Solved

exchange server 2013 receive connector help

Posted on 2013-06-05
Last Modified: 2013-06-07
I need to allow SMTP mail in from a handful of IPs with auth NOT required (Postini); all others must authenticate to send. This was simple in Exchange 2003, but not as clear in 2013 with several default connectors.

It looks like it defaults to 4 connectors on a single box install.

I need to allow SMTP on ports 25 and 587, SSL SMTP on port 465, POP3, and IMAP4.

Authentication is required for all connections except SMTP traffic from a list or range of addresses.

I made a new transport frontend connector called Postini Connector. Scope is the Postini IP range and port 25, security has TLS and basic, permission groups has partner and anonymous. Sound right?

On the Default Frontend connector, scope is all IPs and port 25. Security has all authentications on and permission groups are all on except partners and anonymous.
When I try to send mail from my phone (POP3 works great to pull the mail) I get an error that password auth is not supported. So I disabled "Offer basic authentication only after starting TLS". Now I get user name or password is incorrect. I have domain/user and the password - same as the working POP3 - but no go. Same error SSL on or off. I didn't set up any other ports, but it fails the same on 25, 587, and 465.

What am I doing wrong?

Thanks
Question by:dlwynne
Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 39224262
You're overcomplicating it.

The Front End connector is what users will use to send email through SMTP if they have POP3. It exists on the CAS server (If CAS and MBX are on the same server, don't worry too much about which connector you're using). Its port is set for 587 by default. The default settings for it will allow users to send on port 587. That needs to be accessible to all IP addresses if you want phones to send over it. Make sure this is set to allow Basic, TLS, Basic After TLS is initiated, and Windows Integrated authentication. Exchange Users are all that should be checked for permission groups on this connector.

Client Proxy, also leave it default, it's already on port 465. Same authentication and permission settings as the Client FrontEnd, with the addition of Exchange Server authentication and Exchange Server user group. This will handle IMAP SMTP, I believe, as well as some communication between Exchange servers.

Default Exchange is what is used between Exchange servers. Don't mess with it. Only needs Exchange Server authentication and Group assigned to it.

Default Frontend is the public SMTP connector. It is set for port 25. All you need to do with this one is go to Scoping and make sure the IP Addresses box on the top displays only the Postini IPs. You can remove your Postini connector after doing that, as this will do the work by limiting the IPs and adding Anonymous authentication back to the connector.

Do not enable Externally secured authentication, as this will remove security blocks and turn any connector into an open relay.
Expert Comment

by:I Qasmi
ID: 39224417
Expert Comment

by:Malli Boppe
ID: 39224669
Check the below article. Set up an SMTP relay receive connector and add the IP addresses which need to relay emails.
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx
Author Comment

by:dlwynne
ID: 39226023
I have Client Frontend:


checked: Transport Layer Security (TLS)
checked: Enable domain security (mutual Auth TLS)
checked: Basic authentication
checked:  Offer basic authentication only after starting TLS
checked: Integrated Windows authentication
Clear: Exchange server authentication
Clear: Externally secured (for example, with IPSec)

Permission groups:
Only Exchange users checked


Scope is all IPs on port 587.

When I try to send from my iPhone, SSL off, port 587, I get server doesn't support password authentication.

If I UNCHECK Offer basic authentication only after starting TLS then I get user name or password is incorrect. I am using domain/username - same as the working POP3.

If I try SSL on port 587 = same thing.
SSL on port 465 = same thing.

This works fine on the same phone on our 2003 Exchange server...




Anonymous users
Author Comment

by:dlwynne
ID: 39226053
I tried username without domain and full email address (no domain) and get the same error. The password is correct and has been retyped many times.
Author Comment

by:dlwynne
ID: 39227403
I enabled verbose logging and in the '\Exchange Server\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive' log is this:

2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,192.168.1.5:587,192.168.1.67:49871,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:33.030Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,20,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,21,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,22,192.168.1.5:587,192.168.1.67:49871,*,,"Setting up proxy session failed for 'DomainName/UserName' with error: 451 4.4.0 Error encountered while communicating with primary target IP address: ""421 4.2.1 Unable to connect."" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.1.5:465"
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,23,192.168.1.5:587,192.168.1.67:49871,*,None,Set Session Permissions
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,192.168.1.5:587,192.168.1.67:49871,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,41,[::1]:587,[::1]:40100,<,QUIT,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,42,[::1]:587,[::1]:40100,>,221 2.0.0 Service closing transmission channel,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,43,[::1]:587,[::1]:40100,-,,Local
2013-06-06T21:04:35.042Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,25,192.168.1.5:587,192.168.1.67:49871,-,,Remote


So the client front end can't talk to the client proxy.

From the connections log:

2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,+,Client proxy session for DomainName/UserName
2013-06-06T21:04:31.017Z,08D02C483B507972,SMTP,client proxy,>,Exchange.local.domain.name[192.168.1.5]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:32.031Z,08D02C483B507972,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:32.031Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Attempting next target)
2013-06-06T21:04:33.030Z,08D02C483B507971,SMTP,client proxy,+,Undefined 00000000-0000-0000-0000-000000000000;QueueLength=0
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,>,Failed connection to 192.168.1.5:465 (ConnectionRefused:0000274D)[TargetHost:Exchange.local.domain.name:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z][TargetIPAddress:192.168.1.5:465|MarkedUnhealthy|FailureCount:4|NextRetryTime:2013-06-06T21:05:27.804Z]
2013-06-06T21:04:34.028Z,08D02C483B507971,SMTP,client proxy,-,Messages: 0 Bytes: 0 (Retry : Unable to connect)


In the same log the internal proxy has the same problem on port 2525:

,SMTP,internalproxy,>,Failed connection to 192.168.1.5:2525 (ConnectionRefused:0000274D)

It is on one box, but it is like the hub and the frontend are not talking. Note the FQDN of the hub parts is the local machine.domain and the FQDN of the Internet parts matches the cert as machine.domain.com.
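
The protocol log quoted in this comment separates two failures that the phone reports as one: session 08D02C483B507971 logs `authenticated` before the proxy attempt fails, while the `535` belongs to a different session from `[::1]`. As an added example (not part of the thread), this Python code classifies sessions that way; the field names and verdict labels are assumptions chosen here, and the four sample lines are copied from the log above.

```python
import csv
import io
import re

# Field order of the SmtpReceive protocol log lines quoted in the post.
FIELDS = ["date_time", "connector_id", "session_id", "sequence",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

# Four lines copied from the log in the post (two different sessions).
SAMPLE_LOG = r"""
2013-06-06T21:04:31.002Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,18,192.168.1.5:587,192.168.1.67:49871,*,DomainName/UserName ,authenticated
2013-06-06T21:04:32.031Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,19,192.168.1.5:587,192.168.1.67:49871,*,,Setting up proxy session failed for 'DomainName/UserName' with error: 421 4.2.1 Unable to connect
2013-06-06T21:04:34.028Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507971,24,192.168.1.5:587,192.168.1.67:49871,>,451 4.7.0 Temporary server error. Please try again later,
2013-06-06T21:04:34.465Z,EXCHANGE\Client Frontend EXCHANGE,08D02C483B507970,40,[::1]:587,[::1]:40100,>,535 5.7.3 Authentication unsuccessful,
"""

PROXY_ERROR = re.compile(r"Setting up proxy session failed .* with error: (\d{3} \d\.\d+\.\d+)")

def classify_sessions(log_text):
    """Map session_id -> (verdict, SMTP status) for a protocol log excerpt."""
    seen = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != len(FIELDS) or row[0].startswith("#"):
            continue  # blank lines and the '#' header lines of a real log file
        rec = dict(zip(FIELDS, row))
        s = seen.setdefault(rec["session_id"], {"auth": False, "proxy": None, "rejected": None})
        proxy = PROXY_ERROR.search(rec["context"])
        if rec["event"] == "*" and rec["context"] == "authenticated":
            s["auth"] = True
        elif proxy and s["proxy"] is None:
            s["proxy"] = proxy.group(1)  # keep the first proxy error seen
        elif rec["event"] == ">" and rec["data"].startswith("535 "):
            s["rejected"] = " ".join(rec["data"].split()[:2])

    verdicts = {}
    for sid, s in seen.items():
        if s["auth"] and s["proxy"]:
            # Credentials were accepted; the hop to the backend connector failed.
            verdicts[sid] = ("BACKEND_PROXY_FAILURE", s["proxy"])
        elif s["rejected"]:
            verdicts[sid] = ("CREDENTIALS_REJECTED", s["rejected"])
        else:
            verdicts[sid] = ("INCONCLUSIVE", None)
    return verdicts

if __name__ == "__main__":
    for sid, verdict in classify_sessions(SAMPLE_LOG).items():
        print(sid, *verdict)
```

A `BACKEND_PROXY_FAILURE` verdict points at the connector or service behind the frontend rather than at the user's password, which is where the connections log above (refused connections to 192.168.1.5:465) also points.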
Expert Comment

by:Adam Brown
ID: 39227408
Also, why are you using POP3 on your phone? Does it not support ActiveSync? You should be able to configure it to work as an Exchange device (iPhones, Android, and Windows Phone do this).
Author Comment

by:dlwynne
ID: 39227494
POP3 / SMTP makes it easy to test and we have users that don't sync.

I tried to look in the hub logs to see what they showed and there weren't any for the last few days. It looks like the transport service had crashed. Once I restarted it the mail was accepted.

Next problem:

Mail for off domain is accepted and delivered from the client SMTP connector. Mail for in the domain is accepted and queued for delivery but never shows up.