Exchange 2003 (within SBS 2003 R2) giving 5.7.3 unable to send as this user to some users only.
Hi, I have a simple SBS 2003 R2 setup. I created a second SMTP virtual server (under MyServer \ Protocols \ SMTP), listening on port 587, and disallowed anonymous access on this, under Properties \ Access \ Access control \ Anonymous access.

However I find that existing users cannot submit mail on this port. They successfully authenticate ("235 2.7.0 Authentication successful.") but when they try "mail from:x@mydomain.com" they receive the error response "454 5.7.3 Client does not have permission to Send As this sender." The from email address value is the same as the primary SMTP email address specified in AD Users and Computers for that user.

If I create a new user however, it can send without issues. There seems to be some obscure permission that has been assigned to the new user which is not assigned to current users. All users can send to the default server listening on port 25. If I enable anonymous access on the SMTP server, it still sends the AUTH NTLM but I get the expected 250 2.1.0 myaddress@mydomain.com....Sender OK.

Can anyone suggest how I can extract a list of Exchange AD permissions from an old and new user to find out what is different between the two?

It does not appear to be an issue with the relaying settings as the message stream is exited before the client says "RCPT TO". The setting checkbox under Access \ Relay restrictions \ "Allow all computers which successfully authenticate to relay, regardless of the list above" is ticked. And "Authenticated Users" has been granted "Submit" and "Relay" allowed under Access \ Authentication \ Users.

Failed SMTP transaction from Wireshark:
220 myserver.mydomain.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Wed, 24 Jun 2009 16:45:26 +0100
EHLO [clientip]
250-myserver.mydomain.local Hello [clientip]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
AUTH NTLM ABCDEFGHIJKLMNOPQRSTUVWXYZ
334 ABCDEFGHIJKLMNOPQRSTUVWXYZ=
ABCDEFGHIJKLMNOPQRSTUVWXYZ
235 2.7.0 Authentication successful.
MAIL FROM:<me@mydomain.com> SIZE=394
454 5.7.3 Client does not have permission to Send As this sender.

Someone else who had this problem is at the link: http://www.apijunkie.com/APIJunkie/blog/post/2007/11/SMTP-535-573-Authentication-unsuccessful-error-on-Exchange-server-2003.aspx

Thanks in advance.
June 24th, 2009 8:16pm

Hi, I suggest that you manually telnet to Exchange Server to check whether the issue can be reproduced:

1. Telnet exchange 587
2. Type Ehlo
3. Type Auth Login
4. Type: Username
5. Type: Password
   Note: Username and password need to be encoded by using Base64.
6. If authentication is successful, please type: Mail from: User@domain.com to check whether the issue occurs again.

If the issue does not occur by using the above method, I guess that another user's credential is used to authenticate to Exchange Server. The issue may relate to a client-side configuration issue.

If the issue occurs again by using the above method, please check the problem user by using ADUC. Please check whether the SELF account has Send As permission.

Mike
June 25th, 2009 10:49am

Thanks Mike, I got the same message when I manually log in using AUTH LOGIN as I do for AUTH NTLM. Authentication is successful, but the client does not have permission.

The SELF account is listed with submit permissions under ESM \ Servers \ MyServer \ Protocols \ SMTP \ new virtual server \ Properties \ Access \ Authentication \ Users.

I couldn't find the Send As permission under ADUC, so I started the MMC plugin, ADSIEDIT, from the Windows 2003 support tools and found it there. In case anyone else is looking...

MMC.exe \ ADSI Edit \ Domain \ DC=mydomain, DC=local \ OU=MyBusiness \ OU=Users \ OU=SBSUsers \ CN=problemUsername \ Properties \ Security \ Self \ Send As \ Allow

Which solved the issue.
June 29th, 2009 3:05pm

Oops. It's the fault, but Windows resets it after a time. And now I can see the Send As under ADUC \ Username \ Properties \ Security \ SELF. Must be losing it.

According to http://articles.techrepublic.com.com/5100-10878_11-6180310.html if a user is a member of Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins or Cert Publishers then it will have this ACL reset every hour.

But for the particular test user I'm working with, this is not apparently the case. It's a member of Domain User, Domain Power User, Mobile Users, Remote Desktop Users, Remote web workplace users, VPN Access group.

I'll try working with the dsacls mentioned in the article.
June 29th, 2009 7:39pm
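
An added example, not posted by anyone in this thread: PowerShell that answers the question in the first post by diffing the ACEs of a working and a failing user object, and that reports whether SELF holds Send As and whether permission inheritance is blocked on each. The two distinguished names are placeholders built from the ADSI Edit path given above, the function names are made up for this example, and it assumes a domain-joined machine with read access to both objects.

```powershell
# Added example. Both DNs are placeholders (assumed names); substitute real objects.
$goodDn = 'CN=newUsername,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=local'
$badDn  = 'CN=problemUsername,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=local'

$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # rightsGuid of the "Send As" extended right
$SelfSid    = 'S-1-5-10'                                     # well-known SID of NT AUTHORITY\SELF
$SidType    = [System.Security.Principal.SecurityIdentifier] # compare SIDs, not localized names

function Get-UserAcl([string]$dn) {
    # .psbase reaches the underlying DirectoryEntry regardless of PowerShell version
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    $entry.psbase.ObjectSecurity
}

function Get-AceLines([string]$dn) {
    # One comparable text line per ACE, explicit and inherited
    foreach ($r in (Get-UserAcl $dn).GetAccessRules($true, $true, $SidType)) {
        '{0} {1} {2} objectType={3} inherited={4}' -f $r.AccessControlType,
            $r.IdentityReference.Value, $r.ActiveDirectoryRights, $r.ObjectType, $r.IsInherited
    }
}

function Test-SelfSendAs([string]$dn) {
    # Looks for an Allow ACE only; Deny ACEs are left to the diff below
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($r in (Get-UserAcl $dn).GetAccessRules($true, $true, $SidType)) {
        $isSelf   = $r.IdentityReference.Value -eq $SelfSid
        $isAllow  = $r.AccessControlType -eq 'Allow'
        $hasRight = ([int]$r.ActiveDirectoryRights -band $extended) -ne 0
        # An empty ObjectType GUID means "all extended rights", which includes Send As
        $covers   = ($r.ObjectType -eq $SendAsGuid) -or ($r.ObjectType -eq [guid]::Empty)
        if ($isSelf -and $isAllow -and $hasRight -and $covers) { return $true }
    }
    return $false
}

foreach ($dn in $goodDn, $badDn) {
    'Object: {0}' -f $dn
    '  SELF has Send As    : {0}' -f (Test-SelfSendAs $dn)
    '  inheritance blocked : {0}' -f (Get-UserAcl $dn).AreAccessRulesProtected
}

# "<=" rows exist only on the working user, "=>" rows only on the problem user
Compare-Object (Get-AceLines $goodDn) (Get-AceLines $badDn) |
    Sort-Object SideIndicator | Format-Table -AutoSize
```

Running it again after the reset described above shows whether the SELF entry has disappeared and whether the object's ACL has stopped inheriting from its parent.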

Hi, I understand that the Send As permission has been reset after an hour. Please let me know whether the dsacls method is able to solve the issue.

In addition, Microsoft has a KB article which describes the issue: The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server
http://support.microsoft.com/kb/907434/en-us

Mike
June 30th, 2009 5:00am

Hi, is the dsacls method able to resolve the problem?

Mike
July 2nd, 2009 12:59pm
