Exchange 2010 distribution groups don't accept internal mail through SMTP

In Exchange 2010 I have a distribution group called [email protected]. It is allowed to be used only for internal mail. It works fine when sending e-mails through OWA or directly through Outlook RPC. However, it doesn't work through authenticated SMTP (for some time users will have to use POP3/SMTP instead of RPC due to a management decision), giving an error like the one below:

#550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##

It seems SMTP, even though it's authenticated (users aren't able to send without authentication, so they use authentication to be able to send normal e-mails as well), is treated as not being internal e-mail. Is there a way to make it work without having to enable the address for everyone in the world?


Solution 1:

I have not found a way to make this work with SMTP AUTH clients without opening the group to the world. I think it's preferable to maintain the "Require that all users are authenticated" setting enabled on your "all" distribution group, so this may not be possible with your setup.

Solution 2:

To allow SMTP users to send e-mails to distribution groups that have the "Require that all users are authenticated" flag enabled, one has to add the "ms-Exch-SMTP-Accept-Authentication-Flag" extended right to the Receive Connectors.

Let's verify the current settings on the connector:

Get-ReceiveConnector "EXCHANGE1\Client EXCHANGE1" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users" | ft user,extendedrights

NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Accept-Any-Sender} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Accept-Any-Recipient} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-Accept-Headers-Routing} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-Bypass-Anti-Spam} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Submit}

With this setup it doesn't work. So we add the ms-Exch-SMTP-Accept-Authentication-Flag extended right to the SMTP connector using this command:

Get-ReceiveConnector "EXCHANGE1\Client EXCHANGE1" | Add-ADPermission -User 'NT AUTHORITY\Authenticated Users' -ExtendedRights ms-Exch-SMTP-Accept-Authentication-Flag

And we verify that it's been added with this command:

Get-ReceiveConnector "EXCHANGE1\Client EXCHANGE1" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users" | ft user,extendedrights

NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Accept-Any-Sender} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Accept-Any-Recipient} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-Accept-Headers-Routing} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Accept-Authentication-Flag}
NT AUTHORITY\Authenticated Users                  {ms-Exch-Bypass-Anti-Spam} 
NT AUTHORITY\Authenticated Users                  {ms-Exch-SMTP-Submit}

Note the {ms-Exch-SMTP-Accept-Authentication-Flag} entry, which wasn't there before.

And that's all. After that it works. In my case I had to set it up on two connectors (two Exchange servers).
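The verify/add/verify procedure from Solution 2, written as an added example that is not part of the original answer: it goes slightly beyond the answer by walking every Receive Connector whose name matches a filter (the answer did the two connectors by hand), skipping connectors that already carry the right, and re-reading the ACL after the change instead of trusting the Add-ADPermission return value. It assumes the Exchange 2010 Management Shell, an account allowed to change connector permissions, and that your client connectors are named like the default "Client <server>"; the connector name filter and the function name Test-ConnectorHasRight are assumptions of this example, not Exchange names.

```powershell
# Added example (not from the original post): grant the
# ms-Exch-SMTP-Accept-Authentication-Flag extended right to Authenticated Users
# on every matching Receive Connector that lacks it, then re-verify it was applied.
# Assumptions: run in the Exchange Management Shell on Exchange 2010 with an
# account that can change connector permissions; the name filter below matches
# the default "Client <server>" connectors and may need adjusting.

param(
    # Only connectors whose name matches this pattern are touched. Keep this
    # scoped to the connector authenticated POP3/IMAP clients submit through;
    # do not grant the right on a connector that accepts anonymous internet mail.
    [string]$ConnectorNameFilter = 'Client*',
    [switch]$WhatIf
)

$right     = 'ms-Exch-SMTP-Accept-Authentication-Flag'
$principal = 'NT AUTHORITY\Authenticated Users'

function Test-ConnectorHasRight {
    param([Parameter(Mandatory = $true)]$Connector)
    # Get-ADPermission returns one entry per ACE; flatten the ExtendedRights
    # collections of the non-Deny ACEs for this principal into plain strings.
    $rights = Get-ADPermission -Identity $Connector.Identity -User $principal |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() }
    return ($rights -contains $right)
}

$connectors = Get-ReceiveConnector | Where-Object { $_.Name -like $ConnectorNameFilter }
if (-not $connectors) {
    Write-Warning "No Receive Connectors matched '$ConnectorNameFilter'."
    return
}

foreach ($rc in $connectors) {
    if (Test-ConnectorHasRight -Connector $rc) {
        Write-Host ("{0}: already has {1}" -f $rc.Identity, $right)
        continue
    }

    if ($WhatIf) {
        Write-Host ("{0}: would add {1} for {2}" -f $rc.Identity, $right, $principal)
        continue
    }

    Add-ADPermission -Identity $rc.Identity -User $principal -ExtendedRights $right | Out-Null

    # Re-read the ACL rather than trusting the object Add-ADPermission returns.
    if (Test-ConnectorHasRight -Connector $rc) {
        Write-Host ("{0}: added {1}" -f $rc.Identity, $right)
    } else {
        Write-Error ("{0}: {1} still missing after Add-ADPermission" -f $rc.Identity, $right)
    }
}
```

Run it once with -WhatIf to see which connectors would change, then without it. The -User filter on Get-ADPermission is the same one the answer uses, so the output of the answer's own `ft user,extendedrights` check is what the function is reading.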