2

We just upgraded a customer to Exchange 2013 from Exchange 2010. The 2010 machine is still in place, but all the mailboxes have been moved over to the 2013 machine.

The users have absolutely no problem exchanging mail inside or outside with Outlook, ActiveSync etc.

However, a few users have to send emails from a 3rd party program that just uses SMTP. With this, it fails with:

550 5.7.1 Client does not have permissions to send as this sender

To troubleshoot I used telnet into the SMTP server. It connects fine, takes the AUTH LOGIN with their username and password successfully, but then rejects sending the email, even though it is their own email address, and listed under their user.

I'm really out of ideas here. It worked fine before with Exchange 2010 and I don't remember doing anything special.

EDIT: I just noticed that it does seem to work with my account.

EDIT 2: Created a test user and it works for them as well. It must be something going on with only some accounts.

EDIT 3: I added them as being able to send to their own account in the Exchange admin center. This allowed the email to go through. I don't quite understand why this would need to be since my account is not set that way and works correctly. Obviously something is still wrong, but at least this buys me time.

Another thing I tried was adding the "NT AUTHORITY\SELF" account send permissions on the mailbox. It appears this fixes the problems for a lot of people, but in my case that permission was already set.

Tamerz
  • Are the users without the "NT AUTHORITY\SELF" send-as permission members of privileged groups? http://social.technet.microsoft.com/Forums/exchange/en-US/1161cfa7-feb0-44f5-af85-fe8c0f59b84d/nt-authority-self-disappearing – Jeremy Lyons Jul 31 '13 at 16:11
  • I just realized I didn't state that last sentence well. Every mailbox already had the "NT AUTHORITY\SELF" set. The "other people" I was talking about were people on other forums, not in the organization. It is a mix of privileged and not privileged people not working. My test account I created was a basic user, one person who can't send is a domain admin. – Tamerz Jul 31 '13 at 19:53
  • I've applied this solution, but for some users in the organization the problems with SMTP persist. For others, including my account, there is no problem. I have no idea what to do next... –  Jun 16 '14 at 11:08

2 Answers

2

I finally called Microsoft to get this resolved. The issue appeared to be permissions on the "Client Proxy" HubTransport receive connector. They went into ADSI Edit, Configuration -> Services -> Microsoft Exchange -> DOMAINNAME -> Administrative Groups -> Exchange Administrative Group -> Servers -> SERVERNAME -> Protocols -> SMTP Receive Connectors, then went to the properties for the "Client Proxy SERVERNAME" entry.

Then, on the security tab, went to "Authenticated Users" and made sure "Accept any Sender" and "Accept Authoritative Domain Sender" were set.

Once these were set it began working. I'm not sure what the defaults would be, and if these are the defaults, why ours was not set to that. We didn't change anything with the built-in receive connectors.

Tamerz
0

A little more information: Start ADSIedit as an administrator.

When ADSIEdit starts, right-click on ADSIEDIT in top left corner, choose "Connect to".

Under "Select a well known Naming Context", pull-down to 'Configuration'.

Browse to "Configuration" -> CN=Configuration -> CN=Services -> CN=Microsoft Exchange -> CN=your Organization -> CN=Administrative Groups -> CN=Exchange Administrative Groups -> CN=servers -> CN=Your Exchange Server name -> CN=Protocols -> CN=SMTP Receive Connectors

Right-click on "CN=Client Proxy your-server-name" and change permissions on Authenticated Users to include ALLOW for both "Accept Any Sender" and "Accept Authoritative Domain Sender".
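Added example, not part of either answer and not Microsoft's own script: a PowerShell audit of the two rights the answers set in ADSI Edit, so the connector's state can be recorded before and after the change. It assumes the checkboxes map to the extended rights `ms-Exch-SMTP-Accept-Any-Sender` and `ms-Exch-SMTP-Accept-Authoritative-Domain-Sender`; `Get-SenderRightState` is a hypothetical helper and the sample ACEs are constructed so the block runs without an Exchange server.

```powershell
# Extended rights assumed to correspond to the two ADSI Edit checkboxes named in the answers.
$SenderRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',                   # bypasses the sender address spoofing check
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'   # allows senders in authoritative domains
)

function Get-SenderRightState {
    # Hypothetical helper: for each right, report Allow, Deny or NotSet for one trustee.
    param(
        [Parameter(Mandatory)] [object[]] $Ace,   # objects shaped like Get-ADPermission output
        [string] $Trustee = 'NT AUTHORITY\Authenticated Users'
    )
    foreach ($right in $SenderRights) {
        # ACEs for this trustee that carry the right (names compared as strings)
        $hits = @($Ace | Where-Object {
            $_.User -eq $Trustee -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right)
        })
        $denied = @($hits | Where-Object { $_.Deny }).Count -gt 0
        # An explicit Deny entry overrides any Allow entry for the same right
        $state = if ($denied) { 'Deny' } elseif ($hits.Count -gt 0) { 'Allow' } else { 'NotSet' }
        [pscustomobject]@{ Trustee = $Trustee; Right = $right; State = $state }
    }
}

# Constructed sample ACEs: a connector where Authenticated Users can submit mail
# but holds only one of the two sender rights.
$sample = @(
    [pscustomobject]@{
        User           = 'NT AUTHORITY\Authenticated Users'
        Deny           = $false
        ExtendedRights = @('ms-Exch-SMTP-Submit', 'ms-Exch-SMTP-Accept-Any-Recipient')
    }
    [pscustomobject]@{
        User           = 'NT AUTHORITY\Authenticated Users'
        Deny           = $false
        ExtendedRights = @('ms-Exch-SMTP-Accept-Authoritative-Domain-Sender')
    }
)
Get-SenderRightState -Ace $sample | Format-Table -AutoSize

# On a real server, from the Exchange Management Shell (SERVERNAME is a placeholder):
#   $ace = Get-ReceiveConnector 'SERVERNAME\Client Proxy SERVERNAME' | Get-ADPermission
#   Get-SenderRightState -Ace $ace
```

Because `ms-Exch-SMTP-Accept-Any-Sender` turns off the sender address check for every authenticated session on that connector, keeping the before and after output with the change record makes the grant easy to review later.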