How to get WSUS to send emails without authenticating on our mail server

exchange wsus

I'm trying to set up WSUS to send email reports.

To make that happen, I created a new receive connector on our Exchange server. I've limited that server to the IP address of the server that hosts our WSUS role. I've then enabled anonymous access to the connector.

Yet, when I test the settings, I get an error similar to:

System.Net.Mail.SmtpException: 5.7.1 Client does not have permissions to send as this sender

Best Answer

No offense meant, I know you were simply trying to answer your own question and post for the SF community, but I would say you are doing it wrong.

You should set up your Receive connector as a proper relay, with the permissions tab set to Exchange Server not Anonymous and your Authentication Tab set to Externally Secured. Then lock the Receiver down to only accept messages from the WSUS server's IP address.

Using Anonymous permissions isn't the right way to handle it in general...

EDIT: in order to clarify and answer some questions in the comments, see this Technet article: http://technet.microsoft.com/en-us/library/bb232021%28v=exchg.141%29.aspx even though it isn't exactly the easiest to follow.

You have 2 roads to go down...if you choose to go with "Anonymous" then you have to run a shell command to allow anonymous connections the proper ADPermission, something that can't be done in the EMC. This in effect will be the same as the way I'm stating, however some apps will still act like they have to send a username/pwd, so in the past my results have been mixed using this.

So...I stick with the 2nd option they give of "Externally Secured". However, that requires (as mentioned in the article) that the permissions be set to Exchange Servers. What happens is mentioned in this article: http://technet.microsoft.com/en-us/library/bb690954%28v=exchg.141%29.aspx -- stating:

Use this option if the incoming connections to this Receive connector are secured by external means. For example, use this option if the connection is physically secured over a private network or by using Internet Protocol security (IPsec). When you select this option, you make an assertion of external security that can't be programmatically verified by Exchange. Before you select this authentication method, you must first select the Exchange servers permissions group on the Permission Groups tab.

So in essence you are saying with that Receive Connector "trust anything that comes from this set of inbound IPs I'm allowing", no auth, no prompts, no nothing, just take the email and send it out.

Hope that helps.
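
The "Externally Secured" relay described in the answer above, as an added Exchange Management Shell example that is not part of the original answer. The server name, connector name and IP address are placeholders, and the single-host check is a simple heuristic on each range's string form. Because Exchange cannot verify the external-security assertion, the second half lists every such connector with its remote ranges so an over-broad one stands out.

```powershell
# Run in the Exchange Management Shell.
# Placeholder values (assumptions, not taken from the original post):
$Server      = 'EXCH01'       # hypothetical Exchange server name
$Name        = 'WSUS Relay'   # hypothetical connector name
$WsusAddress = '192.0.2.10'   # documentation-range IP standing in for the WSUS host

# Create the relay connector: Externally Secured authentication with the
# Exchange Servers permission group, reachable only from the WSUS address.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $WsusAddress `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Audit: an Externally Secured connector trusts every address in its
# RemoteIPRanges, so list them all and flag anything wider than one host.
Get-ReceiveConnector -Server $Server |
    Where-Object { "$($_.AuthMechanism)" -match 'ExternalAuthoritative' } |
    ForEach-Object {
        $connector = $_
        foreach ($range in $connector.RemoteIPRanges) {
            $text = "$range"
            # Heuristic: a single host is a bare address; a span is written
            # with '-' (start-end) or '/' (CIDR).
            [pscustomobject]@{
                Connector  = "$($connector.Identity)"
                Bindings   = ($connector.Bindings -join ', ')
                Range      = $text
                SingleHost = ($text -notmatch '[-/]')
            }
        }
    } |
    Sort-Object SingleHost, Connector |
    Format-Table -AutoSize
```

Rows with SingleHost set to False sort first; each one is a range of addresses that the connector will relay for without authentication.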
