Allow external domain to send on behalf of user
Hello all:
We have a need to use an external web site that manages a time share arrangement. The site sends out emails whenever someone makes a change to the schedule. The site wants to make the email look like it is coming from our internal user's email address. The problem is that Exchange 2010 thinks this is a spoofed email and blocks it, sending a copy to the admin (me). Then I have to go in and manually forward these messages.
I tried using the Set-SenderIDConfig command as follows for the true sender but it did not seem to work:
Set-SenderIDConfig -BypassedSenderDomains reservations@acme.com
Set-SenderIDConfig -BypassedSenderDomains app.server.externalisp.com
A representative message that I receive is as follows (names and addresses changed):
Delivery has failed to these recipients or groups:
user@ourdomain.com
A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.
The following organization rejected your message: mail.ourdomain.com.
Diagnostic information for administrators:
Generating server: app.server.externalisp.com
user@ourdomain.com
mail.ourdomain.com #<mail.ourdomain.com #5.0.0 smtp; 550 rejecting spoofed message> #SMTP#
Original message headers:
Received: by app.server.externalisp.com (Postfix, from userid 48) id
DDWWEED163; Thu, 28 Jul 2011 09:28:59 -0500 (CDT)
Reply-To: <user@ourdomain.com>
To: <somebody@gmail.com>
From: Acme Reservation System <reservations@acme.com>
Subject: Acme Reservation System - Updated User Record
CC: <user@ourdomain.com>
X-Mailer: Acme Mail Generator
X-Originator-IP: 168.192.11.54
Message-ID: <314159@app.server.externalisp.com>
Date: Thu, 28 Jul 2011 09:28:59 -0500
MIME-Version: 1.0
Content-Type: text/plain
Can someone tell me what I'm doing wrong?
Regards,
July 28th, 2011 11:16am
Are you sure this is Exchange throwing the error? Sounds like a 3rd party program or server. I also see postfix in your NDR. As you can see, this is what actually happens when a message is spoofed (and senderID is enforced):
220 exchange.demolab.local Microsoft ESMTP MAIL Service ready at Thu, 28 Jul 2011 17:42:27 -0400
ehlo
250-Exchange-A.demolab.local Hello [::1]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from:mikecrowley@mikecrowley.us
250 2.1.0 Sender OK
rcpt to:mikecrowley@mikecrowley.us
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
hello!
.
550 5.7.1 Sender ID (PRA) Not Permitted
Mike Crowley | MVP
My Blog --
Planet Technologies
July 28th, 2011 5:55pm
To answer your question: you'd create a special receive connector for the web site with "externally secured" as the authentication mechanism.
This bypasses anti-spam and other checks.
As you can see, I’ve spoofed my address again, but this time it works:
220 web-site Microsoft ESMTP MAIL Service ready at Thu, 28 Jul 2011 17:57:19 -0400
ehlo
250-web-site-connector Hello [10.123.123.6]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
mail from:mikecrowley@mikecrowley.us
250 2.1.0 Sender OK
rcpt to:mikecrowley@mikecrowley.us
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
Hello again!
.
250 2.6.0 <0b43e3e4-75d1-4a73-b02c-129625536f83@EXCHANGE-A.demolab.local> [InternalId=1] Queued mail for delivery
Sample commands to create the connector:
New-ReceiveConnector -Name 'Web Site Submissions' -Usage 'Custom' -Bindings '0.0.0.0:25' -RemoteIPRanges '<web site IP>' -Server '<your server>'
Set-ReceiveConnector -AuthMechanism 'Tls, ExternalAuthoritative' -PermissionGroups 'AnonymousUsers, ExchangeServers' -Identity '<your server>\Web Site Submissions'
Mike Crowley | MVP
My Blog --
Planet Technologies
July 28th, 2011 6:21pm
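An added example (not from Mike's post) that builds on the commands above: it creates the connector scoped to the single source host and then audits every receive connector on the server, because ExternalAuthoritative skips Sender ID and anti-spam checks, so the RemoteIPRanges scope is the only thing stopping other hosts from spoofing internal senders through it. The server name, connector name and the 203.0.113.10 address are placeholders.

```powershell
# Added example; run in the Exchange Management Shell. Server name,
# connector name and the source IP below are placeholder assumptions.
$ServerName = 'MAILSERVER'        # assumption: your Hub Transport server
$WebSiteIP  = '203.0.113.10'      # assumption: the reservation site's IP
$Name       = 'Web Site Submissions'

# Scope to exactly one source address: no subnet, and never the
# default 0.0.0.0-255.255.255.255 range used by the default connector.
New-ReceiveConnector -Name $Name -Usage Custom -Server $ServerName `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $WebSiteIP

# ExternalAuthoritative requires the ExchangeServers permission group;
# together these make Exchange trust the MAIL FROM without Sender ID.
Set-ReceiveConnector -Identity "$ServerName\$Name" `
    -AuthMechanism 'Tls, ExternalAuthoritative' `
    -PermissionGroups 'AnonymousUsers, ExchangeServers'

# Audit: list every connector that trusts senders (ExternalAuthoritative)
# and flag those whose RemoteIPRanges contain a block rather than
# single hosts, since such a connector is an open path for spoofing.
function Get-ExternallySecuredConnector {
    param([string]$Server)
    Get-ReceiveConnector -Server $Server |
        Where-Object { $_.AuthMechanism -match 'ExternalAuthoritative' } |
        ForEach-Object {
            $ranges = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
            # IPRange renders as 'a.b.c.d', 'a.b.c.d-e.f.g.h' or 'a.b.c.d/n';
            # a '-' or '/' means a range or CIDR block, not one host.
            $broad = @($ranges | Where-Object { $_ -match '[-/]' })
            [pscustomobject]@{
                Connector      = $_.Identity
                RemoteIPRanges = ($ranges -join ', ')
                BroadScope     = ($broad.Count -gt 0)
            }
        }
}

Get-ExternallySecuredConnector -Server $ServerName | Format-Table -AutoSize
```

Re-run the audit function after any connector change; a BroadScope of True on an externally secured connector is the condition to fix, not the web site connector itself.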
Much thanks Mike, I'll give it a try.
August 2nd, 2011 3:01pm
How did this work out?
Mike Crowley | MVP
My Blog --
Planet Technologies
August 6th, 2011 10:49am