Exchange 2010 - Allow authenticated user to relay as any email address?

I have a vendor that sends notification emails from job applicants through our Exchange 2010 server. Vendor service connects and authenticates as donotreply@ on a separate receive connector on port 587. The vendor service then says the email is from the applicants email address, Exchange says the client doesn't have permission to send and dumps the message. How can I allow an authenticated user to send as anyone?

*,DOMAIN\donotreply,authenticated
>,235 2.7.0 Authentication successful,
<,MAIL FROM: <applicants_email_address@their_domain.com>,
*,08D3D15AAC2344AA;2016-09-02T15:31:08.310Z;1,receiving message
>,250 2.1.0 Sender OK,
,RCPT TO: <LEGIT EXCHANGE USER>,
>,250 2.1.5 Recipient OK,
<,DATA,
>,354 Start mail input; end with <CRLF>.<CRLF>,
>,550 5.7.1 Client does not have permissions to send as this sender,
<,QUIT,
>,221 2.0.0 Service closing transmission channel,

Open in new window

LVL 2
mvalpredaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MAS (MVE)EE Solution GuideCommented:
Hi,
If you want a secure way allow relay only on that particular IP. Detailed step below.
https://www.experts-exchange.com/articles/2666/Allow-relaying-on-Exchange-2007-Exchange-2010-in-4-easy-steps.html

Thanks
MAS
0
mvalpredaAuthor Commented:
I read through that and it doesn't quite seem to fit what I am doing.

The vendor is not trying to send emails to an external user, they are trying to send an email to an internal user spoofing an external user.
0
MAS (MVE)EE Solution GuideCommented:
This is the commands you have to use
New-ReceiveConnector -Name AllowRelay -usage Custom -Bindings '192.168.1.100:25' -fqdn server.domain.com -RemoteIPRanges <vendorIP> -server <YOUREXCHANGESERVERNAME> -permissiongroups AnonymousUsers

Open in new window


Then run this command to allow relay on that connector
Get-ReceiveConnector AllowRelay | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Open in new window


Replace 192.168.1.100 with your Exchange2010 IP

This will work for internal and external.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

mvalpredaAuthor Commented:
Will that make it so authentication won't work any longer? They have their side set up to use authentication to send and I'm trying to work with what they already have set up.
0
ArneLoviusCommented:
When the connection is authenticated, by default it can only send as that user, there is no mechanism in Exchange to allow an authenticated connection to send as "anything"

This is why MAS suggested setting up a relay connector bound to their exit IP address and to use an anonymous (not authenticated) connection.

You may however have issues if the original senders address is covered with an SPF record.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mvalpredaAuthor Commented:
Had to have the vendor change one of their email processes to not use authentication.
0
ArneLoviusCommented:
excellent to hear :-)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.