I recently had an issue with an application relaying e-mail via an Exchange 2013 Client Access Server. The error I was getting in the logs was:
“The account ‘Domain\AccountName’ provided valid credentials, but it does not have submit permissions on SMTP Receive connector ‘Receive Connector Name’; failing authentication”
The application was configured to authenticate with a valid username and password, on the front-end transport service of the Client Access server, which was listening on port 25.
So why was this happening? The answer is simple: the receive connector used was not allowing authenticated relay of emails.
The Client Access Server in question had several receive connectors, so how do we know which one that specific server/application is using? It will use the most specific receive connector: if your application server IP is 10.1.1.1 and that IP is specified in the “RemoteIPRanges” attribute of a receive connector, then that is the receive connector being used, and that is where you need to look to see which authentication options the receive connector is advertising.
To check the Remote IP Ranges of a receive connector you can use the Exchange Admin Centre, and go to the Scoping tab on the receive connector properties.
If the IP address of your application server is not specified on any receive connector, chances are it will use the default receive connector (or any other that accepts all IP ranges) to try to relay. If your default receive connector is not allowing relay from any IP (it shouldn’t, so if it is you should change it), the relay would be denied and you would be looking at a different error from the one I am blogging about today.
But back to the authentication problem. I checked which receive connector was being used, and went to check the authentication options. I verified that “Exchange Users” was not selected. Problem found! I selected Exchange users, tried again, and job done! See below my receive connector security options, for guidance:
In my case this was good enough to sort the issue: allowing authenticated users to submit on that specific receive connector. But if you want to allow just a specific user, or make sure that a specific user can submit on a specific receive connector, you can also run the following Exchange Management Shell cmdlet:
Get-ReceiveConnector "<ConnectorName>" | Add-ADPermission -User "UserName" -ExtendedRights ms-Exch-SMTP-Submit
For more information on the cmdlet above go to:
I hope the above was helpful! As always, any questions or queries let me know.
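The checks described above can also be done from the Exchange Management Shell. This is an added example, not code from the original post: it finds the receive connector whose RemoteIPRanges entry most narrowly contains the application server's IP, then shows its authentication settings and which accounts hold ms-Exch-SMTP-Submit. The variables `$AppIP` and `$Server` and the two helper functions are assumptions made for the example, and only IPv4 single-address, CIDR and start-end range notations are parsed.

```powershell
# Added example. Run in the Exchange Management Shell.
$AppIP  = '10.1.1.1'         # application server IP used in the post
$Server = $env:COMPUTERNAME  # assumption: run on the Client Access server

function ConvertTo-IPv4Number ([string]$Ip) {   # hypothetical helper, IPv4 only
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-RangeBounds ([string]$Range) {     # hypothetical helper
    if ($Range -match '^([\d.]+)-([\d.]+)$') {          # start-end range
        $low  = ConvertTo-IPv4Number $Matches[1]
        $high = ConvertTo-IPv4Number $Matches[2]
    } elseif ($Range -match '^([\d.]+)/(\d+)$') {       # CIDR
        $size = [long][math]::Pow(2, 32 - [int]$Matches[2])
        $base = ConvertTo-IPv4Number $Matches[1]
        $low  = $base - ($base % $size)
        $high = $low + $size - 1
    } elseif ($Range -match '^[\d.]+$') {               # single address
        $low = $high = ConvertTo-IPv4Number $Range
    } else { return $null }                             # IPv6 and mask notation skipped
    [pscustomobject]@{ Low = $low; High = $high }
}

$ip = ConvertTo-IPv4Number $AppIP
$candidates = foreach ($rc in Get-ReceiveConnector -Server $Server) {
    foreach ($r in $rc.RemoteIPRanges) {
        $b = Get-RangeBounds ([string]$r)
        if ($b -and $ip -ge $b.Low -and $ip -le $b.High) {
            [pscustomobject]@{ Connector = $rc; Range = [string]$r; Size = $b.High - $b.Low }
        }
    }
}

# Narrowest matching range first; Bindings is listed so the port (25 in the post) can be confirmed.
$match = $candidates | Sort-Object Size | Select-Object -First 1
if ($match) {
    $match.Connector | Format-List Identity, TransportRole, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
    # Accounts and groups allowed to submit mail on this connector
    $match.Connector | Get-ADPermission |
        Where-Object { ($_.ExtendedRights -like 'ms-Exch-SMTP-Submit') -and -not $_.Deny } |
        Select-Object User, IsInherited
} else {
    Write-Warning "No receive connector on $Server has an IPv4 range containing $AppIP"
}
```

If PermissionGroups does not include ExchangeUsers and the application's account is not listed with ms-Exch-SMTP-Submit, the connector will log the error quoted at the top of the post.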