exchange "550 5.7.1 Client does not have permissions to send as this sender"
Hi everybody,I recently have removed an user from the enterprise administrator group and since then, he can't send any email with smtp client... all he got is the following error : "550 5.7.1 Client does not have permissions to send as this sender".He can still send mail with owa and he receive his mails just fine using imap or owa.I double checked his groups and permission but didn't find anything wrong with it.I made a search on the web but didn't find the solution yet.The server is working just fine for all our other customers :/Thanks in advance.
August 25th, 2008 6:02pm
Hi,
Does this happen when the users tries to send mail from his own box or another. If another please check that the user has the send as permission.
Have a look at the following KB article how to set this up:
http://technet.microsoft.com/en-us/library/aa998291(EXCHG.80).aspx
Regards,
Johan
visit my site: www.johanveldhuis.nl
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2008 12:15am
Does the SELF object not have the same rights to the mailbox as your other accounts in AD? It appears they were using the previously-gratnedAdministrative rights in order to use their own mailbox. Some non-default permissions are clearly set on the user object and/or mailbox.
August 26th, 2008 1:51am
Dear customer:
The issue seems doesnt have relationship with removing the user from the enterprise administrator group.
To proper assist you to troubleshoot the issue, please help collect to the following information:
Did the user send e-mail form his mailbox or other mailbox?
What version is your Exchange server? Is it Exchange Server 2007?
Send the complete NDR to the forum for analyze.
Does the recipient is local user/group or external recipient?
if your Exchange server is 2007, run the following command in EMS and post the result into the forum for analyze:
get-mailboxpermission identity username | fl
Thanks for your cooperation.
Rock Wang - MSFT
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2008 6:21am
Hi,1. From his mailbox, he don't need the "send as" right at all.2. It's indeed exchange 2007 (version 8.00.0685.018)3. Can you tell me what's the NDR ?4. The recipient is local.5. ________________________________________________________________________________________________[PS] C:\>get-mailboxpermission -identity "[user name]" | flAccessRights : {FullAccess, SendAs, ReadPermission}Deny : FalseInheritanceType : AllUser : NT AUTHORITY\SELFIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : FalseIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : FalseInheritanceType : AllUser : [DOMAIN]\[userlogin]Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : FalseIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : FalseInheritanceType : AllUser : S-1-5-21-xxxxxxxxxxx-xxxxxxxxxxxxxxxxxx-xxxxIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : FalseIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : TrueInheritanceType : AllUser : [DOMAIN]\[backup exec account]Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}Deny : FalseInheritanceType : AllUser : [DOMAIN]\[backup exec account]Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {ReadPermission}Deny : FalseInheritanceType : AllUser : [DOMAIN]\[exchange server name]$Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : FalseInheritanceType : AllUser : [DOMAIN]\[blackberry account]Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : TrueInheritanceType : AllUser : [DOMAIN]\Exchange ServersIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : TrueInheritanceType : AllUser : [DOMAIN]\administratorIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : TrueInheritanceType : AllUser : [DOMAIN]\Domain AdminsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : TrueInheritanceType : AllUser : [DOMAIN]\Enterprise AdminsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : TrueInheritanceType : AllUser : [DOMAIN]\Exchange Organization AdministratorsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange Domain ServersIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange ServersIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}Deny : FalseInheritanceType : AllUser : [DOMAIN]\administratorIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {ReadPermission}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange Domain ServersIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {ReadPermission}Deny : FalseInheritanceType : AllUser : [DOMAIN]\[some other user]Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {ReadPermission}Deny : FalseInheritanceType : AllUser : [DOMAIN]\[blackberry admin account]Identity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange ServicesIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {ReadPermission}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange ServersIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange Organization AdministratorsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {ReadPermission}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Exchange View-Only AdministratorsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Enterprise AdminsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : UnchangedAccessRights : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}Deny : FalseInheritanceType : AllUser : [DOMAIN]\Domain AdminsIdentity : [enterprise name].com/[enterprise name]/support/[user name]IsInherited : TrueIsValid : TrueObjectState : Unchanged________________________________________________________________________________________________I looked for diff with an other user and the only diff I've noticed are the absence of "SendAs" in the first right and the absence of the second right.Kind Regards.
August 26th, 2008 12:01pm
Dear customer:
Non-delivery reports (NDRs) are a type of delivery status notification. NDRs are generated whenever a message cannot be delivered. If a server detects the reason for the delivery failure, it associates the reason to a status code and a corresponding error message is written.
For more information about NDR, please refer to the following article:
Understanding Non-Delivery Reports
http://technet.microsoft.com/en-us/library/bb232118(EXCHG.80).aspx
Rock Wang - MSFT
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2008 9:29am
Dear customer:
Based on my test, User NT AUTHORITY\SELF should have the following permission. Please try to remove send-as permission for NT AUTHORITY\SELF via Remove-MailboxPermission command, and check the effect.
