This is a rather convoluted problem but I hope that someone out there has experienced a similar situation. Here are the facts of what is happening:

  • We have a single Exchange 2010 server that is internet facing, hence no Edge server.
  • We have several users with mailboxes in a group called NoInternetMail. This group is intended to block these users from sending and receiving internet mail. They are still allowed to receive mail from other users inside the company.
  • We are achieving this block with Transport rules. The incoming rule looks like this:

[Screenshot: Transport Rule]

  • The rule has been tested and found to be working.
  • Now enter the Canon copier we have on our production floor that many of these employees use; it is an ImageRunner 2270. I have created a receive connector specifically for this copier so it can send scans via SMTP through our Exchange server. The receive connector is scoped to just the copier and configured for anonymous access. I have also added the permissions to the connector allowing it to send to any recipient as any sender. Also, this copier is only meant to send scans to employees, not to the internet.
  • The receive connector is working, however, any emails from this Canon copier sent to a user in the NoInternetMail group are blocked by the transport rule outlined above.
  • The Canon copier appears to use NTLM auth when communicating with SMTP. I have created a user called ProductionCopier in our AD and have configured the Canon copier to use this login when authenticating to the receive connector.
  • The main issue is that I have tried various combinations of authenticated and anonymous connections but neither will allow the Canon to send mail to users in the NoInternetMail group. I can send email no problem anonymous or authenticated to any user outside of the NoInternetMail group.
  • According to Microsoft (https://technet.microsoft.com/en-us/library/dd638183(v=exchg.141).aspx) the criteria for what is considered "Outside the Organization" does not apply here. Specifically because the Canon copier's domain name is equivalent to the authoritative domain name specified in Exchange.

I could create a mailbox for the ProductionCopier user but I'd rather not. I'm not sure what the problem is here other than maybe just incompatible setups and limited knowledge. I'm not an expert Exchange user by any means but I have spent several days researching this problem and am still at a loss.

Other Notes:

  1. Here is a screenshot of the email being blocked by the transport rule from the Tracking Log Explorer: [Screenshot: Transport Rule kicking in]

  2. The SMTP logs for the receive connector confirm that the Canon copier is using NTLM authentication and is succeeding:

    [Screenshot: SMTP protocol log]

palemouse

2 Answers

I would be very surprised if the copier was using NTLM authentication. Basic Authentication is more likely. Therefore I would start by changing the authentication settings to use basic. You also need to disable anonymous access on the connector and restart Transport. If anonymous is enabled and the recipient is internal, then authentication will never be tested, so it could be that your authentication isn't being used at all, because anonymous matches.

Simon.

Sembee
  • Thanks for the reply. I disabled anonymous on the receiver and also verified what auth method the Canon copier was trying to use by turning on logging. I am 100% sure it is using NTLM authentication (see above). Even with the authentication occurring, the transport rule is still blocking emails from the Canon sent to a user in the NoInternetMail group. – palemouse Dec 11 '15 at 18:41
  • Turn on logging if you haven't already, to verify it is using the connector that you are expecting it to. If you have turned off anonymous then that suggests the settings on the connector itself are incorrect. Have you tried setting up an anonymous relay connector? That can often be easier than using authentication. – Sembee Dec 11 '15 at 22:01
  • I think maybe I am not clear enough with the question. The Receive Connector appears to be working perfectly fine. The main issue is that the NoInternetMail transport rule (blocks mail from outside the organization sent to a user in the NoInternetMail security group) is blocking emails from the Canon copier. It doesn't seem to matter what combination of connector settings I use, the transport rule still kicks in and blocks the emails. It's odd to me that it considers this Canon copier "Outside the organization" when it is in fact authenticating with a legitimate user account. – palemouse Dec 12 '15 at 20:45

After carefully studying the various log files available (primarily the Tracking logs) I believe I have arrived at a conclusion. The Transport rule considers the Canon copier "Outside the organization" because of the domain it uses. Microsoft states this in their documentation, but it is not clear exactly how it determines this. The FROM value of the message headers appeared to come from my domain (productioncopier@mydomain.com) but the Message-ID does not. The Message-ID had something like Canon2270@Canon2270.mydomain.com. Even though it was showing as a subdomain to my domain, the rule still considered this email to be "Outside the Organization". Once I created this exception in the Transport Rule, it began to deliver messages from the Canon copier to users in the NoInternetMail group.

From Wikipedia on Message-ID: "Message-IDs, if present, are generated by the client program sending the email (mail user agent, or MUA) or by the first mail server"

So I guess the Canon Copier decides on how to format that ID when it generates the email and sends it out. I have searched through every setting available on the copier and cannot find a way to change this. Alas, it's not the best solution, but it works.

palemouse
  • I think the transport rule exception is a good solution. I'm not sure about your reasoning regarding "outside the organization". Exchange servers in an organization know about each other so messages internal to the organization will be clearly different from outside. If the copier is like pretty much all other copiers, it basically impersonates an outside SMTP server to send its mail. – Todd Wilcox Dec 13 '15 at 05:05
  • I have done some testing and can confirm the behaviour you are seeing. It would appear that outside the organisation applies to anything that comes in from outside, so anything that isn't MAPI or Web Services. An SMTP connection is considered "outside". – Sembee Dec 14 '15 at 17:08
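The thread above describes the pieces (a copier-scoped receive connector, a rule that blocks "outside the organization" mail to the NoInternetMail group, and an exception for the copier's Message-ID subdomain) but never shows them as Exchange Management Shell commands. The following is an added example, not the asker's or Microsoft's code. It assumes the authoritative domain is mydomain.com and the group's address is NoInternetMail@mydomain.com (both taken from the post), assumes a rule name of "Block NoInternetMail inbound", and assumes the exception is expressed as a Message-ID header match, since the accepted answer says an exception was created but not which predicate it used.

```powershell
# Added example (not from the original post). Assumptions labelled here:
#   - authoritative domain: mydomain.com; group address: NoInternetMail@mydomain.com (from the post)
#   - rule name "Block NoInternetMail inbound" is assumed
#   - the exception is modelled as a Message-ID header match; the post does not
#     state which predicate the asker actually used

# 1. Confirm which connector the copier is hitting and how it is allowed to authenticate.
#    The copier-scoped connector should list only the copier's IP in RemoteIPRanges;
#    PermissionGroups shows whether AnonymousUsers is still enabled on it.
Get-ReceiveConnector |
    Format-Table Name, RemoteIPRanges, AuthMechanism, PermissionGroups -AutoSize

# 2. Pull the copier's rejected messages from the tracking log. A FAIL event whose
#    Source is AGENT is the transport-rule rejection seen in Tracking Log Explorer;
#    MessageId shows the Canon2270.mydomain.com domain the rule is keying on.
Get-MessageTrackingLog -Sender "productioncopier@mydomain.com" -EventId FAIL `
                       -Start (Get-Date).AddDays(-1) |
    Format-List Timestamp, Source, Recipients, RecipientStatus, MessageId

# 3. The blocking rule: reject mail from outside the organization addressed to members
#    of NoInternetMail, except when the Message-ID sits in the copier's own subdomain.
#    Header patterns are regular expressions, so the dots and closing ">" are literal.
New-TransportRule -Name "Block NoInternetMail inbound" `
    -FromScope NotInOrganization `
    -SentToMemberOf "NoInternetMail@mydomain.com" `
    -ExceptIfHeaderMatchesMessageHeader "Message-ID" `
    -ExceptIfHeaderMatchesPatterns "@Canon2270\.mydomain\.com>" `
    -RejectMessageReasonText "Internet mail is not permitted for this recipient" `
    -RejectMessageEnhancedStatusCode "5.7.1"
```

Run this in the Exchange Management Shell on the Hub Transport role. If the blocking rule already exists, use `Set-TransportRule` with the same `-ExceptIfHeaderMatches*` parameters to add the exception rather than creating a second rule. Keep the pattern as narrow as the copier's actual Message-ID format allows: the Message-ID header is supplied by the sending client, so a broad pattern such as `mydomain\.com` would also let external mail carrying a forged Message-ID bypass the block, whereas the IP scoping on the receive connector does nothing to constrain the transport rule itself.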