Before posting I reviewed the associated links to see if something stood out. It possibly did, but here is the issue/questions we have.
Environment:
Exchange 2016 CU19
Requirement:
Leverage authenticated mail relay for applications and devices that can use it.
Understanding:
By default Exchange allows you to send authenticated relay via port 587 provided you meet the following two criteria:
1. AD user with an Exchange mailbox
2. The "From" field matches the AD email address used
ERROR:
Send-MailMessage : Mailbox unavailable. The server response was: 5.7.60 SMTP; Client does not have permissions to send as this sender
We keep receiving the above error if we try port 465 or 2525 as well. To test we used PowerShell, plugging in the following commands.
Launch PowerShell as UserA
$creds = Get-Credential
Username: domain.com\UserA
Password: password
Send-MailMessage -From UserA@domain.com -To UserB@domain.com -Subject TEST -SmtpServer mail.domain.com -Port 587 -Credential $creds
Same result when trying ports 2525 and 465
Leveraging this method is ideal as we do not need to manage IP addresses to lock it down per connector, but we have yet to get it to work. When trying to test with the application itself we ran into "No compatible authentication mechanisms found" and "An error occurred while attempting to establish an SSL or TLS connection". I believe the second error here is caused by not associating a certificate with the default connectors that use ports 465, 587, and 2525. We did not feel comfortable modifying the defaults, so we opted to test by creating a new connector altogether (details below).
Since we were unable to get the above working, let's do what we did for anonymous mail relay and set up a new authenticated relay we can lock down via IPs.
Created new connector called Authenticated
Security Mechanism:
a. Transport Layer Security (TLS)
b. Basic Authentication
c. Integrated Windows authentication
Permission groups:
a. Exchange users
Scoped to specific IP over port 25
Same errors as above. We have been able to get a different error generated when trying to use the default method over TCP 587, 465, and 2525 related to certificates, but I did not want to add the certificate to the default connectors.
Question is: can I leverage the default connectors to authenticate clients? If so, is the following command the only thing needed to get around the error we are seeing? Or is it possibly a better idea to use a new connector like in the example above to plug in the IPs needed, etc.? DHCP and VPN pools are why we were looking at the default methods, as maintaining the scoped IPs can become challenging when they are constantly changing.
Possible Fix:
Organization Wide:
Get-ReceiveConnector "Server\Authenticated" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"
OR
Individual:
Get-ReceiveConnector "Server\Authenticated" | Add-ADPermission -User "UserA@domain.com" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"
What am I missing? Any assistance or guidance would be appreciated.
Thank you,
CWT
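An added diagnostic script (not part of the original post or of Exchange) that checks the three things the post's symptoms depend on before any permission is granted: that the From address is actually an address of the authenticating mailbox, what the named connector binds to and which auth mechanisms it offers, and who already holds ms-Exch-SMTP-Accept-Any-Sender on it; it then repeats the post's test send with -UseSsl so STARTTLS is negotiated before AUTH. The connector name, addresses and server are the post's placeholders and are assumed; run it from the Exchange Management Shell.

```powershell
# Added diagnostic, not from the original post. Assumes the placeholder
# names used in the post; adjust to match the real environment.
param(
    [string]$Connector  = 'Server\Authenticated',
    [string]$From       = 'UserA@domain.com',
    [string]$To         = 'UserB@domain.com',
    [string]$SmtpServer = 'mail.domain.com',
    [int]$Port          = 587
)

# 1. 5.7.60 means the From address is not one the authenticated user may
#    send as. Confirm the address really belongs to the authenticating mailbox.
Get-Mailbox -Identity $From -ErrorAction Stop |
    Select-Object Name, PrimarySmtpAddress, EmailAddresses | Format-List

# 2. Which ports the connector listens on, which client IPs it accepts, and
#    which auth it offers. BasicAuthRequireTLS in AuthMechanism means Basic
#    is only offered after STARTTLS, which is what the client must do first.
$rc = Get-ReceiveConnector -Identity $Connector -ErrorAction Stop
$rc | Select-Object Identity, Bindings, RemoteIPRanges, AuthMechanism,
    PermissionGroups, Fqdn, RequireTLS | Format-List

# 3. Who already holds the extended right the post proposes to add.
#    A Deny entry wins over an Allow, so show that column explicitly.
$rc | Get-ADPermission |
    Where-Object { $_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Sender' } |
    Select-Object User, Deny, IsInherited | Format-Table -AutoSize

# 4. Same test as the post, with -UseSsl so the session upgrades to TLS
#    before credentials are sent; without it Exchange will not offer Basic
#    and the client reports "No compatible authentication mechanisms found".
$creds = Get-Credential -Message "Credentials for $From"
try {
    Send-MailMessage -From $From -To $To -Subject 'TEST' `
        -SmtpServer $SmtpServer -Port $Port -UseSsl `
        -Credential $creds -ErrorAction Stop
    "Accepted by $SmtpServer on port $Port"
} catch {
    "Rejected: $($_.Exception.Message)"
}
```

If step 1 shows the From address is not on the mailbox, no connector permission change will clear 5.7.60; if step 4 fails on the TLS handshake, the certificate assigned to the connector's Fqdn is the next thing to inspect.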