Pages

Wednesday, October 5, 2011

Unable to relay mail to external domain recipient through Exchange Server 2010

I ran into an issue today that got me frustrated not because I couldn’t solve right away but because I’ve come across this before but forgot what I did to solve it so now that I’ve resolved the issue, I figure I’d blog it so I can reference this blog in the future.

I encountered the problem when I completed the setup of a new Kiwi Syslog server which allowed me to send VMware Data Recovery reports and logs to and in turn email recipients so they would know whether the daily backups were successful or not.  The environment had Exchange Server 2010 as their messaging service and I’ve configured numerous Exchange Receive Connectors for mail relaying for various devices but as I completed my syslog configuration and executed a test email to be sent to my email address, the email never came.  I initially thought it was something minor such as firewall or IP address so I went ahead and checked the obvious.  After going through the configuration numerous times to verify I haven’t made any mistakes, I realized that I wasn’t anywhere closer to solving the problem.  Seeing how I wasn’t really getting anywhere, I began reviewing the logs from the syslog server which showed the following:

2011-10-05 16:45:10 PI Message to: tluk@ccs.bm, adminterence@domain.bm
2011-10-05 16:45:10 PI Message from: vdr01@domain.bm
2011-10-05 16:45:10 PI Subject: Syslog message from vc03 - vDR traffic
2011-10-05 16:45:10 PI Date: Wed, 05 Oct 2011 16:45:10 –0300
2011-10-05 16:45:20 PI Mail error: 550 5.7.1 Unable to relay

image

Then I proceeded to turn on verbose logging on the Exchange 2010 Hub Transport server’s receive connector handling the connection and navigated to the path:

C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive

… where the log was written:

image

Opening up the logs showed the following:

#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2011-10-05T19:17:57.149Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-10-05T19:17:57.149Z,CAS01\VC03,08CE51AA847AC9C0,0,10.10.1.59:25,10.10.1.53:49654,+,,
2011-10-05T19:17:57.149Z,CAS01\VC03,08CE51AA847AC9C0,1,10.10.1.59:25,10.10.1.53:49654,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-10-05T19:17:57.149Z,CAS01\VC03,08CE51AA847AC9C0,2,10.10.1.59:25,10.10.1.53:49654,>,"220 CAS01.domainnet.com Microsoft ESMTP MAIL Service ready at Wed, 5 Oct 2011 16:17:56 -0300",
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,3,10.10.1.59:25,10.10.1.53:49654,<,EHLO vc03,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,4,10.10.1.59:25,10.10.1.53:49654,>,250-CAS01.domainnet.com Hello [10.10.1.53],
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,5,10.10.1.59:25,10.10.1.53:49654,>,250-SIZE 10485760,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,6,10.10.1.59:25,10.10.1.53:49654,>,250-PIPELINING,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,7,10.10.1.59:25,10.10.1.53:49654,>,250-DSN,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,8,10.10.1.59:25,10.10.1.53:49654,>,250-ENHANCEDSTATUSCODES,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,9,10.10.1.59:25,10.10.1.53:49654,>,250-AUTH,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,10,10.10.1.59:25,10.10.1.53:49654,>,250-8BITMIME,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,11,10.10.1.59:25,10.10.1.53:49654,>,250-BINARYMIME,
2011-10-05T19:17:57.164Z,CAS01\VC03,08CE51AA847AC9C0,12,10.10.1.59:25,10.10.1.53:49654,>,250 CHUNKING,
2011-10-05T19:17:57.274Z,CAS01\VC03,08CE51AA847AC9C0,13,10.10.1.59:25,10.10.1.53:49654,<,RSET,
2011-10-05T19:17:57.274Z,CAS01\VC03,08CE51AA847AC9C0,14,10.10.1.59:25,10.10.1.53:49654,*,Tarpit for '0.00:00:05',
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,15,10.10.1.59:25,10.10.1.53:49654,>,250 2.0.0 Resetting,
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,16,10.10.1.59:25,10.10.1.53:49654,<,MAIL FROM: <vdr01@domain.bm>,
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,17,10.10.1.59:25,10.10.1.53:49654,*,08CE51AA847AC9C0;2011-10-05T19:17:57.149Z;1,receiving message
2011-10-05T19:18:02.290Z,CAS01\VC03,08CE51AA847AC9C0,18,10.10.1.59:25,10.10.1.53:49654,>,250 2.1.0 Sender OK,
2011-10-05T19:18:02.305Z,CAS01\VC03,08CE51AA847AC9C0,19,10.10.1.59:25,10.10.1.53:49654,<,RCPT TO:<tluk@ccs.bm>,
2011-10-05T19:18:02.305Z,CAS01\VC03,08CE51AA847AC9C0,20,10.10.1.59:25,10.10.1.53:49654,*,Tarpit for '0.00:00:05',
2011-10-05T19:18:07.321Z,CAS01\VC03,08CE51AA847AC9C0,21,10.10.1.59:25,10.10.1.53:49654,>,550 5.7.1 Unable to relay,
2011-10-05T19:18:07.337Z,CAS01\VC03,08CE51AA847AC9C0,22,10.10.1.59:25,10.10.1.53:49654,<,QUIT,
2011-10-05T19:18:07.337Z,CAS01\VC03,08CE51AA847AC9C0,23,10.10.1.59:25,10.10.1.53:49654,>,221 2.0.0 Service closing transmission channel,
2011-10-05T19:18:07.337Z,CAS01\VC03,08CE51AA847AC9C0,24,10.10.1.59:25,10.10.1.53:49654,-,,Local

