I ran into an issue today that got me frustrated not because I couldn’t solve right away but because I’ve come across this before but forgot what I did to solve it so now that I’ve resolved the issue, I figure I’d blog it so I can reference this blog in the future.
I encountered the problem when I completed the setup of a new Kiwi Syslog server which allowed me to send VMware Data Recovery reports and logs to and in turn email recipients so they would know whether the daily backups were successful or not. The environment had Exchange Server 2010 as their messaging service and I’ve configured numerous Exchange Receive Connectors for mail relaying for various devices but as I completed my syslog configuration and executed a test email to be sent to my email address, the email never came. I initially thought it was something minor such as firewall or IP address so I went ahead and checked the obvious. After going through the configuration numerous times to verify I haven’t made any mistakes, I realized that I wasn’t anywhere closer to solving the problem. Seeing how I wasn’t really getting anywhere, I began reviewing the logs from the syslog server which showed the following:
2011-10-05 16:45:10 PI Message to: tluk@ccs.bm, adminterence@domain.bm
2011-10-05 16:45:10 PI Message from: vdr01@domain.bm
2011-10-05 16:45:10 PI Subject: Syslog message from vc03 - vDR traffic
2011-10-05 16:45:10 PI Date: Wed, 05 Oct 2011 16:45:10 –0300
2011-10-05 16:45:20 PI Mail error: 550 5.7.1 Unable to relay
Then I proceeded to turn on verbose logging on the Exchange 2010 Hub Transport server’s receive connector handling the connection and navigated to the path:
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive
… where the log was written:
Opening up the logs showed the following:
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2011-10-05T19:17:57.149Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-10-05T19:17:57.149Z,CAS01\VC03,08CE51AA847AC9C0,0,10.10.1.59:25,10.10.1.53:49654,+,,
2011-10-05T19:17:57.149Z,CAS01\VC03,08CE51AA847AC9C0,1,10.10.1.59:25,10.10.1.53:49654,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-10-05T19:17:57.149Z,CAS01\VC03,08CE51AA847AC9C0,2,10.10.1.59:25,10.10.1.53:49654,>,"220 CAS01.domainnet.com Microsoft ESMTP MAIL Service ready at Wed, 5 Oct 2011 16:17:56 -0300",
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,3,10.10.1.59:25,10.10.1.53:49654,<,EHLO vc03,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,4,10.10.1.59:25,10.10.1.53:49654,>,250-CAS01.domainnet.com Hello [10.10.1.53],
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,5,10.10.1.59:25,10.10.1.53:49654,>,250-SIZE 10485760,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,6,10.10.1.59:25,10.10.1.53:49654,>,250-PIPELINING,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,7,10.10.1.59:25,10.10.1.53:49654,>,250-DSN,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,8,10.10.1.59:25,10.10.1.53:49654,>,250-ENHANCEDSTATUSCODES,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,9,10.10.1.59:25,10.10.1.53:49654,>,250-AUTH,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,10,10.10.1.59:25,10.10.1.53:49654,>,250-8BITMIME,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,11,10.10.1.59:25,10.10.1.53:49654,>,250-BINARYMIME,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,12,10.10.1.59:25,10.10.1.53:49654,>,250 CHUNKING,
2011-10-05T19:17:57.274Z,CAS01\VC03,08CE51AA847AC9C0,13,10.10.1.59:25,10.10.1.53:49654,<,RSET,
2011-10-05T19:17:57.274Z,CAS01\VC03,08CE51AA847AC9C0,14,10.10.1.59:25,10.10.1.53:49654,*,Tarpit for '0.00:00:05',
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,15,10.10.1.59:25,10.10.1.53:49654,>,250 2.0.0 Resetting,
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,16,10.10.1.59:25,10.10.1.53:49654,<,MAIL FROM: <vdr01@domain.bm>,
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,17,10.10.1.59:25,10.10.1.53:49654,*,08CE51AA847AC9C0;2011-10-05T19:17:57.149Z;1,receiving message
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,18,10.10.1.59:25,10.10.1.53:49654,>,250 2.1.0 Sender OK,
2011-10-05T19:18:02.305Z,CAS01\VC03,08CE51AA847AC9C0,19,10.10.1.59:25,10.10.1.53:49654,<,RCPT TO:<tluk@ccs.bm>,
2011-10-05T19:18:02.305Z,CAS01\VC03,08CE51AA847AC9C0,20,10.10.1.59:25,10.10.1.53:49654,*,Tarpit for '0.00:00:05',
2011-10-05T19:18:07.321Z,CAS01\VC03,08CE51AA847AC9C0,21,10.10.1.59:25,10.10.1.53:49654,>,550 5.7.1 Unable to relay,
2011-10-05T19:18:07.337Z,CAS01\VC03,08CE51AA847AC9C0,22,10.10.1.59:25,10.10.1.53:49654,<,QUIT,
2011-10-05T19:18:07.337Z,CAS01\VC03,08CE51AA847AC9C0,23,10.10.1.59:25,10.10.1.53:49654,>,221 2.0.0 Service closing transmission channel,
2011-10-05T19:18:07.337Z,CAS01\VC03,08CE51AA847AC9C0,24,10.10.1.59:25,10.10.1.53:49654,-,,Local
What I noticed to be consistent was the error:
550 5.7.1 Unable to relay
The hunch I immediately had was that Exchange was not allowing me to relay email out to a recipient at a domain that wasn’t internal so I went ahead to do a few telnet tests:
