Exchange 2013 / X-MS-Exchange-Organization-AuthAs


All external mails show as "X-MS-Exchange-Organization-AuthAs: internal"

How to change to anonymous?

(We have a WatchGuard XCS as spam)


viktor grant (Exchange Servers) Commented:

Check the following command:

Get-DistributionGroupMember "group name" | Format-List *RequireSenderAuthenticationEnabled*

Is it true?

Is your Watchguard an internal address on the same subnet as the Exchange HUB?

mikeydk (Author) Commented:

>Get-DistributionGroupMember "group name" | Format-List *RequireSenderAuthenticationEnabled*

Sorry - what distribution group?

>Is your Watchguard an internal address on the same subnet as the Exchange HUB?

Yes, same as the Exchange HUB.

viktor grant (Exchange Servers) Commented:
Hi Mike,

Since the emails get delivered to the Watchguard first, can you block the DL recipient there?

Could you, only for testing, change the IP for the Watchguard?


mikeydk (Author) Commented:
Sorry, we are not able to change IP on our Watchguard.

btan (Exec Consultant) Commented:
Maybe reference this, as the users have been authenticated internally; otherwise use the Anonymous user authentication instead. See more in
The only time Exchange will treat email as internal by default is the submission of email by an authenticated user, via either SMTP or an Outlook/OWA/ActiveSync client to which the user is authenticating directly with Exchange.

One way would be to create a receive connector which is dedicated to receiving email from your intranet application server (lock the receive connector to only receive from specific IPs, then specify the web server). You can then use the shell to add permissions on the receive connector for the anonymous account to submit email which bypasses anti-spam.

Jian An Lim (Solutions Architect) Commented:
Look closely at:

get-receiveconnector | ft name,remoteIPranges,authe*,permi*

Look at the IP address that sends from outside (usually the firewall) and make sure the authentication and permission are not custom or exchangeserver / externally trusted.

If you could put the result out here, I can tell you which one got into trouble.

mikeydk (Author) Commented:
@Jian An Lim

Jian An Lim (Solutions Architect) Commented:
I am looking at the IP from Relay **** and the IP address.

Do the IP addresses cover the Watchguard?

Can you generate it in list format?
## (the first command makes sure it lists more than 16 IP addresses, if you have more than that)

$FormatEnumerationLimit = -1
get-receiveconnector | fl name,remoteIPranges,authe*,permi*

I prefer a text file (you can style it in code or quote).

I believe your authentication and permission are exchangeserver and externallysecured, and the IP address of the Watchguard is in here.
Any IP address in the list is considered trusted.

mikeydk (Author) Commented:
@Jian An Lim

>Do the IP addresses cover the Watchguard?

Yes, the Watchguard IP is shown in the "Relay ****"

How do I make the Watchguard "anonymous"? (or?)

Jian An Lim (Solutions Architect) Commented:

So we know we can remove the IP address from it.

By default, if you did not make any changes to your "Default Frontend ****",
then it is safe to remove.

Just to confirm it has these settings; if it looks different, don't remove the IP address!!!
TransportRole    : FrontendTransport
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers


Jian An Lim (Solutions Architect) Commented:
To remove the IP address, you can easily do it via the GUI interface.

If not, you can use PowerShell; refer to this article

mikeydk (Author) Commented:

But, if I remove the Watchguard IPs... is it still able to deliver mail to the exchange server?

All other IPs in the relay **** are printers (SMTP). If not added to the relay, they are unable to connect using SMTP.

I believe my Watchguard also delivers mails by SMTP?

Sorry for my lack of knowledge...

Jian An Lim (Solutions Architect) Commented:
The default setting is that the printer should relay email internally but not externally,
i.e. if you are sending from the printer to <internaluser> it should not require any connector, but if you send from the printer to <ExternalUser> then you definitely need to put in a connector.

To confirm, you can post this:
get-receiveconnector "*\default*" | fl name,TransportRole,authe*,permi*

If you are 100% worried, we can create a new connector and only provide the Watchguard IP address.

What you need to tick is anonymous only (and make sure you put frontendtransport).

Detailed steps can be found here.
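
The check and the change discussed in this thread, combined as an added Exchange Management Shell example that is not part of any participant's post. `$GatewayIP`, `$Server`, `$RelayConnector` and the new connector's name are placeholders, and the two change commands carry `-WhatIf` so nothing is modified.

```powershell
# Added example; run in the Exchange Management Shell. All values below are placeholders.
$GatewayIP      = '192.0.2.25'               # constructed: address the gateway connects from
$Server         = 'EXCH01'                   # hypothetical server name
$RelayConnector = '<relay connector name>'   # placeholder: the thread's name is elided

function ConvertTo-IPv4Number([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

# True if $Address is inside a RemoteIPRanges entry: single IP, a.b.c.d/nn, or start-end
function Test-IPv4InRange([string]$Address, [string]$Range) {
    if ($Range -match ':') { return $false }            # IPv6 entries are not evaluated here
    $n     = ConvertTo-IPv4Number $Address
    $parts = $Range -split '[-/]'
    $first = ConvertTo-IPv4Number $parts[0]
    if ($Range -like '*-*') { return ($n -ge $first) -and ($n -le (ConvertTo-IPv4Number $parts[1])) }
    if ($Range -like '*/*') {
        $size  = [math]::Pow(2, 32 - [int]$parts[1])     # number of addresses in the block
        $start = [math]::Floor($first / $size) * $size
        return ($n -ge $start) -and ($n -lt ($start + $size))
    }
    return $n -eq $first
}

# 1. Which connectors claim the gateway's IP, and does any of them mark its mail as trusted?
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $auth  = "$($_.AuthMechanism)"; $perm = "$($_.PermissionGroups)"
    $match = @($_.RemoteIPRanges | ForEach-Object { "$_" } |
               Where-Object { Test-IPv4InRange $GatewayIP $_ })
    [pscustomobject]@{
        Name             = $_.Name
        MatchingRanges   = $match -join ', '
        AuthMechanism    = $auth
        PermissionGroups = $perm
        # Externally secured + ExchangeServers: senders in RemoteIPRanges are trusted
        TrustsSender     = ($auth -match 'ExternalAuthoritative') -and ($perm -match 'ExchangeServers')
    }
} | Where-Object MatchingRanges | Format-List

# 2. Dry run of the fix discussed in the thread: take the gateway out of the relay
#    connector, then give it a dedicated anonymous-only frontend connector.
Set-ReceiveConnector "$Server\$RelayConnector" -RemoteIPRanges @{Remove = $GatewayIP} -WhatIf
New-ReceiveConnector -Name 'Inbound from spam gateway' -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $GatewayIP -AuthMechanism Tls -PermissionGroups AnonymousUsers -WhatIf
```

Exchange hands a connection to the connector whose RemoteIPRanges entry matches the source address most specifically, so the default frontend connector's catch-all range will also appear in the step 1 output; the row to look at is the one with the narrowest matching range.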


Jian An Lim (Solutions Architect) Commented:
Working in multiple threads with the OP and working towards a solution.