Solved

exchange server 2013 receive connector help

Posted on 2013-06-05
5,312 Views
Last Modified: 2013-06-07
I need to allow SMTP mail in from a handful of IPs with auth NOT required (Postini); all others must authenticate to send. This was simple in Exchange 2003, but not as clear in 2013 with several default connectors.

It looks like it defaults to 4 connectors on a single box install.

I need to allow SMTP on ports 25 and 587, SSL SMTP on port 465, POP3, and IMAP4.

Authentication is required for all connections except SMTP traffic from a list or range of addresses.

I made a new transport frontend connector called Postini Connector. Scope is the Postini IP range and port 25, security has TLS and basic, permission groups has partner and anonymous. Sound right?

On the Default Frontend connector, scope is all IPs and port 25. Security has all authentications on and permission groups are all on except partners and anonymous.
When I try to send mail from my phone (POP3 works great to pull the mail) I get an error that password auth is not supported. So I disabled "Offer basic authentication only after starting TLS". Now I get user name or password is incorrect. I have domain/user and the password - same as the working POP3 - but no go. Same error SSL on or off. I didn't set up any other ports, but it fails the same on 25, 587, and 465.

What am I doing wrong?

Thanks
Question by:dlwynne
8 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 39224262
You're over complicating it.

The Front End connector is what users will use to send email through SMTP if they have POP3. It exists on the CAS server (if CAS and MBX are on the same server, don't worry too much about which connector you're using). Its port is set for 587 by default. The default settings for it will allow users to send on port 587. That needs to be accessible to all IP addresses if you want phones to send over it. Make sure this is set to allow Basic, TLS, Basic After TLS is initiated, and Windows Integrated authentication. Exchange Users are all that should be checked for permission groups on this connector.

Client Proxy, also leave it default; it's already on port 465. Same authentication and permission settings as the Client FrontEnd, with the addition of Exchange Server authentication and Exchange Server user group. This will handle IMAP SMTP, I believe, as well as some communication between Exchange servers.

Default Exchange is what is used between exchange servers. Don't mess with it. Only needs Exchange Server authentication and Group assigned to it.

Default Frontend is the public SMTP connector. It is set for port 25. All you need to do with this one is go to Scoping and make sure the IP Addresses box on the top displays only the Postini IPs. You can remove your Postini connector after doing that, as this will do the work by limiting the IPs and adding Anonymous authentication back to the connector.

Do not enable Externally secured authentication, as this will remove security blocks and turn any connector into an open relay.
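As an added example (not code from the thread or from Exchange itself), the connector layout the accepted answer describes expressed as Exchange Management Shell commands, followed by the two open-relay checks a practitioner would run afterwards; the server name and the Postini address ranges are placeholders:

```powershell
# Added example, not from the thread: apply the accepted answer's connector layout
# from the Exchange Management Shell. Server name and Postini ranges are placeholders.
$Server      = 'EXCHANGE'                                   # placeholder
$PostiniNets = @('203.0.113.0/24', '198.51.100.0/24')        # placeholder ranges

# 1. Review bindings, auth mechanisms and permission groups of all four connectors.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, TransportRole, Bindings, RemoteIPRanges,
                  AuthMechanism, PermissionGroups | Format-List

# 2. Default Frontend (port 25): anonymous inbound only from the Postini ranges,
#    with the connector's default permission groups restored.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" `
    -RemoteIPRanges $PostiniNets `
    -PermissionGroups AnonymousUsers,ExchangeServers,ExchangeLegacyServers

# 3. Client Frontend (port 587): authenticated users only; Basic only after TLS.
Set-ReceiveConnector -Identity "$Server\Client Frontend $Server" `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS,Integrated `
    -PermissionGroups ExchangeUsers

# 4. Open-relay checks: no connector may be ExternalAuthoritative, and anonymous
#    must not hold ms-Exch-SMTP-Accept-Any-Recipient on any connector.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.AuthMechanism -match 'ExternalAuthoritative' } |
    ForEach-Object { Write-Warning "Externally secured connector: $($_.Identity)" }

Get-ReceiveConnector -Server $Server |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { -not $_.Deny -and
                   $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    ForEach-Object { Write-Warning "Anonymous relay allowed on: $($_.Identity)" }
```

Narrowing Default Frontend to the Postini ranges also refuses any internal device that submits anonymously on port 25; give such devices their own connector scoped to their addresses rather than widening this one.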
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 39224669
Check the below article. Set up an SMTP relay receive connector and add the IP addresses which need to relay emails.
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx
 

Author Comment

by:dlwynne
ID: 39226023
I have Client Frontend:

checked: Transport Layer Security (TLS)
checked: Enable domain security (mutual Auth TLS)
checked: Basic authentication
checked: Offer basic authentication only after starting TLS
checked: Integrated Windows authentication
Clear: Exchange server authentication
Clear: Externally secured (for example, with IPSec)

Permission groups:
Only Exchange users checked

Scope is all IPs on port 587.

When I try to send from my iPhone, SSL off, port 587, I get server doesn't support password authentication.

If I UNCHECK Offer basic authentication only after starting TLS then I get user name or password is incorrect. I am using domain/username - same as the working POP3.

If I try SSL on port 587 = same thing.
SSL on port 465 = same thing.

This works fine on the same phone on our 2003 Exchange server...
 

Author Comment

by:dlwynne
ID: 39226053
I tried username without domain and full email address (no domain) and get the same error. The password is correct and has been retyped many times.
 

Author Comment

by:dlwynne
ID: 39227403
I enabled verbose logging and in

'\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive' the log shows this:

2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,192.168.1.5:587,192.168.1.67:49871,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:33.030Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,20,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,21,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,192.168.1.5:587,192.168.1.67:49871,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 Error encountered while communicating with primary target IP address: ""421 4.2.1 Unable to connect."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.5:465"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,23,192.168.1.5:587,192.168.1.67:49871,*,None,Set Session Permissions
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,192.168.1.5:587,192.168.1.67:49871,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,41,[::1]:587,[::1]:40100,<,QUIT,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,42,[::1]:587,[::1]:40100,>,221 2.0.0 Service closing transmission channel,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,43,[::1]:587,[::1]:40100,-,,Local
2013-06-06T21:04:35.042Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,25,192.168.1.5:587,192.168.1.67:49871,-,,Remote


So the client front end can't talk to the client proxy.

From the connections log:

2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,+,Client proxy session for DomainName/UserName
2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,>,Exchange.local.domain.name[192.168.1.5]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:32.031Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)


In the same log the internal proxy has the same problem on port 2525:

,SMTP,internalproxy,>,Failed connection to 192.168.1.5:2525 (ConnectionRefused:0000274D)

It is on one box, but it is like the hub and the frontend are not talking. Note the FQDN of the hub parts is the local machine.domain and the FQDN of the Internet parts matches the cert as machine.domain.com.
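As an added example (not from the thread), a small PowerShell parser for the FrontEnd SmtpReceive protocol log that pulls out the proxy failures and the back-end endpoint each one tried, followed by the checks that would have surfaced the root cause reported later in this thread (the transport service was down). The sample lines are constructed from the ones quoted above; the header matches the #Fields line Exchange writes at the top of each log file.

```powershell
# Added example, not from the thread: find "proxy session failed" events in an
# Exchange 2013 FrontEnd SmtpReceive protocol log and report the failed targets.
$Header = 'date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'

# Constructed sample, shortened from the lines quoted in this thread.
$SampleLog = @'
2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,192.168.1.5:587,192.168.1.67:49871,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,192.168.1.5:587,192.168.1.67:49871,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 ""421 4.2.1 Unable to connect."" The last endpoint attempted was 192.168.1.5:465"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,192.168.1.5:587,192.168.1.67:49871,>,451 4.7.0 Temporary server error. Please try again later,
'@

function Get-SmtpProxyFailure {
    param([string[]]$Lines, [string]$Header)
    # Skip blank and "#" metadata lines, then parse the CSV with the known field names.
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
            ConvertFrom-Csv -Header ($Header -split ',')
    foreach ($r in $rows) {
        $text = "$($r.data) $($r.context)"
        if ($text -notmatch 'proxy session failed') { continue }
        $target = if ($text -match 'endpoint attempted was (\S+)') { $Matches[1].TrimEnd('.') }
                  else { 'not stated' }
        [pscustomobject]@{
            Time      = $r.'date-time'
            Connector = $r.'connector-id'
            Session   = $r.'session-id'
            Client    = $r.'remote-endpoint'
            Target    = $target
            Error     = ($text -split 'with error: ')[-1]
        }
    }
}

$failures = Get-SmtpProxyFailure -Lines ($SampleLog -split "`r?`n") -Header $Header
$failures | Format-Table Time, Session, Client, Target, Error -AutoSize

# Every failed target port should be bound by a back-end receive connector on this
# server (465 for Client Proxy, 2525 for the Default connector), and the transport
# services that own those listeners must be running. Run these on the Exchange server.
$failures | Where-Object Target -ne 'not stated' |
    Select-Object -ExpandProperty Target -Unique | ForEach-Object {
        $port = ($_ -split ':')[-1]
        $bound = Get-ReceiveConnector | Where-Object { $_.Bindings -match ":$port$" }
        if (-not $bound) { Write-Warning "No receive connector is bound to port $port" }
        else { $bound | Format-Table Name, TransportRole, Bindings -AutoSize }
    }
Get-Service MSExchangeTransport, MSExchangeFrontEndTransport | Format-Table Name, Status
```

A ConnectionRefused against a port that a connector is bound to, as in the log above, points at the listening service rather than the connector configuration, which is where the thread's author eventually found the problem.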
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39227408
Also, why are you using POP3 on your phone? Does it not support ActiveSync? You should be able to configure it to work as an Exchange device (iPhones, Android, and Windows Phone do this).
 

Author Comment

by:dlwynne
ID: 39227494
POP3 / SMTP makes it easy to test and we have users that don't sync.

I tried to look in the hub logs to see what they showed and there weren't any for the last few days. It looks like the transport service had crashed. Once I restarted it the mail was accepted.

Next problem:

Mail for off domain is accepted and delivered from the client SMTP connector. Mail for IN the domain is accepted and queued for delivery but never shows up.
