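I have an Exchange 2010 server that refuses SMTP logins on a separate receive connector for unknown reasons. For a groupware, I have to enable "auth login" on the receive connector. "Basic authentication" and the "Exchange users" group are enabled on the receive connector.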
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity "*MAILRELAY NAME REMOVED" | fl
RunspaceId : b578795d-0460-41eb-87b8-e7b223867968
AuthMechanism : BasicAuth
Banner :
BinaryMimeEnabled : True
Bindings : {*IP-ADDRESS REMOVED*:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : *FQDN REMOVED*
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers, Custom
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {*IP-ADDRESS REMOVED*}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : *HOSTNAME REMOVED*
SizeEnabled : Enabled
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : *MAILRELAY NAME REMOVED*
DistinguishedName : CN=*MAILRELAY NAME REMOVED*,CN=SMTP Receive Connectors,CN=Protocols,CN=*HOSTNAME REMOVED,CN=Serv
ers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Grou
ps,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
C=*DOMAIN NAME REMOVED*,DC=local
Identity : *HOSTNAME REMOVED*\*MAILRELAY NAME REMOVED*
Guid : ea8993a2-85df-45fb-81ec-ccc09630f2a2
ObjectCategory : *DOMAIN NAME REMOVED*.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 30.10.2018 15:16:45
WhenCreated : 30.10.2018 14:07:02
WhenChangedUTC : 30.10.2018 14:16:45
WhenCreatedUTC : 30.10.2018 13:07:02
OrganizationId :
OriginatingServer : *FQDN REMOVED*
IsValid : True
An example of the smtp-receive log looks like this:
220 *FQDN REMOVED* Microsoft ESMTP MAIL Service ready at Tue, 30 Oct 2018 14:37:03 +0100",
ehlo test,
250-*FQDN REMOVED* Hello [*IP-ADDRESS REMOVED*],
250-SIZE 10485760,
250-PIPELINING,
250-DSN,
250-ENHANCEDSTATUSCODES,
250-AUTH LOGIN,
250-8BITMIME,
250-BINARYMIME,
250 CHUNKING,
auth login,
334 <authentication response>,
334 <authentication response>,
Inbound AUTH LOGIN failed because of LogonDenied
User Name: *USERNAME REMOVED*
Tarpit for '0.00:00:05',
535 5.7.3 Authentication unsuccessful,
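What I have tried so far:
- Using "anonymous authentication": when enabled, the groupware can send mail. But enabling anonymous authentication is not an option (I would have to add all client IP addresses to the receive connector, since the groupware client itself seems to try to log in to the Exchange server.)
- A telnet session to the Exchange server looks much like the groupware login trace I provided; after issuing "auth login" and the credentials in base64, I just receive "535 5.7.3 Authentication unsuccessful" from the server.
- Tried different styles of username: domain\username, username@domain, username only; the result is always the same.
- Added explicit permissions for the username on the receive connector (Get-ReceiveConnector -Identity "*MAILRELAY NAME REMOVED*" | Add-ADPermission -User "*USERNAME REMOVED*" -ExtendedRights ms-Exch-SMTP-Submit) and checked that they are in place.
- Checked whether there is any ADPermission denying login for this user (Get-ReceiveConnector -Identity "*MAILRELAY NAME REMOVED" | Get-ADPermission | ft ExtendedRights,User,Deny); there is none.
- Switched to another user for testing (domain user, domain admin); everything is the same.
Any ideas are appreciated.
Since the groupware log seems to have some inaccuracies or formatting problems, here is my telnet session for further reference.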
220 *FQDN REMOVED* Microsoft ESMTP MAIL Service ready at Wed, 31 Oct 2018 11:14:57 +0100
ehlo test
250-*FQDN REMOVED* Hello [*IP REMOVED*]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
auth login
334 VXNlcm5hbWU6
*BASE64 ENCODED USERNAME* ([email protected])
334 UGFzc3dvcmQ6
*BASE64 ENCODED PASSWORD*
535 5.7.3 Authentication unsuccessful
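
An added example, not part of the original post: a small Python audit of an AUTH LOGIN transcript in the shape of the telnet session above. It decodes the 334 prompts and shows that the two client lines are plain base64, which matters here because the EHLO reply offers AUTH LOGIN without STARTTLS and the connector has RequireTLS set to False. The function name `audit_session`, the host name, the IP address and both credential strings are constructed placeholders.

```python
import base64
import re

# Constructed session shaped like the telnet transcript above. Host, IP and
# both credential lines are placeholders; the 334 prompts are the page's own.
SESSION = """\
220 mail.example.local Microsoft ESMTP MAIL Service ready
ehlo test
250-mail.example.local Hello [192.0.2.10]
250-AUTH LOGIN
250 CHUNKING
auth login
334 VXNlcm5hbWU6
ZXhhbXBsZS11c2Vy
334 UGFzc3dvcmQ6
ZXhhbXBsZS1wYXNz
535 5.7.3 Authentication unsuccessful
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # SMTP reply: code, separator, text

def audit_session(text):
    """Summarise what an AUTH LOGIN session exposes on the wire and how it ended."""
    caps, prompts, client, final = {}, [], [], None
    greeted = in_auth = False
    for line in (l.strip() for l in text.splitlines()):
        m = REPLY.match(line)
        if not m:                                   # client-side line
            if in_auth:                             # base64 is an encoding, not encryption
                client.append(base64.b64decode(line).decode())
            in_auth = in_auth or line.lower().startswith("auth login")
            continue
        code, _, rest = m.groups()
        if code == "250" and not greeted:
            greeted = True                          # first 250 line is the greeting
        elif code == "250":
            keyword, *params = rest.split()
            caps[keyword.upper()] = params
        elif code == "334":                         # base64-encoded server prompt
            prompts.append(base64.b64decode(rest).decode())
        elif in_auth:                               # any other reply ends the exchange
            final, in_auth = (code, rest), False
    return {
        "auth_mechanisms": caps.get("AUTH", []),
        "prompts": prompts,
        "recovered_from_wire": client,
        "auth_offered_without_starttls": "AUTH" in caps and "STARTTLS" not in caps,
        "final_reply": final,
    }
```

On a real capture, `recovered_from_wire` contains the account name and password exactly as any host on the network path would see them, so protocol logs and packet captures of such sessions should be handled as credential material.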