How exactly should I set SMTP receive connector to authenticate?



Hi,

I can't find a way to configure the SMTP receive connector to use
authentication.

PROBLEM:
Most of our distribution groups require that users sending to them must be
authenticated. We need to send mails to these groups also from MOSS 2007
(SharePoint), but the MOSS settings don't account for authentication and
there's no way to enter them, and I don't want to tamper with the source code
files yet.


MY ATTEMPT OF SOLUTION:
I figured out that if I configure an SMTP host which will authenticate to the
Exchange receive connector and point MOSS outgoing mail to the SMTP host, then
the messages will be coming from an authenticated user and will be delivered to
the distribution groups.

Isn't this a wrong assumption?


SETUP
I configured an SMTP host in IIS on one W2003 server and made a remote domain
there that points to the Exchange server. I created a new receive connector
with verbose logging in Hub Transport on this Exchange server and configured
it to receive from the IP of the SMTP host. I verified with anonymous
authentication that this setup delivers emails.

I granted the right to submit via this connector to the administrator account
and also set this account's credentials in the authentication properties of
the remote domain.
Get-ReceiveConnector "connector" | Add-ADPermission -User "domain-lab\administrator" -ExtendedRights "ms-Exch-SMTP-Submit"

Currently the connector is configured to allow Basic, NTLM and Exchange
server authentication methods and permission groups are allowed for Exchange
users, Exchange servers, Legacy Exchange Servers and Partners (I will narrow
it when I get it working with at least something).

When I enable authentication (basic or NTLM, no TLS yet) on the IIS SMTP
host then I receive this in the Exchange's SMTPreceive log:


<connector>,08CA98F5FC5D04E7,0,exchange,iis smtp,+,,
<connector>,08CA98F5FC5D04E7,1,exchange,iis smtp,*,None,Set Session Permissions
<connector>,08CA98F5FC5D04E7,2,exchange,iis smtp,>,"220 exchlab.domain.lab Microsoft ESMTP MAIL Service ready at Tue, 10 Jun 2008 13:00:33 +0200",
<connector>,08CA98F5FC5D04E7,3,exchange,iis smtp,<,EHLO sharepoint.domain.com,
<connector>,08CA98F5FC5D04E7,4,exchange,iis smtp,>,250-exchlab.domain.lab Hello [172.16.19.239],
<connector>,08CA98F5FC5D04E7,5,exchange,iis smtp,>,250-SIZE 10485760,
<connector>,08CA98F5FC5D04E7,6,exchange,iis smtp,>,250-PIPELINING,
<connector>,08CA98F5FC5D04E7,7,exchange,iis smtp,>,250-DSN,
<connector>,08CA98F5FC5D04E7,8,exchange,iis smtp,>,250-ENHANCEDSTATUSCODES,
<connector>,08CA98F5FC5D04E7,9,exchange,iis smtp,>,250-X-ANONYMOUSTLS,
<connector>,08CA98F5FC5D04E7,10,exchange,iis smtp,>,250-AUTH NTLM LOGIN,
<connector>,08CA98F5FC5D04E7,11,exchange,iis smtp,>,250-X-EXPS GSSAPI NTLM,
<connector>,08CA98F5FC5D04E7,12,exchange,iis smtp,>,250-8BITMIME,
<connector>,08CA98F5FC5D04E7,13,exchange,iis smtp,>,250-BINARYMIME,
<connector>,08CA98F5FC5D04E7,14,exchange,iis smtp,>,250-CHUNKING,
<connector>,08CA98F5FC5D04E7,15,exchange,iis smtp,>,250-XEXCH50,
<connector>,08CA98F5FC5D04E7,16,exchange,iis smtp,>,250 XRDST,
<connector>,08CA98F5FC5D04E7,17,exchange,iis smtp,<,AUTH LOGIN,
<connector>,08CA98F5FC5D04E7,18,exchange,iis smtp,>,334 <authentication response>,
<connector>,08CA98F5FC5D04E7,19,exchange,iis smtp,*,,Inbound authentication failed as we reject well-known account authentication for domain-LAB\Administrator
<connector>,08CA98F5FC5D04E7,20,exchange,iis smtp,>,535 5.7.3 Authentication unsuccessful,
<connector>,08CA98F5FC5D04E7,21,exchange,iis smtp,-,,Remote


Here I figured that the administrator account is not allowed by design and
switched to another user, granting him the right to use the connector too:
Get-ReceiveConnector "connector" | Add-ADPermission -User "domain-lab\smtp-user" -ExtendedRights "ms-Exch-SMTP-Submit"


with BASIC auth:

<connector>,08CA98F5FC5D04E9,1,exchange,iis smtp,*,None,Set Session Permissions
<connector>,08CA98F5FC5D04E9,2,exchange,iis smtp,>,"220 exchlab.domain.lab Microsoft ESMTP MAIL Service ready at Tue, 10 Jun 2008 13:16:44 +0200",
<connector>,08CA98F5FC5D04E9,3,exchange,iis smtp,<,EHLO sharepoint.domain.com,
<connector>,08CA98F5FC5D04E9,4,exchange,iis smtp,>,250-exchlab.domain.lab Hello [172.16.19.239],
<connector>,08CA98F5FC5D04E9,5,exchange,iis smtp,>,250-SIZE 10485760,
<connector>,08CA98F5FC5D04E9,6,exchange,iis smtp,>,250-PIPELINING,
<connector>,08CA98F5FC5D04E9,7,exchange,iis smtp,>,250-DSN,
<connector>,08CA98F5FC5D04E9,8,exchange,iis smtp,>,250-ENHANCEDSTATUSCODES,
<connector>,08CA98F5FC5D04E9,9,exchange,iis smtp,>,250-X-ANONYMOUSTLS,
<connector>,08CA98F5FC5D04E9,10,exchange,iis smtp,>,250-AUTH NTLM LOGIN,
<connector>,08CA98F5FC5D04E9,11,exchange,iis smtp,>,250-X-EXPS GSSAPI NTLM,
<connector>,08CA98F5FC5D04E9,12,exchange,iis smtp,>,250-8BITMIME,
<connector>,08CA98F5FC5D04E9,13,exchange,iis smtp,>,250-BINARYMIME,
<connector>,08CA98F5FC5D04E9,14,exchange,iis smtp,>,250-CHUNKING,
<connector>,08CA98F5FC5D04E9,15,exchange,iis smtp,>,250-XEXCH50,
<connector>,08CA98F5FC5D04E9,16,exchange,iis smtp,>,250 XRDST,
<connector>,08CA98F5FC5D04E9,17,exchange,iis smtp,<,AUTH LOGIN,
<connector>,08CA98F5FC5D04E9,18,exchange,iis smtp,>,334 <authentication response>,
<connector>,08CA98F5FC5D04E9,19,exchange,iis smtp,*,,Inbound AUTH LOGIN failed because of LogonDenied
<connector>,08CA98F5FC5D04E9,20,exchange,iis smtp,>,535 5.7.3 Authentication unsuccessful,


with NTLM AUTH:

....same as above...
<connector>,08CA98ECC0E653C2,17,exchange,sharepoint,<,AUTH NTLM,
<connector>,08CA98ECC0E653C2,18,exchange,sharepoint,>,334 <authentication response>,
<connector>,08CA98ECC0E653C2,19,exchange,sharepoint,*,,Inbound Negotiate failed because of LogonDenied
<connector>,08CA98ECC0E653C2,20,exchange,sharepoint,>,535 5.7.3 Authentication unsuccessful,

I granted the smtp-user the right to log on locally just to exclude this as
the cause, but I'm still getting the "Inbound AUTH LOGIN failed because of
LogonDenied" error.

And I also granted these permissions for the smtp-user on that connector:
ms-Exch-SMTP-Accept-Authoritative-Domain
ms-Exch-Bypass-Anti-Spam
ms-Exch-Bypass-Message-Size-Limit
ms-Exch-SMTP-Submit
ms-Exch-SMTP-Accept-Any-Recipient
ms-Exch-SMTP-Accept-Authentication-Flag
ms-Exch-SMTP-Accept-Any-Sender
but without any success, still the same error.

I don't know what more I can do to get this working. Please share your
knowledge or ideas if you know more.

Thanks!
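
Added example (not part of the original post, and not Microsoft's tooling): a small triage script that groups SMTP receive log rows like the ones quoted above by session id and reports which AUTH mechanism was tried, whether it would have crossed the wire without TLS, and the reason the server logged for the failure. It assumes the eight-column layout shown in the post (connector, session, sequence, local, remote, event, data, context); a log with extra leading columns would need the indices shifted. The function names are hypothetical.

```python
import csv
from collections import defaultdict

# Rows taken from the post's log layout with wrapped lines rejoined and the
# sample trimmed for this example. Assumed columns:
# connector,session,sequence,local,remote,event,data,context
SAMPLE_LOG = """\
<connector>,08CA98F5FC5D04E9,2,exchange,iis smtp,>,"220 exchlab.domain.lab Microsoft ESMTP MAIL Service ready at Tue, 10 Jun 2008 13:16:44 +0200",
<connector>,08CA98F5FC5D04E9,10,exchange,iis smtp,>,250-AUTH NTLM LOGIN,
<connector>,08CA98F5FC5D04E9,17,exchange,iis smtp,<,AUTH LOGIN,
<connector>,08CA98F5FC5D04E9,19,exchange,iis smtp,*,,Inbound AUTH LOGIN failed because of LogonDenied
<connector>,08CA98F5FC5D04E9,20,exchange,iis smtp,>,535 5.7.3 Authentication unsuccessful,
<connector>,08CA98F5FC5D04E7,17,exchange,iis smtp,<,AUTH LOGIN,
<connector>,08CA98F5FC5D04E7,19,exchange,iis smtp,*,,Inbound authentication failed as we reject well-known account authentication for domain-LAB\\Administrator
<connector>,08CA98F5FC5D04E7,20,exchange,iis smtp,>,535 5.7.3 Authentication unsuccessful,
"""

def new_session():
    return {"remote": None, "offered": [], "attempted": None,
            "starttls": False, "cleartext_auth": False,
            "failure": None, "reply": None}

def summarize_sessions(log_text):
    """Group rows by session id and record the AUTH negotiation outcome."""
    sessions = defaultdict(new_session)
    # csv handles the quoted 220 banner, whose date contains a comma
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 8:
            continue  # wrapped or truncated row
        _conn, sid, _seq, _local, remote, event, data, context = row[:8]
        s = sessions[sid]
        s["remote"] = remote
        verb = data.upper()
        if event == ">" and verb[:3] == "250" and verb[4:9] == "AUTH ":
            s["offered"] = verb[9:].split()   # mechanisms the connector advertised
        elif event == "<" and verb == "STARTTLS":
            s["starttls"] = True              # client asked for TLS before AUTH
        elif event == "<" and verb.startswith("AUTH "):
            s["attempted"] = verb.split()[1]
            # LOGIN/PLAIN only base64-encode the credentials; flag them when no TLS was requested
            s["cleartext_auth"] = s["attempted"] in ("LOGIN", "PLAIN") and not s["starttls"]
        elif event == "*" and "failed" in context:
            s["failure"] = context            # reason recorded by the server
        elif event == ">" and data.startswith("535"):
            s["reply"] = data
    return dict(sessions)

def failed_sessions(sessions):
    """Sessions that ended in a 535 reply, keyed by session id."""
    return {sid: s for sid, s in sessions.items() if (s["reply"] or "").startswith("535")}
```

Both failures look identical to the client (535 5.7.3); only the `*` rows in the connector log distinguish a rejected well-known account from LogonDenied.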