Exchange 2016 User SMTP
Say you have an on-premises Exchange 2016 server. Furthermore, say that some of your users would like to use alternative mail clients like mutt or Thunderbird to access their email. How do you do this? It is pretty straightforward except for one thing.
For this example, let's assume:
- There is a user named "Alexandra Lopez" with username "alexandra"
- The domain is "contoso.com" and the shortform is "contoso"
- The server is called "mailserver.contoso.com"
IMAP
First, ensure the following services are running:
- Microsoft Exchange IMAP4
- Microsoft Exchange IMAP4 Backend
Next, ensure that the mail account in question is enabled for IMAP or POP.
Get-CASMailbox -Identity 'Alexandra Lopez' | Set-CASMailbox -ImapEnabled $true
Note that the IMAP4 services are disabled by default, but that every mailbox has ImapEnabled set to true (!).
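Because the services are off but every mailbox is already IMAP-enabled, turning the services on silently opens IMAP for everyone. The following is an added example (not from the original post) for the Exchange Management Shell on mailserver.contoso.com: it starts the two IMAP4 services, lists every mailbox that currently has ImapEnabled set, and then switches IMAP off for everyone except an allow-list. The allow-list containing only "alexandra" is an assumption based on the example user above; the service names MSExchangeIMAP4 and MSExchangeIMAP4BE are the real service names behind the display names listed above.

```powershell
# Added example, not part of the original post.
# Assumption: run in the Exchange Management Shell on mailserver.contoso.com.

# 1. Make sure the IMAP4 front end and back end services are running and
#    start automatically after a reboot.
$imapServices = 'MSExchangeIMAP4', 'MSExchangeIMAP4BE'   # "IMAP4" and "IMAP4 Backend"
foreach ($svc in $imapServices) {
    if ((Get-Service -Name $svc).Status -ne 'Running') {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc
    }
}

# 2. ImapEnabled defaults to $true on every mailbox, so list who can actually
#    log in over IMAP now that the services are up.
$enabled = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled }
$enabled | Select-Object Name, PrimarySmtpAddress, ImapEnabled | Format-Table -AutoSize

# 3. Least-privilege variant: keep IMAP only for the users you actually
#    intend to serve. Assumption: only 'alexandra' for this example.
$allowedImap = @('alexandra')
foreach ($m in $enabled) {
    if ($allowedImap -notcontains $m.SamAccountName) {
        Set-CASMailbox -Identity $m.Identity -ImapEnabled $false -Confirm:$false
    }
}
```

Run step 2 on its own first; the listing is the part most administrators are surprised by, and it tells you how large the exposure is before step 3 changes anything.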
SMTP
This ought to be easy, but it isn't. By default there is a receive connector called "Client Frontend MAILSERVER" which listens for Exchange users on port 587. But if you try to send mail via port 587, you get the following error message:
Mailbox unavailable. The server response was: 5.7.60 SMTP; Client does not have permissions to send as this sender
What's going on? The answer is on the Internet, but it is hidden in a comment on a blog post. Unlike Exchange 2010, when mail is received by Exchange 2016 it actually passes through TWO receive connectors: a "Frontend" connector and a "Hub" connector. It is the hub connector that is failing to authenticate the user.
One solution is to make a group that SMTP users will be part of, make a new hub connector, and assign that group permissions to use that hub connector.
First, make an Active Directory group called "SMTP Senders". Add alexandra to this group.
Next, go into Exchange Admin Center, navigate to receive connectors, and make a new receive connector called "SMTP Sender Proxy". Give it the following configuration:
- Role: Hub Transport
- Type: Custom
- Network adapter bindings: bind to "(All available IPv4)", or whatever network card you want. Make the adapter bind to port 465 (maybe this port is not important? I am not sure)
- Remote network settings: Use the IP address of your mail server, since this proxy is strictly internal.
Use the following authentication types:
- TLS
- Basic (only after TLS)
- Integrated Windows Authentication
- Exchange Server Authentication
(You may not actually need all of these. I think you probably do not need "Integrated Windows Authentication" or "Exchange Server Authentication")
For permission groups, allow "Exchange Servers" and "Exchange Users".
This creates a new Hub Transport receive connector, but it does not give permissions to your "SMTP Senders" group to send mail through it. To do this you need to add the following extended permissions to the receive connector:
- "ms-Exch-SMTP-Accept-Any-Recipient"
- "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
- "ms-Exch-Accept-Headers-Routing"
- "ms-Exch-SMTP-Submit"
You assign these permissions via PowerShell. Here is an example:
# A receive connector is identified as "<server>\<connector name>"; repeat for each of the four rights above.
Get-ReceiveConnector -Identity "MAILSERVER\SMTP Sender Proxy" |
    Add-ADPermission -User "CONTOSO\SMTP Senders" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
This allows the SMTP senders to send mail as themselves. If you want a smarthost setup where an Exchange account can send mail on behalf of other people, you need an additional right:
- "ms-Exch-SMTP-Accept-Any-Sender"
but that is not what we want for individual mail users.
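The whole procedure above (new hub connector, the four extended rights for the group, and a check of what actually ended up on the connector's ACL) as one script. This is an added example, not code from the original post: it assumes the server's NetBIOS name is MAILSERVER, that the group CONTOSO\SMTP Senders already exists, and uses 192.0.2.10 as a placeholder for the mail server's own IP address. The authentication mechanisms and permission groups are exactly the ones listed in the steps above.

```powershell
# Added example, not part of the original post.
# Assumptions: Exchange Management Shell on MAILSERVER; the AD group
# CONTOSO\SMTP Senders exists; 192.0.2.10 is a placeholder for the server's IP.
$server    = 'MAILSERVER'
$connector = 'SMTP Sender Proxy'
$serverIp  = '192.0.2.10'   # placeholder: the mail server's own address

# 1. Create the Hub Transport receive connector with the settings from the post.
$params = @{
    Name             = $connector
    Server           = $server
    TransportRole    = 'HubTransport'
    Usage            = 'Custom'
    Bindings         = '0.0.0.0:465'        # all IPv4 adapters, port 465
    RemoteIPRanges   = $serverIp            # strictly internal: only the server itself
    AuthMechanism    = 'Tls, BasicAuth, BasicAuthRequireTLS, Integrated, ExchangeServer'
    PermissionGroups = 'ExchangeServers, ExchangeUsers'
}
New-ReceiveConnector @params

# 2. Grant the four extended rights that let group members submit mail as
#    themselves. Accept-Any-Sender is deliberately NOT in this list.
$rights = 'ms-Exch-SMTP-Accept-Any-Recipient',
          'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
          'ms-Exch-Accept-Headers-Routing',
          'ms-Exch-SMTP-Submit'
$rc = Get-ReceiveConnector -Identity "$server\$connector"
foreach ($right in $rights) {
    $rc | Add-ADPermission -User 'CONTOSO\SMTP Senders' -ExtendedRights $right
}

# 3. Audit: show every explicit (non-inherited) extended right on the
#    connector and warn if anyone holds Accept-Any-Sender, which is the
#    smarthost right that allows sending on behalf of other addresses.
$acl = $rc | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights }
$acl | Select-Object User, @{ n = 'Rights'; e = { $_.ExtendedRights -join ', ' } } |
    Format-Table -AutoSize
$anySender = $acl | Where-Object { $_.ExtendedRights -match 'Accept-Any-Sender' }
if ($anySender) {
    Write-Warning "ms-Exch-SMTP-Accept-Any-Sender is granted to: $($anySender.User -join ', ')"
}
```

Step 3 is worth re-running after any later change to the connector: the frontend/hub split means the ACL on the hub connector, not the one users see on port 587, decides who may send as whom.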
If you are lucky, at this point the alexandra account should be able to send mail via SMTP using a username and password.