451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication."


This is a quick post, but worth writing up since these cases seem to crop up every once in a while.

The error in the title usually shows up after creating a second receive connector dedicated to an application relay or some other form of anonymous access.

So let's walk through the steps that usually get us here.

You create a second receive connector for relay, aptly titled “App Relay”:

[screenshot: the new “App Relay” receive connector]

Then tick Anonymous users, since our app does not authenticate to Exchange. Note that since we want this app not only to submit mail to this connector but also to relay through it to external destinations, we also need to grant the Anonymous Logon security principal the ms-Exch-SMTP-Accept-Any-Recipient extended right on this connector. A less preferred alternative is to select Externally Secured as the authentication type, which treats every host in the remote IP range as a fully trusted sender; either way we end up with the same issue. Keep in mind that both options make the connector an open relay for every host in its remote IP range, so that range should be as narrow as the app allows.

[screenshot: Anonymous users selected under Permission groups]

Finally, we add the remote IP range for our app:

[screenshot: the remote IP range for the app]


Now it is the last two steps that get us into trouble. Exchange servers need a receive connector that offers Exchange Server authentication (together with the Exchange servers permission group) in order to accept internal, intra-org mail flow from each other. Our relay connector does not need either of those, and a new custom connector does not get them by default:
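The same connector build as PowerShell, added here as an example rather than taken from the original post. It assumes Exchange 2013 or later (the -TransportRole parameter), a server named EX01 and a single application host at 192.168.62.50; the point is step 1, where RemoteIPRanges is the application host alone rather than a subnet that might also contain an Exchange server.

```powershell
# Added example (not from the original post). Assumes Exchange 2013 or later,
# a Mailbox server named EX01 and one application host at 192.168.62.50.
# Run from the Exchange Management Shell.

# 1. Create the dedicated relay connector. The remote IP range is the single
#    application host, not a subnet that might also contain Exchange servers.
New-ReceiveConnector -Name "App Relay" -Server EX01 `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "192.168.62.50" `
    -PermissionGroups AnonymousUsers `
    -AuthMechanism Tls

# 2. Allow anonymous submissions from that host to be relayed to recipients
#    outside the org. This is what turns the connector into a relay, so it is
#    only acceptable because RemoteIPRanges is restricted to the app host.
Get-ReceiveConnector "EX01\App Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Confirm the result: RemoteIPRanges should list only the app host, and
#    the extended right should be present for ANONYMOUS LOGON.
Get-ReceiveConnector "EX01\App Relay" |
    Format-List Name, RemoteIPRanges, PermissionGroups, AuthMechanism
Get-ReceiveConnector "EX01\App Relay" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table User, ExtendedRights
```

If the app later moves or gets a second node, add the new address to RemoteIPRanges with Set-ReceiveConnector rather than widening the range to a whole subnet.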

[screenshot: authentication settings on the relay connector, with Exchange Server authentication not selected]

The real thing to remember is that when an SMTP connection arrives from a remote host, Exchange will always select the receive connector (among those listening on the same local address and port) whose remote IP range most SPECIFICALLY matches the source address.

So, all things being equal, if we have two receive connectors and one has a remote IP range like this:

[screenshot: remote IP range of the first connector]

And the other has this:

[screenshot: remote IP range of the second connector]

And we receive an incoming SMTP connection from a host with, say, an IP of 192.168.62.10, we will ALWAYS use the second, more specific connector. This is regardless of the authentication type or permission groups defined on the connectors themselves.

Now, if our internal Exchange servers happen to fall within the 192.168.62.0 subnet, then mail from those servers lands on the App Relay receive connector. Since that connector does not have Exchange servers as a permission group and/or Exchange Server authentication selected, the sending server cannot authenticate and we get the error in the title of this post.


The takeaway: when creating a dedicated receive connector for app relay or any other purpose, ensure that the remote IP range defined on the connector does not include any internal Exchange servers. Scope it to the specific application hosts, check it against the IP addresses of every Exchange server (Get-ReceiveConnector shows RemoteIPRanges), and re-check whenever a new Exchange server is added to a subnet that an existing connector covers.
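A quick audit for exactly this mistake, added here as an example and not part of the original post. It walks every receive connector and reports any whose RemoteIPRanges covers an Exchange server's IPv4 address while the connector lacks Exchange Server authentication or the Exchange servers permission group. The function names, the sample connector data and the server name EX01 are my assumptions; the sample data is constructed to mirror what Get-ReceiveConnector returns so the script runs offline, and the commented lines at the end show the live form.

```powershell
# Added example (not from the original post). IPv4 only; IPv6 ranges are skipped.

function ConvertTo-IPv4Int {
    # Dotted-quad string -> unsigned 32-bit integer, for range comparison.
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network order -> host order for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-RangeContains {
    # $Range is an entry from a connector's RemoteIPRanges property, which
    # exposes LowerBound and UpperBound for every range format (single IP,
    # CIDR or low-high).
    param($Range, [string]$Ip)
    $n   = ConvertTo-IPv4Int $Ip
    $low = ConvertTo-IPv4Int "$($Range.LowerBound)"
    $hi  = ConvertTo-IPv4Int "$($Range.UpperBound)"
    ($n -ge $low) -and ($n -le $hi)
}

function Find-ConnectorsThatCaptureExchangeServers {
    # Reports connectors that would win the "most specific range" selection
    # for an Exchange server but cannot authenticate it.
    param($Connectors, [string[]]$ExchangeServerIPs)
    foreach ($c in $Connectors) {
        $hasServerAuth  = "$($c.AuthMechanism)"   -match 'ExchangeServer'
        $hasServerGroup = "$($c.PermissionGroups)" -match 'ExchangeServers'
        if ($hasServerAuth -and $hasServerGroup) { continue }   # fine for intra-org flow
        foreach ($r in $c.RemoteIPRanges) {
            if ("$($r.LowerBound)" -match ':') { continue }      # skip IPv6
            foreach ($ip in $ExchangeServerIPs) {
                if (Test-RangeContains $r $ip) {
                    [PSCustomObject]@{
                        Connector        = $c.Name
                        Range            = "$($r.LowerBound)-$($r.UpperBound)"
                        ExchangeServerIP = $ip
                        AuthMechanism    = "$($c.AuthMechanism)"
                        PermissionGroups = "$($c.PermissionGroups)"
                    }
                }
            }
        }
    }
}

# Constructed sample data standing in for Get-ReceiveConnector output:
# a default connector (full range, can authenticate servers) and the
# misconfigured App Relay connector scoped to the whole /24.
$sample = @(
    [PSCustomObject]@{
        Name             = 'Default Frontend EX01'
        AuthMechanism    = 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer'
        PermissionGroups = 'AnonymousUsers, ExchangeServers, ExchangeLegacyServers'
        RemoteIPRanges   = @([PSCustomObject]@{ LowerBound = '0.0.0.0'; UpperBound = '255.255.255.255' })
    },
    [PSCustomObject]@{
        Name             = 'App Relay'
        AuthMechanism    = 'Tls'
        PermissionGroups = 'AnonymousUsers'
        RemoteIPRanges   = @([PSCustomObject]@{ LowerBound = '192.168.62.0'; UpperBound = '192.168.62.255' })
    }
)

# Expected: one row, App Relay capturing 192.168.62.10; 10.0.0.5 is not reported.
Find-ConnectorsThatCaptureExchangeServers -Connectors $sample `
    -ExchangeServerIPs '192.168.62.10', '10.0.0.5' | Format-Table -AutoSize

# Live form, from the Exchange Management Shell (resolves each server's FQDN):
# $ips = Get-ExchangeServer | ForEach-Object {
#     [System.Net.Dns]::GetHostAddresses($_.Fqdn) |
#         Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
#         ForEach-Object { $_.IPAddressToString }
# }
# Find-ConnectorsThatCaptureExchangeServers -Connectors (Get-ReceiveConnector -Server EX01) `
#     -ExchangeServerIPs $ips | Format-Table -AutoSize
```

Any row in the output is a connector that will swallow intra-org mail from the listed server and produce the 451 5.7.3 error above; fix it by narrowing that connector's RemoteIPRanges, not by adding Exchange Server authentication to a relay connector.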