exchange server 2013 receive connector help

Posted on 2013-06-05
Last Modified: 2013-06-07
I need to allow SMTP mail in from a handful of IPs with auth NOT required (Postini), all others must authenticte to send. This was simple in ech 2003, but not as clear in 2013 with several defalt connectors

It looks like it defaukts to 4 connectors on a single box install.

I need to allow SMTP on ports 25 and 587, SSL SMTP on port 465, POP3, and IMAp4.

Authentication is required for all connections except SMTP traffic from a list or range of addresses.

I made a new transport frontend connector called Postini Connector, Scope is the Postini IP range and port 25, security has TLS and vasic, permisssion groups has partner and anonymous. Sound right?

On the Default Frontend connecter scope is all IPs and port 25. Security has all authentications on and permission groups are all on except partners and anonymous/
When I try to send mail from my phone (POP3 works great to pull the mail) i get an error that password auth is not supported. So I disabled "Offer basic authentication only after starting TLS". Now I get user name of password is incorrect. I have domain/user and the password - same as the working POP 3 - but no go. Same error SSL on or off. I didn't set up any other ports, but it fails the same on 25, 587, and 465.

What am I doing wrong?

Question by:dlwynne
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 40

Accepted Solution

Adam Brown earned 500 total points
ID: 39224262
You're over complicating it.

The Front End connector is what users will use to send email through SMTP if they have Pop3. It exists on the CAS server (If CAS and MBX are on the same server, don't worry too much about which connector you're using). It's port is set for 587 by default. The default settings for it will allow users to send on port 587. That needs to be accessible to all IP addresses if you want phones to send over it. Make sure this is set to allow Basic, TLS, Basic After TLS is initiated, and Windows Integrated authentication. Exchange Users are all that should be checked for permission groups on this connector.

Client Proxy, also leave it default, it's already on port 465. Same authentication and permission settings as the Client FrontEnd, with the addition of Exchange Server authentication and Exchange Server user group. This will handle IMAP SMTP, I believe, as well as some communication between Exchange serverws.

Default Exchange is what is used between exchange servers. Don't mess with it. Only needs Exchange Server authentication and Group assigned to it.

Default Frontend is the public SMTP connector. It is set for port 25. All you need to do with this one is go to Scoping and make sure the IP Addresses box on the top displays only the Postini IPs. You can remove your Postini connector after doing that, as this will do the work by limiting the IPs and adding Anonymous authentication back to the connector.

Do not enable Externally secured authentication, as this will remove security blocks and turn any connector into an open relay.

Expert Comment

by:I Qasmi
ID: 39224417
LVL 23

Expert Comment

by:Malli Boppe
ID: 39224669
Check the below article. Setup a SMTP relay receive connector and add the IP addresses which need to relay emails.
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Author Comment

ID: 39226023
I have Client Frontend:

checked: Transport Layer Security (TLS)
checked: Enable domain security (mutual Auth TLS)
checked: Basic authentication
checked:  Offer basic authentication only after starting TLS
checked: Integrated Windows authentication
Clear: Exchange server authentication
Clear: Externally secured (for example, with IPSec)

Permission groups:
Only Exchange users checked

Scope is all IPs on port 587.

When I try to send from my iphone SSL off,, port 587 I get server doesn't support password authentication.

If I UNCHECK Offer basic authentication only after starting TLS then I get user name or password is incorrect. I am using domain/username - same as the working POP3.

If I try SSL on post 587 = same thing,
SSL on port 465 = same thing.

This works fine on the  same phone on our 2003 exchange server...

Anonymous users

Author Comment

ID: 39226053
I tried username without domain and full email address (no domain) and get the same error. The password is correct and has been retyped many times.

Author Comment

ID: 39227403
I enabled vebose logging and in

'\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive' log is this::


2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,,,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,,,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:33.030Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,20,,,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,21,,,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,,,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 Error encountered while communicating with primary target IP address: ""421 4.2.1 Unable to connect."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,23,,,*,None,Set Session Permissions
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,,,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,41,[::1]:587,[::1]:40100,<,QUIT,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,42,[::1]:587,[::1]:40100,>,221 2.0.0 Service closing transmission channel,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,43,[::1]:587,[::1]:40100,-,,Local
2013-06-06T21:04:35.042Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,25,,,-,,Remote

So the client front end can't talk to the client proxy.

From the connectons log::

2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,+,Client proxy session for DomainName/UserName
2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,>,[]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,>,Failed connection to (ConnectionRefused:0000274D)[|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:32.031Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to (ConnectionRefused:0000274D)[TargetIPAddress:|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to (ConnectionRefused:0000274D)[|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)

In the same log  the internal proxy has the same problem on port 2525

,SMTP,internalproxy,>,Failed connection to (ConnectionRefused:0000274D)

It is on one box, but it is like the hub and the frontend are not talking. Note the FQDN of the hub parts is the local machine.domain and rhe FQDN of the Internet oarts macthes the cert as
LVL 40

Expert Comment

by:Adam Brown
ID: 39227408
Also, why are you using POP3 on your phone? Does it not support ActiveSync? You should be able to configure it to work as an exchange device (iPhones, android, and windows phone does this).

Author Comment

ID: 39227494
POP3 / SMTP makes it easy to test and we have users that don't sync.

i tried to look in the hub logs to see what they showed and there weren't any for the last few days. It looks like the transport service had crashed. Once I rstarted it the mail was accepted.

Next problem:

Mail for off domain is accepted and delivered from the client SMTP connectior. Mail for IN th doamin is accepted and queued for delivery but never shows up.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question