
Exchange 2016: 550 5.7.134 RESOLVER.RST.SenderNotAuthenticatedForMailbox

Here's another little problem I stumbled across today. During the migration from Exchange 2010 to Exchange 2016, a user was no longer able to receive emails from external senders after the spam filters were switched to the Exchange 2016 servers (SenderNotAuthenticatedForMailbox).

This problem only occurred when the mail routing was changed to the Exchange 2016 servers. The mailbox of the user in question had already been on the new servers for some time.

As already mentioned, the problem only affected one user. The following error was displayed in the message tracking for mails sent from external senders to the user in question:

[{LED=550 5.7.134 RESOLVER.RST.SenderNotAuthenticatedForMailbox; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this mailbox};{MSG=};{FQDN=};{IP=};{LRT=}]

In this case, the sender receives an NDR with the corresponding error text. Apparently, the Exchange 2016 servers now require authentication from the sender following the change in mail routing. This naturally fails for external senders. The corresponding setting is more familiar from distribution groups, where it is possible to prevent external senders from sending to internal distribution lists (e.g. alle@firma.de).

The cause in this case was therefore trivial: the option "Request authentication for all senders" was activated for the user. External senders do not authenticate themselves on the Exchange server, so this option must be deactivated again before the user can receive mail from them.

The option can be found in the mailbox functions:

The option "Request authentication for all senders" can now be deactivated here:

If several users are affected, the Exchange Management Shell can list every mailbox that has the option enabled:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RequireSenderAuthenticationEnabled -eq $true}

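To deactivate the option for all of these mailboxes, the same query can be piped to Set-Mailbox. Check the output of the previous command first, because the option may have been set deliberately on some mailboxes:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RequireSenderAuthenticationEnabled -eq $true} | Set-Mailbox -RequireSenderAuthenticationEnabled $false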

Incidentally, the behavior described here also applies to Exchange 2013 and Exchange 2019. It is interesting to note that this problem only occurred after the mail routing changeover. The option in question had apparently already been activated for the user for some time, as the admin audit log of the Exchange server did not provide any entries indicating that this option had only recently been activated.

I then created a test user with a mailbox on the Exchange 2016 servers and simulated the situation. A mail without authentication which is received via Exchange 2010 and routed to Exchange 2016 is delivered. Another mail without authentication which is received via Exchange 2016 is rejected (SenderNotAuthenticatedForMailbox).

This behavior is quite interesting: if the mail arrives at an Exchange 2010 server, that server forwards the mail from an external user to the Exchange 2016 server on which the user's mailbox is located. Authentication now appears to take place at Exchange Server level. Exchange 2016 therefore seems to assume that if the mail was received via an Exchange 2010 server, it was authenticated. I have tried to illustrate this graphically here:

Does anyone happen to have an Exchange environment in coexistence at hand and can confirm or refute this behavior? I would be happy to receive feedback on this.

Tip: The Exchange Audit Log can be checked with the following command:

Search-AdminAuditLog -Cmdlets set-mailbox -Parameters RequireSenderAuthenticationEnabled
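
A narrower alternative to the organization-wide commands above, as an added example that is not part of the original post: it uses message tracking to find the mailboxes that actually rejected mail with this status, confirms the option on each, and previews the change. The 7-day window and the variable names are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: a 7-day look-back window; adjust $since as needed.
$since   = (Get-Date).AddDays(-7)
$pattern = 'RESOLVER\.RST\.SenderNotAuthenticatedForMailbox'

# 1. FAIL events whose recipient status carries the rejection, from every transport server.
$events = Get-TransportService | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -EventId FAIL -Start $since -ResultSize Unlimited
} | Where-Object { ($_.RecipientStatus -join ' ') -match $pattern }

# 2. Rejected messages per recipient address. An event with several recipients is
#    counted for each of them; step 3 filters on the actual mailbox setting.
$perRecipient = $events | ForEach-Object { $_.Recipients } | Group-Object

# 3. Keep only mailboxes that really have the restriction enabled.
$report = foreach ($group in $perRecipient) {
    $mbx = Get-Mailbox -Identity $group.Name -ErrorAction SilentlyContinue
    if ($mbx -and $mbx.RequireSenderAuthenticationEnabled) {
        $last = $events | Where-Object { $_.Recipients -contains $group.Name } |
                Sort-Object Timestamp | Select-Object -Last 1
        [pscustomobject]@{
            Mailbox       = $mbx.PrimarySmtpAddress.ToString()
            RejectedMails = $group.Count
            LastRejection = $last.Timestamp
        }
    }
}
$report | Sort-Object RejectedMails -Descending | Format-Table -AutoSize

# 4. Preview the targeted change; remove -WhatIf once the list has been reviewed.
$report | ForEach-Object {
    Set-Mailbox -Identity $_.Mailbox -RequireSenderAuthenticationEnabled $false -WhatIf
}
```

Mailboxes that have the option enabled but do not appear in the report have not rejected external mail in the chosen window and can be left as they are.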