gsco

asked on

How do I configure Exchange 2007 Receive Connector for GSSAPI Authentication?

We are not receiving mail from many different companies. In the event viewer I see this:

Any help would be appreciated as this is very urgent. Thank You.
Event Type:	Error
Event Source:	MSExchangeTransport
Event Category:	SmtpReceive 
Event ID:	1035
Date:		2/21/2009
Time:		7:52:28 AM
User:		N/A
Computer:	GSMAIL
Description:
Inbound authentication failed with error LogonDenied for Receive connector Default GSMAIL. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [67.240.233.192].
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


ASKER CERTIFIED SOLUTION
Mestha
Suraj
Set the Default Receive connector to have a RemoteIPRange for the internal network only.

Configure a new receive connector with a Type of "Internet". With this type of connector, the only Authentication that is enabled is TLS so the AUTH GSSAPI verb will not be advertised. Anonymous Permission Group will be automatically added.

This will prevent any remote Exchange servers from attempting to use Exchange authentication. And then restart the Transport service.

Check if you are still getting that error.

-x
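
The steps in the answer above, written as Exchange Management Shell commands. This is an added example, not part of the original thread: the server and Default connector names come from the event log in the question, while the internal subnet and the name of the new connector are assumptions to replace with your own values.

```powershell
# Added example. Values marked "assumed" are placeholders, not taken from the thread.
$server        = 'GSMAIL'                    # computer name from event 1035
$defaultConn   = "$server\Default $server"   # "Default GSMAIL" from event 1035
$internalRange = '192.168.1.0/24'            # assumed internal subnet
$internetName  = "Internet $server"          # assumed name for the new connector

# 1. Record the current settings so the change can be reviewed or rolled back.
Get-ReceiveConnector -Server $server |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 2. Restrict the Default connector to the internal network only.
#    It keeps its Exchange/Integrated authentication for internal hosts.
Set-ReceiveConnector -Identity $defaultConn -RemoteIPRanges $internalRange

# 3. Create the Internet-facing connector. -Usage Internet enables only TLS
#    and adds the Anonymous permission group, so AUTH GSSAPI is not offered
#    to outside senders. Both connectors share port 25; Exchange selects the
#    connector whose RemoteIPRanges matches the sender most specifically.
New-ReceiveConnector -Name $internetName -Server $server -Usage Internet `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '0.0.0.0-255.255.255.255'

# 4. Restart the Transport service so the new configuration is loaded.
Restart-Service MSExchangeTransport

# 5. Verify: the Internet connector should list Tls under AuthMechanism and
#    AnonymousUsers under PermissionGroups; the Default connector should
#    list only the internal range under RemoteIPRanges.
Get-ReceiveConnector -Server $server |
    Format-List Identity, RemoteIPRanges, AuthMechanism, PermissionGroups
```

After the restart, event ID 1035 entries naming a Gssapi failure from an external source IP should stop appearing for the Default connector.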
gsco

ASKER

I have attached snippets of my internet receive connector tabs now. I do not use an edge server but I have the anti-spam agents installed. Hopefully this is configured correctly now. Do all e-mail servers support the tls/mutual tls? Should I have anything else checked or not checked? Thanks for all the help.

Also is there any advice on a good tutorial to get maximum benefits from the integrated anti-spam because we are still receiving a lot of junk and if I set the SCL rating too low it kills a lot of legitimate e-mails.

Thanks Again
Auth-Tab.JPG
Network-Tab.JPG
Permission-Groups.JPG
What else is on the machine?
What is between Exchange and the internet?

-M
gsco

ASKER

Nothing besides a Sonicwall appliance.
Does that have any SMTP scanning functionality?

Try the inbound SMTP test here:
https://www.testexchangeconnectivity.com/

See what that flags up.

-M
gsco

ASKER

Yes it does, it scans e-mail as well as attachments including archives, and I have the RBL configured which is working nicely. So everything seems to be good now, but is TLS the only authentication that should be used? Should I have Mutual TLS checked also? E-mail was working fine before all of this except for one company's server which routes through Time Warner Cable's SMTP server. So I had no problems personally but one company's server kept trying to use GSSAPI authentication due to the relaying through Time Warner. So this should have helped now that I have the other authentication methods unchecked, correct?
gsco

ASKER

So what authentication methods should I have enabled? Just TLS or TLS and Mutual TLS or even more than that?
No one else can see your comments...

"So what authentication methods should I have enabled? Just TLS or TLS and Mutual TLS or even more than that?"

The TLS options are enabled by default and shouldn't cause any problems.
If the router is scanning email, then it would be the place I would be looking at as the potential source of the problem.

-M
gsco

ASKER

I had just turned the Sonicwall firewall back on after I made the changes. So the Sonicwall appliance doesn't have anything to do with it. Am I correct in thinking I shouldn't have had all of the extra authentication methods working? Just TLS and Mutual TLS?