
We have a number of devices that send email through our Exchange 2010 server. These devices all authenticate using a domain user prior to sending the message and this was working fine on 2010. We are now migrating to Exchange 2016 and I am trying to configure the receive connector to allow the same thing but I can't get it to work. Here is the configuration of my receive connector:

[PS] C:\>Get-ReceiveConnector "EX2016\default frontend EX2016" | fl
RunspaceId                                : 68459e4b-3af8-411d-a616-7db360d20905
AuthMechanism                             : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                    :
BinaryMimeEnabled                         : True
Bindings                                  : {[::]:25, 0.0.0.0:25}
ChunkingEnabled                           : True
DefaultDomain                             :
DeliveryStatusNotificationEnabled         : True
EightBitMimeEnabled                       : True
SmtpUtf8Enabled                           : False
BareLinefeedRejectionEnabled              : False
DomainSecureEnabled                       : True
EnhancedStatusCodesEnabled                : True
LongAddressesEnabled                      : False
OrarEnabled                               : False
SuppressXAnonymousTls                     : False
ProxyEnabled                              : False
AdvertiseClientSettings                   : False
Fqdn                                      : EX2016.example.com
ServiceDiscoveryFqdn                      :
TlsCertificateName                        :
Comment                                   :
Enabled                                   : True
ConnectionTimeout                         : 00:10:00
ConnectionInactivityTimeout               : 00:05:00
MessageRateLimit                          : Unlimited
MessageRateSource                         : IPAddress
MaxInboundConnection                      : 5000
MaxInboundConnectionPerSource             : 20
MaxInboundConnectionPercentagePerSource   : 2
MaxHeaderSize                             : 256 KB (262,144 bytes)
MaxHopCount                               : 60
MaxLocalHopCount                          : 5
MaxLogonFailures                          : 3
MaxMessageSize                            : 25 MB (26,214,400 bytes)
MaxProtocolErrors                         : 5
MaxRecipientsPerMessage                   : 200
PermissionGroups                          : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled                         : True
ProtocolLoggingLevel                      : Verbose
RemoteIPRanges                            : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                         : False
RequireTLS                                : False
EnableAuthGSSAPI                          : False
ExtendedProtectionPolicy                  : None
LiveCredentialEnabled                     : False
TlsDomainCapabilities                     : {}
Server                                    : EX2016
TransportRole                             : FrontendTransport
RejectReservedTopLevelRecipientDomains    : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains         : False
SizeEnabled                               : Enabled
TarpitInterval                            : 00:00:05
MaxAcknowledgementDelay                   : 00:00:30
AdminDisplayName                          :
ExchangeVersion                           : 0.1 (8.0.535.0)
Name                                      : Default Frontend EX2016
DistinguishedName                         : CN=Default Frontend EX2016,CN=SMTP Receive
                                            Connectors,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
                                            Administrative Group (###########),CN=Administrative Groups,CN=Org
                                            Unit,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,
                                            DC=com
Identity                                  : EX2016\Default Frontend EX2016
ObjectCategory                            : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                               : {top, msExchSmtpReceiveConnector}
WhenChanged                               : 20/09/2016 8:21:49 AM
WhenCreated                               : 08/09/2016 8:02:11 AM
WhenChangedUTC                            : 20/09/2016 1:21:49 PM
WhenCreatedUTC                            : 08/09/2016 1:02:11 PM
OrganizationId                            :
Id                                        : EX2016\Default Frontend EX2016
OriginatingServer                         : dc.example.com
IsValid                                   : True
ObjectState                               : Unchanged

And this is the SMTP log of a connection attempt:

+,,
>,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
<,EHLO printer.example.com,
>,250  EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
<,AUTH NTLM,
>,334 <authentication response>,
>,334 <authentication response>,
*,,Inbound Negotiate failed because of LogonDenied
*,,User Name: NULL
*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
>,535 5.7.3 Authentication unsuccessful,
-,,Remote(SocketError)

I don't think I should be using an anonymous relay connector because I am authenticating with a domain user/password. What am I doing wrong?

Edit: I should note that these printers need to be able to send email externally as well as internally.

Caynadian
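An added example, not part of the original question or its log: a PowerShell function that reads Exchange SMTP Receive protocol log rows of the kind excerpted above and reports, per remote address, how many sessions attempted AUTH, how many got 235 and how many got 535, plus the user names the log recorded. It is useful both for finding which devices are failing after the migration and for spotting an address that is simply guessing passwords on port 25. The sample rows are constructed here from the excerpt (a real log has nine columns: date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context, preceded by `#` header lines); the session IDs, the second and third client addresses, the user names and the timestamps are invented.

```powershell
# Added example (not from the original post). Summarises AUTH outcomes per remote IP from
# Exchange SMTP Receive protocol log lines. The sample rows below are constructed from the
# excerpt in the question; session IDs, the 10.9.8.7 client, user names and times are invented.

function Get-SmtpAuthSummary {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'

    # Skip the '#Software/#Fields' header lines Exchange writes at the top of each log file.
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $fields

    # One record per SMTP session: who connected, whether AUTH was tried, and how it ended.
    $sessions = $rows | Group-Object 'session-id' | ForEach-Object {
        $s = $_.Group
        $remote = ($s | Select-Object -First 1).'remote-endpoint'
        [pscustomobject]@{
            SessionId  = $_.Name
            RemoteIP   = ($remote -replace ':\d+$', '')          # drop the client port
            AuthTried  = [bool]($s | Where-Object { $_.event -eq '<' -and $_.data -like 'AUTH *' })
            AuthOk     = [bool]($s | Where-Object { $_.event -eq '>' -and $_.data -like '235*' })
            AuthFailed = [bool]($s | Where-Object { $_.event -eq '>' -and $_.data -like '535*' })
            User       = ($s | Where-Object { $_.context -like 'User Name:*' } |
                          ForEach-Object { ($_.context -split ':\s*', 2)[1] } | Select-Object -First 1)
        }
    }

    # Per-IP totals. Many failures and no success from one address means either a device
    # still using pre-migration settings or someone brute-forcing AUTH on the connector.
    $sessions | Where-Object AuthTried | Group-Object RemoteIP | ForEach-Object {
        [pscustomobject]@{
            RemoteIP  = $_.Name
            Sessions  = $_.Count
            Succeeded = ($_.Group | Where-Object AuthOk).Count
            Failed    = ($_.Group | Where-Object AuthFailed).Count
            Users     = ($_.Group.User | Where-Object { $_ } | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Failed -Descending
}

# Constructed sample: the printer session from the question, one scanner that authenticates,
# and two failed attempts from an address that is not one of the devices.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-09-20T12:18:27.312Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,0,172.16.113.10:25,172.16.113.55:49152,+,,
2016-09-20T12:18:27.312Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,1,172.16.113.10:25,172.16.113.55:49152,>,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
2016-09-20T12:18:27.328Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,2,172.16.113.10:25,172.16.113.55:49152,<,EHLO printer.example.com,
2016-09-20T12:18:27.328Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,3,172.16.113.10:25,172.16.113.55:49152,>,250  EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING STARTTLS AUTH NTLM,
2016-09-20T12:18:27.343Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,4,172.16.113.10:25,172.16.113.55:49152,<,AUTH NTLM,
2016-09-20T12:18:27.343Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,5,172.16.113.10:25,172.16.113.55:49152,>,334 <authentication response>,
2016-09-20T12:18:27.359Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,6,172.16.113.10:25,172.16.113.55:49152,>,334 <authentication response>,
2016-09-20T12:18:27.375Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,7,172.16.113.10:25,172.16.113.55:49152,*,,Inbound Negotiate failed because of LogonDenied
2016-09-20T12:18:27.375Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,8,172.16.113.10:25,172.16.113.55:49152,*,,User Name: NULL
2016-09-20T12:18:27.375Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,9,172.16.113.10:25,172.16.113.55:49152,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
2016-09-20T12:18:32.390Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,10,172.16.113.10:25,172.16.113.55:49152,>,535 5.7.3 Authentication unsuccessful,
2016-09-20T12:18:32.406Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0001,11,172.16.113.10:25,172.16.113.55:49152,-,,Remote(SocketError)
2016-09-20T12:19:01.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0002,0,172.16.113.10:25,172.16.113.56:50211,+,,
2016-09-20T12:19:01.015Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0002,1,172.16.113.10:25,172.16.113.56:50211,<,AUTH LOGIN,
2016-09-20T12:19:01.031Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0002,2,172.16.113.10:25,172.16.113.56:50211,*,,User Name: EXAMPLE\svc-scanner02
2016-09-20T12:19:01.046Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0002,3,172.16.113.10:25,172.16.113.56:50211,>,235 2.7.0 Authentication successful,
2016-09-20T12:20:10.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0003,0,172.16.113.10:25,10.9.8.7:40001,<,AUTH LOGIN,
2016-09-20T12:20:10.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0003,1,172.16.113.10:25,10.9.8.7:40001,*,,User Name: administrator
2016-09-20T12:20:15.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0003,2,172.16.113.10:25,10.9.8.7:40001,>,535 5.7.3 Authentication unsuccessful,
2016-09-20T12:20:20.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0004,0,172.16.113.10:25,10.9.8.7:40002,<,AUTH LOGIN,
2016-09-20T12:20:20.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0004,1,172.16.113.10:25,10.9.8.7:40002,*,,User Name: postmaster
2016-09-20T12:20:25.000Z,EX2016\Default Frontend EX2016,08D3E14A4A8F0004,2,172.16.113.10:25,10.9.8.7:40002,>,535 5.7.3 Authentication unsuccessful,
'@

Get-SmtpAuthSummary -LogLines ($sample -split "`r?`n") | Format-Table -AutoSize

# Against the server's own front-end receive logs (default install path, assumed):
# $logDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'
# Get-SmtpAuthSummary -LogLines (Get-Content (Join-Path $logDir '*.log')) | Format-Table -AutoSize
```

With ProtocolLoggingLevel already set to Verbose on the connector (as in the dump above), the front-end SmtpReceive logs contain exactly these rows, so the same function can be pointed at the real files once the connector change has been made and the devices retried.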

2 Answers


First, I wouldn't have touched the default Receive Connector. In these instances I always create a new Receive Connector. Therefore I would put things back as they were. You don't want an authentication enabled receive connector on port 25 exposed to the internet - that is asking for authenticated user attacks.

Then create a new Receive Connector. You will need to use PWS for this because the ECP GUI currently only creates backend types, whereas you want a frontend. Lock it down to the specific IP addresses of the devices. You then need to enable the authentication types and Exchange Users under Permission groups - basically the same as Client Frontend Receive Connector, but on a different port and probably without TLS.

Then restart the MS Exchange Transport service.

Sembee
  • Thanks, I will try this today and let you know. But shouldn't the default connector support authenticated traffic without modification? I am trying to get away from having to enter the IP address of each device into a receive connector and go with only allowing authenticated access. I only have a small handful of devices that don't support user name/password authentication and I can use an anonymous relay connector for those. – Caynadian Sep 22 '16 at 15:41
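The procedure in this answer as one Exchange Management Shell script, added here as an example and not taken from the answer or from Microsoft's documentation. It creates a second FrontendTransport connector on its own port, limited to the device addresses, with the ExchangeUsers permission group (which is what the Default Frontend connector in the question lacks: its PermissionGroups are AnonymousUsers, ExchangeServers and ExchangeLegacyServers only). The server name, port 2525, the device address ranges, the account and mailbox names are assumptions; change them first. One deliberate difference from the "probably without TLS" remark: the example keeps BasicAuthRequireTLS so that device passwords only cross the wire inside STARTTLS; replace it with plain BasicAuth only for devices that cannot do STARTTLS, knowing that those credentials then travel in clear.

```powershell
# Added example, not from the answer above. Assumed values: server EX2016, port 2525,
# device subnet 172.16.113.0/24 plus one standalone copier at 172.16.120.10,
# device account EXAMPLE\svc-printer01. Run in the Exchange Management Shell.

$server  = 'EX2016'
$name    = 'Device Submission'
$devices = '172.16.113.0/24', '172.16.120.10'

# A FrontendTransport connector on its own port, reachable only from the device addresses.
# -Usage Custom lets AuthMechanism and PermissionGroups be set explicitly; ExchangeUsers is
# the group that gives authenticated domain users ms-Exch-SMTP-Submit (and
# ms-Exch-SMTP-Accept-Any-Recipient, so external recipients work). The default port-25
# connector is left untouched and therefore never offers authenticated submission.
New-ReceiveConnector -Name $name -Server $server `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings '0.0.0.0:2525', '[::]:2525' `
    -RemoteIPRanges $devices `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# FrontendTransport connectors are hosted by the Front End Transport service.
Restart-Service MSExchangeFrontEndTransport

# Check: the new connector carries ExchangeUsers, the port-25 default still does not.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, AuthMechanism, PermissionGroups, RemoteIPRanges -AutoSize

# Check from a client inside $devices (or add your workstation to the list temporarily):
# STARTTLS plus Basic with one device account; Get-Credential prompts for the password.
Send-MailMessage -SmtpServer 'EX2016.example.com' -Port 2525 -UseSsl `
    -Credential (Get-Credential 'EXAMPLE\svc-printer01') `
    -From 'printer01@example.com' -To 'helpdesk@example.com' `
    -Subject 'Device submission test' -Body 'Sent through the Device Submission connector'
```

If the test from an address outside $devices is refused while one inside succeeds, the RemoteIPRanges lock is doing its job; if Send-MailMessage fails the TLS handshake, check with Get-ExchangeCertificate that the certificate assigned to the SMTP service matches the name the devices connect to.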

This post at GeeksWithBlogs.net showed me how to set the extended AD permissions to accept authenticated connections from any user to any address.

The basics are to create a security group of users that are allowed to authenticate to Exchange to send mail. Add whatever users you want to this group. Then add ms-Exch-SMTP-Submit extended permission to your Default Frontend connector. As the front end connector simply relays to the Client Proxy connector, you have to add all the actual accept permissions to it instead of the Frontend.

Glorfindel
Caynadian
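The extended-permission approach from this answer as an Exchange Management Shell script, added here as an example; it is not code from the answer or from the GeeksWithBlogs post it refers to. The group name, OU, member accounts, NetBIOS domain and server name are assumptions. The point of the group is least privilege: only accounts placed in it can use SMTP AUTH to submit on the internet-facing port-25 connector, rather than every domain user. On the Client Proxy connector the example grants any-recipient (needed because the devices also send externally) and authoritative-domain-sender; ms-Exch-SMTP-Accept-Any-Sender is left out unless a device really must use a From address outside your own domains.

```powershell
# Added example, not from the answer or the linked post. Assumed names: AD group
# SMTP-Device-Senders in OU=Service Accounts, members svc-printer01 and svc-scanner02,
# NetBIOS domain EXAMPLE, server EX2016. Run in the Exchange Management Shell.

Import-Module ActiveDirectory
$server    = 'EX2016'
$groupName = 'SMTP-Device-Senders'
$group     = "EXAMPLE\$groupName"

# 1. A security group that lists exactly which accounts may authenticate for submission.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path 'OU=Service Accounts,DC=example,DC=com' `
    -Description 'Accounts allowed to submit mail to Exchange with SMTP AUTH'
Add-ADGroupMember -Identity $groupName -Members 'svc-printer01', 'svc-scanner02'

# 2. On the port-25 front-end connector the group only needs the right to authenticate and submit.
Get-ReceiveConnector "$server\Default Frontend $server" |
    Add-ADPermission -User $group -ExtendedRights 'ms-Exch-SMTP-Submit'

# 3. The front end proxies the session to the Client Proxy connector, so the rights that
#    decide what the session may do are granted there: any recipient (external mail) and
#    senders in your accepted domains. Add 'ms-Exch-SMTP-Accept-Any-Sender' only if a device
#    must send from an address outside your domains.
$proxyRights = 'ms-Exch-SMTP-Submit',
               'ms-Exch-SMTP-Accept-Any-Recipient',
               'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
Get-ReceiveConnector "$server\Client Proxy $server" |
    Add-ADPermission -User $group -ExtendedRights $proxyRights

# 4. Check what was granted on both connectors; Deny should be False on every row.
foreach ($c in "Default Frontend $server", "Client Proxy $server") {
    Get-ReceiveConnector "$server\$c" | Get-ADPermission -User $group |
        Select-Object Identity, ExtendedRights, Deny
}
```

The permissions live in Active Directory, so they take effect once the transport services pick up the change; restart MSExchangeFrontEndTransport and MSExchangeTransport to apply them immediately rather than waiting for the next configuration refresh. Because this leaves authenticated submission enabled on port 25 from any address, keep MaxLogonFailures and the tarpit in place and watch the receive protocol log for repeated 535 responses from one remote IP.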