locked
set up exchange 2007 as Outgoing SMTP Server RRS feed

  • Question

  • Hi there,

    We have a user outside our network who uses MS Outlook 2007 to connect to our exchange server using IMAP4 but keeps having issues with sending email out.

    on Exchange 2007:
    We have the receive connector listed as Client Connector, which has port 587
    this connector was created by default after installation and no settings has been changed

    on Outlook 2007 client:
    set up incoming AND outgoing server as our exchange 2007 server
    when he click the test connection button, there were 2 processes listed:
    - logon to domain ... : successful
    - sending test message: connection timed out

    we set up everything correct (I think):
    Incoming using port 993 SSL
    Outgoing using port 587 TLS (using same authentication as incoming)

    Connection definitely not blocked by the firewall on both ports.
    I'm pretty sure the issue lies with the server itself since i also tried it using thunderbird and got the same issue.

    help?

     

    Note:
    we also installed Exchange 2010 on the network but it hasn't been configured yet


    Andrew P.
    Wednesday, April 13, 2011 10:22 AM

Answers

  • Hi Andrew,

     

    For this issue, I suggest you follow these steps to troubleshoot the problem:

     

    1.       Use this command to grant NT AUTHORITY\SELF send as permission, then check whether it will go or not?

     

    Get-Mailbox MailboxName | Add-ADPermission –user “NT AUTHORITY\SELF” –ExtendedRights Send-As

     

    2.       If you still cannot grant NT AUTHORITY\SELF send as permission, I suggest you follow these steps to have a try:

     

    <1> Run this command in CMD:

             dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As" (note: Replace "dc=<mydomain>,dc=com" with the distinguished name of your domain)

     

    <2> After that, follow step1 to grant NT AUTHORITY\SELF send as permission, then check whether this issue will occur or not.

     

    Sorry that I didn’t explain clearly, this issue may because the user is member of protected group does not match the security descriptor on the AdminSDHolder object, the user’s security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object.

     

    You can know more information from this document:

     

    The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

    http://support.microsoft.com/kb/907434

     

     

    Thanks,

     

    Evan


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, April 20, 2011 6:58 AM
    Moderator

All replies

  • Can you telnet to 587?
    Wednesday, April 13, 2011 3:23 PM
  • after much troubleshooting, I found the issue.

    1. McAfee blocks the connection
      - resolved -
    2. the user account I used has no NT AUTHORITY\SELF listed in the Send As permission group
      I don't know why but after I set it last night, it's gone again this morning
      Any idea?
      - resolved temporarily -

    even though testing the account via Outlook 2007 works, when I start it up it refuse to get any emails in.
    when I do the send/receive, I got this message:

    Your IMAP server closed the connection. This can occur if you leave the connection idle for too long.
    Details:
    Connection is closed. 15
        Protocol:    IMAP
        Server:    MYSERVER.DOMAIN.COM
        Port:    993
        Error Code:    0x800CCCDD

    sending email out is now ok though.

    I'll post the IMAP issue on another post.


    Andrew P.
    Thursday, April 14, 2011 1:12 AM
  • Hi Andrew,

     

    The user account I used has no NT AUTHORITY\SELF listed in the Send As permission group

     

    The behavior you have seen shouldn’t happen, unless it is an admin level account that has the send as permission. By default the admin level account cannot hold that permission.

     

    Exchange 2007 Permissions: Frequently Asked Questions

    http://technet.microsoft.com/en-us/library/bb310792(EXCHG.80).aspx

     

    Error “Your IMAP server closed the connection. This can occur if you leave the connection idle for too long”

     

    This might be some folders in User mailbox causing the issue. In some threads it is because a duplicate folder in client’s mailbox created by IMAP client.

