  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1220

How do I configure Exchange 2007 Receive Connector for GSSAPI Authentication?

We are not receiving mail from many different companies. In the event viewer I see this:

Any help would be appreciated as this is very urgent. Thank You.
Event Type:	Error
Event Source:	MSExchangeTransport
Event Category:	SmtpReceive 
Event ID:	1035
Date:		2/21/2009
Time:		7:52:28 AM
User:		N/A
Computer:	GSMAIL
Description:
Inbound authentication failed with error LogonDenied for Receive connector Default GSMAIL. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [67.240.233.192].
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Asked by: gsco
 
Mestha Commented:
Have you enabled anonymous on the receive connector?
If you are not using an Edge then you should go through this article on the MS Exchange team site: http://msexchangeteam.com/archive/2006/11/17/431555.aspx

You don't need GSSAPI enabled at all, you just need to ensure that anonymous is enabled.

-M
 
Suraj Commented:
Set the Default Receive connector to have a RemoteIPRange for the internal network only.

Configure a new receive connector with a Type of "Internet". With this type of connector, the only Authentication that is enabled is TLS so the AUTH GSSAPI verb will not be advertised. Anonymous Permission Group will be automatically added.

This will prevent any remote Exchange servers from attempting to use Exchange authentication. And then restart the Transport service.

Check if you are still getting that error ....

-x
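The connector changes described in the comments above, written out as Exchange Management Shell commands. This is an added example, not part of the original thread; the internal subnet 192.168.0.0/24 and the connector name "Internet GSMAIL" are assumptions, while the server name and default connector name come from the event log in the question.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
# Assumptions (not from the thread): the internal subnet and the name of the
# new connector. "GSMAIL" and "Default GSMAIL" come from the event log above.
$server        = 'GSMAIL'
$internalRange = '192.168.0.0/24'      # constructed placeholder: use your LAN range
$inetName      = "Internet $server"    # hypothetical connector name

# 1. Record the current state so the change can be reviewed or rolled back.
Get-ReceiveConnector -Server $server |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 2. Limit the default connector to internal hosts, so Internet senders are
#    no longer matched to the connector that offers Exchange authentication.
Set-ReceiveConnector -Identity "$server\Default $server" -RemoteIPRanges $internalRange

# 3. Create a connector of usage type Internet for all other source addresses.
#    Exchange picks the connector with the most specific matching RemoteIPRanges,
#    so internal hosts still use the default connector.
New-ReceiveConnector -Name $inetName -Server $server -Usage Internet `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '0.0.0.0-255.255.255.255'

# 4. Verify the result: TLS as the only mechanism, anonymous senders permitted.
$inet = Get-ReceiveConnector -Identity "$server\$inetName"
if ("$($inet.AuthMechanism)" -ne 'Tls') {
    Write-Warning "Unexpected AuthMechanism on ${inetName}: $($inet.AuthMechanism)"
}
if ("$($inet.PermissionGroups)" -notmatch 'AnonymousUsers') {
    Write-Warning "${inetName} does not accept anonymous senders"
}

# 5. Restart the transport service so the connectors are reloaded.
Restart-Service MSExchangeTransport

# 6. Later, check whether event 1035 (inbound authentication failure) recurs.
#    Filtering with Where-Object keeps this compatible with PowerShell 1.0.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'MSExchangeTransport' -and $_.EventID -eq 1035 } |
    Format-List TimeGenerated, Message
```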
 
gsco (Author) Commented:
I have attached snippets of my internet receive connector tabs now. I do not use an edge server but I have the anti-spam agents installed. Hopefully this is configured correctly now. Do all e-mail servers support TLS/mutual TLS? Should I have anything else checked or not checked? Thanks for all the help.

Also is there any advice on a good tutorial to get maximum benefits from the integrated anti-spam because we are still receiving a lot of junk and if I set the SCL rating too low it kills a lot of legitimate e-mails.

Thanks Again
Auth-Tab.JPG
Network-Tab.JPG
Permission-Groups.JPG
 
Mestha Commented:
What else is on the machine?
What is between Exchange and the internet?

-M
 
gsco (Author) Commented:
Nothing besides a Sonicwall appliance.
 
Mestha Commented:
Does that have any SMTP scanning functionality?

Try the inbound SMTP test here:
https://www.testexchangeconnectivity.com/

See what that flags up.

-M
 
gsco (Author) Commented:
Yes it does, it scans e-mail as well as attachments including archives, and I have the RBL configured which is working nicely. So everything seems to be good now, but is TLS the only authentication that should be used? Should I have Mutual TLS checked also? E-mail was working fine before all of this except for one company's server which routes through Time Warner Cable's SMTP server. So I had no problems personally but one company's server kept trying to use GSSAPI authentication due to the relaying through Time Warner. So this should have helped now that I have the other authentication methods unchecked, correct?
 
gsco (Author) Commented:
So what authentication methods should I have enabled? Just TLS or TLS and Mutual TLS or even more than that?
 
Mestha Commented:
No one else can see your comments...

"So what authentication methods should I have enabled? Just TLS or TLS and Mutual TLS or even more than that?"

The TLS options are enabled by default and shouldn't cause any problems.
If the router is scanning email, then it would be the place I would be looking at as the potential source of the problem.

-M
 
gsco (Author) Commented:
I had just turned the Sonicwall firewall back on after I made the changes. So the Sonicwall appliance doesn't have anything to do with it. Am I correct in thinking I shouldn't have had all of the extra authentication methods working? Just TLS and Mutual TLS?
 
gsco (Author) Commented:
This discussion has been continued here for anyone who is interested:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24172159.html