JamesonJendreas
asked on
Exchange 2010 0 5.7.1 - Can't Relay and Client does not have permissions to send as this sender
Hello,
I am having some issues getting my Exchange server to allow me to relay. I am running a single stand-alone exchange 2010 server.
The way this works - I have my voice mail server (Windows server 2012). When a VM is left, an email is generated and sent to a defined address in my PBX. As long as the user is in my email domain, no problem. The problem arises when I attempt to send to an external domain (testing with gmail).
So, the VM server utilizes IIS 6.0 and the SMTP virtual server. The basic setup for the PBX is to set a SmartHost in the outbound delivery. Here I define my Exchange server.
For relay, I decided NOT to just open up the relay, but to authenticate. Easy enough. I've created a whole new AD account and created a mailbox for it. In IIS 6 on the VM server, I created new remote domain "gmail.com" and edited ti's properties. I entered my Exchange server as the smart host. I went ahead and setup integrated Windows authentication and put in the username and password of the newly created user.
Runing my tests result in a 5.7.1 user does not have permissions to send to this mailbox, and I can confirm that we are authenticating (by running wireshark on both the VM server and the exchange server).
I am having some issues getting my Exchange server to allow me to relay. I am running a single stand-alone exchange 2010 server.
The way this works - I have my voice mail server (Windows server 2012). When a VM is left, an email is generated and sent to a defined address in my PBX. As long as the user is in my email domain, no problem. The problem arises when I attempt to send to an external domain (testing with gmail).
So, the VM server utilizes IIS 6.0 and the SMTP virtual server. The basic setup for the PBX is to set a SmartHost in the outbound delivery. Here I define my Exchange server.
For relay, I decided NOT to just open up the relay, but to authenticate. Easy enough. I've created a whole new AD account and created a mailbox for it. In IIS 6 on the VM server, I created new remote domain "gmail.com" and edited ti's properties. I entered my Exchange server as the smart host. I went ahead and setup integrated Windows authentication and put in the username and password of the newly created user.
Runing my tests result in a 5.7.1 user does not have permissions to send to this mailbox, and I can confirm that we are authenticating (by running wireshark on both the VM server and the exchange server).
M A
Try ticking anonymous users in the defaut receive connector properties
ASKER
I'll give it a go, but I would perfer to authenticate. Note, I am getting pass authentication
Here is the TCP stream via wireshark (note I have scrubbed out my domain and other sensitive information)
220 cas.DOMAIN.SCRUBBED Microsoft ESMTP MAIL Service ready at Fri, 18 Apr 2014 07:53:50 -0700
EHLO HQ.DOMAIN.SCRUBBED
250-cas.DOMAIN.SCRUBBED Hello [<VM Server IP>]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
AUTH NTLM [SCRUBBED]==
334 [AUTH SCRUBBED]==
235 2.7.0 Authentication successful
MAIL FROM:<USER.SCRUBBED@DOMAIN
250 2.1.0 Sender OK
RCPT TO:<MYTEST@gmail.com>
250 2.1.5 Recipient OK
BDAT 1138 LAST
Received: from mail pickup service by HQ.DOMAIN.SCRUBBED with Microsoft SMTPSVC;
. Fri, 18 Apr 2014 07:53:51 -0700
thread-index: Ac9bFgKvUbmIVIogSfi6ttO7Hn
Thread-Topic: ShoreTel voice message from Jameson Jendreas, 6062 for mailbox 6094
From: "ShoreWare Voice Mail" <USER.SCRUBBED@DOMAIN.SCRU
To: <MYTEST@gmail.com>
Subject: ShoreTel voice message from Jameson Jendreas, 6062 for mailbox 6094
Date: Fri, 18 Apr 2014 07:53:50 -0700
Keywords: {"SHORETEL_INFO":"VMSync",
Message-ID: <B9B52EA3D2D04B229DC5F6A33
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding:
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:messag
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.2.9200.16384
X-OriginalArrivalTime: 18 Apr 2014 14:53:51.0155 (UTC) FILETIME=[02CED030:01CF5B1
You have received a voice mail message from Jameson Jendreas, 6062 for mailbox 6094.
