• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6644
  • Last Modified:

exchange server 2013 receive connector help

I need to allow SMTP mail in from a handful of IPs with auth NOT required (Postini), all others must authenticte to send. This was simple in ech 2003, but not as clear in 2013 with several defalt connectors

It looks like it defaukts to 4 connectors on a single box install.

I need to allow SMTP on ports 25 and 587, SSL SMTP on port 465, POP3, and IMAp4.

Authentication is required for all connections except SMTP traffic from a list or range of addresses.

I made a new transport frontend connector called Postini Connector, Scope is the Postini IP range and port 25, security has TLS and vasic, permisssion groups has partner and anonymous. Sound right?

On the Default Frontend connecter scope is all IPs and port 25. Security has all authentications on and permission groups are all on except partners and anonymous/
When I try to send mail from my phone (POP3 works great to pull the mail) i get an error that password auth is not supported. So I disabled "Offer basic authentication only after starting TLS". Now I get user name of password is incorrect. I have domain/user and the password - same as the working POP 3 - but no go. Same error SSL on or off. I didn't set up any other ports, but it fails the same on 25, 587, and 465.

What am I doing wrong?

1 Solution
Adam BrownSr Solutions ArchitectCommented:
You're over complicating it.

The Front End connector is what users will use to send email through SMTP if they have Pop3. It exists on the CAS server (If CAS and MBX are on the same server, don't worry too much about which connector you're using). It's port is set for 587 by default. The default settings for it will allow users to send on port 587. That needs to be accessible to all IP addresses if you want phones to send over it. Make sure this is set to allow Basic, TLS, Basic After TLS is initiated, and Windows Integrated authentication. Exchange Users are all that should be checked for permission groups on this connector.

Client Proxy, also leave it default, it's already on port 465. Same authentication and permission settings as the Client FrontEnd, with the addition of Exchange Server authentication and Exchange Server user group. This will handle IMAP SMTP, I believe, as well as some communication between Exchange serverws.

Default Exchange is what is used between exchange servers. Don't mess with it. Only needs Exchange Server authentication and Group assigned to it.

Default Frontend is the public SMTP connector. It is set for port 25. All you need to do with this one is go to Scoping and make sure the IP Addresses box on the top displays only the Postini IPs. You can remove your Postini connector after doing that, as this will do the work by limiting the IPs and adding Anonymous authentication back to the connector.

Do not enable Externally secured authentication, as this will remove security blocks and turn any connector into an open relay.
I QasmiTechnical LeadCommented:
Malli BoppeCommented:
Check the below article. Setup a SMTP relay receive connector and add the IP addresses which need to relay emails.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

dlwynneAuthor Commented:
I have Client Frontend:

checked: Transport Layer Security (TLS)
checked: Enable domain security (mutual Auth TLS)
checked: Basic authentication
checked:  Offer basic authentication only after starting TLS
checked: Integrated Windows authentication
Clear: Exchange server authentication
Clear: Externally secured (for example, with IPSec)

Permission groups:
Only Exchange users checked

Scope is all IPs on port 587.

When I try to send from my iphone SSL off,, port 587 I get server doesn't support password authentication.

If I UNCHECK Offer basic authentication only after starting TLS then I get user name or password is incorrect. I am using domain/username - same as the working POP3.

If I try SSL on post 587 = same thing,
SSL on port 465 = same thing.

This works fine on the  same phone on our 2003 exchange server...

Anonymous users
dlwynneAuthor Commented:
I tried username without domain and full email address (no domain) and get the same error. The password is correct and has been retyped many times.
dlwynneAuthor Commented:
I enabled vebose logging and in

'\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive' log is this::


2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,,,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,,,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:33.030Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,20,,,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,21,,,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,,,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 Error encountered while communicating with primary target IP address: ""421 4.2.1 Unable to connect."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,23,,,*,None,Set Session Permissions
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,,,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,41,[::1]:587,[::1]:40100,<,QUIT,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,42,[::1]:587,[::1]:40100,>,221 2.0.0 Service closing transmission channel,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,43,[::1]:587,[::1]:40100,-,,Local
2013-06-06T21:04:35.042Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,25,,,-,,Remote

So the client front end can't talk to the client proxy.

From the connectons log::

2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,+,Client proxy session for DomainName/UserName
2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,>,Exchange.local.domain.name[]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,>,Failed connection to (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:32.031Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to (ConnectionRefused:0000274D)[TargetIPAddress:|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)

In the same log  the internal proxy has the same problem on port 2525

,SMTP,internalproxy,>,Failed connection to (ConnectionRefused:0000274D)

It is on one box, but it is like the hub and the frontend are not talking. Note the FQDN of the hub parts is the local machine.domain and rhe FQDN of the Internet oarts macthes the cert as machine.domain.com.
Adam BrownSr Solutions ArchitectCommented:
Also, why are you using POP3 on your phone? Does it not support ActiveSync? You should be able to configure it to work as an exchange device (iPhones, android, and windows phone does this).
dlwynneAuthor Commented:
POP3 / SMTP makes it easy to test and we have users that don't sync.

i tried to look in the hub logs to see what they showed and there weren't any for the last few days. It looks like the transport service had crashed. Once I rstarted it the mail was accepted.

Next problem:

Mail for off domain is accepted and delivered from the client SMTP connectior. Mail for IN th doamin is accepted and queued for delivery but never shows up.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now