AD User Authentication to Exchange 2016


Solution 1

This post at GeeksWithBlogs.net showed me how to set the extended AD permissions to accept authenticated connections from any user to any address.

The basics are to create a security group of users that are allowed to authenticate to Exchange to send mail. Add whatever users you want to this group. Then add ms-Exch-SMTP-Submit extended permission to your Default Frontend connector. As the front end connector simply relays to the Client Proxy connector, you have to add all the actual accept permissions to it instead of the Frontend.

Solution 2

First, I wouldn't have touched the default Receive Connector. In these instances I always create a new Receive Connector. Therefore I would put things back as they were. You don't want an authentication-enabled receive connector on port 25 exposed to the internet - that is asking for authenticated user attacks.

Then create a new Receive Connector. You will need to use PWS for this because the ECP GUI currently only creates backend types, whereas you want a frontend. Lock it down to the specific IP address of the devices. You then need to enable the authentication types and Exchange Users under Permission groups - basically the same as Client Frontend Receive Connector, but on a different port and probably without TLS.

Then restart the MS Exchange Transport service.
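The following Exchange Management Shell commands carry out Solution 2 (a dedicated frontend connector restricted to the device addresses) and then apply the extended-right grant from Solution 1 to it. This is an added example, not code from either answer; the connector name, port 587, the second device address and the AD group are assumptions, and the ms-Exch-SMTP-Accept-Any-Recipient right is not named on this page but is the standard right that permits relaying to external recipients.

```powershell
# Added example: Exchange Management Shell steps for Solution 2, plus the
# extended-right grant from Solution 1. Assumed values: the server name is
# taken from the question; the connector name, port 587, the device
# addresses and the AD group are placeholders chosen for this example.
$Server     = "EX2016"
$Connector  = "Devices Authenticated Relay"            # assumed connector name
$DeviceIPs  = @("172.16.113.55", "172.16.113.56")      # assumed; .55 is the printer in the question's log
$RelayGroup = "EXAMPLE\SMTP-Relay-Devices"             # assumed AD security group for the device accounts

# Solution 2: leave the Default Frontend connector as shipped and create a
# dedicated FrontendTransport connector instead. ECP only creates backend
# connectors, so this has to be done from the shell. Binding a separate port
# and restricting RemoteIPRanges keeps authenticated submission off port 25
# and away from arbitrary internet sources.
New-ReceiveConnector -Name $Connector -Server $Server `
    -TransportRole FrontendTransport -Custom `
    -Bindings "0.0.0.0:587" `
    -RemoteIPRanges $DeviceIPs

# Same auth types and permission group as the Client Frontend connector.
# The answer notes that legacy devices may need TLS off; dropping
# BasicAuthRequireTLS lets credentials cross the network in the clear, so
# keep it unless a device truly cannot do STARTTLS.
Set-ReceiveConnector "$Server\$Connector" `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# Solution 1: grant the extended rights to a group of device accounts rather
# than to every authenticated user. ms-Exch-SMTP-Submit is the right named in
# that answer; ms-Exch-SMTP-Accept-Any-Recipient allows relaying to external
# recipients, which the question's printers need.
Get-ReceiveConnector "$Server\$Connector" |
    Add-ADPermission -User $RelayGroup `
        -ExtendedRights "ms-Exch-SMTP-Submit", "ms-Exch-SMTP-Accept-Any-Recipient"

# Frontend connectors are served by the Front End Transport service; the
# answer names the Transport service, so restart both.
Restart-Service MSExchangeFrontEndTransport, MSExchangeTransport

# Verify the new connector and confirm the Default Frontend connector still
# lists no ExchangeUsers permission group (i.e. it was put back as shipped
# and is not accepting authenticated logons on port 25).
Get-ReceiveConnector -Server $Server |
    Format-Table Name, TransportRole, Bindings, PermissionGroups, AuthMechanism -AutoSize
```

Protocol logging is already Verbose on the connector in the question, so a test submission from a device should show the AUTH exchange succeeding on port 587 in the front end receive log.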


Author: Caynadian

Updated on September 18, 2022

Comments

  • Caynadian over 1 year

    We have a number of devices that send email through our Exchange 2010 server. These devices all authenticate using a domain user prior to sending the message and this was working fine on 2010. We are now migrating to Exchange 2016 and I am trying to configure the receive connector to allow the same thing but I can't get it to work. Here is the configuration of my receive connector:

    [PS] C:\>Get-ReceiveConnector "EX2016\default frontend EX2016" | fl
    RunspaceId                                : 68459e4b-3af8-411d-a616-7db360d20905
    AuthMechanism                             : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Banner                                    :
    BinaryMimeEnabled                         : True
    Bindings                                  : {[::]:25, 0.0.0.0:25}
    ChunkingEnabled                           : True
    DefaultDomain                             :
    DeliveryStatusNotificationEnabled         : True
    EightBitMimeEnabled                       : True
    SmtpUtf8Enabled                           : False
    BareLinefeedRejectionEnabled              : False
    DomainSecureEnabled                       : True
    EnhancedStatusCodesEnabled                : True
    LongAddressesEnabled                      : False
    OrarEnabled                               : False
    SuppressXAnonymousTls                     : False
    ProxyEnabled                              : False
    AdvertiseClientSettings                   : False
    Fqdn                                      : EX2016.example.com
    ServiceDiscoveryFqdn                      :
    TlsCertificateName                        :
    Comment                                   :
    Enabled                                   : True
    ConnectionTimeout                         : 00:10:00
    ConnectionInactivityTimeout               : 00:05:00
    MessageRateLimit                          : Unlimited
    MessageRateSource                         : IPAddress
    MaxInboundConnection                      : 5000
    MaxInboundConnectionPerSource             : 20
    MaxInboundConnectionPercentagePerSource   : 2
    MaxHeaderSize                             : 256 KB (262,144 bytes)
    MaxHopCount                               : 60
    MaxLocalHopCount                          : 5
    MaxLogonFailures                          : 3
    MaxMessageSize                            : 25 MB (26,214,400 bytes)
    MaxProtocolErrors                         : 5
    MaxRecipientsPerMessage                   : 200
    PermissionGroups                          : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
    PipeliningEnabled                         : True
    ProtocolLoggingLevel                      : Verbose
    RemoteIPRanges                            : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    RequireEHLODomain                         : False
    RequireTLS                                : False
    EnableAuthGSSAPI                          : False
    ExtendedProtectionPolicy                  : None
    LiveCredentialEnabled                     : False
    TlsDomainCapabilities                     : {}
    Server                                    : EX2016
    TransportRole                             : FrontendTransport
    RejectReservedTopLevelRecipientDomains    : False
    RejectReservedSecondLevelRecipientDomains : False
    RejectSingleLabelRecipientDomains         : False
    SizeEnabled                               : Enabled
    TarpitInterval                            : 00:00:05
    MaxAcknowledgementDelay                   : 00:00:30
    AdminDisplayName                          :
    ExchangeVersion                           : 0.1 (8.0.535.0)
    Name                                      : Default Frontend EX2016
    DistinguishedName                         : CN=Default Frontend EX2016,CN=SMTP Receive
                                                Connectors,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
                                                Administrative Group (###########),CN=Administrative Groups,CN=Org
                                                Unit,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,
                                                DC=com
    Identity                                  : EX2016\Default Frontend EX2016
    ObjectCategory                            : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                               : {top, msExchSmtpReceiveConnector}
    WhenChanged                               : 20/09/2016 8:21:49 AM
    WhenCreated                               : 08/09/2016 8:02:11 AM
    WhenChangedUTC                            : 20/09/2016 1:21:49 PM
    WhenCreatedUTC                            : 08/09/2016 1:02:11 PM
    OrganizationId                            :
    Id                                        : EX2016\Default Frontend EX2016
    OriginatingServer                         : dc.example.com
    IsValid                                   : True
    ObjectState                               : Unchanged
    

    And this is the SMTP log of a connection attempt:

    +,,
    >,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
    <,EHLO printer.example.com,
    >,250  EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
    <,AUTH NTLM,
    >,334 <authentication response>,
    >,334 <authentication response>,
    *,,Inbound Negotiate failed because of LogonDenied
    *,,User Name: NULL
    *,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
    >,535 5.7.3 Authentication unsuccessful,
    -,,Remote(SocketError)
    

    I don't think I should be using an anonymous relay connector because I am authenticating with a domain user/password. What am I doing wrong?

    Edit: I should note that these printers need to be able to send email externally as well as internally.

  • Caynadian over 7 years
    Thanks, I will try this today and let you know. But shouldn't the default connector support authenticated traffic without modification? I am trying to get away from having to enter the IP address of each device into a receive connector and go with only allowing authenticated access. I only have a small handful of devices that don't support user name/password authentication and I can use an anonymous relay connector for those.
  • Aaron D about 6 years