image

What I noticed to be consistent was the error:

550 5.7.1 Unable to relay

The hunch I immediately had was that Exchange was not allowing me to relay email out to a recipient at a domain that wasn’t internal so I went ahead to do a few telnet tests:

To an external email address

220 CAS01.domain.com Microsoft ESMTP MAIL Service ready at Wed, 5 Oct 2011 16:24:14 –0300
helo
250 CAS01.domain.com Hello [10.10.1.53]
mail from:vdr01@domain.bm
250 2.1.0 Sender OK
rcpt to:tluk@ccs.bm
550 5.7.1 Unable to relay

image

To an internal email address

220 CAS01.domain.com Microsoft ESMTP MAIL Service ready at Wed, 5 Oct 201
1 16:26:49 -0300
helo
250 CAS01.domain.com Hello [10.10.1.53]
mail from:vdr01@domain.bm
250 2.1.0 Sender OK
rcpt to:adminerence@domain.bm
250 2.1.5 Recipient OK

image

Solution

What the telnet tests revealed was that I had no issues relaying mail to domains that Exchange hosted internally which was no surprise because the receive connector I used was allowing other scanners and printers to relay email.  This was when I remembered that Exchange handled mail relay requests for internal and external domains based on the settings configured in the Authentication tab for the Receive Connector.  Opening the receive connector’s properties and navigating to the Authentication tab will show the following options:

  • Transport Layer Security (TLS)
    • Enable Domain Security (Mutual Auth TLS)
  • Basic Authentication
    • Offer Basic authentication only after starting TLS
  • Exchange Server authentication
  • Integrated Windows authentication
  • Externally Secured (for example, with IPsec)

image

Without dragging this on, the security mechanism to enable so relaying servers can send to external recipients is the option:

Externally Secured (for example, with IPsec)

With this option selected, you will also notice that it will also be mandatory to select the option:

Exchange servers

image

The configuration shown above

Authentication –> Externally Secured (for example, with IPsec)

Permissions Group –> Exchange servers

… will allow you to relay emails out to an external recipient with an internal email address.  If you were to use an external domain as the sender address, you’ll also need to check the option:

Permissions Group –> Anonymous

image

Hope this helps anyone who might be experiencing the same problem as I did today and I’m glad I’ll be able to reference this post when I get that “déjà vu” feeling again in the future when I’m bound to come across this again.

at

25 comments:

  1. Stuart WeaverOctober 31, 2011 at 10:19 PM

    Thanks Terrence!

    Google sent me here and you solved my problem. Much appreciated.

    ReplyDelete
  2. AnonymousJanuary 20, 2012 at 7:03 PM

    Thanks you got us working

    ReplyDelete
  3. AnonymousApril 11, 2012 at 5:17 AM

    Thanks for your help, worked a treat!

