AD User Authentication to Exchange 2016
Solution 1
This post at GeeksWithBlogs.net showed me how to set the extended AD permissions to accept authenticated connections from any user to any address.
The basics are to create a security group of users that are allowed to authenticate to Exchange to send mail. Add whatever users you want to this group. Then add ms-Exch-SMTP-Submit extended permission to your Default Frontend connector. As the front end connector simply relays to the Client Proxy connector, you have to add all the actual accept permissions to it instead of the Frontend.
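As an added example that is not from the original answer or the linked post, the Exchange Management Shell commands that carry out this procedure. The connector names follow the question's server "EX2016"; the security group name and the exact accept rights granted on the Client Proxy connector are assumptions, since the answer says only "all the actual accept permissions" without listing them.

```powershell
# Added example, not from the original answer. Connector names follow the
# question's server "EX2016"; the group and the exact rights are assumptions.
$server   = "EX2016"
$group    = "EXAMPLE\SMTP-Authenticated-Devices"   # assumed AD security group
$frontend = Get-ReceiveConnector "$server\Default Frontend $server"
$proxy    = Get-ReceiveConnector "$server\Client Proxy $server"

# 1. Members of the group may authenticate and submit on the front end.
$frontend | Add-ADPermission -User $group -ExtendedRights "ms-Exch-SMTP-Submit"

# 2. The front end proxies the session to the Client Proxy connector, so the
#    rights that decide what an authenticated sender may do are granted there.
#    Accept-Any-Recipient covers the external recipients the question needs;
#    Accept-Authoritative-Domain-Sender lets a device use an internal From address.
$proxy | Add-ADPermission -User $group -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
$proxy | Add-ADPermission -User $group -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# Review what the group now holds on both connectors before adding devices to it.
foreach ($c in $frontend, $proxy) {
    Get-ADPermission -Identity $c.Identity -User $group |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-*" } |
        Select-Object Identity, User, ExtendedRights, Deny
}
```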
Solution 2
First, I wouldn't have touched the default Receive Connector. In these instances I always create a new Receive Connector. Therefore I would put things back as they were. You don't want an authentication-enabled Receive Connector on port 25 exposed to the internet - that is asking for authenticated user attacks.
Then create a new Receive Connector. You will need to use PWS for this because the ECP GUI currently only creates backend types, whereas you want a frontend. Lock it down to the specific IP addresses of the devices. You then need to enable the authentication types and Exchange Users under Permission groups - basically the same as the Client Frontend Receive Connector, but on a different port and probably without TLS.
Then restart the MS Exchange Transport service.
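As an added example that is not from the original answer, the Exchange Management Shell steps for this procedure, followed by a check for the exposure the answer warns about (a connector open to any address on port 25 that also grants authenticated-user submission). The server and domain follow the question; the connector name, port 2525 and the device addresses are assumptions.

```powershell
# Added example, not from the original answer. Server and domain follow the
# question; the connector name, port 2525 and device addresses are assumptions.
$server  = "EX2016"
$devices = "172.16.113.55", "172.16.113.56"   # constructed device IPs

# Frontend connector: only the listed devices may connect, on a port other
# than 25, and only authenticated Exchange users may submit. STARTTLS is
# offered but not required, as the answer suggests; add BasicAuthRequireTLS
# to AuthMechanism once the devices are known to support it.
New-ReceiveConnector -Name "Authenticated Devices" -Server $server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:2525" `
    -RemoteIPRanges $devices `
    -AuthMechanism "Tls, Integrated, BasicAuth" `
    -PermissionGroups ExchangeUsers `
    -Fqdn "$server.example.com"

Restart-Service MSExchangeTransport

# Check for the exposure the answer warns about: a connector reachable from
# any address on port 25 that also grants authenticated-user submission.
# "Custom" means the ACL was edited by hand (as in Solution 1) and deserves
# a look with Get-ADPermission.
function Get-ExposedAuthConnector {
    param([string]$ServerName = $server)
    Get-ReceiveConnector -Server $ServerName | Where-Object {
        ($_.Bindings         -match ":25$") -and
        ($_.RemoteIPRanges   -match "^0\.0\.0\.0-255\.255\.255\.255$") -and
        ($_.PermissionGroups -match "ExchangeUsers|Custom")
    } | Select-Object Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
}
Get-ExposedAuthConnector
```

Run against the configuration posted in the question, the check would list "Default Frontend EX2016" only if its PermissionGroups had been changed from the default set shown there.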
Caynadian
Updated on September 18, 2022
Comments
-
Caynadian over 1 year
We have a number of devices that send email through our Exchange 2010 server. These devices all authenticate using a domain user prior to sending the message and this was working fine on 2010. We are now migrating to Exchange 2016 and I am trying to configure the receive connector to allow the same thing but I can't get it to work. Here is the configuration of my receive connector:
[PS] C:\>Get-ReceiveConnector "EX2016\default frontend EX2016" | fl
RunspaceId : 68459e4b-3af8-411d-a616-7db360d20905
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : False
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : True
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : EX2016.example.com
ServiceDiscoveryFqdn :
TlsCertificateName :
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 5
MaxLogonFailures : 3
MaxMessageSize : 25 MB (26,214,400 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : EX2016
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend EX2016
DistinguishedName : CN=Default Frontend EX2016,CN=SMTP Receive Connectors,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange Administrative Group (###########),CN=Administrative Groups,CN=Org Unit,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport, DC=com
Identity : EX2016\Default Frontend EX2016
ObjectCategory : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 20/09/2016 8:21:49 AM
WhenCreated : 08/09/2016 8:02:11 AM
WhenChangedUTC : 20/09/2016 1:21:49 PM
WhenCreatedUTC : 08/09/2016 1:02:11 PM
OrganizationId :
Id : EX2016\Default Frontend EX2016
OriginatingServer : dc.example.com
IsValid : True
ObjectState : Unchanged
And this is the SMTP log of a connection attempt:
+,,
>,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
<,EHLO printer.example.com,
>,250 EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
<,AUTH NTLM,
>,334 <authentication response>,
>,334 <authentication response>,
*,,Inbound Negotiate failed because of LogonDenied
*,,User Name: NULL
*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
>,535 5.7.3 Authentication unsuccessful,
-,,Remote(SocketError)
I don't think I should be using an anonymous relay connector because I am authenticating with a domain user/password. What am I doing wrong?
Edit: I should note that these printers need to be able to send email externally as well as internally.
-
Caynadian over 7 years
Thanks, I will try this today and let you know. But shouldn't the default connector support authenticated traffic without modification? I am trying to get away from having to enter the IP address of each device into a receive connector and go with only allowing authenticated access. I only have a small handful of devices that don't support user name/password authentication and I can use an anonymous relay connector for those.
-
Aaron D about 6 years
Here's the MS document: technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx