Rexxer

Some tips for me and others

Exchange 2010 + SMTP + TELNET + AUTH + TLS

There are some interesting tricks:

The commands to use in telnet with the “AUTH LOGIN” command. First, encode the username and the password as base64 (this is what the server expects in reply to its two 334 prompts):

perl -MMIME::Base64 -e 'print encode_base64("username");'
perl -MMIME::Base64 -e 'print encode_base64("password");'

Then the telnet session looks like this (the 334 replies are base64-encoded prompts: VXNlcm5hbWU6 is “Username:”, UGFzc3dvcmQ6 is “Password:”):

EHLO mailserver.com
250-server1.mailserver.com Hello  [1.1.1.2]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWUuY29t
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
BUT, out of the box Exchange 2010 offers NTLM auth only, so its EHLO reply contains just: 250-AUTH NTLM
Some sites suggest:
aspNetEmail had been running fine when they were emailing through Exchange 2007; however, when they upgraded, everything quit working and started throwing 2 main errors.
The 2 errors were:
a) “504 5.7.4 Unrecognized authentication type”
And, once (a) was resolved, (b) happened:
b) “550 5.7.1 Client does not have permission to send as this sender”
Let's talk about these 2 errors.
504 5.7.4 Unrecognized authentication type
In this particular instance, the customer was using the AuthLogin authentication scheme in aspNetEmail. However, starting in Exchange 2010, the only authentication mechanism enabled is NTLM. On their Exchange 2007 server, they had other authentication schemes enabled. So, as soon as they upgraded to Exchange 2010, aspNetEmail was throwing an exception, basically saying that AuthLogin was no longer supported.
There are 2 ways to resolve this.
a) In the code, tell aspNetEmail to use the NTLM authentication scheme. In this instance, the customer didn’t want to touch the code base. So they decided for option (b), which was:
b) Enable AuthLogin authentication on Exchange. To do this:
In the Exchange console under server configuration:
Select hub transport.
Right-click the client server and select properties.
Select the authentication tab.
Check the Basic Authentication checkbox.
Uncheck the Offer Basic only after TLS
You may have to restart the Exchange services.
Once this was resolved, the next error was thrown.
550 5.7.1 Client does not have permission to send as this sender
This error was being thrown because the FROM address the customer was using was different from the Exchange mailbox they were relaying through. Like the error message implies, this is a permissions issue. To resolve this, the following steps were taken.
a) From an Exchange Command prompt, run the following command:
Add-AdPermission -Identity "Default Receive Connector" -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender
c) On the user account, in Active Directory, under Security, under the SELF account, select the Manage Send As Permission option.

You're better off using the first way – sending credentials in plain text is not a good way.

If the checkbox “Offer Basic authentication only after starting TLS” is ticked in your receive connector, you won't be able to enter the “AUTH LOGIN” command until you type “STARTTLS”. But after that you won't be able to type plain-text commands in telnet any more – everything from that point has to go through the TLS session :).

You can try this command (no success for me so far):

openssl s_client -debug -starttls smtp -crlf -connect localhost:25

OpenSSL will do the STARTTLS handshake for you, and you can pick up the conversation from there (it is decrypted automatically on the fly).

You can specify a client certificate with -cert. See the man page for the full list of options.
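The same exchange scripted end to end, as an added example that is not part of the original post: EHLO, STARTTLS, a second EHLO to re-read the capabilities, then AUTH LOGIN with the two base64 tokens, all inside the TLS session so the credentials never cross the wire in the clear. EHLO_SAMPLE is a constructed copy of the reply shown above; the host name and credentials passed to smtp_auth_login are placeholders you supply.

```python
import base64
import smtplib
import ssl

# Constructed sample: the EHLO reply from the telnet session above, as the server sends it.
EHLO_SAMPLE = ("250-server1.mailserver.com Hello  [1.1.1.2]\r\n250-SIZE 52428800\r\n"
               "250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n")

def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to its parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    caps, greeted = {}, False
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue                   # skip the echoed EHLO command or any non-250 line
        if not greeted:                # first 250 line is "<host> Hello [ip]", not a capability
            greeted = True
            continue
        words = line[4:].split()       # strip "250-" / "250 " and split keyword from parameters
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def login_tokens(username, password):
    """AUTH LOGIN answers the two 334 challenges with one base64 token each (what the perl one-liners make)."""
    encode = lambda s: base64.b64encode(s.encode()).decode()
    return encode(username), encode(password)

def decode_challenge(line):
    """Turn a "334 <base64>" prompt back into text, e.g. "334 VXNlcm5hbWU6" -> "Username:"."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"expected a 334 challenge, got: {line}")
    return base64.b64decode(payload).decode()

def smtp_auth_login(host, username, password, port=25):
    """EHLO, STARTTLS, EHLO again, then AUTH LOGIN inside the TLS session; returns the final reply code."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ssl.create_default_context())  # verifies the server certificate
        smtp.ehlo()                                           # re-read capabilities: LOGIN may appear only now
        if "LOGIN" not in smtp.esmtp_features.get("auth", "").upper().split():
            raise RuntimeError("server does not offer AUTH LOGIN, even after STARTTLS")
        user_b64, pass_b64 = login_tokens(username, password)
        code, prompt = smtp.docmd("AUTH", "LOGIN")            # 334 VXNlcm5hbWU6 ("Username:")
        if code != 334:
            raise RuntimeError(f"AUTH LOGIN rejected: {code} {prompt.decode()}")
        smtp.docmd(user_b64)                                  # 334 UGFzc3dvcmQ6 ("Password:")
        code, msg = smtp.docmd(pass_b64)                      # 235 on success, 535 on bad credentials
        return code
```

Against a connector that only advertises 250-AUTH NTLM, the second EHLO still lacks LOGIN and smtp_auth_login stops at the RuntimeError instead of sending any token.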
