Last week, one of our clients, whom we are migrating from Exchange 2003 to Exchange 2010, had an interesting problem.
We configured a receive connector for him that allows open relay from certain IP addresses. Everything worked fine until he tried to change the display name when sending an email via SMTP. No matter what was set in the email header, the recipient saw the sender display name that was defined in Active Directory. This is normal behavior when you send an email through Exchange via SMTP with authentication, but in this case no authentication was configured.
If you search the internet for ways to configure open relay in Exchange 2010, you will notice (as described on the Microsoft web site, http://technet.microsoft.com/en-us/library/bb232021.aspx) that there are two ways to do it, and one of them is to configure the receive connector as Externally Secured. This option works fine, but it is not exactly an anonymous connection to the receive connector: the SMTP connection is in fact authenticated as one from an Exchange server, which is why the sender is still resolved against Active Directory.
To be able to change the sender display name when sending SMTP via open relay in Exchange 2010, you need to configure the receive connector by granting the relay permission to anonymous connections, not by using the Externally Secured configuration. To do that, use the following cmdlets:
New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
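To confirm which of the two relay configurations a connector actually uses, and from which addresses it accepts mail, the following read-only audit can be run in the Exchange Management Shell. It is an added example, not part of the original post; the output property names are made up for illustration, and the string form of an unrestricted IP range is an assumption.

```powershell
# Added example: read-only audit of relay-capable receive connectors.
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'Ms-Exch-SMTP-Accept-Any-Recipient'
# Assumption: an unrestricted IPv4 range is rendered as this string.
$anyIPv4    = '0.0.0.0-255.255.255.255'

Get-ReceiveConnector | ForEach-Object {
    $c = $_

    # Externally Secured connectors carry the ExternalAuthoritative mechanism;
    # sessions on them are treated as coming from an Exchange server.
    $externallySecured = "$($c.AuthMechanism)" -match 'ExternalAuthoritative'

    # Anonymous relay: an allow ACE for ANONYMOUS LOGON carrying the relay right.
    $aces = @($c | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) })
    $anonymousRelay = $aces.Count -gt 0

    # Report only connectors that can relay in one of the two ways.
    if ($externallySecured -or $anonymousRelay) {
        $ranges = @($c.RemoteIPRanges | ForEach-Object { "$_" })
        New-Object PSObject -Property @{
            Connector         = "$($c.Identity)"
            Enabled           = $c.Enabled
            ExternallySecured = $externallySecured
            AnonymousRelay    = $anonymousRelay
            PermissionGroups  = "$($c.PermissionGroups)"
            Bindings          = ($c.Bindings | ForEach-Object { "$_" }) -join ', '
            RemoteIPRanges    = $ranges -join ', '
            Unrestricted      = ($ranges -contains $anyIPv4)
        }
    }
} | Select-Object Connector, Enabled, ExternallySecured, AnonymousRelay,
    PermissionGroups, Bindings, RemoteIPRanges, Unrestricted | Format-List
```

Any host inside RemoteIPRanges can relay without authenticating, so a connector reported with Unrestricted set to True should have its range narrowed to the specific application servers that need it.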
I created the Receive Connector using Your instructions, but it does not work. Outlook still displays the sender Display Name from Active Directory instead of from the message header. Is there anything else I can do?
Thank You Very Much.
Ondrej Krhut
Ondrej,
Check if you added the correct IP address in the -RemoteIPRanges option. The solution is correct but you have to connect to the receive connector from the right IP address.
Paul
When I track the message, I can see that it uses the correct ReceiveConnector:
ClientIp : 10.168.23.11
ServerIp : 10.168.23.72
ServerHostname : exca01
ConnectorId : EXCA01\Anonymous Relay EXCA01
And that Connector has this server IP in RemoteIPRanges:
RemoteIPRanges : {10.168.23.23, 10.168.23.40-10.168.23.45, 10.168.23.9-10.168.23.15, ...
We are currently on Exchange 2010 SP2 (14.2.247.5).
Do You have any other suggestion?
Thank You very much.
Ondrej Krhut
You should check not to have any other type of authentication on that connector. I don't have any other idea but it should work without any problem.
Paul
Hello again.
I would like to apologize. I tested it again yesterday manually using telnet and it really worked!
But from our application it still does not work the same as on Ex2007 (that's why I thought it didn't work); it does name resolution for the sender address. I don't know why, but it's probably not a problem of the receive connector. (With Ex2007 as the entry HUB server to the Exchange organization it worked correctly.)
I did another test. I created an email manually using telnet. It was delivered correctly. But when I forwarded it as an attachment, the sender inside the attachment was resolved from AD again. So sending this email through the Exchange organization will also modify the message attachment, although the message header is not used for email routing and recipient determination. (I think it didn't work this way when the message came through the Ex2007 Hub Transport server.)
I will try to check up the sending web app, but it used such kind of common DotNet sending component.
Sorry for my English. Hope You understand.
Thank You for Your help and suggestions
Best regards Ondrej Krhut
Hello Ondrej,
It's good that you sorted somehow :)
Best regards,
Paul
Hello
This is my Final Reply, just FYI.
It looks like the problem was in the version of Windows Server and its SMTP service, acting as a local (caching only) SMTP server for guaranteed email delivery in case of a central SMTP outage.
So when email came through Windows 2008 Server's SMTP, the sender name was resolved from AD (which was unexpected and not correct). When Windows 2008R2 (or WS2012) server's SMTP was used, the sender name is displayed correctly from the email header, as we need.
Have a nice day Ondrej Krhut
Thank you, your experience is much appreciated and helped us a lot! Connector + Windows 2008 R2 did the trick ;) Kind regards.