Currently, we have SMTP authentication set up via a Domain Admin account. I'm not a fan of the setup since it is a domain admin for an individual's admin account.

Is there a group that I could assign a dedicated account/service to, to resolve the dependency on an individual's admin account?

edit

Clarification: SMTP on the server is working; it's when SMTP is used via an application that it fails. We found out recently that a domain admin account was being used for SMTP authentication because of a password expiration, and the domain admin had to be set to not expire to prevent the issue. Having the domain admin configured to send email through this application creates a dependency, and I'm looking to eliminate future headaches.

confoundr
  • I see you are using Exchange Server. What do you mean you have SMTP authentication set up via a domain admin account? Typically SMTP authentication is done when a client connects and submits their own username and password to authenticate. Those credentials are typically stored in Active Directory. – Appleoddity Jul 15 '19 at 23:31
  • Yes, SMTP on an application is using a domain admin account to authenticate to then send email. It doesn't seem to work with a regular domain user account, but it does work with the domain admin account (e.g. jsmith-a) – confoundr Jul 15 '19 at 23:34
  • It’s not a question of what user account to use or what group they should be in. That is whatever you want it to be, and in this case it should probably just be a user account with domain guest membership. What is important is if the user account has permission to “Send As” the email address your application is trying to use. You’ll need to set the permissions in Exchange on the mailbox, or you can allow the user to send as any email address, but the technique to do so eludes me because I have only worked on Exchange Online for years now. The information should be readily available online. – Appleoddity Jul 15 '19 at 23:38
  • Hmm... a `send as` option may be what I need to search for. I guess that's part of my problem too: I didn't quite know what to ask. I assumed it was the admin because a user who uses the software tried their credentials and it didn't work, but the Domain Admin credentials did. – confoundr Jul 15 '19 at 23:42
  • Yes. You can configure a user account to be able to send as any email address `@yourdomain.com`. In the past, I usually just create a mailbox and user like “outbound@domain.com” and then give that user permission to use any outbound email address `@domain.com`. I then use the account in my applications / devices. However, you can also bypass authentication altogether by allowing specific IP addresses to send without authentication, which usually is an option in this scenario as well. I wish I could provide more details but I’ve forgotten a lot. At least you know what is possible. – Appleoddity Jul 15 '19 at 23:47
  • Here’s a link for an old version of Exchange, but the procedures described here sound right: https://community.spiceworks.com/topic/202674-exchange-2010-smtp-send-as-any-user. Specifically the part about creating a second receive connector and allowing relaying through the server. However, be careful not to open your relay up to the internet. – Appleoddity Jul 15 '19 at 23:51
  • Another link: https://serverfault.com/questions/859682/only-allowing-authenticated-user-on-host-to-relay-emails-to-external-address-in – Appleoddity Jul 15 '19 at 23:57
  • I would suggest you read this article: https://practical365.com/exchange-server/exchange-2016-smtp-relay-connector/ – joyceshen Jul 16 '19 at 06:59
  • SMTP relay was the issue. This ended up being an issue with the relay: the relay did not have the subnet set up to allow relay from the internal IP addresses, and would not allow authentication. Your link did assist in [determining the connector](https://practical365.com/exchange-server/exchange-2016-smtp-relay-connector/), specifically `Get-ReceiveConnector` – confoundr Jul 17 '19 at 23:22

1 Answer


It turns out that there was a subnet/IP change and no one notified me. Here's the solution to the SMTP mail issue I had.

  1. Verified the user's IP/subnet with `ipconfig /all`
  2. Verified the 220 SMTP mail connector response in the application that the user was using, via the testing feature of the application
  3. Verified which connector was being used by using `Get-ReceiveConnector` to find the 220 banner correlated to the message (this may not be useful if the default 'banner' is being used)
  4. Used the Exchange Control Panel (ECP) to add the remote IP address: https://localhost/ecp/ > Mail Flow > Receive Connectors > Connector (by name) > Scoping, and added the IP address for the user's PC
  5. Verified by sending mail via the application's SMTP mail test
confoundr
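
Steps 3 and 4 of the answer can also be done from the Exchange Management Shell. The script below is an added example, not part of the original answer: it lists which receive connectors' scoping covers a client address, then previews adding that single address to one connector. The client IP, the connector identity and the two helper functions are assumptions made for illustration.

```powershell
# Run in the Exchange Management Shell.
$ClientIP      = '192.0.2.25'              # constructed sample address (placeholder)
$ConnectorName = 'EXCH01\Relay Connector'  # hypothetical connector identity

function ConvertTo-IPv4Number([string]$Address) {
    # Dotted quad -> integer so that ranges can be compared numerically
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange([string]$Address, [string]$Range) {
    # Handles "a.b.c.d", "a.b.c.d-e.f.g.h" and "a.b.c.d/len"; other forms
    # (IPv6, mask notation) are reported as not matching.
    if ($Range -match '^([\d.]+)-([\d.]+)$') {
        $first, $last = $Matches[1], $Matches[2]
        $lo = ConvertTo-IPv4Number $first
        $hi = ConvertTo-IPv4Number $last
    } elseif ($Range -match '^([\d.]+)/(\d+)$') {
        $base, $len = $Matches[1], [int]$Matches[2]
        $size = [long][math]::Pow(2, 32 - $len)
        $n    = ConvertTo-IPv4Number $base
        $lo   = $n - ($n % $size)
        $hi   = $lo + $size - 1
    } elseif ($Range -match '^[\d.]+$') {
        $lo = $hi = ConvertTo-IPv4Number $Range
    } else {
        return $false
    }
    $ip = ConvertTo-IPv4Number $Address
    ($ip -ge $lo) -and ($ip -le $hi)
}

# Step 3: show every connector with its banner and the scoping entries
# (if any) that cover the client. An empty MatchedBy means not in scope.
Get-ReceiveConnector | ForEach-Object {
    $c = $_
    $hits = @($c.RemoteIPRanges | Where-Object { Test-IPv4InRange $ClientIP "$_" })
    [pscustomobject]@{
        Identity  = $c.Identity
        Banner    = $c.Banner
        Bindings  = $c.Bindings -join ', '
        MatchedBy = $hits -join ', '
        Auth      = $c.AuthMechanism
        Groups    = $c.PermissionGroups
    }
} | Format-List

# Step 4: add only the one client address. -WhatIf previews the change;
# remove it to apply.
Set-ReceiveConnector -Identity $ConnectorName -RemoteIPRanges @{Add = $ClientIP} -WhatIf
```

When several connectors share a binding, Exchange uses the one whose remote IP range matches the client most specifically, so a `MatchedBy` of only `0.0.0.0-255.255.255.255` means the client is landing on a default connector rather than the relay connector. Adding single addresses instead of whole subnets keeps the relay scope narrow, in line with the comment above about not opening the relay to the internet.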