To an external email address
220 CAS01.domain.com Microsoft ESMTP MAIL Service ready at Wed, 5 Oct 2011 16:24:14 –0300
helo
250 CAS01.domain.com Hello [10.10.1.53]
mail from:vdr01@domain.bm
250 2.1.0 Sender OK
rcpt to:tluk@ccs.bm
550 5.7.1 Unable to relay
To an internal email address
220 CAS01.domain.com Microsoft ESMTP MAIL Service ready at Wed, 5 Oct 201
1 16:26:49 -0300
helo
250 CAS01.domain.com Hello [10.10.1.53]
mail from:vdr01@domain.bm
250 2.1.0 Sender OK
rcpt to:adminerence@domain.bm
250 2.1.5 Recipient OK
Solution
What the telnet tests revealed was that I had no issues relaying mail to domains that Exchange hosted internally which was no surprise because the receive connector I used was allowing other scanners and printers to relay email. This was when I remembered that Exchange handled mail relay requests for internal and external domains based on the settings configured in the Authentication tab for the Receive Connector. Opening the receive connector’s properties and navigating to the Authentication tab will show the following options:
- Transport Layer Security (TLS)
- Enable Domain Security (Mutual Auth TLS)
- Basic Authentication
- Offer Basic authentication only after starting TLS
- Exchange Server authentication
- Integrated Windows authentication
- Externally Secured (for example, with IPsec)
Without dragging this on, the security mechanism to enable so relaying servers can send to external recipients is the option:
Externally Secured (for example, with IPsec)
With this option selected, you will also notice that it will also be mandatory to select the option:
Exchange servers
The configuration shown above
Authentication –> Externally Secured (for example, with IPsec)
Permissions Group –> Exchange servers
… will allow you to relay emails out to an external recipient with an internal email address. If you were to use an external domain as the sender address, you’ll also need to check the option:
Permissions Group –> Anonymous
Hope this helps anyone who might be experiencing the same problem as I did today and I’m glad I’ll be able to reference this post when I get that “déjà vu” feeling again in the future when I’m bound to come across this again.
25 comments:
Thanks Terrence!
Google sent me here and you solved my problem. Much appreciated.
Thanks you got us working
Thanks for your help, worked a treat!
Thanks SO much for this! One little setting that didn't make sense to check and that was it. Took me two days to finally decide to see if someone else has ever had this problem! Nicely Done.
Will this allow you to open yourself to become a spamming server since you have selected anonymous?
Thanks Terence! You saved my bacon today.
Thanks a lor
Am sure the steps are okay but Telnet is still unable to relay!
I am also experiencing relay problems. I am trying to configure exchange to allow a Ricoh copier/scanner to relay to external recipients. I created a new connector per the instructions, but I still get 550 5.7.1 Unable to relay.
Brilliant, works a treat. Thanks
... missing the “Ms-Exch-SMTP-Accept-Any-Recipient” , this is preventing the scanner to relay off the exchange server. You can add this permission by opening the EMS (Exchange Management Shell” and issuing the command:
Get-ReceiveConnector "" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Get-ReceiveConnector "" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Works!!!! thanks a lot
Thak worked for me. You are a champ! Thanks mate
it works fine!!
We were getting crazy with this!
Thank you very much Terence!!
Thank you for your aticle. It's really usefull info.
Been looking for an answer to this question for a while! Thanks a bunch.
Gold dust! Thank you so much!
I am facing a problem where I want to send email to exchange server 2010 using powershell for test. I have made a new connector, with 'Anonymous' option enabled , but I still get the error -Exception calling "Send" with "1" argument(s): "The SMTP server requires a secure connection or the client was not auth
enticated. The server response was: 5.7.1 Client was not authenticated"
MY problem solve after add "ms-Exch-SMTP-Accept-Any-Recipient"permission on receive connector
Get-ReceiveConnector -Identity "relay-xxx" |ADD-ADPermission -User "NT
AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Hello Terence,
My problem is that i'am not allowed to send anonymous, I have to use, for security reasons, TLS and Integrated Windows authentication and as permission group Exchange users. When I use these settings i'am not allowed to send emails. What can I do to resolve this problem?
Brilliant. Thanks for the solution. Was struggling for about 4 hours with randomly selecting and deselecting options.
Add "ms-Exch-SMTP-Accept-Any-Recipient" permission on receive connector.
Thanks for the solution.
Youre amazing
Post a Comment