Solved

exchange server 2013 receive connector help

Posted on 2013-06-05
Last Modified: 2013-06-07
I need to allow SMTP mail in from a handful of IPs with auth NOT required (Postini); all others must authenticate to send. This was simple in Exchange 2003, but not as clear in 2013 with several default connectors.

It looks like it defaults to 4 connectors on a single box install.

I need to allow SMTP on ports 25 and 587, SSL SMTP on port 465, POP3, and IMAP4.

Authentication is required for all connections except SMTP traffic from a list or range of addresses.

I made a new transport frontend connector called Postini Connector. Scope is the Postini IP range and port 25, security has TLS and basic, permission groups has partner and anonymous. Sound right?

On the Default Frontend connector, scope is all IPs and port 25. Security has all authentications on and permission groups are all on except partners and anonymous.
When I try to send mail from my phone (POP3 works great to pull the mail) I get an error that password auth is not supported. So I disabled "Offer basic authentication only after starting TLS". Now I get user name or password is incorrect. I have domain/user and the password - same as the working POP3 - but no go. Same error SSL on or off. I didn't set up any other ports, but it fails the same on 25, 587, and 465.

What am I doing wrong?

Thanks
Question by: dlwynne
Accepted Solution by: Adam Brown (LVL 38, earned 500 total points)
You're over complicating it.

The Front End connector is what users will use to send email through SMTP if they have POP3. It exists on the CAS server (If CAS and MBX are on the same server, don't worry too much about which connector you're using). Its port is set for 587 by default. The default settings for it will allow users to send on port 587. That needs to be accessible to all IP addresses if you want phones to send over it. Make sure this is set to allow Basic, TLS, Basic After TLS is initiated, and Windows Integrated authentication. Exchange Users are all that should be checked for permission groups on this connector.

Client Proxy, also leave it default, it's already on port 465. Same authentication and permission settings as the Client FrontEnd, with the addition of Exchange Server authentication and Exchange Server user group. This will handle IMAP SMTP, I believe, as well as some communication between Exchange servers.

Default Exchange is what is used between exchange servers. Don't mess with it. Only needs Exchange Server authentication and Group assigned to it.

Default Frontend is the public SMTP connector. It is set for port 25. All you need to do with this one is go to Scoping and make sure the IP Addresses box on the top displays only the Postini IPs. You can remove your Postini connector after doing that, as this will do the work by limiting the IPs and adding Anonymous authentication back to the connector.

Do not enable Externally secured authentication, as this will remove security blocks and turn any connector into an open relay.
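As an added example (not code from the answer or the thread), the settings described above expressed as Exchange Management Shell commands, followed by an audit function that flags any connector set to Externally secured or accepting anonymous mail from an unrestricted range; the server name and the Postini range are assumptions/placeholders.

```powershell
# Added example, not code from the thread: apply the connector settings Adam
# Brown describes and then audit every receive connector for the condition he
# warns about. Server name and Postini range are assumptions/placeholders.
$Server      = 'EXCHANGE'            # assumption: the server name seen in the logs
$PostiniCidr = @('203.0.113.0/24')   # placeholder: substitute the real Postini ranges

# Client Frontend (587): authenticated user submission only, Basic only over TLS.
Set-ReceiveConnector -Identity "$Server\Client Frontend $Server" `
    -AuthMechanism 'Tls,Integrated,BasicAuth,BasicAuthRequireTLS' `
    -PermissionGroups 'ExchangeUsers'

# Default Frontend (25): anonymous inbound allowed again, but only from Postini.
# The permission groups listed are the Exchange 2013 defaults for this connector.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" `
    -RemoteIPRanges $PostiniCidr `
    -PermissionGroups 'AnonymousUsers,ExchangeServers,ExchangeLegacyServers'

# Audit: flag any connector that is externally secured (no authentication
# checks at all) or that accepts anonymous mail from an unrestricted range.
function Test-ReceiveConnectorRisk {
    param([Parameter(ValueFromPipeline=$true)]$Connector)
    process {
        # Default "all addresses" ranges as displayed by Get-ReceiveConnector.
        $anyRange = @('0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')
        $unscoped = @($Connector.RemoteIPRanges | Where-Object { "$_" -in $anyRange }).Count -gt 0
        [pscustomobject]@{
            Identity          = "$($Connector.Identity)"
            Bindings          = ($Connector.Bindings -join ', ')
            ExternallySecured = "$($Connector.AuthMechanism)" -match 'ExternalAuthoritative'
            AnonymousFromAny  = ("$($Connector.PermissionGroups)" -match 'AnonymousUsers') -and $unscoped
        }
    }
}

Get-ReceiveConnector -Server $Server | Test-ReceiveConnectorRisk | Format-Table -AutoSize
```

Any row with ExternallySecured set to True is the open-relay condition the answer warns about; AnonymousFromAny on the Default Frontend means the Postini scoping has not been applied.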
Expert Comment by: Malli Boppe (LVL 23)
Check the article below. Set up an SMTP relay receive connector and add the IP addresses which need to relay emails.
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx
Author Comment by: dlwynne
I have Client Frontend:

checked: Transport Layer Security (TLS)
checked: Enable domain security (mutual Auth TLS)
checked: Basic authentication
checked: Offer basic authentication only after starting TLS
checked: Integrated Windows authentication
Clear: Exchange server authentication
Clear: Externally secured (for example, with IPSec)

Permission groups:
Only Exchange users checked

Scope is all IPs on port 587.

When I try to send from my iPhone, SSL off, port 587, I get server doesn't support password authentication.

If I UNCHECK Offer basic authentication only after starting TLS then I get user name or password is incorrect. I am using domain/username - same as the working POP3.

If I try SSL on port 587 = same thing,
SSL on port 465 = same thing.

This works fine on the same phone on our 2003 Exchange server...

Anonymous users
Author Comment by: dlwynne
I tried username without domain and full email address (no domain) and get the same error. The password is correct and has been retyped many times.
Author Comment by: dlwynne
I enabled verbose logging and in the '\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive' log is this:

2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,192.168.1.5:587,192.168.1.67:49871,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:33.030Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,20,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,21,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,192.168.1.5:587,192.168.1.67:49871,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 Error encountered while communicating with primary target IP address: ""421 4.2.1 Unable to connect."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.5:465"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,23,192.168.1.5:587,192.168.1.67:49871,*,None,Set Session Permissions
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,192.168.1.5:587,192.168.1.67:49871,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,41,[::1]:587,[::1]:40100,<,QUIT,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,42,[::1]:587,[::1]:40100,>,221 2.0.0 Service closing transmission channel,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,43,[::1]:587,[::1]:40100,-,,Local
2013-06-06T21:04:35.042Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,25,192.168.1.5:587,192.168.1.67:49871,-,,Remote


So the client front end can't talk to the client proxy.

From the connections log:

2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,+,Client proxy session for DomainName/UserName
2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,>,Exchange.local.domain.name[192.168.1.5]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:32.031Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)


In the same log, the internal proxy has the same problem on port 2525:

,SMTP,internalproxy,>,Failed connection to 192.168.1.5:2525 (ConnectionRefused:0000274D)

It is on one box, but it is like the hub and the frontend are not talking. Note the FQDN of the hub parts is the local machine.domain and the FQDN of the Internet parts matches the cert as machine.domain.com.
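As an added example (not from the thread), the SmtpReceive protocol log lines above can be parsed to show, per session, whether the client authenticated and which back-end endpoint the proxy failed to reach; the field names are the Exchange 2013 protocol-log header, and the sample lines are constructed from the ones posted rather than a fresh capture.

```powershell
# Added example, not from the thread: group SmtpReceive protocol-log rows by
# session and separate "client authenticated" from "proxy to back end failed".
# Header = Exchange 2013 SmtpReceive protocol-log fields (assumption: unchanged).
$Fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Constructed sample: a subset of the lines posted in this thread.
$SampleLog = @'
2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,192.168.1.5:587,192.168.1.67:49871,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,192.168.1.5:587,192.168.1.67:49871,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 Error encountered while communicating with primary target IP address: ""421 4.2.1 Unable to connect."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.5:465"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,192.168.1.5:587,192.168.1.67:49871,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
'@

function Get-SmtpProxyFailure {
    param([string[]]$Lines, [string[]]$Header = $Fields)
    # Skip blank lines and the '#'-prefixed header block a real log file carries.
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $Header
    $rows | Group-Object 'session-id' | ForEach-Object {
        $events = @($_.Group)
        $auth   = $events | Where-Object { $_.context -eq 'authenticated' } | Select-Object -First 1
        $proxy  = $events | Where-Object { $_.context -like 'Setting up proxy session failed*' } | Select-Object -Last 1
        $reply  = $events | Where-Object { $_.event -eq '>' -and $_.data -match '^[45]\d\d ' } | Select-Object -Last 1
        # The final proxy error names the back-end endpoint that refused the connection.
        $target = if ($proxy -and $proxy.context -match 'endpoint attempted was (\S+)$') { $Matches[1] } else { $null }
        [pscustomobject]@{
            SessionId     = $_.Name
            Client        = $events[0].'remote-endpoint'
            Authenticated = [bool]$auth
            ProxyTarget   = $target
            ServerReply   = if ($reply) { $reply.data } else { $null }
        }
    }
}

Get-SmtpProxyFailure -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

A session showing Authenticated = True together with a ProxyTarget and a 451 reply is the pattern in this thread: the credentials were accepted by the front end, and the failure is the hop to the back-end connector, not the password.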
Expert Comment by: Adam Brown (LVL 38)
Also, why are you using POP3 on your phone? Does it not support ActiveSync? You should be able to configure it to work as an Exchange device (iPhones, Android, and Windows Phone do this).
Author Comment by: dlwynne
POP3 / SMTP makes it easy to test and we have users that don't sync.

I tried to look in the hub logs to see what they showed and there weren't any for the last few days. It looks like the transport service had crashed. Once I restarted it the mail was accepted.

Next problem:

Mail for off domain is accepted and delivered from the client SMTP connector. Mail for IN the domain is accepted and queued for delivery but never shows up.