Send connector with "proxy through CAS" breaks basic authentication
Hi,

When "Proxy through client access server" is enabled, Basic authentication doesn't work - instead of AUTH LOGIN, Exchange sends MAIL FROM:... right away.

Does someone know if this is a bug? I'm running CU8.

Thanks!
Stefan
June 4th, 2015 1:09pm

Hi Stefan,

It would help us to understand if you could elaborate on the scenario a bit more.

What is your setup, and how are you testing it, etc.?

Normally Exchange would accept anonymous incoming connections for any authoritative domain.

The authentication part comes into the picture when you are either accessing your mailbox or sending email out to some outside domain. So RCPT TO: is the field that you should be interested in.

Of course there would be many other scen

June 5th, 2015 3:18am

Hi Satyajit,

We send all outgoing mails through an appliance that requires authentication. When proxying through the CAS, Exchange just doesn't authenticate itself to the appliance even though it should. When disabling the proxy function, the authentication works as it should.

I tested it by sending out mails, with and without the proxy function.

June 6th, 2015 5:37am

Hi Stef,

Thank you for your question.

By my understanding, when we check Proxy through Client Access server, the Transport service uses Send connectors to communicate with the Front End Transport service on a Client Access server for outgoing messages. Specifically, outgoing messages are proxied through the Front End Transport service. We could refer to the following link:

https://technet.microsoft.com/en-us/library/aa998825(v=exchg.150).aspx

So I think you misunderstand.

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim

June 8th, 2015 3:31am

Hi Stef,

This is expected behaviour; you can restrict it by removing the Anonymous check or restricting the IP range on the "Default FrontEnd Server01" Receive Connector.

EAC -> Receive Connector -> Select the server name from the drop-down: "Default Frontend Receive Connector" -> EDIT ->

Security: Uncheck Anonymous Users

Scoping: Limit the IPs of exchange servers and application servers only + External SMTP server for incoming emails.

Basically match it with "Default Server01" settings.

Role: HubTransport corresponds to the Mailbox role, and FrontendTransport refers to the CAS connector.

NOTE:-

But this might give issues if you don't have an external SMTP server accepting emails for your domain.

For receiving emails from the Internet, the Receive Connector of the EDGE server (or HUB if it's the only one) needs to allow Anonymous connections. Hence it is designed by default to work without any external\additional SMTP gateway. (Which you can easily change, of course.)

Just confirm that you don't have the ms-Exch-SMTP-Accept-Any-Recipient permission added (as this will make your connector an open external relay).

Additional to the above settings there are some hidden permissions as well:

Use the cmdlets below to compare and correct if you want to. (If the above change doesn't help.)

Get-ReceiveConnector  "EXCH-1\Default EXCH-1" | Get-ADPermission | ?{$_.User -like "NT AUTHORITY\ANONYMOUS LOGON"} | ft User, ExtendedRights
Get-ReceiveConnector  "EXCH-1\Default FrontEnd EXCH-1" | Get-ADPermission | ?{$_.User -like "NT AUTHORITY\ANONYMOUS LOGON"} | ft User, ExtendedRights

Sample run: This should make the difference in the settings clear, as discussed earlier.

[PS] C:\Windows\system32>Get-ReceiveConnector  "EXCH-1\Default EXCH-1" | Get-ADPermission | ?{$_.User -like "NT AUTHORITY\ANONYMOUS LOGON"} | ft User, ExtendedRights

User                                                         ExtendedRights
----                                                         --------------
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-Store-Create-Named-Properties}
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-Create-Public-Folder}
NT AUTHORITY\ANONYMOUS LOGON
NT AUTHORITY\ANONYMOUS LOGON


[PS] C:\Windows\system32>Get-ReceiveConnector  "EXCH-1\Default FrontEnd EXCH-1" | Get-ADPermission | ?{$_.User -like "NT AUTHORITY\ANONYMOUS LOGON"} | ft User, ExtendedRights

User                                                         ExtendedRights
----                                                         --------------
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-SMTP-Submit}
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-SMTP-Accept-Any-Sender}
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-Store-Create-Named-Properties}
NT AUTHORITY\ANONYMOUS LOGON                                 {ms-Exch-Create-Public-Folder}
NT AUTHORITY\ANONYMOUS LOGON
NT AUTHORITY\ANONYMOUS LOGON

You can run Remove-ADPermission -ExtendedRights to remove the extra permissions.

One question for you: are your CAS and MBX co-located? If not, which server is the application server sending email to, and on which port? It should be pointed to the Mailbox server, not the CAS.

References:

Default frontend receive connector settings

https://community.office365.com/en-us/f/156/t/2351

June 8th, 2015 5:52am
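An added example, not code from any post in this thread: a snippet for the Exchange Management Shell (Exchange 2013) that automates the two checks discussed so far. It compares the extended rights granted to NT AUTHORITY\ANONYMOUS LOGON on the "Default <Server>" (HubTransport) and "Default FrontEnd <Server>" (FrontendTransport) Receive connectors, flags ms-Exch-SMTP-Accept-Any-Recipient as an open-relay risk, and lists Send connectors that combine "Proxy through Client Access server" (FrontendProxyEnabled) with smart-host authentication, which is the combination the original question reports as failing. It assumes the default connector naming pattern shown in the sample run above; the server name EXCH-1 is a placeholder.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumption: Receive connectors use the default names "Default <Server>" and
# "Default FrontEnd <Server>", as in the sample run above.

$AnonymousUser = 'NT AUTHORITY\ANONYMOUS LOGON'

function Get-AnonymousExtendedRights {
    param([Parameter(Mandatory)][string]$ConnectorIdentity)
    # Extended-right names granted to ANONYMOUS LOGON on one Receive connector.
    # Entries with an empty ExtendedRights value (the blank rows in the sample
    # run) are dropped so only real rights are compared.
    Get-ReceiveConnector -Identity $ConnectorIdentity |
        Get-ADPermission |
        Where-Object { $_.User -like $AnonymousUser -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { $_.ToString() } } |
        Sort-Object -Unique
}

function Compare-AnonymousReceiveRights {
    param([Parameter(Mandatory)][string]$Server)
    # Rights present on the FrontEnd connector but absent from the Hub connector
    # are the "extra" ones the post above suggests reviewing.
    $hubRights      = @(Get-AnonymousExtendedRights -ConnectorIdentity "$Server\Default $Server")
    $frontEndRights = @(Get-AnonymousExtendedRights -ConnectorIdentity "$Server\Default FrontEnd $Server")
    $extra          = @($frontEndRights | Where-Object { $hubRights -notcontains $_ })

    [pscustomobject]@{
        Server          = $Server
        HubRights       = $hubRights
        FrontEndRights  = $frontEndRights
        ExtraOnFrontEnd = $extra
        # This single right lets anonymous senders relay to any recipient.
        OpenRelayRisk   = [bool]($frontEndRights -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
    }
}

function Find-ProxiedAuthenticatedSendConnectors {
    # Send connectors that both proxy through the CAS and authenticate to a
    # smart host: the configuration the original question reports as broken.
    Get-SendConnector |
        Where-Object { $_.FrontendProxyEnabled -and $_.SmartHostAuthMechanism -ne 'None' } |
        Select-Object Name, SmartHosts, SmartHostAuthMechanism, FrontendProxyEnabled
}

# Usage; 'EXCH-1' is a placeholder server name.
$report = Compare-AnonymousReceiveRights -Server 'EXCH-1'
$report | Format-List

if ($report.OpenRelayRisk) {
    Write-Warning "Anonymous relay right present on the FrontEnd connector of $($report.Server)."
    # Preview the removal with -WhatIf; drop -WhatIf only after reviewing the output.
    Remove-ADPermission -Identity "$($report.Server)\Default FrontEnd $($report.Server)" `
        -User $AnonymousUser -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' -WhatIf
}

Find-ProxiedAuthenticatedSendConnectors | Format-Table -AutoSize
```

The comparison is done on the right names rather than on the raw Get-ADPermission rows, so the two connectors can be diffed even when the rows come back in a different order; the Remove-ADPermission call is limited to the single relay right and previewed with -WhatIf, because the other anonymous rights on the FrontEnd connector are defaults that inbound mail from the Internet depends on.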

By my understanding, when we check Proxy through Client Access server, the Transport service uses Send connectors to communicate with the Front End Transport service on a Client Access server for outgoing messages. Specifically, outgoing messages are proxied through the Front End Transport service. We could refer to the following link:

https://technet.microsoft.com/en-us/library/aa998825(v=exchg.150).aspx

So I think you misunderstand.

Hi Jim,

Correct - but why do you think I misunderstand? I want to proxy my outgoing mails through the front end transport service in order to reach my appliance.

So, why does Exchange fail to authenticate with AUTH LOGIN when proxying through the front end transport service? Exchange properly authenticates when not proxying through the front end transport service...


June 8th, 2015 1:16pm

Hi Satyajit,

I don't understand - I don't have an issue with my receive connector, but with my send connector. It's only about sending out mails :)

My CAS and MBX servers are not co-located.

BR
Stef

June 8th, 2015 1:21pm

Hi Stef,

Before I explain, can you please confirm.

Where is the application server pointing to: CAS or MBX? In both cases, with "Proxy through Client Access server" ON and OFF.

Where you seem to be confused is in thinking the Send Connector is accepting your application server's emails.

When you are sending email from your application server, Exchange is listening on port 25 and hence accepts it. Basically, this service that is listening is the Receive Connector part. Hence when you send email to Exchange via SMTP on port 25, you are essentially sending it to the Receive Connector.

Once email is accepted by one of the matching Receive Connectors, it is internally processed, and then the Send Connector is used to send email out to an external party if required. (Internal mail is routed within via hidden send connectors.)

You can have one server01 with only receive connectors and another server02 with only Send Connectors. In that case, trying to send email from the application server to server02 would fail.

Now, as you have CAS and MBX separate, both will listen on port 25: MBX without anonymous, and CAS with anonymous.

Checking the option I had mentioned would resolve your issue. Let me know, if you need any more details.

Reference:

Allowing application servers to relay off Exchange Server 2007

http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

Connectors

https://technet.microsoft.com/en-us/library/jj657461(v=exchg.150).aspx

Create a Receive connector to receive email from a system not running Exchange(network appliance that uses SMTP)

https://technet.microsoft.com/en-us/library/jj657467(v=exchg.150).as

June 9th, 2015 4:23am

Hi Stef,

When we check this option, outgoing messages are proxied through the Front End Transport server; this behavior occurs on the Exchange CAS server, not as a proxy to another application. If you use an application in the organization for outbound messages, we just configure the send connector for all outbound messages to flow to the application.

If there are any questions regarding this issue, please be free to let me know.

Best Regards,

Jim

June 9th, 2015 5:42am

Hi Stef,

I seem to have fully misunderstood your requirement\issue.

I guess it is an SMTP anti-spam appliance between Exchange and the Internet which requires authentication of some sort.

Then as Jim mentioned you should bypass CAS, if you already have an external appliance.

Mailbox server and Client Access server installed on different computers: In this configuration, the Client Access server is bypassed for inbound mail flow. Mail flows from the Transport service on the Edge Transport server to the Transport service on the Mailbox server.

Network ports required for mail flow with Edge Transport servers

A subscribed Edge Transport server that's installed in your perimeter network basically eliminates SMTP mail flow through the Client Access server. Specifically:

  • Outbound mail from the Exchange organization never flows through a Client Access server. Mail always flows from a Mailbox server in the subscribed Active Directory site to the Edge Transport server (regardless of the version of Exchange on the Edge Transport server).

  • Inbound mail never flows through a standalone Client Access server. Mail flows from the Edge Transport server to a Mailbox server in the subscribed Active Directory site.

June 9th, 2015 7:57am
