Connectivity issue with AS400 to Exchange server

Question

We are experiencing issues with a server trying to connect to Microsoft exchange and connector of AS400

The software that's on the connector AS400 has an email address, it should go out and check that email address and its we set it as sharedmailbox but it can never connect as that it shows that it doesnt have permssion.

our Exchange is in the cloud while the domain controllers are on-premise. our server can send emails but cannot retrieve replies from Exchange, indicating connectivity problems.

Troubleshooting made:

We tried to do message trace as Reciepient is ******@contoso.com and the sender is random user and its showing delivered it looks like the message is in exchange but the AS400 is not connecting to the mailbox of ******@contoso.com

the emails are getting delivered to the mailbox of ******@contoso.com. but the AS400 does not have access to this mailbox to read the message.

Answer 1

While AS400 supports POP/IMAP for email retrieval, it doesn't say if it supports Modern Authentication on this documentation - https://www.ibm.com/docs/en/app-connect/11.0.0?topic=messages-receiving-emails

Microsoft deprecated basic authentication a long time ago and offers a more secure connection for POP/IMAP using OAuth 2.0 - https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

Without Modern Auth, AS400 cannot connect to the mailbox through these protocols.

If the sole purpose is to receive email rather than retrieve (mailbox access), you can create a transport rule or Inbox rule to forward/redirect a copy of all emails or specific emails (condition based) to AS400 using Outbound connector. Ensure that the mailbox account is allowed for external forwarding using Outbound AntiSpam policy in Defender.

Answer 2

Hi Montoya, Mabelle

Thank you for reaching out to the Q&A Forum.

Based on the behavior you described (sending works, but receiving fails with a permission error), I would like to share some information from my research that I hope will be helpful that this is likely due to how Exchange Online handles authentication for Shared Mailboxes and Legacy Protocols.

Shared Mailboxes are disabled user objects by design, they cannot log in directly. An application must authenticate as a licensed user who has permission to access that shared mailbox. And most importantly, Microsoft has retired Basic Authentication (User + Password) for reading emails via POP3 and IMAP. If your AS400 connector software relies on Basic Auth and does not support Modern Authentication (OAuth 2.0), Exchange Online will reject the connection immediately. This often manifests as a generic "Permission Denied" or connection error.

Here are some recommended solutions you may consider:

• Verify OAuth Support: Check if the AS400 software supports "Modern Authentication" (OAuth). If it only asks for a username and password, it may not be able to connect directly to Exchange Online anymore without an update or a middleware "bridge."
• Use a Service Account: Do not attempt to put the Shared Mailbox credentials into the AS400. Instead, create a licensed user (Service Account), grant that user Full Access to the Shared Mailbox, and use the Service Account’s credentials in the AS400.
• If the AS400 supports IMAP, the username field often requires a specific format to access a delegated mailbox. Try entering the username as: ******@domain.com\SharedMailboxAlias

If the connection still fails, the specific error will be visible in the Azure Active Directory (Entra ID) Sign-in Logs. Please check the logs for the Service Account. If you see a failure reason stating "Application is using Basic Authentication," then the AS400 software is too old to connect directly and will require an intermediary relay or an update.

Here is some additional information you can refer to:

Deprecation of Basic authentication in Exchange Online | Microsoft Learn

Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Learn

I hope this information proves helpful.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

It sounds like the AS400 server is having permission issues when trying to access the mailbox associated with the email address ******@contoso.com. Here are some steps you can take to troubleshoot and potentially resolve the issue:

1. Check Permissions: Ensure that the AS400 server has the necessary permissions to access the mailbox. You may need to grant the AS400 service account access to the mailbox in Exchange.
2. Mailbox Configuration: Verify that the mailbox for ******@contoso.com is configured correctly and is not blocked from access by any policies or settings.
3. ActiveSync Configuration: If the AS400 is using ActiveSync to connect, ensure that the ActiveSync settings are correctly configured and that the device is not blocked from synchronizing with the mailbox.
4. Message Trace: Since you have already performed a message trace and confirmed that emails are delivered, you should also check if there are any errors or warnings related to the AS400 server in the Exchange logs.
5. Network Connectivity: Ensure that there are no network issues between the AS400 server and the Exchange server. This includes checking firewall settings and ensuring that the necessary ports are open for communication.
6. Review Exchange Logs: Look at the Exchange server logs for any entries that might indicate why the AS400 server is unable to connect or retrieve messages from the mailbox.
7. Consult Documentation: Review any documentation related to integrating AS400 with Exchange to ensure that all configuration steps have been followed correctly.

If these steps do not resolve the issue, you may need to consult with your Exchange administrator for further assistance in diagnosing the connectivity problem.