2

I'm trying to set up WSUS to send email reports.

To make that happen, I created a new receive connector on our Exchange server. I've limited that server to the IP address of the server that hosts our WSUS role. I've then enabled anonymous access to the connector.

Yet, when I test the settings, I get an error similar to:

System.Net.Mail.SmtpException: 5.7.1 Client does not have permissions to send as this sender
Oliver Salzburg

2 Answers

6

No offense meant, I know you were simply trying to answer your own question and post for the SF community, but I would say you are doing it wrong.

You should set up your Receive connector as a proper relay, with the permissions tab set to Exchange Server not Anonymous and your Authentication Tab set to Externally Secured. Then lock the Receiver down to only accept messages from the WSUS server's IP address.

Using Anonymous permissions isn't the right way to handle it in general...

EDIT: in order to clarify and answer some questions in the comments, see this Technet article: http://technet.microsoft.com/en-us/library/bb232021%28v=exchg.141%29.aspx even though it isn't exactly the easiest to follow.

You have 2 roads to go down...if you choose to go with "Anonymous" then you have to run a shell command to allow anonymous connections the proper ADPermission, something that can't be done in the EMC. This in effect will be the same as the way I'm stating, however some apps will still act like they have to send a username/pwd, so in the past my results have been mixed using this.

So...I stick with the 2nd option they give of "Externally Secured". However, that requires (as mentioned in the article) that the permissions be set to Exchange Servers. What happens is mentioned in this article: http://technet.microsoft.com/en-us/library/bb690954%28v=exchg.141%29.aspx -- stating:

Use this option if the incoming connections to this Receive connector are secured by external means. For example, use this option if the connection is physically secured over a private network or by using Internet Protocol security (IPsec). When you select this option, you make an assertion of external security that can't be programmatically verified by Exchange. Before you select this authentication method, you must first select the Exchange servers permissions group on the Permission Groups tab.

So in essence you are saying with that Receive Connector "trust anything that comes from this set of inbound IPs I'm allowing", no auth, no prompts, no nothing, just take the email and send it out.

Hope that helps.

TheCleaner
  • Well, I'm definitely open for better solutions. I just didn't want to create an account for this purpose and we were already using connectors like that for other devices (RAID controllers, UPS) that didn't play well with the Exchange server. – Oliver Salzburg Feb 05 '14 at 22:11
  • No account needed...by setting it this way your Exchange server will accept anything from your WSUS server without question. I've done it plenty of times for WSUS. I'm not saying your way won't work though, just that this way is the standard way of allowing servers to relay email through Exchange that you trust to do so without any authentication other than a source IP. – TheCleaner Feb 05 '14 at 22:16
  • TheCleaner, can you expand a little on what the difference between 'anonymous' and 'exchange server' is, e.g. does setting permissions to 'exchange server' allow the photocopier to relay or just WSUS? – BlueCompute Feb 05 '14 at 22:44
  • It allows anything from that source IP that was allowed on the connector to relay. If you want it locked down per app from a particular IP then you'd need real authentication at that point, not a simple relay. – TheCleaner Feb 05 '14 at 22:49
  • Or are you asking about the specific difference between each of those permission choices? – TheCleaner Feb 05 '14 at 22:55
  • I'm unclear on how using 'exchange server' rather than 'anonymous' differs in practice when the receive connector is limited to specific IPs. – BlueCompute Feb 05 '14 at 23:20
  • @BlueCompute - OK, I get what you are asking. You can look here on Technet: http://technet.microsoft.com/en-us/library/bb232021%28v=exchg.141%29.aspx but I'll edit/update my answer as well...look for the EDIT: portion. – TheCleaner Feb 06 '14 at 14:01
  • Got it. "You must set the value for the PermissionGroups parameter to ExchangeServers when you set the AuthMechanisms parameter to a value of ExternalAuthoritative". The effect is broadly similar to if you allow anonymous relay using the shell, but the relaying client may not handle that properly. Thanks. – BlueCompute Feb 06 '14 at 14:48
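
The externally secured relay described in the answer above, written for the Exchange Management Shell as an added example (not code from the answer or the linked articles), followed by an audit that lists every connector accepting relay on source IP alone. The server name, connector name and the 192.0.2.10 address are placeholders constructed for illustration, and `Get-IpTrustedRelay` is a hypothetical helper name.

```powershell
# Run in the Exchange Management Shell. All names and addresses below are
# placeholders constructed for this example, not values from the thread.
$server    = 'EXCH01'          # hypothetical Exchange server name
$connector = 'WSUS Relay'      # hypothetical connector name
$wsusIp    = '192.0.2.10'      # constructed address of the WSUS host

# Externally secured relay: Exchange trusts the source IP and performs no
# authentication, so RemoteIPRanges is the only access control on it.
New-ReceiveConnector -Name $connector -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $wsusIp `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Audit: list every connector that relays on source IP alone and flag any
# whose allowed sources are wider than single host addresses.
function Get-IpTrustedRelay {
    foreach ($c in (Get-ReceiveConnector -Server $server)) {
        $external  = "$($c.AuthMechanism)" -match 'ExternalAuthoritative'
        $anonRelay = $false
        if ("$($c.PermissionGroups)" -match 'AnonymousUsers') {
            # Anonymous only becomes a relay once this extended right is granted.
            $anonRelay = [bool](Get-ADPermission -Identity $c.DistinguishedName `
                -User 'NT AUTHORITY\ANONYMOUS LOGON' |
                Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' })
        }
        if (-not ($external -or $anonRelay)) { continue }

        # Assumption: a range prints as "a-b" or "a/nn", a single host as "a".
        $wide = @($c.RemoteIPRanges | Where-Object { "$_" -match '[-/]' })
        $mode = if ($external) { 'ExternallySecured' } else { 'AnonymousRelay' }

        New-Object PSObject -Property @{
            Connector = $c.Name
            Mode      = $mode
            Sources   = ($c.RemoteIPRanges -join ', ')
            Review    = ($wide.Count -gt 0)   # true when a whole range is trusted
        }
    }
}

Get-IpTrustedRelay | Format-Table Connector, Mode, Sources, Review -AutoSize
```

Any row with `Review` set to True trusts more than individual hosts and is worth narrowing, since on these connectors the source address is the only check Exchange performs.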
1

If you have a receive connector set up for anonymous access, you can simply enter whatever username and password you want in the WSUS email settings. No extra account is required.

Oliver Salzburg