I am trying to set up a receive connector as described in https://www.codetwo.com/admins-blog/how-to-prevent-internal-email-spoofing-in-exchange/
This receive connector listens to IP ranges from the internal network. Here is how I created the connector:
New-ReceiveConnector -Name "Internal Clients" -TransportRole FrontendTransport -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.0.50 -AuthMechanism TLS,Integrated -PermissionGroups ExchangeUsers
The IP address is from the machine I'm doing the testing from. Now I want to send a message from this computer. I am testing with PowerShell.
Send-MailMessage -SmtpServer exchange2013@domain.com -UseSsl -From TEST@domain.com -to TEST@domain.com -Subject "Test"
In the link mentioned above, this seemed to work immediately. I, however, get the following error message:
Send-MailMessage: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated
I'm logged in as TEST@domain.com. So I thought that maybe this doesn't work because the receive connector doesn't have anonymous access and that I have to provide credentials.
After manually providing the credentials with the -Credentials parameter, I receive the following message instead.
5.7.1 Client does not have permissions to send as this sender
This doesn't make any sense to me, since I am literally authenticating as the AD user of the mailbox, but I cannot send mails.
The FrontendTransport Receive Connector Log has the following entries:
2020-01-31T09:01:02.552Z,SERVER\Internal Clients,73D4991F209,46,192.168.0.1:25,192.168.0.50:52691,*,DOMAIN\TEST,authenticated
2020-01-31T09:01:02.583Z,SERVER\Internal Clients,73D4991F209,47,192.168.0.1:25,192.168.0.50:52691,*,,Proxy session was successfully set up. Outbound session will now be proxied
2020-01-31T09:01:02.583Z,SERVER\Internal Clients,73D4991F209,48,192.168.0.1:25,192.168.0.50:52691,>,235 2.7.0 Authentication successful,
2020-01-31T09:01:02.661Z,SERVER\Internal Clients,73D4991F209,49,192.168.0.1:25,192.168.0.50:52691,-,,Remote(SocketError)
It looks like the authentication goes through, but after that there is an error?
Okay, I found the log of the connector which it gets proxied to. This basically just shows the message that I already get in my PowerShell session:
2020-01-31T09:21:26.875Z,SERVER\Client Proxy SERVER,48F69B08,67,192.168.0.1:465,192.168.0.50:13767,>,550 5.7.1 Client does not have permissions to send as this sender,
2020-01-31T09:21:26.875Z,SERVER\Client Proxy SERVER,48F69B08,68,192.168.0.1:465,192.168.0.50:13767,-,,Remote(ConnectionReset)
So I guess my question would now be: why am I being refused when sending as the sender who owns the mailbox?