     

    You can get more information from these similar threads:

     

    IMAP not working for one user only? Problem

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrtransport/thread/342ff88e-d0a8-409f-96b2-c9cf7f31c8f1

     

    IMAP account configuration issue

    http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/da569d41-3136-42aa-aa2a-8a2d55e365c9

     

    Thanks,

     

    Evan


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, April 18, 2011 1:21 PM
    Moderator
  • the only admin group I belong to is Exchange Public Folder Administrators.
    I've checked the links but it didn't say anything about send as permission being denied for that particular group.

    I've created a new post for the IMAP issue here:
    http://social.technet.microsoft.com/Forums/en-AU/exchangesvrclients/thread/b418d42a-ce66-4cfa-adb9-e6e24ec769f4



    Andrew P.
    • Edited by p.andrew Monday, April 18, 2011 11:47 PM links to IMAP issue
    Monday, April 18, 2011 11:43 PM
  • Hi Andrew,

     

    For this issue, I suggest you follow these steps to troubleshoot the problem:

     

    1.       Use this command to grant NT AUTHORITY\SELF send as permission, then check whether it will go or not?

     

    Get-Mailbox MailboxName | Add-ADPermission –user “NT AUTHORITY\SELF” –ExtendedRights Send-As

     

    2.       If you still cannot grant NT AUTHORITY\SELF send as permission, I suggest you follow these steps to have a try:

     

    <1> Run this command in CMD:

             dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As" (note: Replace "dc=<mydomain>,dc=com" with the distinguished name of your domain)

     

    <2> After that, follow step1 to grant NT AUTHORITY\SELF send as permission, then check whether this issue will occur or not.

     

    Sorry that I didn’t explain clearly, this issue may because the user is member of protected group does not match the security descriptor on the AdminSDHolder object, the user’s security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object.

     

    You can know more information from this document:

     

    The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

    http://support.microsoft.com/kb/907434

     

     

    Thanks,

     

    Evan


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, April 20, 2011 6:58 AM
    Moderator
  • I haven't tried the CLI commands but I set the send as permission via exchange management console (Exchange 2007).
    it was set ok but a few hours later it removed the NT AUTHORITY\SELF from my mailbox account.

    Will that be the same thing or I should still try the CLI?

    also, the link saying something about Exchange 5.5, which is not exist in our organization.
    and it also advised me to "do not use accounts that are members of protected groups"
    Where or what are these protected groups?


    Andrew P.
    Thursday, April 21, 2011 5:05 AM
  • Hi Andrew,

     

    I tested on my lab (Exchange 2007 SP3), it works for my Administrator account.

     

    If you don’t want to change the setting for ADminsdholder, you can use account which is not added in protected group.

     

    The protected group for Windows:

     

    Windows 2000 Server RTM
    Windows 2000 Server with SP1
    Windows 2000 Server with SP2
    Windows 2000 Server with SP3

    Windows 2000 Server with SP4
    Windows Server 2003 RTM

    Windows Server 2003 with SP1
    Windows Server 2003 with SP2

    Windows Server 2008 RTM
    Windows Server 2008 R2

    Administrators

    Account Operators

    Account Operators

    Account Operators

    Domain Admins

    Administrator

    Administrator

    Administrator

    Enterprise Admins

    Administrators

    Administrators

    Administrators

    Schema Admins

    Backup Operators

    Backup Operators

    Backup Operators

     

    Cert Publishers

    Domain Admins

    Domain Admins

     

    Domain Admins

    Domain Controllers

    Domain Controllers

     

    Domain Controllers

    Enterprise Admins

    Enterprise Admins

     

    Enterprise Admins

    Krbtgt

    Krbtgt

     

    Krbtgt

    Print Operators

    Print Operators

     

    Print Operators

    Replicator

    Read-only Domain Controllers

     

    Replicator

    Schema Admins

    Replicator

     

    Schema Admins

    Server Operators

    Schema Admins

     

    Server Operators

     

    Server Operators

     

    Thanks,

     

    Evan


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, April 21, 2011 3:53 PM
    Moderator