Solved

ReceiveConnectors on Exchange 2010 Help needed

Posted on 2015-02-03
Last Modified: 2015-02-20
Exchange Server 2010 Enterprise 64 Bit SP3 Rollup 8
Windows 2008 R2 SP1 64 bit

Getting this message

Log Name:      Application
Source:        MSExchangeTransport
Date:          2/1/2015 1:00:05 PM
Event ID:      1035
Task Category: SmtpReceive
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SERV025.our.network.tgcsnet.com
Description:
Inbound authentication failed with error LogonDenied for Receive connector My Connector. The authentication mechanism is Ntlm. The source IP address of the client who tried to authenticate to Microsoft Exchange is [10.2.8.17].


The ip address is an internal address on my WSUS server which sends status emails each day.

I also get the same 1035 on some external emails.

The Relay connector was disabled due to the many spam emails I was getting
The Relay connector was what I used on my 2007 exchange server.
The Relay connector was setup to allow all my internal devices to send smtp email to port 25
After switching to 2010 Exchange server I started getting this message.

See the attached get-receiveconnector | FL
rec.txt
Question by:Thomas Grassi
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40587680
Under the network tab for your receive connector do you have the IP address of the WSUS server listed?

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40587704
Will
Welcome back.

When I look at the receive connectors using the EMC I see all my local network address listed.

But when I run get-receiveconnector | FL  

they do not show

Are we talking about  TGCSNET Connector???????


Any thoughts on why the FL not showing


Update

I ran this get-receiveconnector 'tgcsnet connector' | fl

That shows the IP addresses; doing the full list, it does not.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40587721
When you do get-receiveconnector | fl you want to look at the RemoteIPRanges attribute.

Is it possible to create a new receive connector and test? Do you have the proper Permission Groups? If you are sending email from WSUS server and you are not using authentication you will need to have your receive connector permission set to Anonymous.

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40587734
Will


I attached new get-receiveconnector


If we create a new receive connector then how do we determine which connector is going to be used by my internal devices?

I used to use tgcsnet relay; that worked on 2007, but we disabled it when I installed 2010. You and I worked on another issue with that.
receive-connectors.txt
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40587739
You can disable your current receive connector temporarily when you are testing the new connector to ensure that it is using the one you created.

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40589558
Will

Which one should we do this?

'tgcsnet connector'    ????
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40590214
Will

update,

On the WSUS server I changed the WSUS server email settings to use port 1025

That worked without using logon settings

When using port 25 I needed to use logon / password

Both connectors have anonymous checked you can see that in the attachments
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40591741
Will

Update

My WSUS server is working now with port 1025.

My only concern now is the external attempts causing this message to appear

I only get this once in a while

Thoughts?
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40592844
Will

Still getting 1035 messages on outside ip addresses  the last ip address came from a site in Germany
I have no clients in Germany

I ran this

[PS] C:\Windows\system32>setspn -L SERV025
Registered ServicePrincipalNames for CN=SERV025,CN=Computers,DC=our,DC=network,DC=MyDomain,DC=com:
        exchangeRFR/SERV025
        exchangeRFR/SERV025.our.network.MyDomain.com
        exchangeAB/SERV025
        exchangeAB/SERV025.our.network.MyDomain.com
        exchangeMDB/SERV025.our.network.MyDomain.com
        exchangeMDB/SERV025
        SMTP/SERV025
        SMTP/SERV025.our.network.MyDomain.com
        SmtpSvc/SERV025
        SmtpSvc/SERV025.our.network.MyDomain.com
        WSMAN/SERV025.our.network.MyDomain.com
        WSMAN/SERV025
        RestrictedKrbHost/SERV025
        HOST/SERV025
        RestrictedKrbHost/SERV025.our.network.MyDomain.com
        HOST/SERV025.our.network.MyDomain.com
[PS] C:\Windows\system32>


Any thoughts?
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40607910
Hi Will

I found this

https://technet.microsoft.com/en-us/library/bb232021(v=exchg.141).aspx

Is that what you mean for me to do?

If so what should the default connector be setup ? in my post above is it correct?

I think I need a relay connector setup for all my internal devices that send smtp email to my exchange server correct?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40607994
That link is correct. If you have an application that does not use authentication for sending emails you need to create a receive connector which allows "anonymous" access and restricting this using the internal IP's of your servers where you want email to come from.

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40608007
Will

Great I will work on that over the weekend.

I will post results

What about the other connectors they look ok ?
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609160
Will

Stuck on this step

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

What would I need to do here?

Will

Can you post the correct values for the two default connectors?

I can only get internet mail if I turn on anonymous users in the permission groups tab

I think that might be the problem

I ran this

get-receiveconnector "default tgcs025" | add-adpermission -user "NT Authority\Anonymous LOGON" -extendedrights "Ms-Exch-SMTP-Accept-Any-Recipient"

got this result

Identity                                        User                                                   Deny    Inherited
TGCS025\Default TGCS025    NT Authority\ANonymous LOGON  False   False

Need help
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40609180
Default Client Receive Connector Settings
Client-Network.jpg Client-Authentication.jpg Client-Permission.jpg
Default Server Receive Connector Settings
NetworkTab.jpg authenticationTab.jpg permissionTab.jpg
Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609189
Will

Thanks a million


My problem is that when I uncheck Anonymous Users on the Default Server Receive Connector

I do not receive outside email from the internet  

I have it checked now

What am I missing here?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40609199
What do you have configured for your perimeter Mail appliance? Smart host or Edge server? External email coming into the environment should be going to those and relaying the mail to your internal receive connectors.

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609202
Will

Where do I find that info?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40609210
These would be actual servers (edge server) or an appliance that you would have set up. This is separate from Exchange. You can check your send connector's IP address, which should be pointing to your smart host or edge server.

If you are using Edge server this can be configured from the EMC. https://technet.microsoft.com/en-us/library/bb123492(v=exchg.141).aspx

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609216
Will

I do not believe I am running Edge Server not in my console tree

My Send connector does not show ip address
Use domain name system (DNS) mx records to route mail automatically is checked


thoughts?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40609220
Can you send mail externally, just not receive from external sources? Can you send mail internally to other mailboxes without issue?

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609222
Will

Yes can send externally   Just will not receive if anonymous users is unchecked

Yes internally no problem


Could this be the problem

get-receiveconnector "default tgcs025" | add-adpermission -user "NT Authority\Anonymous LOGON" -extendedrights "Ms-Exch-SMTP-Accept-Any-Recipient"


I did that how can I check if that is in effect?

I even restarted the transport service after doing  that
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40609227
Have you checked your queue viewer to see if messages are getting stuck in there? If they are what errors are present?

Also as you can see you might want to implement something like Edge Transport Server or Smart Host because by default they can receive Anonymous messages. All messages from the internet are anonymous which is why in your case you need to have anonymous checked to receive email.

The preferred method would be creating a receive connector from your Edge server or smart host allowing only those IP's to send anonymously to your receive connectors.

Take a look at the following article as it illustrates the same concept I have just mentioned above.
http://www.msexchange.org/articles-tutorials/exchange-server-2010/planning-architecture/smtp-routing-exchange-2010-part2.html

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609236
My queue is clean no errors on the queues


The only message I get is this from time to time

Type :            Warning
Date :            2/13/2015
Time :            8:14:05 PM
Event :            1035
Source :            MSExchangeTransport
Category :      SmtpReceive
User :            N/A
Computer :      TGCS025.our.network.tgcsnet.com
Description:
The description for Event ID ( 1035 ) in Source ( MSExchangeTransport ) could not be found.
Either the component that raises this event is not installed on the computer or the installation is corrupted.You can install or repair the component or try to change Description Server.

The following information was included with the event (insertion strings):
LogonDenied
Default TGCS025
Ntlm
203.125.141.216


According to the article I need Anonymous Users checked to get internal and external email flowing so we are right with this.

Do I need another license to set up an Edge Server?

So I think my default connectors are good now.

I have one connector for port 1025 which is working ok

I have two others for port 25 relay; will disable both of those and create a new one to see if that helps


Thoughts
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40609766
Will

I am getting the same issue I had when we first started working on my Exchange 2010 install and you helped me with.

I am getting attempts of spoofing emails trying to use my domain name as their email
example  my domain is mydomain.com  my email is tom@mydomain.com
I am seeing the xyz@mydomain.com

I found this
https://social.technet.microsoft.com/Forums/en-US/58c243da-5f77-4909-bc72-9fba82041c17/preventing-email-spoofing-on-exchange-server-0710-13?forum=exchangesvrsecuremessaging

But in there they are saying to take off anonymous users; if I do that then my internet email will stop working.


I ran this
get-receiveconnector "default tgcs025" | add-adpermission -user "NT Authority\Anonymous LOGON" -extendedrights "Ms-Exch-SMTP-Accept-Any-Recipient"


I think I need to remove Any-Recipient


Thoughts.


PS can you also reply to the post above too Thanks again for all your help

PSS Will forgot I now have ORF Fusion running
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40610407
Will

Update removed accepted any recipient using adsiedit.msc

Now not getting spoofing

I will keep eye out for error 1035

New connector is working
0
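
Added example, not part of the original thread and not either poster's code: one way to check from the Exchange Management Shell which receive connectors grant Ms-Exch-SMTP-Accept-Any-Recipient to anonymous senders, and to preview its removal without adsiedit.msc. Treating a connector as risky only when it also accepts any IPv4 address is an assumption of this example.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'Ms-Exch-SMTP-Accept-Any-Recipient'
$anyIPv4    = '0.0.0.0-255.255.255.255'   # "any IPv4 address" as Exchange displays it

# Collect the connectors first so no two Exchange pipelines run at the same time.
$report = foreach ($rc in @(Get-ReceiveConnector)) {
    # Allow ACEs held by ANONYMOUS LOGON on this connector object
    $aces = @($rc | Get-ADPermission -User $anon -ErrorAction SilentlyContinue |
              Where-Object { -not $_.Deny })
    $rights = @($aces | ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })

    New-Object PSObject -Property @{
        Connector      = "$($rc.Identity)"
        Bindings       = ($rc.Bindings | ForEach-Object { "$_" }) -join ', '
        AnonymousGroup = ("$($rc.PermissionGroups)" -match 'AnonymousUsers')
        AnonymousRelay = ($rights -contains $relayRight)
        OpenToAnyIPv4  = ($ranges -contains $anyIPv4)
        RemoteIPRanges = $ranges -join ', '
    }
}

$report | Sort-Object Connector |
    Format-List Connector, Bindings, AnonymousGroup, AnonymousRelay, OpenToAnyIPv4, RemoteIPRanges

# A connector that relays for anonymous senders from any address needs attention.
$risky = @($report | Where-Object { $_.AnonymousRelay -and $_.OpenToAnyIPv4 })
foreach ($r in $risky) {
    Write-Warning "$($r.Connector) accepts any recipient from anonymous senders at any IPv4 address"
    # Preview the removal; drop -WhatIf to apply it.
    Get-ReceiveConnector $r.Connector |
        Remove-ADPermission -User $anon -ExtendedRights $relayRight -WhatIf
}
```

A connector that is meant to relay for internal devices should show AnonymousRelay as True only together with a RemoteIPRanges list limited to those devices.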
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40610465
Perfect, glad it is working for you.

Will.
0
 
LVL 23

Author Closing Comment

by:Thomas Grassi
ID: 40610891
Will

Thanks as I said will keep eye out for event id 1035

I have two other open questions; do you think you could take a look at them?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28616876.html

and

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28616245.html


Thanks again for all your help
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40610940
Sure I will take a look at them in a few.

Will.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 40621556
Will

I am still getting the 1035 error but only on external email attempts.

All internal email is working fine.

So is external email

But why do I get this 1035 error?
0
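
Added example, not part of the original thread: a way to summarise Event ID 1035 entries by source address and connector, so repeated failed logons from outside addresses stand apart from a misconfigured internal device. The insertion-string order is taken from the event posted above; the 7-day window and the use of private address ranges to mean "internal" are assumptions of this example.

```powershell
# Added example. Run on the Exchange server in an elevated PowerShell session.
function Test-PrivateIPv4([string]$ip) {
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$addr)) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$filter = @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'
             Id = 1035; StartTime = (Get-Date).AddDays(-7) }

# Insertion strings, in the order shown in the thread:
# [0] error (LogonDenied), [1] connector, [2] mechanism (Ntlm), [3] source IP
$failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Error     = "$($p[0].Value)"
            Connector = "$($p[1].Value)"
            Mechanism = "$($p[2].Value)"
            SourceIP  = "$($p[3].Value)".Trim('[', ']', ' ')
        }
    })

# One row per source address and connector, busiest first
$failures | Group-Object SourceIP, Connector | ForEach-Object {
    $g = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        SourceIP  = $g[0].SourceIP
        Internal  = (Test-PrivateIPv4 $g[0].SourceIP)
        Connector = $g[0].Connector
        Mechanism = $g[0].Mechanism
        Failures  = $g.Count
        FirstSeen = $g[0].Time
        LastSeen  = $g[-1].Time
    }
} | Sort-Object Failures -Descending |
    Format-Table SourceIP, Internal, Connector, Mechanism, Failures, FirstSeen, LastSeen -AutoSize
```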
