Maintaining SMTP Relay in Exchange 2010 Migration

During a recent Exchange 2007 to Exchange 2010 migration I discovered that an internal Unix box wasn’t able to send mail through the new Hub Transport. Here is the test and responses seen from that host:

# sendmail -v user@publicdomain.tld
this is a test
.
user@publicdomain.tld… Connecting to Ex2007HT.corp.com. via relay…
220 Ex2007HT.corp.com Microsoft ESMTP MAIL Service ready at Fri, 21 Jan 2011 11:03:09 -0500
>>> EHLO fred.corp.com
250-Ex2007HT.corp.com Hello [10.2.2.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
>>> MAIL From:<user@corp.com> SIZE=15
250 2.1.0 Sender OK
>>> RCPT To:<user@publicdomain.tld>
250 2.1.5 Recipient OK
>>> DATA
354 Start mail input; end with <CRLF>.<CRLF>
>>> .
250 2.6.0 <201101211603.LAA09969@fred.corp.com> Queued mail for delivery
user@publicdomain.tld… Sent (2.6.0 <201101211603.LAA09969@fred.corp.com> Queued mail for delivery)
Closing connection to Ex2007HT.corp.com.
>>> QUIT
# sendmail -v user@publicdomain.tld
this is a test
.
user@publicdomain.tld… Connecting to Ex2010HT.corp.com. via relay…
220 Ex2010HT.corp.com Microsoft ESMTP MAIL Service ready at Fri, 21 Jan 2011 11:05:36 -0500
>>> EHLO fred.corp.com
250-Ex2010HT.corp.com Hello [10.2.2.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
>>> MAIL From:<user@corp.com> SIZE=15
250 2.1.0 Sender OK
>>> RCPT To:<user@publicdomain.tld>
550 5.7.1 Unable to relay
user@publicdomain.tld… User unknown
>>> RSET
250 2.0.0 Resetting

Reading Christian Schindler’s Sidebar in the Exchange Server 2010 Best Practices book led me to the solution.

It is a permissions issue. These permissions were exposed in the Management Console in Exchange 2003, but are now set in the Shell. The following Exchange Management Shell command reveals the current permissions for the Receive Connectors on the system:

Get-ReceiveConnector | ?{$_.Name -like "*Default*"} | Get-ADPermission | ?{$_.ExtendedRights -like "*Accept-Any*"} | ?{$_.User -like "*Anon*"} | fl *

For those not familiar with PowerShell: the ‘|’ sends the output of the previous cmdlet to the next one. In this case the cmdlet after Get-ReceiveConnector is Where-Object (‘?’ for short). The code snippet in the curly brackets filters for a Name that contains ‘Default’. Once the two Receive Connectors that contain ‘Default’ somewhere in their name are found, I ask for their AD permissions. Those permissions are then filtered for ExtendedRights that contain the characters ‘Accept-Any’, and those results are filtered yet again for any user whose name contains ‘Anon’.

Lastly, ‘fl’ (Format-List) prints the output in the list format shown below. Without the ‘*’ you would only get a subset of the attributes displayed here:

PSComputerName : Ex2010HT.corp.com
RunspaceId : d402fc47-4e1d-4e56-85ef-acb28a5257ce
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}
ChildObjectTypes :
InheritedObjectType :
Properties :
Deny : False
InheritanceType : All
User : NT AUTHORITY\ANONYMOUS LOGON
Identity : Ex2007HT\Default Ex2007HT
IsInherited : False
IsValid : True
 

PSComputerName : Ex2010HT.corp.com
RunspaceId : d402fc47-4e1d-4e56-85ef-acb28a5257ce
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Recipient}
ChildObjectTypes :
InheritedObjectType :
Properties :
Deny : False
InheritanceType : All
User : NT AUTHORITY\ANONYMOUS LOGON
Identity : Ex2007HT\Default Ex2007HT
IsInherited : False
IsValid : True
 

PSComputerName : Ex2010HT.corp.com
RunspaceId : d402fc47-4e1d-4e56-85ef-acb28a5257ce
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Sender}
ChildObjectTypes :
InheritedObjectType :
Properties :
Deny : False
InheritanceType : All
User : NT AUTHORITY\ANONYMOUS LOGON
Identity : Ex2010HT\Default Ex2010HT
IsInherited : False
IsValid : True

The results above list 2 entries for the 2007 Hub Transport, but only 1 entry for the 2010 Hub Transport. Anonymous is missing for the ability to send to any recipient. The following command will add the permission for that Receive Connector:

Get-ReceiveConnector "Ex2010HT\Default Ex2010HT" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

You should see the following results:

Identity                  User                        Deny    Inherited
--------                  ----                        ----    ---------
Ex2010HT\Default …        NT AUTHORITY\ANON…          False   False

Running the first command again to view the Receive Connector permissions, this entry is listed in addition to the original three:

PSComputerName : Ex2010HT.corp.com
RunspaceId : d402fc47-4e1d-4e56-85ef-acb28a5257ce
AccessRights : {ExtendedRight}
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Recipient}
ChildObjectTypes :
InheritedObjectType :
Properties :
Deny : False
InheritanceType : All
User : NT AUTHORITY\ANONYMOUS LOGON
Identity : Ex2010HT\Default Ex2010HT
IsInherited : False
IsValid : True 

Rerunning the test from the Unix host now produces the desired results:

# sendmail -v user@publicdomain.tld
here is another test…
.
user@publicdomain.tld.. Connecting to Ex2010HT.corp.com. via relay…
220 Ex2010HT.corp.com Microsoft ESMTP MAIL Service ready at Wed, 26 Jan 2011 14:03:48 -0500
>>> EHLO fred.corp.com
250-Ex2010HT.corp.com Hello [10.2.2.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
>>> MAIL From:<user@corp.com> SIZE=24
250 2.1.0 Sender OK
>>> RCPT To:<user@publicdomain.tld >
250 2.1.5 Recipient OK
>>> DATA
354 Start mail input; end with <CRLF>.<CRLF>
>>> .
250 2.6.0 <201101261903.OAA23002@fred.corp.com> [InternalId=113247] Queued mail
for delivery
user@publicdomain.tld … Sent (2.6.0 <201101261903.OAA23002@fred.corp.com> [Int
ernalId=113247] Queued mail for delivery)
Closing connection to Ex2010HT.corp.com.
>>> QUIT
221 2.0.0 Service closing transmission channel

The only other thing I would do differently is to create a new Receive Connector for this relay function, to keep it separate from the default configuration and to make its purpose clear.
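As an added example (not from the original post, and not an Exchange-supplied script), the following Exchange Management Shell snippet turns the permission query explained above into a per-connector audit and then implements the dedicated-connector alternative just described: the anonymous Accept-Any-Recipient right is granted only on a Custom connector whose RemoteIPRanges is limited to the relaying host, so the Default connector never becomes an open relay for everything it binds. The connector name, the server name and the use of 10.2.2.10 (taken from the session above) are assumptions.

```powershell
# Added example; assumes Exchange 2010 Management Shell (PowerShell 2.0 syntax).
$anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'
$rights    = 'ms-Exch-SMTP-Accept-Any-Sender', 'ms-Exch-SMTP-Accept-Any-Recipient'

function Get-AnonymousRelayAudit {
    # One row per Receive Connector: which of the two rights ANONYMOUS LOGON
    # holds, alongside the IP ranges the connector accepts from. A connector
    # with AcceptAnyRecipient = True and a wide RemoteIPRanges is an open relay
    # for that range, which is the condition this audit is meant to surface.
    Get-ReceiveConnector | ForEach-Object {
        $connector  = $_
        $anonRights = $connector | Get-ADPermission |
            Where-Object { $_.User -like '*ANONYMOUS*' -and -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } }
        New-Object PSObject -Property @{
            Connector          = $connector.Identity.ToString()
            RemoteIPRanges     = ($connector.RemoteIPRanges -join ', ')
            AcceptAnySender    = [bool]($anonRights -contains $rights[0])
            AcceptAnyRecipient = [bool]($anonRights -contains $rights[1])
        }
    }
}

function New-ScopedRelayConnector {
    param(
        [string]   $Server,
        [string[]] $RelayHosts,                       # only these may relay
        [string]   $Name = 'Relay from Unix hosts'    # assumed name
    )
    # A Custom connector bound to port 25 alongside the Default one; Exchange
    # routes a session to the connector whose RemoteIPRanges most closely
    # matches the source IP, so only $RelayHosts ever reach this connector.
    $c = New-ReceiveConnector -Server $Server -Name $Name -Usage Custom `
            -Bindings '0.0.0.0:25' -RemoteIPRanges $RelayHosts `
            -AuthMechanism Tls -PermissionGroups AnonymousUsers
    # Grant the relay right here, not on the Default connector.
    $c | Add-ADPermission -User $anonymous -ExtendedRights $rights[1] | Out-Null
    return $c
}

# Usage (assumed values): audit, create the scoped connector, audit again.
Get-AnonymousRelayAudit | Format-Table Connector, RemoteIPRanges, AcceptAnySender, AcceptAnyRecipient -AutoSize
New-ScopedRelayConnector -Server 'Ex2010HT' -RelayHosts '10.2.2.10' | Out-Null
Get-AnonymousRelayAudit | Format-Table Connector, RemoteIPRanges, AcceptAnySender, AcceptAnyRecipient -AutoSize
```

After the second audit the new connector should be the only one reporting AcceptAnyRecipient = True, with a RemoteIPRanges of just the relaying host.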
I hope this helps someone.