    ReplyDelete
  4. BillMay 24, 2012 at 11:15 AM

    Thanks SO much for this! One little setting that didn't make sense to check and that was it. Took me two days to finally decide to see if someone else has ever had this problem! Nicely Done.

    ReplyDelete
  5. BillMay 24, 2012 at 11:16 AM

    This comment has been removed by the author.

    ReplyDelete
  6. UnknownMay 28, 2012 at 12:23 PM

    Will this allow you to open yourself to become a spamming server since you have selected anonymous?

    ReplyDelete
  7. AnonymousJune 5, 2012 at 7:14 PM

    Thanks Terence! You saved my bacon today.

    ReplyDelete
  8. UnknownJune 13, 2012 at 12:16 PM

    Thanks a lor

    ReplyDelete
  9. AnonymousJune 20, 2012 at 7:51 AM

    Am sure the steps are okay but Telnet is still unable to relay!

    ReplyDelete
  10. UnknownJune 21, 2012 at 3:15 PM

    I am also experiencing relay problems. I am trying to configure exchange to allow a Ricoh copier/scanner to relay to external recipients. I created a new connector per the instructions, but I still get 550 5.7.1 Unable to relay.

    ReplyDelete
  11. AnonymousJuly 13, 2012 at 8:51 AM

    Brilliant, works a treat. Thanks

    ReplyDelete
  12. AnonymousAugust 2, 2012 at 3:42 PM

    ... missing the “Ms-Exch-SMTP-Accept-Any-Recipient” , this is preventing the scanner to relay off the exchange server. You can add this permission by opening the EMS (Exchange Management Shell” and issuing the command:

    Get-ReceiveConnector "" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    ReplyDelete
  13. AnonymousAugust 3, 2012 at 2:24 AM

    Get-ReceiveConnector "" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Works!!!! thanks a lot

    ReplyDelete
  14. AndrewMarch 20, 2013 at 10:33 PM

    Thak worked for me. You are a champ! Thanks mate

    ReplyDelete
  15. David SotoMarch 26, 2013 at 6:48 AM

    it works fine!!
    We were getting crazy with this!
    Thank you very much Terence!!

    ReplyDelete
  16. AnonymousApril 8, 2013 at 5:32 AM

    Thank you for your aticle. It's really usefull info.

    ReplyDelete
  17. AnonymousJune 5, 2013 at 1:54 PM

    Been looking for an answer to this question for a while! Thanks a bunch.

    ReplyDelete
  18. AnonymousAugust 13, 2013 at 12:29 PM

    Gold dust! Thank you so much!

    ReplyDelete
  19. AnonymousAugust 30, 2013 at 7:00 AM

    I am facing a problem where I want to send email to exchange server 2010 using powershell for test. I have made a new connector, with 'Anonymous' option enabled , but I still get the error -Exception calling "Send" with "1" argument(s): "The SMTP server requires a secure connection or the client was not auth
    enticated. The server response was: 5.7.1 Client was not authenticated"

    ReplyDelete
  20. AnonymousSeptember 25, 2013 at 12:30 AM

    MY problem solve after add "ms-Exch-SMTP-Accept-Any-Recipient"permission on receive connector

    Get-ReceiveConnector -Identity "relay-xxx" |ADD-ADPermission -User "NT
    AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

    ReplyDelete
  21. AnonymousMay 6, 2014 at 10:30 AM

    Hello Terence,

    My problem is that i'am not allowed to send anonymous, I have to use, for security reasons, TLS and Integrated Windows authentication and as permission group Exchange users. When I use these settings i'am not allowed to send emails. What can I do to resolve this problem?

    ReplyDelete
  22. AnonymousApril 20, 2015 at 4:24 PM

    Brilliant. Thanks for the solution. Was struggling for about 4 hours with randomly selecting and deselecting options.

    ReplyDelete
  23. PhotographerMarch 23, 2016 at 10:37 AM

    Add "ms-Exch-SMTP-Accept-Any-Recipient" permission on receive connector.

    ReplyDelete
  24. Alhaji GGJune 14, 2016 at 11:31 AM

    Thanks for the solution.

    ReplyDelete
  25. AnonymousApril 23, 2019 at 3:17 PM

    Youre amazing

    ReplyDelete