Message length is 00:00:02. Message size is 19 KB.
550 5.7.1 Client does not have permissions to send as this sender
QUIT
221 2.0.0 Service closing transmission channel
Here is the TCP stream via wireshark (note I have scrubbed out my domain and other sensitive information)
220 cas.DOMAIN.SCRUBBED Microsoft ESMTP MAIL Service ready at Fri, 18 Apr 2014 07:53:50 -0700
EHLO HQ.DOMAIN.SCRUBBED
250-cas.DOMAIN.SCRUBBED Hello [<VM Server IP>]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
AUTH NTLM [SCRUBBED]==
334 [AUTH SCRUBBED]==
235 2.7.0 Authentication successful
MAIL FROM:<USER.SCRUBBED@DOMAIN
250 2.1.0 Sender OK
RCPT TO:<MYTEST@gmail.com>
250 2.1.5 Recipient OK
BDAT 1138 LAST
Received: from mail pickup service by HQ.DOMAIN.SCRUBBED with Microsoft SMTPSVC;
. Fri, 18 Apr 2014 07:53:51 -0700
thread-index: Ac9bFgKvUbmIVIogSfi6ttO7Hn
Thread-Topic: ShoreTel voice message from Jameson Jendreas, 6062 for mailbox 6094
From: "ShoreWare Voice Mail" <USER.SCRUBBED@DOMAIN.SCRU
To: <MYTEST@gmail.com>
Subject: ShoreTel voice message from Jameson Jendreas, 6062 for mailbox 6094
Date: Fri, 18 Apr 2014 07:53:50 -0700
Keywords: {"SHORETEL_INFO":"VMSync",
Message-ID: <B9B52EA3D2D04B229DC5F6A33
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding:
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:messag
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.2.9200.16384
X-OriginalArrivalTime: 18 Apr 2014 14:53:51.0155 (UTC) FILETIME=[02CED030:01CF5B1
You have received a voice mail message from Jameson Jendreas, 6062 for mailbox 6094.
Message length is 00:00:02. Message size is 19 KB.
550 5.7.1 Client does not have permissions to send as this sender
QUIT
221 2.0.0 Service closing transmission channel
ASKER
Actually, Anonymous Users is already checked.
Please try allowing relay that particular IP
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2666-Allow-relaying-on-Exchange-2007-Exchange-2010-in-4-easy-steps.html
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2666-Allow-relaying-on-Exchange-2007-Exchange-2010-in-4-easy-steps.html
ASKER
So that was my next thought actually, essentially I need to add another NIC to my exchange server. It's a virtual server, so while that isn't hard, it'll require going through extra change control so I can't do it right now. Once approved, then that'l likely be the solution.
But you dont need to wait for the second NIC.
You can configure the current IP and try without user work interruption. if its successful then do as you wish.
Furthermore you are allowing the IP of the other server not the exchange server.
So it doesn't make difference if you do it now or later as you are allowing a non-mail server to relay through your mail server
You can configure the current IP and try without user work interruption. if its successful then do as you wish.
Furthermore you are allowing the IP of the other server not the exchange server.
So it doesn't make difference if you do it now or later as you are allowing a non-mail server to relay through your mail server
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK - I ended up going about this a little different (and still not too sure why this works this way and not using self sending).
I ended up creating a new account (NOT the account with the mailbox). I gave that account send-as rights for the email box. I then setup my SMTP virtual server on the voice mail server to authenticate using the newly created account that had send-as rights for the mailbox,
It makes little sense to me as why if I attempt to authenticate using the actual user account tied to the mailbox, especially since I checked to ensure it had self-send permissions.
I ended up creating a new account (NOT the account with the mailbox). I gave that account send-as rights for the email box. I then setup my SMTP virtual server on the voice mail server to authenticate using the newly created account that had send-as rights for the mailbox,
It makes little sense to me as why if I attempt to authenticate using the actual user account tied to the mailbox, especially since I checked to ensure it had self-send permissions.