This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 4%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We have an Exchange 2013 server on-premise which has to be kept up for a little while longer until fully having phased out some old mailboxes. Until recently we used an external Mail Gateway with it but now it handles spam filtering and spoofing protection on its own. The thing is: Since Sender ID is turned on, it cannot be used as an anonymous relay by our internal ERP host to send out mails any longer. That's because the ERP uses external sender addresses which of course don't pass SPF checking when being sent from an internal host inside the local network. Now, I thought of two viable options here:
5.7.1 Client does not have permissions to send as this sender
That is despite setting the same ExtendedRights to the respective user that are set to NT AUTHORITY\ANONYMOUS LOGON which are
ms-Exch-SMTP-Accept-Any-Sender ms-Exch-SMTP-Accept-Any-Recipient ms-Exch-SMTP-Accept-Authoritative-Domain-Sender ms-Exch-Accept-Headers-Routing ms-Exch-SMTP-Submit ms-Exch-Store-Create-Named-Properties ms-Exch-Create-Public-Folder
Additionally, I added the external sender address to the user's proxyAddresses property like so:
SMTP:******@external-domain.com
Still, it won't let me do it. However, it works using a Domain Admin account and then there is also the fact that it works anonymously with the permissions of NT AUTHORITY\ANONYMOUS LOGON (which is not an option because then would be Sender ID checking).
What additional settings/permissions are required for a user to be able to send mails using any sender address?
In case it is not possible to send mail using any sender address as authenticated user, is there any way to bypass Sender ID for SMTP sessions originating from a specific host which is on the same local network as the Exchange Server?
Edit: I could add an SPF record allowing the ERP host's IP address for every external sender domain to the domain's local DNS server to get around the Sender ID problem when using an anonymous relay. But that seems kind of messy and I'd like to avoid it.
Found it:
It was necessary to set "Externally secured (for example, with IPSec)" as Authentication and "Exchange Servers" as Permission group for the connector. Sender ID will then not be checked by this connector using it either anonymously or authenticated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @SAMFS,
If you cannot send anonymously as ERP host, would it be possible to create an account for the ERP host on Exchange, then authenticate and send as that account to bypass Gateway check?
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Kael Yao-MSFT ,
that is what I tried. But when trying to send as authenticated user, I'm always getting
5.7.1 Client does not have permissions to send as this sender
regardless of the permissions/Extended Rights I set for that user. Do you know the complete set of permissions and other settings needed for that? Is there some log specifying what exactly is missing when the above error occurs?