ms-Exch-SMTP-Accept-Any-Sender on ReceiveConnector does not work

Hi Everybody,

While deploying Exchange 2013 (first Exchange server in organization) I recognized that authorized users are only allowed to send as users configured regarding their mailbox.

Now we have users/devices sending with SMTP (no Outlook!) that should be allowed to send as any sender (for whom no mailbox might be configured).

We have some internal ReceiveConnector configured (SMTP-LAN-Relay) and I have set extended permissions with:

[PS] C:\Windows\system32>Add-AdPermission -Identity "SMTP-LAN-Relay" -User "NT-AUTORITÄT\Authentifizierte Benutzer" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

I can see these permissions also when querying the permissions:

[PS] C:\Windows\system32>Get-ReceiveConnector |Get-ADPermission|where {$_.User -like '*authentifi*'}|ft identity,user,extendedrights,accessrights

Identity                              User                                  ExtendedRights                       AccessRights
--------                              ----                                  --------------                       ------------
VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
VM-EXCHANGE01\Default VM-EXCHANGE01   NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
VM-EXCHANGE01\Client Proxy VM-EXCH... NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Sender}     {ExtendedRight}
VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
VM-EXCHANGE01\SMTP-Anywhere-Relay     NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
VM-EXCHANGE01\Outbound Proxy Front... NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
VM-EXCHANGE01\Client Frontend VM-E... NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Accept-Headers-Routing}     {ExtendedRight}
VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-Bypass-Anti-Spam}           {ExtendedRight}
VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Recipient}  {ExtendedRight}
VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Submit}                {ExtendedRight}
VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu... {ms-Exch-SMTP-Accept-Any-Sender}     {ExtendedRight}
VM-EXCHANGE01\SMTP-DMZ-NoRelay        NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}
VM-EXCHANGE01\SMTP-MX-NoRelay         NT-AUTORITÄT\Authentifizierte Benu...                                      {ReadProperty}

Unfortunately this setting is not working at all, that means I still get errors

5.7.1 Client does not have permissions to send as this sender

when sending as nomailboxexists@domain.tld while authenticating as my.user@domain.local
I also tried ms-Exch-SMTP-Accept-Authoritative-Domain-Sender already instead of Accept-Any-Sender, no change.

Any ideas? Any help?

Thanks a lot in advance!

Matt



July 10th, 2013 11:15pm

That right doesn't control "Send As", it allows all authenticated users to submit messages that are destined outside your Exchange organization, i.e., relay mail.

Is the AnonymousUsers in the PermissionsGroups property of the receive connector?

July 12th, 2013 11:10pm

Hi Ed,

Thanks for your input, but are you really sure about this? I think what you mean is accept-any-recipient.

It is documented that the receive connector right ms-Exch-SMTP-Accept-Any-Sender is used to bypass anti-spoofing checks. That's exactly what I want. But it seems that there is an issue on Exch 2013 with Frontend-Transport connectors and this right. With Hub-Transport it is working:

http://social.technet.microsoft.com/Forums/exchange/en-US/611d9d06-c3dd-4483-b5cd-96ff30ef34d8/exchange2013-msexchsmtpacceptanysender-not-working-with-frontendtransport#611d9d06-c3dd-4483-b5cd-96ff30ef34d8

http://www.networksteve.com/exchange/topic.php/550_5.7.1_Unable_to_relay_for_external_domains_on_Exchange_2013/?TopicId=37788&Posts=1

July 13th, 2013 8:20am

Looking at the second link you provided, what you are doing is what I said, enabling SMTP relay.  The way I've always done that is to create a receive connector limited to the source IP addresses that are allowed to send to it, and then adding the right to the connector.  It would be something like this:

New-ReceiveConnector -Name Relay -Bindings 0.0.0.0:25 -RemoteIpRanges 123.123.123.123 -PermissionGroups AnonymousUsers

Add-AdPermission ...

July 13th, 2013 12:36pm

Hi Ed,

but these are two different things! Even when not wanting to have relay enabled (accept-any-recipient), the bypass of anti-spoofing with accept-any-sender is not working with frontend-transport connectors for authenticated users - only for anonymous (which I don't want here).

Creating a new connector with the given command creates a Hub-Transport connector in EX2K13, which is not intended to be used for client communication.

July 14th, 2013 3:23pm
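
An audit of the rights discussed in this thread, as an added example that is not part of any post: it lists every receive connector on which Anonymous Logon or Authenticated Users holds an accept-any-sender, authoritative-domain-sender or accept-any-recipient right, with the connector's transport role and whether it accepts connections from any IPv4 address. It resolves the well-known SIDs to their localized names instead of matching on `*authentifi*`; the report's column names are chosen here, and it assumes the User value renders as the account name, as in the output shown in the first post.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2013.
# Well-known SIDs are translated to their localized account names, so the
# match also works on non-English servers (the thread's server is German).
$broad = @{}
foreach ($sid in 'S-1-5-7', 'S-1-5-11') {   # Anonymous Logon, Authenticated Users
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier $sid
    $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    $broad[$name] = $sid
}

# Rights named in the thread: sender checks and relay to any recipient.
$rights = 'ms-Exch-SMTP-Accept-Any-Sender',
          'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
          'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($rc in Get-ReceiveConnector) {
    # String form of each range, e.g. "0.0.0.0-255.255.255.255"
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { [string]$_ })
    # Allow ACEs held by the two broad principals on this connector
    $aces = $rc | Get-ADPermission |
        Where-Object { -not $_.Deny -and $broad.ContainsKey([string]$_.User) }
    foreach ($ace in $aces) {
        foreach ($right in $ace.ExtendedRights) {
            if ($rights -contains [string]$right) {
                [pscustomobject]@{
                    Connector     = [string]$rc.Identity
                    TransportRole = [string]$rc.TransportRole
                    Principal     = [string]$ace.User
                    Right         = [string]$right
                    AnyIPv4Source = $ranges -contains '0.0.0.0-255.255.255.255'
                }
            }
        }
    }
}

$report | Sort-Object Connector, Principal, Right | Format-Table -AutoSize
```

Rows where AnyIPv4Source is True and the right is held by a broad principal are the ones to review first, since the connector is then not limited to specific source addresses.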
