External SMTP Relay with Authentication

I am having trouble setting up a receive connector in Exchange 2016 for an internal application to send emails to external contacts using authentication.  I had this working fine but the other day I installed Recipient Filtering and now my internal application can't send email to external contacts.

I would like to set up a receive connector which sends mail to external contacts and uses authentication (External SMTP Relay with Authentication).

I have followed instructions on creating a new connector that are found on: https://practical365.com/exchange-server/exchange-2016-smtp-relay-connector/ but no luck so far.

Here is what is logged for the receive connector (logs are sanitized):
220 EXCH02.aaaaaa.lan Microsoft ESMTP MAIL Service ready,
EHLO proteus,
250  EXCH02.aaaaaa.lan Hello [192.168.177.10] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM LOGIN X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
RSET,
Tarpit for '0.00:00:05' due to '250 2.0.0 Resetting',
250 2.0.0 Resetting,
AUTH LOGIN,
334 <authentication response>,
334 <authentication response>,
SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SMTPSendXShadow SMTPAcceptXShadow SMTPAcceptXProxyFrom SMTPAcceptXSessionParams SMTPAcceptXMessageContextADRecipientCache SMTPAcceptXMessageContextExtendedProperties SMTPAcceptXMessageContextFastIndex SMTPAcceptXAttr SMTPAcceptXSysProbe,Set Session Permissions
domainName/adminXXXXXX,authenticated
ASyncBackendLocator.BeginGetDatabaseToServerMappingInfo for user adminXXXXXX@aaaaaa.com.
AsyncBackendLocator.EndGetDatabaseToServerMappingInfo for user adminXXXXXX@aaaaaa.com
Setting up client proxy session to destination(s): EXCH02.aaaaaa.lan
Setting up client proxy session failed with error: 451 4.5.0 Require XAnonymousTls to send mail
Setting up client proxy session failed with error: 451 4.4.395 Target host responded with error. -> 451 4.5.0 Require XAnonymousTls to send mail
SMTPAcceptAnyRecipient,Set Session Permissions
451 4.7.0 Temporary server error. Please try again later. PRX4 ,

Settings for the Receive Connector are as follows:
AuthMechanism                             : Tls, BasicAuth
BinaryMimeEnabled                         : True
Bindings                                  : {0.0.0.0:25}
ChunkingEnabled                           : True
DeliveryStatusNotificationEnabled         : True
EightBitMimeEnabled                       : True
SmtpUtf8Enabled                           : True
BareLinefeedRejectionEnabled              : False
DomainSecureEnabled                       : False
EnhancedStatusCodesEnabled                : True
LongAddressesEnabled                      : False
OrarEnabled                               : False
SuppressXAnonymousTls                     : False
ProxyEnabled                              : False
AdvertiseClientSettings                   : False
Fqdn                                      : remote.aaaaaa.com
ServiceDiscoveryFqdn                      :
TlsCertificateName                        : <I>CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US<S>CN=remote.aaaaaa.com
Comment                                   :
Enabled                                   : True
ConnectionTimeout                         : 00:10:00
ConnectionInactivityTimeout               : 00:05:00
MessageRateLimit                          : Unlimited
MessageRateSource                         : IPAddress
MaxInboundConnection                      : 5000
MaxInboundConnectionPerSource             : 20
MaxInboundConnectionPercentagePerSource   : 2
MaxHeaderSize                             : 256 KB (262,144 bytes)
MaxHopCount                               : 60
MaxLocalHopCount                          : 12
MaxLogonFailures                          : 3
MaxMessageSize                            : 36 MB (37,748,736 bytes)
MaxProtocolErrors                         : 5
MaxRecipientsPerMessage                   : 200
PermissionGroups                          : ExchangeUsers
PipeliningEnabled                         : True
ProtocolLoggingLevel                      : Verbose
RemoteIPRanges                            : {192.168.xxx.yyy}
RequireEHLODomain                         : False
RequireTLS                                : False
EnableAuthGSSAPI                          : False
ExtendedProtectionPolicy                  : None
LiveCredentialEnabled                     : False
TlsDomainCapabilities                     : {}
Server                                    : EXCH02
TransportRole                             : FrontendTransport
RejectReservedTopLevelRecipientDomains    : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains         : False
AcceptConsumerMail                        : False
SizeEnabled                               : Enabled
TarpitInterval                            : 00:00:05
AuthTarpitInterval                        : 00:00:05
MaxAcknowledgementDelay                   : 00:00:30
AdminDisplayName                          :
ExchangeVersion                           : 0.1 (8.0.535.0)
Name                                      : External SMTP
IsValid                                   : True

I have also set the permission for the account which I'd like to authenticate with for the receive connector:
Get-ReceiveConnector 'External SMTP' | Add-ADPermission -User adminXXXXXX -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

According to the logs, the username and password are put in correctly since "authenticated" is written in the logs. So why is it complaining about XAnonymousTls?

In addition, if I add "Anonymous Users" to the permission group for the connector and remove the username/password in the application, then I'm able to send email to external clients, but I'd prefer to set this up with authentication.

What am I missing here?
Medrx Asked:
Amit (IT Architect) Commented:
Do this from your application server. Use the telnet tool, connect to your Exchange server and then send a mail using telnet. Let me know if that works. Next, check the protocol logs. In them you will find what exactly is going on.

Refer:
https://technet.microsoft.com/en-us/library/aa995718(v=exchg.65).aspx
https://technet.microsoft.com/en-us/library/dd302434(v=exchg.160).aspx
0
Medrx (Author) Commented:
From the app server I used the SMTP Diag Tool so that I didn't have to convert to base64 for the authentication. This is what was returned:
Connecting to mail server.
Connected.
220 EXCH02.aaaaaa.lan Microsoft ESMTP MAIL Service
EHLO proteus
250-EXCH02.aaaaaa.lan Hello [192.168.xxx.yyy]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
AUTH NTLM <base64 encoding>
334 <base64 encoding>
451 4.7.0 Temporary server error. Please try again later. PRX4 
Forcing disconnection from SMTP server.
QUIT
221 2.0.0 Service closing transmission channel
Disconnected.

Error: SMTP protocol error. 451 4.7.0 Temporary server error. Please try again later. PRX4 .
Failed to send message

The Protocol Log on the Exchange server has the same log as I posted in my initial post. Same errors: 4.5.0 and 4.4.395.
0
ArneLovius Commented:
If the sending server is internal, I would tend to create a relay capable connector that does not require authentication, and then tie it down to specific IP addresses.

Unless your sending application is capable of STARTTLS so that the credentials are not sent in plaintext...
0
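A way to run the test Amit suggests (submit a message from the application server, then read the receive protocol log) while also keeping the credentials inside STARTTLS as ArneLovius recommends, as an added example that is not from the original thread. Send-MailMessage with -UseSsl issues STARTTLS before AUTH on port 25; the second half reads the front-end protocol log path from Get-FrontendTransportService instead of assuming it. The server name, client address, sender, recipient and account below are placeholders.

```powershell
# Added example (not from the thread). Step 1 runs on the application server,
# step 2 on the Exchange server in the Exchange Management Shell.
# Every name and address below is a placeholder: replace with your own.

# --- Step 1: submit a test message with authentication over STARTTLS ---
$SmtpServer = 'remote.aaaaaa.com'      # FQDN the receive connector advertises
$Credential = Get-Credential -Message 'Account the application relays with'

# -UseSsl makes Send-MailMessage issue STARTTLS before AUTH, so the
# username and password are not sent in the clear on port 25.
Send-MailMessage -SmtpServer $SmtpServer -Port 25 -UseSsl `
    -Credential $Credential `
    -From 'app@aaaaaa.com' -To 'external.contact@example.com' `
    -Subject 'Relay test' -Body 'Authenticated relay test'

# --- Step 2: pull the session out of the front-end receive protocol log ---
$Server   = 'EXCH02'
$ClientIp = '192.168.177.10'           # application server's address
$LogPath  = [string](Get-FrontendTransportService -Identity $Server).ReceiveProtocolLogPath

# Newest log file in the SmtpReceive directory.
$LatestLog = Get-ChildItem -Path $LogPath -Filter '*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Protocol logs are CSV with '#' header lines; the column names follow
# '#Fields:'. The session-id column ties every line of one SMTP
# conversation together.
$Lines  = Get-Content -Path $LatestLog.FullName
$Header = ($Lines | Where-Object { $_ -like '#Fields:*' } |
    Select-Object -First 1) -replace '^#Fields:\s*', ''
$Rows   = $Lines | Where-Object { $_ -notlike '#*' } |
    ConvertFrom-Csv -Header ($Header -split ',')

# Sessions that came from the application server.
$SessionIds = $Rows |
    Where-Object { $_.'remote-endpoint' -like "$ClientIp*" } |
    Select-Object -ExpandProperty 'session-id' -Unique

# Print those sessions in order so EHLO, STARTTLS, AUTH, the session
# permissions and any 4xx/5xx response can be read together.
$Rows | Where-Object { $SessionIds -contains $_.'session-id' } |
    Select-Object 'date-time', 'connector-id', 'event', 'data', 'context' |
    Format-Table -AutoSize

# A "451 4.5.0 Require XAnonymousTls" after "authenticated" here comes from
# the proxy hop between the front-end connector and the hub-transport
# (Client Proxy) connector, not from the application's credentials.
```

If the application cannot do STARTTLS, the log will show AUTH immediately after EHLO with no STARTTLS event between them, which is the plaintext-credential case ArneLovius is warning about.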
Medrx (Author) Commented:
I would like to get the connector working with authentication as it was working fine before. If I turn on anonymous on the connector then it works, but that is not what I'm looking to get an answer on.
0
Amit (IT Architect) Commented:
Are you able to resolve it?
0
Medrx (Author) Commented:
Yes, I was able to solve this issue.

The issue was due to some silly changes I made.
  • I ended up installing a certificate for the Client Proxy receive connector
  • In order to apply the certificate, I unchecked "Exchange Server Authentication" and "Exchange Servers" otherwise I was getting error about the fqdn

Turns out that when an app sends email on port 25, the receive connector then needs to pass the email to the Client Proxy receive connector.  But in order for all this to work properly, Exchange Server Authentication needs to be enabled - this is why it threw the error "Require XAnonymousTls to send mail".  So I undid the above changes and things returned to normal.
0
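A check that corresponds to the fix described above, as an added example that is not from the thread: it lists the hub-transport receive connectors on a server (the Client Proxy connector among them) and flags any that lacks ExchangeServer in AuthMechanism or ExchangeServers in PermissionGroups, which is what the front-end connector's proxy hop needs. The mapping of the EAC checkboxes "Exchange Server Authentication" and "Exchange Servers" to those two values, the server name, and the default value lists in the commented Set-ReceiveConnector line are this example's assumptions.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumption: the EAC checkbox "Exchange Server Authentication" is the
# ExchangeServer value of AuthMechanism, and the "Exchange Servers" permission
# group is the ExchangeServers value of PermissionGroups.
$Server = 'EXCH02'   # placeholder

$Connectors = Get-ReceiveConnector -Server $Server

# A front-end connector on port 25 proxies authenticated submissions to the
# back end, so the hub-transport connector it proxies to must accept Exchange
# server authentication; otherwise the hop fails with
# "451 4.5.0 Require XAnonymousTls to send mail".
$Problems = foreach ($c in ($Connectors | Where-Object { $_.TransportRole -eq 'HubTransport' })) {
    $auth    = [string]$c.AuthMechanism
    $perms   = [string]$c.PermissionGroups
    $missing = @()
    # \b keeps 'ExchangeServer' from matching inside 'ExchangeServers'.
    if ($auth  -notmatch '\bExchangeServer\b')  { $missing += 'AuthMechanism: ExchangeServer' }
    if ($perms -notmatch '\bExchangeServers\b') { $missing += 'PermissionGroups: ExchangeServers' }
    if ($missing.Count -gt 0) {
        [pscustomobject]@{
            Name             = $c.Name
            Bindings         = ($c.Bindings -join ', ')
            AuthMechanism    = $auth
            PermissionGroups = $perms
            Missing          = ($missing -join '; ')
        }
    }
}

if ($Problems) {
    $Problems | Format-Table -AutoSize
    # Remedial step for a connector listed above (replace the identity).
    # The value lists are what I take to be the Client Proxy connector's
    # defaults; compare against a healthy server before applying. Note that
    # ExchangeServer in AuthMechanism requires the connector's Fqdn to stay the
    # server's own FQDN, which is the "fqdn" error the author hit when binding
    # a public certificate to it.
    # Set-ReceiveConnector -Identity "$Server\Client Proxy $Server" `
    #     -AuthMechanism 'Tls,Integrated,BasicAuth,BasicAuthRequireTLS,ExchangeServer' `
    #     -PermissionGroups 'ExchangeUsers,ExchangeServers'
} else {
    "All hub-transport receive connectors on $Server accept Exchange Server authentication."
}
```

The front-end connector from the question (TransportRole FrontendTransport, AuthMechanism Tls, BasicAuth) is deliberately excluded: it is the Client Proxy connector on the hub-transport side that has to trust the proxying server.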

Amit (IT Architect) Commented:
Thanks for sharing the solution. You can close this question.
0
Medrx (Author) Commented:
I found the solution myself.
0