How come that on one particular machine in our network, MS Exchange SMTP doesn't provide any authentication mechanisms?

On my machine it goes:

CLIENT > EHLO [10.51.5.31]
SERVER > 250-mail.MYSERVER.com Hello [10.51.5.31]
         250-SIZE
         250-PIPELINING
         250-DSN
         250-ENHANCEDSTATUSCODES
         250-STARTTLS
         250-AUTH NTLM
         250-8BITMIME
         250-BINARYMIME
         250 CHUNKING

Where on that particular machine it goes:

CLIENT > EHLO [10.1.240.209]
SERVER > 250-mail.MYSERVER.com Hello [10.1.240.209]
         250-SIZE 10485760
         250-PIPELINING
         250-DSN
         250-ENHANCEDSTATUSCODES
         250-STARTTLS
         250-AUTH
         250-8BITMIME
         250-BINARYMIME
         250-CHUNKING
         250 XEXCH50

As you can see, my machine gets 'AUTH NTLM' as an answer whereas the other machine only gets 'AUTH' with no authentication mechanisms, causing the SMTP client to bail out with a "No compatible authentication mechanisms found." message.

What might be causing this difference in answers from the same server and more importantly, how do we fix it?

  • Without knowing more about your network, I would suspect that you're connecting to the server from different remote networks or subnets and that you have separate receive connectors with different authentication mechanisms for those individual networks. – Matt Southward Oct 29 '18 at 15:15
  • To maybe point out the obvious: because it isn't configured in the associated connector? – Lenniey Oct 29 '18 at 15:15
  • @MattSouthward Yes that was it :-) – viking_grll Oct 29 '18 at 15:32
  • @Lenniey Obvious for an admin -- I'm a developer :-) – viking_grll Oct 29 '18 at 15:33
  • I don't know if such is the case for MS Exchange SMTP but most Linux servers I set up such that unless the client uses SSL encryption authentication is not even offered. So rather than test capabilities with `telnet mail.example.com 25` check with a tool that will upgrade to an encrypted connection i.e. for instance: `openssl s_client -starttls smtp -connect mail.example.com:25` (If that is the case: configure the client to also use TLS) – HBruijn Oct 29 '18 at 15:34

1 Answer

It depends on the configuration of the Receive Connector you are talking to.

The actual Receive Connector that handles a connection is selected based on the IP/port of the Exchange Server and on the source IP address the connection comes from.

You can have multiple Receive Connectors listening on the same IP/port on the same server, but they can react differently to connections coming from different IP addresses (so you can f.e. allow relay from trusted servers).

Several options in Receive Connectors handle authentication methods.

Massimo
  • Thanks! We actually had a separate connector configured for clients that are allowed (filtered on IP address) to relay and that connector didn't allow authentication. – viking_grll Oct 29 '18 at 15:28
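
A diagnostic sketch for the situation above, added here as an example (it is not part of the original posts and not Exchange code): it parses the two EHLO replies quoted in the question, classifies what each one offers for AUTH, and lists every capability that differs, which is the kind of difference the answer attributes to separate Receive Connectors. The function names are hypothetical; the sample replies are the server lines from the question.

```python
import re

# Server lines copied from the two EHLO exchanges in the question.
EHLO_MINE = ("250-mail.MYSERVER.com Hello [10.51.5.31]\n250-SIZE\n250-PIPELINING\n"
             "250-DSN\n250-ENHANCEDSTATUSCODES\n250-STARTTLS\n250-AUTH NTLM\n"
             "250-8BITMIME\n250-BINARYMIME\n250 CHUNKING")
EHLO_OTHER = ("250-mail.MYSERVER.com Hello [10.1.240.209]\n250-SIZE 10485760\n"
              "250-PIPELINING\n250-DSN\n250-ENHANCEDSTATUSCODES\n250-STARTTLS\n"
              "250-AUTH\n250-8BITMIME\n250-BINARYMIME\n250-CHUNKING\n250 XEXCH50")

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    caps = {}
    for idx, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if m is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # Every line but the last must use "250-"; the last uses "250 ".
        if (m.group(1) == " ") != (idx == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        if idx == 0:
            continue  # first line is the greeting, not a capability
        text = m.group(2)
        if text.upper().startswith("AUTH="):  # legacy "AUTH=LOGIN" spelling
            text = "AUTH " + text[5:]
        keyword, *params = text.upper().split()
        caps[keyword] = caps.get(keyword, []) + params
    return caps

def auth_status(reply):
    """Classify what the answering connector offers for SMTP AUTH."""
    caps = parse_ehlo(reply)
    if "AUTH" not in caps:
        return "AUTH not advertised"
    if not caps["AUTH"]:
        return "AUTH advertised with no mechanisms"
    return "AUTH mechanisms: " + ", ".join(caps["AUTH"])

def differing(reply_a, reply_b):
    """Keywords whose presence or parameters differ between two replies."""
    a, b = parse_ehlo(reply_a), parse_ehlo(reply_b)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    for name, reply in (("mine", EHLO_MINE), ("other", EHLO_OTHER)):
        print(name, "->", auth_status(reply))
    print("differs:", differing(EHLO_MINE, EHLO_OTHER))
```

When comparing replies from a live server, capture the EHLO reply after STARTTLS as well, since one of the comments suggests a server may offer authentication only on the encrypted session.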