AccessRights : {FullAccess, ReadPermission}
Deny : False
InheritanceType : All
User : NT AUTHORITY\SELF
Identity : 144771DC.com/Users/mary
IsInherited : False
IsValid : True
ObjectState : Unchanged
For more information about Remove-MailboxPermission, please refer to the following article:
http://technet.microsoft.com/en-us/library/bb125153(EXCHG.80).aspx
Remove-MailboxPermission
If above steps doesnt resolve the issue, please back up the e-mail and delete the mailbox and recreate it, and check the effect.
Hope it helps. If anything is unclear, please feel free to let me know.
Rock Wang - MSFT
August 29th, 2008 9:52am
Hello Jerome,I have encountered similar symptoms as you. There were a user1 which (but only from some email clients) constantly received "Client does not have permissions to send as this sender" upon sending his messages. There were another user (user2), with almost identical configuration without such a problem. By comparing all possible parameters (email client settings, exchange account settings and permissions, domain account settings and permissions) i discovered that user2 (with working configuration) is member of domain admins group (user1 is not member of this group) For testing purposes I added user1 to domain admin group and since that send problem for user1 did not occur. Of course this is not possible resolution of this problem. p.s. sorry for my English. p.p.s. it is exchange2003.
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2008 3:31pm
Dear customer,
Have you solved your problem yet? If anything is unclear, please feel free to ask me.
Rock Wang - MSFT
September 2nd, 2008 3:34pm
I am having a similar issue, however there's a twist. If I connect using an IMAP client on my machine sending works just fine. If I connect using a different machine same IMAP software, Icannot send and Iget the "5.7.1 Client does not..." error.
My machine is Windows Vista using Thunderbird 2.0 and the other machine is Windows XP using Thunderbird 2.0.
Exchange 2007 SP1 and it does not matter whether I connect from inside the network or outside the network (internet).
I've searched the forums and found messages talking about the error with a making mention of the session not having the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission, but this is the same user connecting from 2 different machines.
Any help would be greatly appreciated.
Scott
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2008 8:40pm
I've been having a similar issue. Turns out my users were members of the "Print Operators." I just removed them and resolved the problem. I did however come across this article which may help you.
http://support.microsoft.com/?kbid=907434
From what I've read it looks like it can happen even if users used to be part of a protected group and have been removed.
September 4th, 2008 8:20pm
I have the same issue. User1 is a member of Domain Admins, User2 is not. User1 doesn't have any send as permissions on his mailbox. User2 had NT AUTHORITY\SELF as well as a few others. Both users mailboxes/users were migrated from another domain and exchange. User2 gets error cannot send as sender. How can I fix?
Free Windows Admin Tool Kit Click here and download it now
October 10th, 2009 11:44am
My problem was that my senders were using the edge server as the smtp server and by default it doesn't have authenticated users to send messages as the authoratative domain. Once that permissions was added to the connector users were able to use smtp from it.
October 20th, 2009 6:09am
Well the discuss has been great, it is/was a combination of all the discussions that actually solves the problem for all.
1) the NT_Authority\self resolution has more details than presented. Charlie on another forum gave this clue:
go the the Exchange management console and select the user. Right Click, go to the send as permissions option.. check that
User NT AUTHORITY\SELF is listed. If not add it.
2) Another user identifed the following power shell as necessary
[PS] C:\Windows\system32>add-adpermission "ConnectorName" -User "domain\user or group" -ExtendedRights ms-Exch-S
MTP-Accept-Authoritative-Domain-Sender
Note the double quotes when your connector has a space in it. aka "domain users"
You have to perform this on both your internal and external connector, then restart the transport and hub services. These steps were left off many forums.
Note the '-' in front of ExtendedRights. This was originally presented without this '-' and there is a command -AccessRights ExtendedRight which lead many to a goose chase.
3) The discussion above is about one user having sendas on another. The topic was about the actual User1 not being able to send as 'User1' whereas the dialog was User2 sending as User1. The above steps are for User1 not being able to send as User1.
4) If you get an error, it is necesary to remove the account or repair it within Outlook, or else the error will 'stick' until you do.
Thanks for everyones help, I hope the above steps saves the next soul some hours.
D-B-S
Free Windows Admin Tool Kit Click here and download it now
July 20th, 2010 7:31pm
This resolved my issue, thank you.
July 13th, 2011 1:24am
1) the NT_Authority\self resolution has more details than presented. Charlie on another forum gave this clue:
go the the Exchange management console and select the user. Right Click, go to the send as permissions option.. check that
User NT AUTHORITY\SELF is listed. If not add it.
This one solved it for me - I had been temporarily in my admin group, removed myself, and then found I could not send mail from an smtp client (which uses and exchange connector as an authenticated relay). Resetting the NT_AUTHORY\SELF entry got it back working
again/Bee
Free Windows Admin Tool Kit Click here and download it now
April 25th, 2012 1:39am