Send problems after running 365 Hybrid Connector
Mayo, Bill
I am not 100% sure it is related, but I am guessing it is. We ran the 365 hybrid connector at end of business week last week and today are finding that copiers cannot scan to email. Copiers are configured to do SMTP and have credentials.
What I am seeing in the SmtpReceive logs is the following:
Inbound authentication failed because the client DOMAIN\PrinterAccount doesn't have submit permission.
Googling this I see where people mention an event id for this message that also includes the receive connector in question. I am not able to figure out where to find such an event to see if a connector is mentioned. When I look at our receive connectors, we don’t have anything special for the copiers and I assume it is hitting the default receive connectors that everyone else does. What is obviously different here is that these copiers are not domain joined and the credentials are being passed in a different manner than client machines.
I don’t remember all the things we did when doing the 365 setup, but I am guessing/assuming that some setting changed that affects this authentication type. Does anyone have any pointers on what to look for here?
Bill Mayo
Michael B. Smith
Add-ADPermission -Identity "ConnectorName" -User "DOMAIN\UserAccount" -ExtendedRights "ms-Exch-SMTP-Submit"
Yes, the permissions on the default connectors are modified. I don’t remember your setup, but in general, folks usually have a “anonymous” or “on-premises” connector for printers.
The IP address of an affected printer should let you examine the RemoteIPRanges of each connector and identify the relevant object.
Good luck!
--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntexchange+...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/ntexchange/cc9ad791774b4363962bcd3c4fa62a4a%40pittcountync.gov.
Mayo, Bill
Thanks very much, Michael! We don’t have any special connectors for the printers’ IP range and so are going to hit the global connectors. Would it be a good idea to create a new connector for the printer range and run the command against that? Or is there a way to definitively determine which connector it is actually hitting? The 4 possibilities are:
Client Frontend SERVERNAME
Client Proxy SERVERNAME
Default Frontend SERVERNAME
Default SERVERNAME
They have almost all the same settings, with difference mostly being permission groups. They all have “Exchange Users” selected except for Default Frontend.
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Monday, December 1, 2025 10:27 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Send problems after running 365 Hybrid Connector
|
EXTERNAL EMAIL: This email originated from outside of Pitt County Government. Do not click any links or open any attachments unless you trust the sender and know the content is safe. |
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/bdfdfc6db389436ea869d09ef69501de%40smithcons.com.
Michael B. Smith
If the printer is using port 25, then it’s hitting “Default Frontend”. If the printer is using port 587, then it’s hitting “Client Frontend”. The others are used by Exchange itself.
Yes, I would consider it a best practice to have a separate connector for just your internal uses. Note that Outlook doesn’t use connectors (well, unless you have it configured weirdly).
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/60670144866e4f3ab3f243b551fb39e2%40pittcountync.gov.
Mayo, Bill
I did go ahead and create a new connector for it. For the “-user” attribute, I used a group that contains the accounts used by the printers (they all have their own account). This looks like it was accepted. It does not immediately appear that this has corrected, as getting the same message. Is using the AD group a problem?
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/388fab4c8b764801a2f70115ddcd2979%40smithcons.com.
Michael B. Smith
Yes, unfortunately.
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/479cc64c365743bcbfaf40076c12079c%40pittcountync.gov.
Mayo, Bill
So, you have to give the permission to every actual user account?
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Monday, December 1, 2025 11:07 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Send problems after running 365 Hybrid Connector
Yes, unfortunately.
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Mayo, Bill
Sent: Monday, December 1, 2025 11:05 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Send problems after running 365 Hybrid Connector
I did go ahead and create a new connector for it. For the “-user” attribute, I used a group that contains the accounts used by the printers (they all have their own account). This looks like it was accepted. It does not immediately appear that this has corrected, as getting the same message. Is using the AD group a problem?
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Monday, December 1, 2025 10:57 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Send problems after running 365 Hybrid Connector
If the printer is using port 25, then it’s hitting “Default Frontend”. If the printer is using port 587, then it’s hitting “Client Frontend”. The others are used by Exchange itself.
Yes, I would consider it a best practice to have a separate connector for just your internal uses. Note that Outlook doesn’t use connectors (well, unless you have it configured weirdly).
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Mayo, Bill
Sent: Monday, December 1, 2025 10:37 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Send problems after running 365 Hybrid Connector
Thanks very much, Michael! We don’t have any special connectors for the printers’ IP range and so are going to hit the global connectors. Would it be a good idea to create a new connector for the printer range and run the command against that? Or is there a way to definitively determine which connector it is actually hitting? The 4 possibilities are:
Client Frontend SERVERNAME
Client Proxy SERVERNAME
Default Frontend SERVERNAME
Default SERVERNAME
They have almost all the same settings, with difference mostly being permission groups. They all have “Exchange Users” selected except for Default Frontend.
From: ntexc...@googlegroups.com <ntexc...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Monday, December 1, 2025 10:27 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Send problems after running 365 Hybrid Connector
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/f37563bb35a24ddca80db21c7fc10ee1%40smithcons.com.
Michael B. Smith
PowerShell, my friend, PowerShell. 😊
They fixed this in EOL, but not on-premises.
Just do one until you get the perms right and then duplicate them.
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/f3ba7fb7d20f40759d59a5b41bfad9da%40pittcountync.gov.
Mayo, Bill
10-4. Is there some other permission that might need to be applied here?
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/319a5479f6e04bc0aa19159e55966847%40smithcons.com.
Michael B. Smith
This article talks about anonymous relay – but the same permissions have to be set, just for non-anonymous relay.
https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay
It gives you two options: an “easy to configure” option that grants too many permissions and a “requires PowerShell” option that grants exactly what you need.
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/9425a8f889484733911f3f3fca2582ba%40pittcountync.gov.
Mayo, Bill
Looks like maybe I got this worked using the information you provided. As always, your assistance is greatly appreciated!
To view this discussion visit https://groups.google.com/d/msgid/ntexchange/ce5b03ad0dc444e986d18bac73d734dc%40smithcons.com.