We have a number of devices that send email through our Exchange 2010 server. These devices all authenticate using a domain user prior to sending the message and this was working fine on 2010. We are now migrating to Exchange 2016 and I am trying to configure the receive connector to allow the same thing but I can't get it to work. Here is the configuration of my receive connector:
[PS] C:\>Get-ReceiveConnector "EX2016\default frontend EX2016" | fl
RunspaceId : 68459e4b-3af8-411d-a616-7db360d20905
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : False
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : True
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : EX2016.example.com
ServiceDiscoveryFqdn :
TlsCertificateName :
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 5
MaxLogonFailures : 3
MaxMessageSize : 25 MB (26,214,400 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : EX2016
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend EX2016
DistinguishedName : CN=Default Frontend EX2016,CN=SMTP Receive
Connectors,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
Administrative Group (###########),CN=Administrative Groups,CN=Org
Unit,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=caymanport,
DC=com
Identity : EX2016\Default Frontend EX2016
ObjectCategory : example.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 20/09/2016 8:21:49 AM
WhenCreated : 08/09/2016 8:02:11 AM
WhenChangedUTC : 20/09/2016 1:21:49 PM
WhenCreatedUTC : 08/09/2016 1:02:11 PM
OrganizationId :
Id : EX2016\Default Frontend EX2016
OriginatingServer : dc.example.com
IsValid : True
ObjectState : Unchanged
And this is the SMTP log of a connection attempt:
+,,
>,"220 EX2016.example.com Microsoft ESMTP MAIL Service ready at Tue, 20 Sep 2016 07:18:27 -0500",
<,EHLO printer.example.com,
>,250 EX2016.example.com Hello [172.16.113.55] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
<,AUTH NTLM,
>,334 <authentication response>,
>,334 <authentication response>,
*,,Inbound Negotiate failed because of LogonDenied
*,,User Name: NULL
*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
>,535 5.7.3 Authentication unsuccessful,
-,,Remote(SocketError)
I don't think I should be using an anonymous relay connector because I am authenticating with a domain user/password. What am I doing wrong?
Edit: I should note that these printers need to be able to send email externally as well as internally.
Best Answer
First, I wouldn't have touched the default Receive Connector. In these instances I always create a new Receive Connector. Therefore I would put things back as they were. You don't want an authentication enabled receive connector on port 25 exposed to the internet - that is asking for authenticated user attacks.
Then create a new Receive Connector. You will need to use PWS for this because the ECP GUI currently only creates backend types, whereas you want a frontend. Lock it down to the specific IP address of the devices. You then need to enable the authentication types and Exchange Users under Permission groups - basically the same as Client Frontend Receive Connector, but on a different port and probably without TLS.
Then restart the MS Exchange Transport service.