Channel: Exchange Server 2013 - General Discussion forum

Cross-forest mail connectors: 5.7.1 Client does not have permissions to send as this sender.


Hi

I am in the process of setting up a new Exchange 2013 mail domain in a resource forest to co-exist with the existing Exchange 2010 SP3 environment while I migrate the ~500 mailboxes. So far it's going surprisingly well in all areas except Send & receive connector authentication, which is giving me a bad feeling.

Let's call the new 2013 domain NC (nc.ac.uk) and the old 2010 one TA (ta.ac.uk).

Send connectors are configured on TA to send to an internal smart-host using exchange authentication, with a matching receive connector on NC which will accept connections from Exchange Servers, Legacy Exchange and Exchange Users. This works - we can send to Distribution groups and users in NC and the headers show a bunch of useful stuff under X-MS-Exchange-Organisation-AuthXXX.

What doesn't work is reverse traffic from NC back to TA. The connectors are configured in the same way as far as I can tell, but any email sent between domains fails to send with the NC Send-connector set to "Exchange Server" authentication. The error I'm receiving is "550 5.7.1 Client does not have permissions to send as this sender".

We cannot convert these connectors to allowing anonymous because there are hundreds of distribution groups which don't accept anonymous email.

Life gets even more complicated as there are linked accounts in play between the Resource domain (NC) and the User domain (TA) which I fear may be causing the problems.

Can anyone help me untangle this mess?

Here's a send-connector log for bonus points:

2016-11-08T15:42:55.182Z,ta,08D407C6026125DD,1,172.18.18.12:27095,172.18.16.150:25,+,,
2016-11-08T15:42:55.197Z,ta,08D407C6026125DD,2,172.18.18.12:27095,172.18.16.150:25,<,"220 PLAEXC01.admin.tower Microsoft ESMTP MAIL Service ready at Tue, 8 Nov 2016 15:43:01 +0000",
2016-11-08T15:42:55.197Z,ta,08D407C6026125DD,3,172.18.18.12:27095,172.18.16.150:25,>,EHLO nc-pl-mail-1.nc.ac.uk,
2016-11-08T15:42:55.197Z,ta,08D407C6026125DD,4,172.18.18.12:27095,172.18.16.150:25,<,250  PLAEXC01.domain.local Hello [172.18.18.12] SIZE PIPELINING DSN ENHANCEDSTATUSCODES X-ANONYMOUSTLS AUTH X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XEXCH50 XRDST XSHADOW,
2016-11-08T15:42:55.197Z,ta,08D407C6026125DD,5,172.18.18.12:27095,172.18.16.150:25,>,X-ANONYMOUSTLS,
2016-11-08T15:42:55.197Z,ta,08D407C6026125DD,6,172.18.18.12:27095,172.18.16.150:25,<,220 2.0.0 SMTP server ready,
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,7,172.18.18.12:27095,172.18.16.150:25,*," CN=mail.ta, OU=Domain Control Validated CN=TERENA SSL CA 2, O=TERENA, L=Amsterdam, S=Noord-Holland, C=NL 609F7579CFAE2F51BBC98023F5247411 58591A1F8B2F27F20C11CBA109FAE4C0DADF0734 mail.ta;autodiscover.ta",Remote certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,8,172.18.18.12:27095,172.18.16.150:25,*,,"TLS protocol SP_PROT_TLS1_0_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 256 bits"
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,9,172.18.18.12:27095,172.18.16.150:25,*,58591A1F8B2F27F20C11CBA109FAE4C0DADF0734,Received certificate Certificate thumbprint
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,10,172.18.18.12:27095,172.18.16.150:25,>,EHLO nc-pl-mail-1.nc.ac.uk,
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,11,172.18.18.12:27095,172.18.16.150:25,<,250  PLAEXC01.admin.tower Hello [172.18.18.12] SIZE PIPELINING DSN ENHANCEDSTATUSCODES AUTH X-EXPS EXCHANGEAUTH GSSAPI NTLM X-EXCHANGEAUTH SHA256 8BITMIME BINARYMIME CHUNKING XEXCH50 XRDST XSHADOW,
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,12,172.18.18.12:27095,172.18.16.150:25,>,X-EXPS EXCHANGEAUTH SHA256 ,
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,13,172.18.18.12:27095,172.18.16.150:25,>,<Binary Data>,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,14,172.18.18.12:27095,172.18.16.150:25,<,235 <authentication information>,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,15,172.18.18.12:27095,172.18.16.150:25,*,None,Set Session Permissions
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,16,172.18.18.12:27095,172.18.16.150:25,*,,sending message with RecordId 4140348473387 and InternetMessageId <adffb56f5c544963aefa1b1e086dbdf0@nc.ac.uk>
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,17,172.18.18.12:27095,172.18.16.150:25,>,MAIL FROM:<source@nc.ac.uk> SIZE=8212,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,18,172.18.18.12:27095,172.18.16.150:25,>,RCPT TO:<dest@ta.ac.uk>,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,19,172.18.18.12:27095,172.18.16.150:25,<,250 2.1.0 Sender OK,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,20,172.18.18.12:27095,172.18.16.150:25,<,250 2.1.5 Recipient OK,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,21,172.18.18.12:27095,172.18.16.150:25,>,BDAT 3092 LAST,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,22,172.18.18.12:27095,172.18.16.150:25,<,550 5.7.1 Client does not have permissions to send as this sender,
2016-11-08T15:42:55.275Z,ta,08D407C6026125DD,23,172.18.18.12:27095,172.18.16.150:25,>,QUIT,
2016-11-08T15:42:55.275Z,ta,08D407C6026125DD,24,172.18.18.12:27095,172.18.16.150:25,<,221 2.0.0 Service closing transmission channel,
2016-11-08T15:42:55.275Z,ta,08D407C6026125DD,25,172.18.18.12:27095,172.18.16.150:25,-,,Local
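
An added example, not part of the original post: a Python sketch that reads Exchange SMTP protocol log rows like the ones above and extracts, per session, the authentication command, the value logged with "Set Session Permissions", the envelope addresses, and any 4xx/5xx reply together with the command that preceded it. The column names and the functions `summarize_sessions` and `_address` are assumptions of this example; the sample rows are copied from the log in the post.

```python
import csv
import io

# Column order of an Exchange SMTP protocol log row (names chosen for this example).
FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

# Rows copied from the send-connector log in the post above.
SAMPLE_LOG = """\
2016-11-08T15:42:55.244Z,ta,08D407C6026125DD,12,172.18.18.12:27095,172.18.16.150:25,>,X-EXPS EXCHANGEAUTH SHA256 ,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,14,172.18.18.12:27095,172.18.16.150:25,<,235 <authentication information>,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,15,172.18.18.12:27095,172.18.16.150:25,*,None,Set Session Permissions
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,17,172.18.18.12:27095,172.18.16.150:25,>,MAIL FROM:<source@nc.ac.uk> SIZE=8212,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,18,172.18.18.12:27095,172.18.16.150:25,>,RCPT TO:<dest@ta.ac.uk>,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,21,172.18.18.12:27095,172.18.16.150:25,>,BDAT 3092 LAST,
2016-11-08T15:42:55.260Z,ta,08D407C6026125DD,22,172.18.18.12:27095,172.18.16.150:25,<,550 5.7.1 Client does not have permissions to send as this sender,
"""

def _address(arg):  # mailbox from '<user@domain> PARAM=...', '' if absent
    parts = arg.split()
    return parts[0].strip("<>") if parts else ""

def summarize_sessions(log_text):
    """Group protocol log rows by session id and keep the auth-relevant facts."""
    sessions = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < len(FIELDS) or row[0].startswith("#"):
            continue  # blank line, header comment or truncated row
        rec = dict(zip(FIELDS, row))
        s = sessions.setdefault(rec["session_id"], {
            "auth": None, "auth_reply": None, "session_permissions": None,
            "mail_from": None, "rcpt_to": [], "last_command": None, "rejections": []})
        event, data = rec["event"], rec["data"].strip()
        if event == ">":  # command sent by the local server
            s["last_command"] = data
            if data.upper().startswith(("X-EXPS ", "AUTH ")):
                s["auth"] = data
            elif data.upper().startswith("MAIL FROM:"):
                s["mail_from"] = _address(data[10:])
            elif data.upper().startswith("RCPT TO:"):
                s["rcpt_to"].append(_address(data[8:]))
        elif event == "<":  # reply from the remote server
            if data.startswith("235"):
                s["auth_reply"] = data
            elif data[:1] in ("4", "5"):
                s["rejections"].append((s["last_command"], data))
        elif event == "*" and rec["context"] == "Set Session Permissions":
            s["session_permissions"] = data
    return sessions
```

For the session in the post, the summary shows the 235 reply to X-EXPS EXCHANGEAUTH, session permissions logged as None, and the 550 5.7.1 arriving in reply to BDAT rather than to MAIL FROM or RCPT TO.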


