through.

    Monday, February 27, 2017 10:01 PM
  • That's the requirement for this setup. We already have a 6-node DAG; each node is a MBX CAS. We have a dedicated CAS server (no MBX role) for webmail and ActiveSync. And then we have this single-role MBX box that they need to dedicate to mail relay internally (applications, etc.) and incoming emails from the internet. That's the setup in a nutshell, so we cannot install a CAS role on this MBX. Is this doable?

    • Edited by Mike Logan Monday, February 27, 2017 10:07 PM
    Monday, February 27, 2017 10:07 PM
  • Sure, you can create on the CAS role, it will then proxy the actual connection through a mbx server.
    Monday, February 27, 2017 10:26 PM
  • Not on the CAS. Can we create one on the MBX server (no CAS role) and have it do what we want it to do, or is there a limitation with a Receive Connector when created on a mailbox server?
    Tuesday, February 28, 2017 12:00 AM
  • No, because on the MBX only role server, you can only create "Hub Transport" role receive connectors. Those aren't intended for external SMTP servers and can actually cause things to break if you have 2 that listen on the same port (25). (Note you can not create a FrontEnd Transport rec conn on a mbx only server via the GUI)

    The FrontEnd Transport is intended for scenarios such as yours and lives only on the CAS role.

    Tuesday, February 28, 2017 2:23 AM
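
An audit of the settings this thread turns on, as an added example that is not part of the original thread: it lists each Receive Connector on a server with its transport role, bindings, remote IP ranges, and whether Anonymous Logon holds the Accept-Any-Recipient right, then shows bindings shared by connectors of different transport roles. The server name SERVER1 is taken from the question; the wide-open range string is assumed to be the default IPv4 value as Exchange displays it.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2013).
$Server = 'SERVER1'                      # server name from the question
$Anon   = 'NT AUTHORITY\ANONYMOUS LOGON'
$Wide   = '0.0.0.0-255.255.255.255'      # assumed display form of "any IPv4 client"

$report = foreach ($rc in Get-ReceiveConnector -Server $Server) {
    # Extended rights allowed (not denied) for Anonymous Logon on this connector.
    $rights = @(Get-ADPermission -Identity $rc.Identity -User $Anon -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } })

    $ranges  = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
    $anonOn  = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
    $anyRcpt = [bool]($rights -like '*SMTP-Accept-Any-Recipient')

    [pscustomobject]@{
        Name          = $rc.Name
        TransportRole = $rc.TransportRole   # FrontendTransport or HubTransport
        Bindings      = ($rc.Bindings | ForEach-Object { "$_" }) -join ', '
        RemoteRanges  = $ranges -join ', '
        Anonymous     = $anonOn
        AnyRecipient  = $anyRcpt
        # Anonymous relay to any recipient from any source address is an open relay.
        OpenRelay     = $anonOn -and $anyRcpt -and ($ranges -contains $Wide)
    }
}

$report | Sort-Object Bindings | Format-Table -AutoSize

# Bindings shared by connectors of different transport roles (the same-port
# situation the last reply warns about); review each group that is listed.
$report | Group-Object Bindings |
    Where-Object { @($_.Group | Select-Object -ExpandProperty TransportRole -Unique).Count -gt 1 } |
    ForEach-Object { '{0}: {1}' -f $_.Name, (($_.Group | ForEach-Object { $_.Name }) -join ', ') }
```

A relay connector like the one in the question should show Anonymous and AnyRecipient as True with RemoteRanges limited to the application hosts, and OpenRelay as False.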