5.7.1 Client does not have permission to send as this sender

Posted on 2010-11-11
Last Modified: 2012-06-27
Hi all,

I've searched the KBs here, and I guess I'm just not too sure what to look for, so here it is!

I run an Exchange 2007 server in a hosted environment. I have a mailbox called mwa@ourdomain.com. We send emails from a few different sources on the internet using this email address. These users are not MAPI clients, they just connect to our server via smtp, password authentication. When this user sends email as mwa@ourdomain.com, all goes through just fine, however, when they try to send it as someone else, it gets the 5.7.1 error, client does not have permission to send as this sender.

How can I configure this user to be able to send as any email address?

Thanks!
0
Question by:newtoexchange
12 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 34115390

When you say "a hosted environment", can you still control the box? You'll need to have login rights to make the following changes; if you don't you will need to take the issue up with your ISP.

The receive connector which the emails are going through needs to grant Authenticated Users the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission. This allows emails from authenticated users to be sent from any email address, not just the address associated with the logging in user.

To add this, at Exchange Management Shell type:

Get-ReceiveConnector "SERVERNAME\Connector Name" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

This should fix your problem.

More on receive connectors and the set of permissions here: http://technet.microsoft.com/en-us/library/aa996395.aspx

Matt
0
 

Author Comment

by:newtoexchange
ID: 34115751
I've run this command, changing the Servername\Connector Name only, appeared to run without fail, however, I'm still getting the same result. Do I need to restart any services to make this effective? I assume not since it is an AD change.

Thanks,

0
 
LVL 6

Expert Comment

by:linraf
ID: 34116280
I believe that you also need to add Send As permissions in AD.

Log in to a computer in the Windows® domain as an administrator that has permissions to modify user objects in Microsoft Active Directory.
On the taskbar, click Start > Administrative Tools > Active Directory Users and Computers.
On the View menu, click Advanced Features.
Right-click the domain root. Click Properties.
On the Security tab, click Advanced.
Click Add.
Type the name of the Windows account that you created (for example, mwa).
Click Check Names.
Click OK.
In the Apply drop-down list, click User Objects.
In the Allow column, select the Send As check box.
Click Apply.
Click OK.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34116718

It shouldn't need Send As rights. I've just tested this myself with a test connector and adding the above permission was sufficient to allow the email to pass.

My connector was configured with Basic Authentication and permitted Exchange Users to connect to it.

What is the configuration of your connector as seen in the GUI?

Matt
0
 

Author Comment

by:newtoexchange
ID: 34116763
Here's how my default receive connector is configured.

tigermatt, do I need to add the domain that we're trying to send from anywhere else in Exchange in order for the command you'd suggested to work? Was I correct in only changing the "SERVERNAME\Connector" in your command?

Thanks,

[Attached screenshots: receive connector authentication; receive connector permission groups]
0
 

Author Comment

by:newtoexchange
ID: 34116770
For the record, I did try linraf's solution with no effect, still getting the same error.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34116840

That's the same setup as me in my lab.

I have my default connector on which I ran the above command. Yes, all you need to change is the connector name.
I am then using Outlook, creating a POP account with a bogus POP server and the server name as the SMTP server.
Enter login credentials for TestUser and TestUser@domain.com in email field to begin with, where domain.com is one of the domains hosted by this Exchange environment.
Enabled SMTP Authentication in Advanced.
Tested the configuration; I receive the confirmation email back in TestUser's inbox.

If I now change the email address in the email field, to TestUser2, but continue to log in as TestUser, and click the test button, TestUser2 gets the email back.

This indicates that as an authenticated user, TestUser now has permission to make it appear he can send emails from any other user@domain.com.

I don't believe the Transport Service caches connector permissions as all my changes have been immediate, but it wouldn't hurt to restore that service on the server just in case.

Perhaps you could run the same tests from Outlook? Are the clients trying to send via this server using Outlook or something else?

Matt
0
 

Author Comment

by:newtoexchange
ID: 34116860
In re-reading my original post, I believe I should've clarified something. I want to log in as mwa@ourdomain.com, and might like to send email as: mwa@somethingelse.com, or completely@differentdomain.com.

My apologies on the lack of communication.
0
 

Author Comment

by:newtoexchange
ID: 34116869
I am running Thunderbird in almost exactly the same fashion as you have your Outlook setup. I get the same result in Outlook.
0
 
LVL 58

Accepted Solution

by:tigermatt (earned 2000 total points)
ID: 34116906

Aha!

Two different permissions for these two different scenarios.

For the one you describe, you need to give Authenticated Users ms-Exch-SMTP-Accept-Any-Sender.

For the one I was using the other permission was sufficient.

You probably want to remove the permission added earlier using the below command, then use the one just below to add the new permission.

Get-ReceiveConnector "SERVER\Connector" | Remove-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Get-ReceiveConnector "SERVER\Connector" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

If you will need to relay as an authenticated user with a sender address @domain.com as well as @somethingelse.com, then don't run the first command. In that scenario you'll need both permissions to make this work.

Also, on a security note: if you authenticate with one particular user, you might want to change the part after -User in the "Add" permission commands to DOMAIN\user. You could also make a security group and use DOMAIN\Group Name. This means only the users YOU designate can send as anyone through your server (which could be used for malicious purposes).

If this is something you want to pursue, I would get it working with the above commands. Once you do so, switch Add- to Remove- to take the permissions out and re-grant them to just those users who need it.

Let me know how you get on!

-Matt
0
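
The lock-down described in the security note above, as an added example that is not part of the original answer: it audits which principals hold the two sender-override rights on the receive connector, grants them to one account, then removes the explicit grants from Authenticated Users. `SERVER\Connector` is the placeholder from the answer, and `DOMAIN\mwa` is an assumed account name.

```powershell
# Added example; run in the Exchange Management Shell.
# "SERVER\Connector" is the placeholder used in the answer above;
# "DOMAIN\mwa" is an assumed name for the one account allowed to relay.
$connector = Get-ReceiveConnector "SERVER\Connector"
$broad     = "NT AUTHORITY\Authenticated Users"
$scoped    = "DOMAIN\mwa"
$rights    = "ms-Exch-SMTP-Accept-Any-Sender",
             "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

function Get-SenderOverrideAce {
    # Return the allow ACEs on the connector that carry either right.
    param($Identity, [string[]]$Rights)
    Get-ADPermission -Identity $Identity | Where-Object {
        $ace = $_
        -not $ace.Deny -and
        ($Rights | Where-Object { $ace.ExtendedRights -like $_ })
    }
}

# 1. Audit: every principal that may currently override the sender check.
$before = Get-SenderOverrideAce -Identity $connector.Identity -Rights $rights
$before | Format-Table User, ExtendedRights, IsInherited -AutoSize

# 2. Grant the rights to the single relay account first, so mail keeps flowing.
$connector | Add-ADPermission -User $scoped -ExtendedRights $rights

# 3. Remove only the explicit (non-inherited) grants held by Authenticated Users.
#    Remove-ADPermission asks for confirmation; add -WhatIf to preview.
$before |
    Where-Object { "$($_.User)" -eq $broad -and -not $_.IsInherited } |
    ForEach-Object {
        $ace  = $_
        $held = $rights | Where-Object { $ace.ExtendedRights -like $_ }
        Remove-ADPermission -Identity $connector.Identity -User $broad `
            -ExtendedRights $held
    }

# 4. Re-audit: only $scoped (plus any inherited entries) should remain.
Get-SenderOverrideAce -Identity $connector.Identity -Rights $rights |
    Format-Table User, ExtendedRights, IsInherited -AutoSize
```

Running the audit function on every connector returned by `Get-ReceiveConnector` gives a quick inventory of who can submit mail with a sender address other than their own.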
 

Author Closing Comment

by:newtoexchange
ID: 34116922
Matt,

As soon as I realized I wasn't very clear in my original question, I went back and added the domain I'm trying to send from to the accepted domains, and made sure it was authoritative. This made your command work like a charm. Thanks for the tips! I will likely lock this down to only this user in the future to stop all of our clients from having the ability to spoof maliciously.

THANK YOU!!!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34117072

No problem at all regarding the question; things like that happen to all of us.

Glad to hear you're up and working.

Cheers,

Matt
0
