Exchange 2010 Enable Authenticated User to Send As Any Address

We have a number of applications and devices that need to send email through Exchange 2010. One example is an application (GFI MailArchiver 2013) that needs to send emails occasionally with status updates. It allows you to put in a user to authenticate with and an email address to send to. It does not have an email address to send from. On the default receive connector on our hub transport server, I added the Ms-Exch-SMTP-Accept-Any-Sender permission for NT AUTHORITY\Authenticated Users. The receive connector is set up like this:
RunspaceId                              : 25170f51-437f-40bb-96c0-cb404ed7c23f
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::25, 0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : HUBTRANSPORT.caymanport.local
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 8
MaxLogonFailures                        : 3
MaxMessageSize                          : 80 MB (83,886,080 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Custom
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : HUBTRANSPORT
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default HUBTRANSPORT
DistinguishedName                       : CN=Default HUBTRANSPORT,CN=SMTP Receive Connectors,CN=Protocols,CN=HUBTRANSPORT,CN=Servers,CN=Exchange Administrative Group,CN=Administrative Groups,CN=Port Authority,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,DC=local
Identity                                : HUBTRANSPORT\Default HUBTRANSPORT
Guid                                    : af67ef4c-5781-454b-b616-903d1d304306
ObjectCategory                          : caymanport.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 24/09/2013 11:46:39 AM
WhenCreated                             : 09/08/2011 6:56:11 AM
WhenChangedUTC                          : 24/09/2013 4:46:39 PM
WhenCreatedUTC                          : 09/08/2011 11:56:11 AM
OrganizationId                          :
OriginatingServer                       : dc.caymanport.local
IsValid                                 : True

In the logs, I see that the emails are being rejected with the "550 5.7.1 Client does not have permissions to send as this sender" error message. But the logs also indicate that the permissions SMTPAcceptAnyRecipient and SMTPAcceptAnySender are set, and I would think that means that anyone could send as any address:
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,0,192.168.1.56:25,192.168.1.56:31328,+,,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,1,192.168.1.56:25,192.168.1.56:31328,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,2,192.168.1.56:25,192.168.1.56:31328,>,"220 HUBTRANSPORT.caymanport.local Microsoft ESMTP MAIL Service ready at Tue, 24 Sep 2013 12:53:20 -0500",
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,3,192.168.1.56:25,192.168.1.56:31328,<,HELO HUBTRANSPORT,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,4,192.168.1.56:25,192.168.1.56:31328,>,250 HUBTRANSPORT.caymanport.local Hello [192.168.1.56],
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,5,192.168.1.56:25,192.168.1.56:31328,<,STARTTLS,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,6,192.168.1.56:25,192.168.1.56:31328,>,220 2.0.0 SMTP server ready,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,7,192.168.1.56:25,192.168.1.56:31328,*,,Sending certificate
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,8,192.168.1.56:25,192.168.1.56:31328,*,"CN=*.caymanport.local, OU=Comodo PremiumSSL Wildcard, O=Cayman Islands Port Authority, STREET=PO Box 1358GT, L=George Town, S=Grand Cayman, PostalCode=KY1-1108, C=KY",Certificate subject
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,9,192.168.1.56:25,192.168.1.56:31328,*,"CN=COMODO High-Assurance Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,10,192.168.1.56:25,192.168.1.56:31328,*,226A1158D091CFB6EC7A5D956493BC15,Certificate serial number
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,11,192.168.1.56:25,192.168.1.56:31328,*,45C5608CF3F701F6AF42F5DD742C135D78001F0A,Certificate thumbprint
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,12,192.168.1.56:25,192.168.1.56:31328,*,*.caymanport.local;caymanport.local,Certificate alternate names
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,13,192.168.1.56:25,192.168.1.56:31328,<,EHLO HUBTRANSPORT,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,14,192.168.1.56:25,192.168.1.56:31328,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,15,192.168.1.56:25,192.168.1.56:31328,>,250-HUBTRANSPORT.caymanport.local Hello [192.168.1.56],
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,16,192.168.1.56:25,192.168.1.56:31328,>,250-SIZE,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,17,192.168.1.56:25,192.168.1.56:31328,>,250-PIPELINING,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,18,192.168.1.56:25,192.168.1.56:31328,>,250-DSN,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,19,192.168.1.56:25,192.168.1.56:31328,>,250-ENHANCEDSTATUSCODES,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,20,192.168.1.56:25,192.168.1.56:31328,>,250-AUTH NTLM LOGIN,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,21,192.168.1.56:25,192.168.1.56:31328,>,250-X-EXPS GSSAPI NTLM,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,22,192.168.1.56:25,192.168.1.56:31328,>,250-8BITMIME,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,23,192.168.1.56:25,192.168.1.56:31328,>,250-BINARYMIME,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,24,192.168.1.56:25,192.168.1.56:31328,>,250-CHUNKING,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,25,192.168.1.56:25,192.168.1.56:31328,>,250-XEXCH50,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,26,192.168.1.56:25,192.168.1.56:31328,>,250-XRDST,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,27,192.168.1.56:25,192.168.1.56:31328,>,250 XSHADOW,
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,28,192.168.1.56:25,192.168.1.56:31328,<,AUTH LOGIN,
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,29,192.168.1.56:25,192.168.1.56:31328,>,334 <authentication response>,
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,30,192.168.1.56:25,192.168.1.56:31328,>,334 <authentication response>,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,31,192.168.1.56:25,192.168.1.56:31328,*,SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAnySender BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,32,192.168.1.56:25,192.168.1.56:31328,*,CAYMANPORT\MailArchive,authenticated
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,33,192.168.1.56:25,192.168.1.56:31328,>,235 2.7.0 Authentication successful,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,34,192.168.1.56:25,192.168.1.56:31328,<,RSET,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,35,192.168.1.56:25,192.168.1.56:31328,>,250 2.0.0 Resetting,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,36,192.168.1.56:25,192.168.1.56:31328,<,MAIL FROM: <IT@caymanport.local>,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,37,192.168.1.56:25,192.168.1.56:31328,*,08D083C5375A12DB;2013-09-24T17:53:20.626Z;1,receiving message
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,38,192.168.1.56:25,192.168.1.56:31328,>,250 2.1.0 Sender OK,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,39,192.168.1.56:25,192.168.1.56:31328,<,RCPT TO: <IT@caymanport.local>,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,40,192.168.1.56:25,192.168.1.56:31328,>,250 2.1.5 Recipient OK,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,41,192.168.1.56:25,192.168.1.56:31328,<,DATA,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,42,192.168.1.56:25,192.168.1.56:31328,>,354 Start mail input; end with <CRLF>.<CRLF>,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,43,192.168.1.56:25,192.168.1.56:31328,>,550 5.7.1 Client does not have permissions to send as this sender,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,44,192.168.1.56:25,192.168.1.56:31328,<,QUIT,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,45,192.168.1.56:25,192.168.1.56:31328,>,221 2.0.0 Service closing transmission channel,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,46,192.168.1.56:25,192.168.1.56:31328,-,,Local

What am I missing here?
CIPortAuthority Asked:
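A way to sift a receive-connector protocol log for sessions like the one in the question, as an added example (Python, not from the original post and not an Exchange tool): it groups rows by session id, keeps the authenticated account, the last permission set the server granted, the MAIL FROM address and any 550 response, then flags sessions whose authenticated account does not match the sender's local part. The log sample is constructed to mirror the rejected session above; the session ids, hosts, domain and the second (accepted) session are made up.

```python
import csv
import re
from collections import defaultdict

# Constructed sample in the Exchange 2010 SMTP receive protocol log layout
# (date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context).
# S1 mirrors the rejected session in the question; S2 is a constructed accepted session.
SAMPLE_LOG = """\
2013-09-24T17:53:20.626Z,HUB\\Default HUB,S1,1,10.0.0.5:25,10.0.0.9:31328,*,SMTPSubmit SMTPAcceptAnySender AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.829Z,HUB\\Default HUB,S1,31,10.0.0.5:25,10.0.0.9:31328,*,SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAnySender BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.829Z,HUB\\Default HUB,S1,32,10.0.0.5:25,10.0.0.9:31328,*,EXAMPLE\\MailArchive,authenticated
2013-09-24T17:53:20.829Z,HUB\\Default HUB,S1,36,10.0.0.5:25,10.0.0.9:31328,<,MAIL FROM: <IT@example.local>,
2013-09-24T17:53:20.845Z,HUB\\Default HUB,S1,43,10.0.0.5:25,10.0.0.9:31328,>,550 5.7.1 Client does not have permissions to send as this sender,
2013-09-24T17:55:01.000Z,HUB\\Default HUB,S2,5,10.0.0.5:25,10.0.0.12:40001,*,EXAMPLE\\MailArchive,authenticated
2013-09-24T17:55:01.000Z,HUB\\Default HUB,S2,7,10.0.0.5:25,10.0.0.12:40001,<,MAIL FROM: <MailArchive@example.local>,
2013-09-24T17:55:01.100Z,HUB\\Default HUB,S2,12,10.0.0.5:25,10.0.0.12:40001,>,250 2.6.0 Queued mail for delivery,
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_sessions(log_text):
    """Collapse protocol-log rows into one record per SMTP session id."""
    sessions = defaultdict(lambda: {"auth_user": None, "permissions": set(),
                                    "mail_from": None, "rejection": None})
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 9 or row[0].startswith("#"):  # skip #Software/#Fields header rows
            continue
        session_id, event, data, context = row[2], row[6], row[7], row[8]
        s = sessions[session_id]
        if context == "authenticated":
            s["auth_user"] = data                     # DOMAIN\account that passed AUTH
        elif context == "Set Session Permissions":
            s["permissions"] = set(data.split())      # last grant wins (the post-AUTH set)
        elif event == "<" and data.upper().startswith("MAIL FROM"):
            m = ADDR_RE.search(data)
            s["mail_from"] = (m.group(1) if m else data).lower()
        elif event == ">" and data.startswith("550 "):
            s["rejection"] = data                     # permanent rejection sent to the client
    return dict(sessions)


def send_as_mismatches(sessions):
    """Heuristic: the authenticated account name differs from the sender's local part."""
    flagged = []
    for sid, s in sessions.items():
        if s["auth_user"] and s["mail_from"]:
            account = s["auth_user"].split("\\")[-1].lower()
            if s["mail_from"].split("@")[0] != account:
                flagged.append(sid)
    return flagged
```

Run it over a real RECV log from the TransportRoles\Logs\ProtocolLog folder by passing the file contents to parse_sessions; the mismatch list is only a heuristic, since legitimate send-as grants also show up in it.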
Amit (IT Architect) Commented:
Leave this connector as it is. Create a new relay connector and configure the application to use the new relay connector.

Follow this:
http://exchangeserverpro.com/how-to-configure-a-relay-connector-for-exchange-server-2010/

or

http://www.petenetlive.com/KB/Article/0000542.htm
0
CIPortAuthority (Author) Commented:
I already have a relay connector set up for those few devices that can't authenticate. But we have a lot of devices and apps that work this way, and I need a way to allow authenticated users to send mail. Otherwise I would need to find each and every IP address and add it to the relay connector.
0
Amit (IT Architect) Commented:
Yes, that is a bit of a painful task. I have been doing this for the last 8 months, as I have a very big environment.
0
Alan Hardisty (Co-Owner) Commented:
It looks like you are authenticating as user "MailArchive" yet you are sending out as "IT" - are these two separate accounts?

If they are, just add Send As on the "IT" account for "MailArchive" and you should be fine.

Alan
0
CIPortAuthority (Author) Commented:
The email address IT@caymanport.local is not a valid address, and I'm not entirely sure that I can change the "from" address in this particular application. In Exchange 2003, once you had authenticated, you could use any from/to address that you wanted. In Exchange 2010, do the addresses have to be valid email addresses associated with an AD account? If so, what is the point of the SMTPAcceptAnySender permission? Ideally, what I am looking to be able to do is set up a single user name/password in AD for devices to use to authenticate with Exchange 2010, but the devices could choose a from address that is more meaningful. For example, I would set up a user EmailAuth@caymanport.com, and then DeviceA would authenticate with that user but send out emails as DeviceA@caymanport.com.
0
CIPortAuthority (Author) Commented:
OK... I finally figured out what was going on. My setup was mostly correct, and Exchange was sort of hiding the real issue. I had the "Offer Basic authentication only after starting TLS" option turned on. This means that any client that was trying to authenticate had to support TLS, which of course most of my devices/applications don't. Without enabling TLS, the client never got a chance to authenticate, and thus all emails were considered unauthenticated and were rejected with the "Unable to relay" error. Once I turned this off, everything started working properly.
0
CIPortAuthority (Author) Commented:
Discovered my own solution.
0