Monday, September 21, 2015

Configuring Receive Connectors for Application Authentication

Hi folks,

I recently had an adventure with Exchange 2013 that I want to share with you. I installed a new Exchange 2013 server in my environment.

A bad surprise awaited me when I configured an application server to send email via the Exchange server. The application was configured to issue the STARTTLS command. The server was configured with the appropriate certificate (which, in addition to the load-balanced host name, should contain the SMTP server's host name). However, when attempting to send a test email I got the error: 535 5.7.3 Authentication unsuccessful.

It was especially surprising because I could log in using clients like OWA. The answer was actually in the PermissionGroups of the front-end receive connector, which by default doesn't include the "Exchange Users" group.

To make my application authenticate against the Exchange servers, I had to configure the default front-end connector to include the "Exchange Users" group in its permission groups. If you are running Exchange 2010, you do it on the receive connector, or you can do the same on the back-end connector on the mailbox server (which is actually a default setting on Exchange 2013).

Set-ReceiveConnector "Default Frontend ServerName" -PermissionGroups ExchangeUsers,ExchangeServers,ExchangeLegacyServers

As a result, I got the desired 235 2.7.0 Authentication successful response, and the email was successfully submitted and sent to its recipients.
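Set-ReceiveConnector -PermissionGroups replaces the whole set of groups rather than appending to it, so the following added example (not part of the original post) reads the connector's current groups, adds ExchangeUsers only if it is missing, and warns when basic authentication is offered without requiring TLS. The function name Add-ExchangeUsersToConnector is hypothetical, and 'Default Frontend ServerName' is the placeholder identity from the command above.

```powershell
# Added example: run in the Exchange Management Shell.
# Add-ExchangeUsersToConnector is a hypothetical helper name, not an Exchange cmdlet.
function Add-ExchangeUsersToConnector {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    $rc = Get-ReceiveConnector -Identity $Identity -ErrorAction Stop

    # Assumption: both properties render as comma-separated flag names
    # (true for local enums and for values deserialized over remote PowerShell).
    $groups = @($rc.PermissionGroups.ToString() -split '\s*,\s*' |
        Where-Object { $_ -and $_ -ne 'None' })
    $auth = @($rc.AuthMechanism.ToString() -split '\s*,\s*' |
        Where-Object { $_ -and $_ -ne 'None' })

    Write-Verbose "Current PermissionGroups: $($groups -join ', ')"
    Write-Verbose "Current AuthMechanism:    $($auth -join ', ')"

    # Basic authentication sends credentials that are only protected by TLS,
    # so flag a connector that offers it before STARTTLS has completed.
    if (($auth -contains 'BasicAuth') -and ($auth -notcontains 'BasicAuthRequireTLS')) {
        Write-Warning "$Identity offers BasicAuth without BasicAuthRequireTLS."
    }

    if ($groups -contains 'ExchangeUsers') {
        Write-Verbose 'ExchangeUsers is already present; nothing to change.'
    }
    else {
        # Keep every existing group and append the missing one.
        $new = $groups + 'ExchangeUsers'
        if ($PSCmdlet.ShouldProcess($Identity, "Set PermissionGroups to $($new -join ', ')")) {
            Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups $new
        }
    }

    # Return the effective settings so the change can be reviewed or logged.
    Get-ReceiveConnector -Identity $Identity |
        Select-Object Identity, Bindings, PermissionGroups, AuthMechanism, RequireTLS
}

# Dry run first: shows the intended change without applying it.
Add-ExchangeUsersToConnector -Identity 'Default Frontend ServerName' -WhatIf -Verbose
```

Remove -WhatIf to apply the change, then repeat the application's test submission to confirm the 235 response.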