Exchange 2010 - need to send email from remote site

Associate, joined 18 Oct 2002, 966 posts, Ipswich
Hi,

I am looking for some assistance in solving an issue I have not come across before.

I have a client with 2 sites. Site A has an SBS 2011 server running Exchange 2010. Site B has an application that needs to send emails from an email address hosted on the server at Site A. The application requires: SMTP server address, username and password.

I have tried entering the username in the domain\username format, but it is not being accepted. Normally I would install the SBS certificate on a remote PC for Outlook Anywhere to function, but the application does not facilitate this.

Only one mailbox at Site A needs accessing in this way, and only Site B would need access to it.

Am I right in thinking I need to setup a relay and restrict access to a single IP?

Any pointers would be gratefully received.
 
Hi, thank you for the replies.

I have now created a new receive connector. Restricted to my fixed IP for testing. This will be changed to Site B's fixed IP once working.

What errors are you getting in the application log? Are you seeing any errors in the event log on the Exchange server?

The account 'SITEADOMAIN\user' provided valid credentials, but it does not have submit permissions on SMTP Receive connector 'NewConnector'; failing authentication.

I have applied the following via the Exchange Management Shell:

get-receiveconnector "NewConnector" | add-adpermission -User username -ExtendedRights ms-Exch-SMTP-Submit

I am still not able to send email via my Outlook, although the account passes the email test.

What Authentication method(s) should I be using on the connector?
Are both sites on the same subnet? Or is there routing between the two?
If it were me, I'd set up a receive connector on the exchange box with the IP of the client that needs to send.

To help debug, can you telnet from the client to the exchange server and do a HELO?

The sites are on different subnets and no routing. The two sites are independent of one another.

I have followed this article to perform a HELO: https://technet.microsoft.com/en-us/library/bb123686(v=exchg.160).aspx

After entering my own email address at point 7, I receive: 550 5.7.1 Unable to relay

Not sure what to try next.

Any further advice, would be gratefully received.
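The telnet test above, scripted: an added example, not from the thread or the TechNet article, that runs the same EHLO / MAIL FROM / RCPT TO conversation from the Site B side, optionally inside STARTTLS and with AUTH LOGIN, so the anonymous result can be compared with the authenticated one. A session that has not authenticated (or whose account has no submit right on that connector) may only deliver to the server's accepted domains; RCPT TO for any other address is refused with 550 5.7.1 Unable to relay. Server name, addresses and credentials are placeholders. Exchange 2010 Basic authentication accepts both the DOMAIN\user form and the user@domain UPN form.

```powershell
# Added example (not from the thread): SMTP submission test against an Exchange 2010
# receive connector. Stops after RCPT TO, where the relay decision is made; no DATA is sent.
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Collects a full reply: "250-..." continuation lines end with a "250 " line.
    $lines = New-Object System.Collections.ArrayList
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        [void]$lines.Add($line)
    } while ($line -match '^\d{3}-')
    New-Object PSObject -Property @{ Code = [int]$line.Substring(0, 3); Text = ($lines -join "`n") }
}

function Send-SmtpCommand([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command) {
    $Writer.WriteLine($Command)
    Read-SmtpReply $Reader
}

function Test-SmtpSubmission {
    param(
        [Parameter(Mandatory=$true)][string]$Server,   # e.g. remote.siteadomainname.co.uk
        [int]$Port = 25,
        [string]$Username,                              # 'SITEADOMAIN\user' or 'user@siteadomainname.co.uk'; omit for an anonymous session
        [string]$Password,
        [Parameter(Mandatory=$true)][string]$From,
        [Parameter(Mandatory=$true)][string]$To,
        [switch]$NoStartTls,                            # for an app that cannot do TLS; the password then crosses the internet in clear
        [switch]$SkipCertificateCheck                   # needed while the server presents an expired self-issued certificate
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $result = @{}

    # "220 <connector Fqdn> ..." - the name here is the one the certificate must cover.
    $result.Banner = (Read-SmtpReply $reader).Text
    $ehlo = Send-SmtpCommand $writer $reader 'EHLO testclient'

    if (-not $NoStartTls -and $ehlo.Text -match '(?m)^250[- ]STARTTLS') {
        [void](Send-SmtpCommand $writer $reader 'STARTTLS')
        if ($SkipCertificateCheck) {
            $ssl = New-Object System.Net.Security.SslStream($stream, $false,
                       [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        } else {
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        }
        $ssl.AuthenticateAsClient($Server)
        $reader = New-Object System.IO.StreamReader($ssl)
        $writer = New-Object System.IO.StreamWriter($ssl)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        # EHLO again inside TLS; with BasicAuthRequireTLS on the connector, AUTH LOGIN is only advertised here.
        $ehlo = Send-SmtpCommand $writer $reader 'EHLO testclient'
    }
    $result.Ehlo = $ehlo.Text

    if ($Username) {
        [void](Send-SmtpCommand $writer $reader 'AUTH LOGIN')   # server answers 334 with base64 "Username:"
        [void](Send-SmtpCommand $writer $reader ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Username))))
        $auth = Send-SmtpCommand $writer $reader ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Password)))
        # 235 = accepted; 535 = wrong credentials or no ms-Exch-SMTP-Submit right on this connector
        $result.Auth = $auth.Text
    }
    $result.MailFrom = (Send-SmtpCommand $writer $reader "MAIL FROM:<$From>").Text
    $result.RcptTo   = (Send-SmtpCommand $writer $reader "RCPT TO:<$To>").Text   # 550 5.7.1 Unable to relay shows up here
    [void](Send-SmtpCommand $writer $reader 'QUIT')
    $client.Close()
    New-Object PSObject -Property $result
}

# Usage (placeholders). Run both from Site B's fixed IP, since the connector only answers that address.
# Anonymous session: RCPT TO for an address outside Site A's accepted domains is refused.
Test-SmtpSubmission -Server remote.siteadomainname.co.uk -From app@siteadomainname.co.uk `
    -To someone@example.com -SkipCertificateCheck
# Authenticated session: RFC 4954 defines 235 for a successful AUTH, after which RCPT TO is accepted
# provided the account holds the submit right on the connector.
Test-SmtpSubmission -Server remote.siteadomainname.co.uk -Username 'SITEADOMAIN\user' `
    -Password (Read-Host 'App password') -From app@siteadomainname.co.uk -To someone@example.com -SkipCertificateCheck
```

Compare the Ehlo text from the two runs: if AUTH LOGIN is missing from the EHLO inside TLS, the connector's AuthMechanism does not include BasicAuth, and no username format will help. If the banner name does not match the certificate, STARTTLS fails at AuthenticateAsClient without the skip switch, which is the same failure a TLS-only application would see.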
 
It's easier if you grab a screen shot of the GUI of the connection and post it up for me.

One major thing that stands out is that if the sites are completely independent of each other, how do you expect the connection to reach the exchange server from the client? And you're using a domain logon, but is the domain spanned across both sites? (I doubt it if they're on different subnets and no routing between the two) which then raises the question of how are you expecting to authenticate?

Please find obscured screen shots below:

Capture1.PNG

Capture2.PNG

Capture3.PNG

Capture4.PNG


I had assumed the client would connect directly across the internet, no VPN etc.

I'm not sure on method of authentication. The application at SiteB only accepts the following details: SMTP server, username and password.

Capture5.PNG


I'm hoping you can spot something obvious in the screenshots above.

Thanks again.
 
Have you tried Basic Auth on the receive connector? The sending app might not support TLS.

When using Basic Auth on the connector I can send an Outlook test email from and to the account I wish to send from. The test messages can be viewed using OWA on the server at SiteA.

However, if I compose and send an email to and from the same account it fails, saying "verify your network connection".
 
Thanks all

Turn on verbose logging on the send connector you created to see if it's even hitting it.
It is hitting the new connector I have created.

Does the ISP at site B allow outbound port 25?
Yes

You will need to turn off integrated authentication and enable exchange authentication. You will also need to turn on basic authentication and play with the TLS option based on if your application supports it.

When I try to enable Exchange Server Authentication, I receive the following:

Capture6.PNG


Help link goes nowhere...

You will need to create an account on the exchange server/ad on site B and assign permissions to that on the mailbox and then use those credentials in your app to connect to the exchange server. Integrated authentication will not work because your client isn't part of the same network that the exchange server is in.

I believe this is all in place. Please see below.

To break this down:

1) User. There needs to be a user to log into the exchange server
2) Mailbox. There needs to be a mailbox so once you're logged in you have something to view. User above owns this mailbox.
3) Receive connector. This must be present to control how this user is going to connect, you use a connector if the standard/default/existing connectors have different settings.
4) Authentication. You use the connector to define the authentication and connection methods of the user.

That's it.

1) Got
2) Got
3) I have created a new receive connector as per screenshots above. If I can use the existing SBS 2011 one I will, but I would like to restrict the access to the IP of Site B.
4) Following your suggested Authentication settings - please see screenshot above.


Thanks for all your inputs. It is appreciated.
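The four items above (user, mailbox, receive connector, authentication) as one Exchange Management Shell script for Exchange 2010, added here as an example and not taken from the thread. The connector name, FQDN and domain prefix follow the thread; the Site B address and the account name are placeholders marked in the comments. The commented alternative at the end is the anonymous relay approach from the guide the thread later followed, where the connector trusts the source IP instead of a password.

```powershell
# Added example (not from the thread): authenticated submission from one remote IP on
# Exchange 2010 (SBS 2011). Run in the Exchange Management Shell on the Site A server.
$server        = $env:COMPUTERNAME
$connectorName = 'NewConnector'                  # name used in the thread
$fqdn          = 'remote.siteadomainname.co.uk'  # name on the certificate the Outlook test already uses
$siteBPublicIP = '203.0.113.10'                  # assumption: Site B's fixed public IP (documentation range)
$sendingUser   = 'SITEADOMAIN\user'              # assumption: the AD account the Site B application logs in as

# 1) Connector on port 25 that only answers Site B. -Usage Custom starts with no
#    permission groups and no auth mechanisms, so nothing is inherited from the
#    default "Client <server>" connector.
# 2) Authentication: Basic over TLS. Integrated (NTLM) and ExchangeServer auth are
#    left off: the Site B host is not domain-joined, and Exchange requires a connector
#    with ExchangeServer auth to carry the server's own FQDN, which would break the
#    certificate match on $fqdn. Drop BasicAuthRequireTLS only if the application
#    cannot do STARTTLS; the password then crosses the internet in clear.
New-ReceiveConnector -Name $connectorName -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $siteBPublicIP -Fqdn $fqdn `
    -AuthMechanism 'Tls,BasicAuth,BasicAuthRequireTLS' `
    -PermissionGroups 'ExchangeUsers'

# 3) Submit right. ExchangeUsers already grants ms-Exch-SMTP-Submit (and
#    ms-Exch-SMTP-Accept-Any-Recipient, i.e. relay) to "Authenticated Users"; the
#    explicit grant is what the thread applied and what the "does not have submit
#    permissions" error asks for.
Get-ReceiveConnector "$server\$connectorName" |
    Add-ADPermission -User $sendingUser -ExtendedRights 'ms-Exch-SMTP-Submit'

# Verify the effective settings and the ACE, then log every session verbosely
# (log folder: TransportRoles\Logs\ProtocolLog\SmtpReceive under the Exchange install).
Get-ReceiveConnector "$server\$connectorName" |
    Format-List Name, Bindings, RemoteIPRanges, Fqdn, AuthMechanism, PermissionGroups
Get-ReceiveConnector "$server\$connectorName" | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Submit' } |
    Format-Table User, ExtendedRights, Deny -AutoSize
Set-ReceiveConnector -Identity "$server\$connectorName" -ProtocolLoggingLevel Verbose

# Alternative: anonymous relay restricted to Site B's IP, trusting the source address
# instead of a password. Anything that can reach the connector from that address can
# then send as any sender, so keep RemoteIPRanges to the single fixed IP.
# Set-ReceiveConnector -Identity "$server\$connectorName" -AuthMechanism 'Tls' -PermissionGroups 'AnonymousUsers'
# Get-ReceiveConnector "$server\$connectorName" |
#     Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'
```

On the FQDN question raised in the thread: the value set with -Fqdn is what the connector announces in its 220 banner and EHLO reply, so it should be the name on the certificate (the public remote.* name), not the internal .local hostname, or STARTTLS from the application will fail the name check.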
 
Currently the new connector is set using:

remote.siteadomainname.co.uk

This FQDN exists and is what I have been using when performing the Outlook test email mentioned above.

Should I change it to: hostname.domain.local ?

I am a self-taught IT admin. Site B is a long standing client that has just acquired Site A. Site A has external IT support in place but they are not being overly helpful/understanding of the requirement.

I am experienced with SBS 2003/2008/2011 but haven't needed to create an additional connector before. With my own clients, offsite email can usually be handled by OWA or Outlook Anywhere connections.

Thanks again.
 
Update: I have been able to send a test email to an external recipient using the telnet HELO command after following this guide: http://www.lazynetworkadmin.com/exchange-2010-configure-anonymous-relay-to-external-domains


Isn't there an RC by default in Exchange for Client Receive Connectors?

There is, but I was looking to limit this access to a single IP, keeping all other connector settings as they are.

This should have a binding already for Port 25; however, Port 25 may not be open at the firewall level inbound for the SBS server at Site A. Indeed one thing worth considering is whether there is a proper certificate on the SBS server too which has a valid SAN name that can be assigned for SMTP.

Port 25 is open at Site A. This is an SBS 2011 with a self-issued certificate (which appears to have expired). The SAN name listed within the certificate is the FQDN I am using to connect to the server.

If the Client RC does exist, then it can be used as an SMTP server, but it's best to restrict what can connect to it, even though it should by default require username/password for the mailbox in order to function anyway.

Please see my first reply above.

Still unsure as to the format the username should be entered in to mail client. Is the server expecting "sitealocaldomain\username", "username" or email address?

If Site A has a firewall, you could restrict what IP addresses are allowed to hit port 25 inbound for the SBS server in Site A instead of restricting it at the RC itself.

I would need Site A's external IT support to make such changes, but not sure if that is necessary at the moment.

Also you don't technically need to necessarily log into the mailbox in Site A to send emails as it, most mail apps can spoof the FROM address quite easily. Then you can just deal with sender reputation by ensuring that the SPF record designates Site B as a valid sender IP address/hostname for the domain in question.

This is something I had considered and is a path I am open to taking, but again I would need Site A's external IT support to make DNS changes etc

Thank you.
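The SPF route suggested above, as an added example that is not part of the thread: a PowerShell check of whether a sending address is covered by the ip4 mechanisms of an SPF record, run against a constructed record for the Site A domain before and after Site B's address is added. Both addresses are placeholders from the documentation ranges. Only ip4 terms are evaluated offline; include, a, mx and similar terms need DNS and make the result Unknown, which is fine here because the question is only whether Site B's fixed IP is listed.

```powershell
# Added example (not from the thread): offline SPF ip4 check for a candidate sender address.
function ConvertTo-Ip4Int64([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-SpfIp4 {
    param(
        [Parameter(Mandatory=$true)][string]$SpfRecord,
        [Parameter(Mandatory=$true)][string]$Ip
    )
    $tokens = $SpfRecord.Trim() -split '\s+'
    if ($tokens[0] -ne 'v=spf1') { throw "Not an SPF record: $SpfRecord" }
    if ($tokens.Length -lt 2) { return 'Neutral' }
    $qualifiers = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    $ipInt = ConvertTo-Ip4Int64 $Ip
    $needsDns = $false

    foreach ($token in $tokens[1..($tokens.Length - 1)]) {
        if ($token -match '^([+\-~?]?)ip4:(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?$') {
            $q = if ($Matches[1]) { $Matches[1] } else { '+' }
            $prefix = if ($Matches[3]) { [int]$Matches[3] } else { 32 }
            if ($prefix -gt 32) { throw "Bad prefix in $token" }
            # Network mask as an int64 so -band behaves for all 32 bits.
            $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
            if (((ConvertTo-Ip4Int64 $Matches[2]) -band $mask) -eq ($ipInt -band $mask)) { return $qualifiers[$q] }
        }
        elseif ($token -match '^([+\-~?]?)all$') {
            $q = if ($Matches[1]) { $Matches[1] } else { '+' }
            if ($needsDns) { return 'Unknown' }   # an earlier include/a/mx could still match via DNS
            return $qualifiers[$q]
        }
        elseif ($token -match '^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|exists:|ptr)') {
            $needsDns = $true                     # not evaluated offline
        }
    }
    if ($needsDns) { return 'Unknown' }
    return 'Neutral'                              # no "all" term and nothing matched
}

# Constructed records and addresses (documentation ranges), standing in for the Site A domain's real SPF.
$siteAPublicIP = '198.51.100.20'   # the SBS server's public address
$siteBPublicIP = '203.0.113.10'    # Site B's fixed address, where the application sends from
$currentRecord  = "v=spf1 ip4:$siteAPublicIP -all"
$proposedRecord = "v=spf1 ip4:$siteAPublicIP ip4:$siteBPublicIP -all"

Test-SpfIp4 -SpfRecord $currentRecord  -Ip $siteBPublicIP   # Site B against the record as it stands
Test-SpfIp4 -SpfRecord $proposedRecord -Ip $siteBPublicIP   # Site B against the record with its address added

# Live lookup of the real record, from any Windows 8 / Server 2012 or later machine:
# (Resolve-DnsName siteadomainname.co.uk -Type TXT).Strings | Where-Object { $_ -like 'v=spf1*' }
```

SPF only covers the envelope sender (MAIL FROM), so sending as the Site A domain from Site B also needs the application's envelope sender to be in that domain, and the record change has to be made by whoever controls Site A's public DNS.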
 