Exchange 2010 Enable Authenticated User to Send As Any Address

Posted on 2013-09-24
Medium Priority
Last Modified: 2013-10-19
We have a number of applications and devices that need to send email through Exchange 2010.  One example is an application (GFI MailArchiver 2013) that needs to send emails occasionally with status updates.  It allows you to put in a user to authenticate with and an email address to send to.  It does not have an email address to send from.  On the default receive connector on our hub transport server, I added the Ms-Exch-SMTP-Accept-Any-Sender for NT AUTHORITY\Authenticated Users.  The receive connector is set up like this:
RunspaceId                              : 25170f51-437f-40bb-96c0-cb404ed7c23f
AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {:::25,}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : HUBTRANSPORT.caymanport.local
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 8
MaxLogonFailures                        : 3
MaxMessageSize                          : 80 MB (83,886,080 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 5000
PermissionGroups                        : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Custom
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : Verbose
RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : HUBTRANSPORT
SizeEnabled                             : EnabledWithoutValue
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Default HUBTRANSPORT
DistinguishedName                       : CN=Default HUBTRANSPORT,CN=SMTP Receive Connectors,CN=Protocols,CN=HUBTRANSPORT,CN=Servers,CN=Exchange Administrative Group,CN=Administrative Groups,CN=Port Authority,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,DC=local
Identity                                : HUBTRANSPORT\Default HUBTRANSPORT
Guid                                    : af67ef4c-5781-454b-b616-903d1d304306
ObjectCategory                          : caymanport.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 24/09/2013 11:46:39 AM
WhenCreated                             : 09/08/2011 6:56:11 AM
WhenChangedUTC                          : 24/09/2013 4:46:39 PM
WhenCreatedUTC                          : 09/08/2011 11:56:11 AM
OrganizationId                          :
OriginatingServer                       : dc.caymanport.local
IsValid                                 : True


In the logs, I see that the emails are being rejected with the "550 5.7.1 Client does not have permissions to send as this sender" error message.  But the logs also indicate that the permissions SMTPAcceptAnyRecipient and SMTPAcceptAnySender are set, and I would think that means that anyone could send as any address:
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,0,,,+,,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,1,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,2,,,>,"220 HUBTRANSPORT.caymanport.local Microsoft ESMTP MAIL Service ready at Tue, 24 Sep 2013 12:53:20 -0500",
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,3,,,<,HELO HUBTRANSPORT,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,4,,,>,250 HUBTRANSPORT.caymanport.local Hello [],
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,5,,,<,STARTTLS,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,6,,,>,220 2.0.0 SMTP server ready,
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,7,,,*,,Sending certificate
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,8,,,*,"CN=*.caymanport.local, OU=Comodo PremiumSSL Wildcard, O=Cayman Islands Port Authority, STREET=PO Box 1358GT, L=George Town, S=Grand Cayman, PostalCode=KY1-1108, C=KY",Certificate subject
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,9,,,*,"CN=COMODO High-Assurance Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",Certificate issuer name
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,10,,,*,226A1158D091CFB6EC7A5D956493BC15,Certificate serial number
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,11,,,*,45C5608CF3F701F6AF42F5DD742C135D78001F0A,Certificate thumbprint
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,12,,,*,*.caymanport.local;caymanport.local,Certificate alternate names
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,13,,,<,EHLO HUBTRANSPORT,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,14,,,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,15,,,>,250-HUBTRANSPORT.caymanport.local Hello [],
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,16,,,>,250-SIZE,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,17,,,>,250-PIPELINING,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,18,,,>,250-DSN,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,19,,,>,250-ENHANCEDSTATUSCODES,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,20,,,>,250-AUTH NTLM LOGIN,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,21,,,>,250-X-EXPS GSSAPI NTLM,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,22,,,>,250-8BITMIME,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,23,,,>,250-BINARYMIME,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,24,,,>,250-CHUNKING,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,25,,,>,250-XEXCH50,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,26,,,>,250-XRDST,
2013-09-24T17:53:20.782Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,27,,,>,250 XSHADOW,
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,28,,,<,AUTH LOGIN,
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,29,,,>,334 <authentication response>,
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,30,,,>,334 <authentication response>,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,31,,,*,SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAnySender BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,32,,,*,CAYMANPORT\MailArchive,authenticated
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,33,,,>,235 2.7.0 Authentication successful,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,34,,,<,RSET,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,35,,,>,250 2.0.0 Resetting,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,36,,,<,MAIL FROM: <IT@caymanport.local>,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,37,,,*,08D083C5375A12DB;2013-09-24T17:53:20.626Z;1,receiving message
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,38,,,>,250 2.1.0 Sender OK,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,39,,,<,RCPT TO: <IT@caymanport.local>,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,40,,,>,250 2.1.5 Recipient OK,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,41,,,<,DATA,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,42,,,>,354 Start mail input; end with <CRLF>.<CRLF>,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,43,,,>,550 5.7.1 Client does not have permissions to send as this sender,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,44,,,<,QUIT,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,45,,,>,221 2.0.0 Service closing transmission channel,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,46,,,-,,Local


What am I missing here?
Question by:CIPortAuthority
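The protocol log excerpt above is the evidence that matters here: the "Set Session Permissions" line before AUTH and the one after it show exactly which rights the session was granted, and the 550 at DATA shows where it was refused. The following PowerShell is an added example, not code from the original post, that summarises each session in an Exchange 2010 SMTP receive protocol log so that those three facts can be read off per session. The sample lines are constructed from the excerpt in the question; the field names are the standard header of the SmtpReceive log. It assumes PowerShell 3.0 or later (for `[pscustomobject]`) and is meant to be pointed at a real RECV*.LOG via Get-Content.

```powershell
# Added example: summarise SMTP sessions in an Exchange 2010 receive protocol log.
# Shows, per session, the permissions granted anonymously, the permissions granted
# after AUTH, the authenticated account, the MAIL FROM, and any 5xx response.
# Assumes PowerShell 3.0+. Sample lines are constructed from the question's excerpt.
# A real log lives under ...\TransportRoles\Logs\ProtocolLog\SmtpReceive\RECV*.LOG

# Standard field names from the SmtpReceive protocol log header
$Header = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

$SampleLog = @'
2013-09-24T17:53:20.626Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,1,,,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.814Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,28,,,<,AUTH LOGIN,
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,31,,,*,SMTPSubmit SMTPAcceptAnyRecipient SMTPAcceptAnySender BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,32,,,*,CAYMANPORT\MailArchive,authenticated
2013-09-24T17:53:20.829Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,36,,,<,MAIL FROM: <IT@caymanport.local>,
2013-09-24T17:53:20.845Z,HUBTRANSPORT\Default HUBTRANSPORT,08D083C5375A12DB,43,,,>,550 5.7.1 Client does not have permissions to send as this sender,
'@

function Get-SmtpSessionSummary {
    param([string[]]$Lines)

    # Skip blank lines and the log's own '#'-prefixed header block, then parse as CSV
    $rows = $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $Header

    foreach ($session in ($rows | Group-Object 'session-id')) {
        $events = $session.Group

        # Every "Set Session Permissions" event, in order: first is the anonymous
        # grant, last is the grant in force after authentication (if any)
        $perms = @($events |
            Where-Object { $_.context -eq 'Set Session Permissions' } |
            ForEach-Object { $_.data })

        $auth     = $events | Where-Object { $_.context -eq 'authenticated' } | Select-Object -First 1
        $mailFrom = $events | Where-Object { $_.event -eq '<' -and $_.data -like 'MAIL FROM*' } | Select-Object -First 1
        $reject   = $events | Where-Object { $_.event -eq '>' -and $_.data -match '^5\d\d ' } | Select-Object -First 1

        [pscustomobject]@{
            SessionId       = $session.Name
            Connector       = $events[0].'connector-id'
            AuthenticatedAs = if ($auth) { $auth.data } else { '(anonymous)' }
            AnonymousPerms  = if ($perms.Count -ge 1) { $perms[0] } else { '' }
            PostAuthPerms   = if ($perms.Count -ge 2) { $perms[-1] } else { '' }
            MailFrom        = if ($mailFrom) { $mailFrom.data } else { '' }
            Rejection       = if ($reject) { $reject.data } else { '' }
        }
    }
}

# Run against the constructed sample. For a real log:
#   Get-SmtpSessionSummary -Lines (Get-Content 'C:\...\SmtpReceive\RECV20130924-1.LOG')
Get-SmtpSessionSummary -Lines ($SampleLog -split "`r?`n") | Format-List
```

For the session in the question this reports AuthenticatedAs as CAYMANPORT\MailArchive, PostAuthPerms containing SMTPAcceptAnySender, and a 550 5.7.1 rejection; a session from a client that never authenticates shows "(anonymous)" with only the anonymous grant, which is the pattern to look for when checking whether devices are actually reaching AUTH at all.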

Expert Comment

ID: 39518791
Leave this connector as it is. Create a new relay connector and configure the application to use the new relay connector.

follow this

Author Comment

ID: 39518885
I already have a relay connector set up for those few devices that can't authenticate.  But we have a lot of devices and apps that work this way and I need a way to allow authenticated users to send mail.  Otherwise I would need to find each and every IP address and add it to the relay connector.

Expert Comment

ID: 39518903
Yeah, that is a bit of a painful task. I have been doing this for the last 8 months, as I have a very big environment.


Expert Comment

by:Alan Hardisty
ID: 39564744
It looks like you are authenticating as user "MailArchive" yet you are sending out as "IT" - are these two separate accounts?

If they are, just add Send As on the "IT" account for "MailArchive" and you should be fine.


Author Comment

ID: 39565387
The email address IT@caymanport.local is not a valid address and I'm not entirely sure that I can change the "from" address in this particular application.  In Exchange 2003, once you had authenticated, you could use any from/to address that you wanted.  In Exchange 2010, do the addresses have to be email addresses associated with a valid AD account?  If so, what is the point of the SMTPAcceptAnySender permission?  Ideally, what I am looking to be able to do is set up a single user name/password in AD for devices to use to authenticate with Exchange 2010, but the devices could choose a from address that is more meaningful.  For example, I would set up a user EmailAuth@caymanport.com and then DeviceA would authenticate with that user but send out emails as DeviceA@caymanport.com.

Accepted Solution

CIPortAuthority earned 0 total points
ID: 39572264
OK... I finally figured out what was going on.  My setup was mostly correct and Exchange was sort of hiding the real issue.  I had the "Offer Basic authentication only after starting TLS" option turned on.  This means that any client that was trying to authenticate had to support TLS, which of course most of my devices/applications don't.  Without enabling TLS, the client never got a chance to authenticate and thus all emails were considered unauthenticated and were rejected with the "Unable to relay" error.  Once I turned this off, everything started working properly.
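The EMC checkbox named in the accepted solution corresponds to the BasicAuthRequireTLS value in the connector's AuthMechanism, which is visible in the Get-ReceiveConnector output at the top of the question. The following Exchange Management Shell commands are an added example, not the poster's own steps, showing how to inspect that setting and the ms-Exch-SMTP-Accept-Any-Sender grant, how to apply the change the poster describes, and the alternative the first reply suggested: a separate connector for the devices. The connector identity, server name and the CAYMANPORT\MailArchive account come from the question and its log; the connector name "Device Auth Relay" and the 10.0.0.0/24 device subnet are assumptions for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management Shell.
# Connector identity and account are from the question; the new connector name and
# the 10.0.0.0/24 device subnet are assumed values to replace with your own.

$Connector = 'HUBTRANSPORT\Default HUBTRANSPORT'

# 1. Which auth mechanisms the connector offers. With BasicAuthRequireTLS present,
#    AUTH LOGIN is only available after STARTTLS; a client that never issues STARTTLS
#    stays anonymous, and its MAIL FROM is judged on the anonymous grant only.
Get-ReceiveConnector $Connector | Format-List AuthMechanism, PermissionGroups, RemoteIPRanges

# 2. Confirm who actually holds ms-Exch-SMTP-Accept-Any-Sender on this connector.
#    Deny = True here would override an Allow granted elsewhere.
Get-ReceiveConnector $Connector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Sender' } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 3a. The change the accepted solution describes: drop BasicAuthRequireTLS so that
#     Basic auth is offered without TLS. This is the same as clearing "Offer Basic
#     authentication only after starting TLS" in the EMC. Note that AUTH LOGIN
#     credentials are then base64 on the wire, not encrypted.
Set-ReceiveConnector $Connector -AuthMechanism 'Tls, Integrated, BasicAuth, ExchangeServer'

# 3b. Alternative that leaves the default connector untouched: a dedicated connector
#     on port 25 that only the device subnet can reach, accepting Basic auth without
#     TLS there, and granting Accept-Any-Sender to the one service account the
#     devices use rather than to every authenticated user in the domain.
New-ReceiveConnector -Name 'Device Auth Relay' -Server HUBTRANSPORT -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '10.0.0.0/24' `
    -AuthMechanism 'Tls, BasicAuth' -PermissionGroups 'ExchangeUsers'

Get-ReceiveConnector 'HUBTRANSPORT\Device Auth Relay' |
    Add-ADPermission -User 'CAYMANPORT\MailArchive' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Sender'

# 4. Verify the result on whichever connector you changed.
Get-ReceiveConnector 'HUBTRANSPORT\Device Auth Relay' |
    Get-ADPermission -User 'CAYMANPORT\MailArchive' |
    Format-Table User, ExtendedRights, Deny -AutoSize
```

Two things to weigh before choosing 3a over 3b. Removing BasicAuthRequireTLS from a connector bound to every address means any host on the network can submit domain credentials to it in cleartext, and the default connector's RemoteIPRanges in the question covers all addresses. Separately, ms-Exch-SMTP-Accept-Any-Sender for NT AUTHORITY\Authenticated Users lets any domain account, including one whose password has been guessed or stolen, send as any address in the accepted domains; scoping the right to the device service account on a subnet-limited connector keeps the capability the poster wants without extending it to the whole directory.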

Author Closing Comment

ID: 39584541
Discovered my own solution.
