Typically, SMTP uses port 25. However, an alternative SMTP "submission" port has been reserved on port 587. For Exchange 2007 and 2010, installation will create a "Default" module listening on port 25 as well as a "Client" module listening on port 587.
For authenticated access, create a module listening on port 587. The important requirements for Mail Express are that the module accept "basic authentication" and that an appropriate user (with the necessary permissions) be made available to the Mail Express system. (See also Configuring Anonymous Access to Exchange.)
Installation of Exchange 2007/2010 creates an alternative client submission receive connector.
After you have configured the Exchange Server for authenticated access as described below, depending on the version of Exchange, you must configure Mail Express to access the "Client" module that you defined.
On the Mail Express Mail Server Configuration page, in the Host box provide the mail server domain and in the Port box specify port 587.
If you enabled encryption, select the Connect using SSL check box, then do one of the following:
Select the Always trust certificates from Exchange Server check box and don’t upload a file. This option is useful for testing, but is less secure than the next option because the server's certificate is accepted without validation.
Clear the Always trust certificates from Exchange Server check box and then click Choose File to upload the Public Certificate of the Certificate Authority that signed the Exchange Server’s Public Certificate (typically this is the Public Certificate for the Active Directory server).
Because the "Client" module accepts Exchange users, ensure that the Use Exchange authentication check box is selected. In the illustration, the Exchange user is mail.express@dev.globalscape.com. With this configuration, the From address and Reply to address are used in messages generated by the Mail Express system. The From address is also used in the SMTP transfer with Exchange after authentication and must reflect the mailbox of the user specified in the Username box. Set the Reply to address to whoever the administrator wants to monitor those messages.
See also Testing the Mail Server Configuration.
(Mail Express has not been tested on Exchange 2016.)
In the Exchange admin center, in the left menu, click mail flow.
Next to Select server, specify the Exchange server to configure (if there is more than one), then in the top menu, click receive connectors.
On the receive connectors page, click the plus sign + to add a new connector. The new receive connector dialog box appears.
Provide the following information, then click next:
Name: Name for the receive connector
Server: Specify your Exchange server (if there is more than one)
Role: Hub Transport
Type: Internet
Under Network adapter bindings, click the plus sign + to specify the IP addresses and port that Mail Express is to use, then click finish. (For SSL connections, the default is port 587.)
After the receive connector is created, double-click it in the list.
The receive connector's properties appear. Click security.
Select the following check boxes:
Transport Layer Security (TLS)
Basic authentication
Offer basic authentication only after starting TLS
Integrated Windows authentication
Exchange servers
Ensure the Anonymous users check box is not selected, then click save.
Grant permission to the Mail Express user. When Mail Express users send packages via the web portal, Mail Express generates email on their behalf, which it then directs to the Exchange server. The ability to "impersonate" another user requires a special permission. The user account with which Mail Express authenticates requires the "Accept any Sender" permission when impersonating external addresses and the "Accept Authoritative Domain Sender" permission when impersonating local addresses.
Open the Exchange Management Shell to alter the permissions. The permissions are called "ms-Exch-SMTP-Accept-Any-Sender" and "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender." In the example below, the receive connector is called "Client ADSERVER" and the Mail Express user is called "Mail Express":
The first command in the image above is:
Add-ADPermission "Client ADSERVER" -User "Mail Express" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
The second command is:
Add-ADPermission "Client ADSERVER" -User "Mail Express" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender
The format of the commands shown in the image above is:
Add-ADPermission "${SMTP_MODULE}" -User "${MAIL_EXPRESS_USER}" -ExtendedRights ${REQUIRED_PERMISSION}
Where:
"${SMTP_MODULE}" is the name of the module
"${MAIL_EXPRESS_USER}" is the account created for Mail Express
${REQUIRED_PERMISSION} is one of the permissions, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender or ms-Exch-SMTP-Accept-Any-Sender
In the Exchange Management Console, click Server Configuration > Hub Transport > ADSERVER > Client ADSERVER, then right-click Client ADSERVER and click Properties. The Client ADSERVER Properties dialog box appears.
Click the Network tab.
Under Use these local IP addresses to receive mail, the Local IP address(es) and Port appear. Verify that the receive connector is listening on port 587. The actual port number is not significant as long as the Mail Express Server is configured to use the same port. If necessary, click Add or Edit to add or change the listening port, then click OK.
Click the Authentication tab.
Select the following check boxes, then click OK:
Basic Authentication—The most important requirement of this module is that it allows "basic authentication."
Transport Layer Security (TLS)—Requires encryption so that the user password cannot be intercepted in transit.
Offer Basic Authentication only after starting TLS—Ensures that the client's password is sent encrypted.
Click the Permission Groups tab.
In conjunction with the "basic authentication" we want to ensure that Exchange is authenticating against Exchange users and not accepting anonymous users. Ensure that the Exchange users check box is selected and that the Anonymous users check box is not selected, then click OK to close the Properties dialog box and save your settings.
Grant permission to the Mail Express user. When Mail Express users send packages via the web portal, Mail Express generates email on their behalf, which it then directs to the Exchange server. The ability to "impersonate" another user requires a special permission. In Exchange 2007/2010, the user account with which Mail Express authenticates requires the "Accept any Sender" permission when impersonating external addresses and the "Accept Authoritative Domain Sender" permission when impersonating local addresses.
Do one of the following:
Open the Exchange Management Shell to alter the permissions. The permissions are called "ms-Exch-SMTP-Accept-Any-Sender" and "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender." In the example below, the receive connector is called "Client ADSERVER" and the Mail Express user is called "Mail Express":
The first command in the image above is:
Add-ADPermission "Client ADSERVER" -User "Mail Express" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
The second command is:
Add-ADPermission "Client ADSERVER" -User "Mail Express" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender
The format of the commands shown in the image above is:
Add-ADPermission "${SMTP_MODULE}" -User "${MAIL_EXPRESS_USER}" -ExtendedRights ${REQUIRED_PERMISSION}
Where:
"${SMTP_MODULE}" is the name of the module
"${MAIL_EXPRESS_USER}" is the account created for Mail Express
${REQUIRED_PERMISSION} is one of the permissions, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender or ms-Exch-SMTP-Accept-Any-Sender
Alternatively, use "ADSI Edit" to graphically add the required permissions. The "ADSI Edit" application can usually be found at %SystemRoot%\system32\adsiedit.msc. Locate SMTP Receive Connectors which are under Configuration.Services.Microsoft Exchange. (Parts of the path will be specific to your installation.)
Right-click the "Client" receive connector (Client ADSERVER), then click Properties.
Click the Security tab, then click Add to specify the user account with which the Mail Express Server will authenticate.
Ensure that the Accept any Sender and Accept Authoritative Domain Sender permission's Allow check boxes for that user are selected, and that every other permission's Allow check box is cleared.
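A read-only check of the settings described above, as an added example (not a Globalscape or Microsoft script): it confirms that the receive connector offers basic authentication only after TLS, does not accept anonymous users, listens on the Mail Express port, and that the Mail Express account holds only the two sender permissions. The connector and user names are the sample values used on this page, and the finding messages are invented for this example.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# $Connector and $User are this page's sample names; change them for your installation.
$Connector = 'Client ADSERVER'
$User      = 'Mail Express'
$Port      = 587   # must match the Port box on the Mail Server Configuration page
$findings  = @()

$rc = Get-ReceiveConnector -Identity $Connector -ErrorAction Stop

# Flag values may be live enums or deserialized strings, so compare their names as text.
$auth   = "$($rc.AuthMechanism)"    -split ',\s*'
$groups = "$($rc.PermissionGroups)" -split ',\s*'

foreach ($needed in 'Tls', 'BasicAuth', 'BasicAuthRequireTLS') {
    if ($auth -notcontains $needed) {
        $findings += "AuthMechanism is missing $needed"
    }
}
if ($groups -contains 'AnonymousUsers') {
    $findings += 'Anonymous users permission group is enabled'
}

# Bindings render as address:port, for example 0.0.0.0:587 or [::]:587.
$ports = @($rc.Bindings | ForEach-Object { ("$_" -split ':')[-1] })
if ($ports -notcontains "$Port") {
    $findings += "No binding on port $Port (bound ports: $($ports -join ', '))"
}

# Extended rights explicitly allowed for the Mail Express account on this connector.
$expected = 'ms-Exch-SMTP-Accept-Any-Sender',
            'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$granted = @(Get-ADPermission -Identity $Connector -User $User |
    Where-Object { -not $_.Deny -and $_.ExtendedRights } |
    ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } } |
    Sort-Object -Unique)

foreach ($right in $expected) {
    if ($granted -notcontains $right) { $findings += "$User lacks $right" }
}
foreach ($right in $granted) {
    if ($expected -notcontains $right) { $findings += "$User also holds $right" }
}

if ($findings.Count -eq 0) { "OK: '$Connector' matches the settings described above" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script changes nothing; it only reads the connector and its access control entries, so it can be rerun after each configuration change.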