Solved

Exchange 2010 - Allow authenticated user to relay as any email address?

Posted on 2016-09-02
7
64 Views
Last Modified: 2016-09-06
I have a vendor that sends notification emails from job applicants through our Exchange 2010 server. Vendor service connects and authenticates as donotreply@ on a separate receive connector on port 587. The vendor service then says the email is from the applicants email address, Exchange says the client doesn't have permission to send and dumps the message. How can I allow an authenticated user to send as anyone?

*,DOMAIN\donotreply,authenticated
>,235 2.7.0 Authentication successful,
<,MAIL FROM: <applicants_email_address@their_domain.com>,
*,08D3D15AAC2344AA;2016-09-02T15:31:08.310Z;1,receiving message
>,250 2.1.0 Sender OK,
,RCPT TO: <LEGIT EXCHANGE USER>,
>,250 2.1.5 Recipient OK,
<,DATA,
>,354 Start mail input; end with <CRLF>.<CRLF>,
>,550 5.7.1 Client does not have permissions to send as this sender,
<,QUIT,
>,221 2.0.0 Service closing transmission channel,

Open in new window

0
Comment
Question by:mvalpreda
  • 3
  • 2
  • 2
7 Comments
 
LVL 25

Expert Comment

by:-MAS
ID: 41781938
Hi,
If you want a secure way allow relay only on that particular IP. Detailed step below.
https://www.experts-exchange.com/articles/2666/Allow-relaying-on-Exchange-2007-Exchange-2010-in-4-easy-steps.html

Thanks
MAS
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 41781971
I read through that and it doesn't quite seem to fit what I am doing.

The vendor is not trying to send emails to an external user, they are trying to send an email to an internal user spoofing an external user.
0
 
LVL 25

Expert Comment

by:-MAS
ID: 41782043
This is the commands you have to use
New-ReceiveConnector -Name AllowRelay -usage Custom -Bindings '192.168.1.100:25' -fqdn server.domain.com -RemoteIPRanges <vendorIP> -server <YOUREXCHANGESERVERNAME> -permissiongroups AnonymousUsers

Open in new window


Then run this command to allow relay on that connector
Get-ReceiveConnector AllowRelay | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Open in new window


Replace 192.168.1.100 with your Exchange2010 IP

This will work for internal and external.
0
The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

 
LVL 2

Author Comment

by:mvalpreda
ID: 41782056
Will that make it so authentication won't work any longer? They have their side set up to use authentication to send and I'm trying to work with what they already have set up.
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 41782810
When the connection is authenticated, by default it can only send as that user, there is no mechanism in Exchange to allow an authenticated connection to send as "anything"

This is why MAS suggested setting up a relay connector bound to their exit IP address and to use an anonymous (not authenticated) connection.

You may however have issues if the original senders address is covered with an SPF record.
1
 
LVL 2

Author Closing Comment

by:mvalpreda
ID: 41786724
Had to have the vendor change one of their email processes to not use authentication.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 41786744
excellent to hear :-)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Find out what you should include to make the best professional email signature for your organization.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now