SMTP Relay Error 550 5.7.60 Client does not have permissions to send as this sender

Our LMS (learning management system) software for the University generates emails between the professors and students via SMTP relaying. I have configured a local server and can use SMTP relaying to send files from the server to mailboxes - so we know the configuration is correct. However, when we try to relay from the LMS software (off site vendor) we get the "SMTP 550 5.7.60 SMTP; Client does not have permissions to send as this sender".


We found this article: http://o365info.com/smtp-relay-in-office-365-environment/ which indicated that if we created a security group in Office365 and used group delegation to give the account configured in the SMTP relay send as permissions it should work. We did, but it doesn't. We then tested this further by selecting a single professor's account and giving the relay account send as permission directly, and it worked. To recap, if we assign "send as" rights individually it works, but in group it does not.

Do I have to visit everyone of out 1000+ mailboxes and do this configuration manually or is there a way to apply this change directly to all accounts or via the all group?  Thank you in advance for your help.

Jay Krob

   Director of Information Systems

   Kansas Wesleyan University

 
Last updated August 14, 2018

Seems you are using authenticated relay, for which you do need permissions in order to send as/on behalf of another user. Instead, you can try configuring the "direct send" method as detailed in this article: technet.microsoft.com/.../dn554323.aspx

43 people were helped by this reply


We read the information on the direct send, but we can't use it because it 1) requires a real world IP address for the SPF record and 2) we do send to some outside addresses for students who are in the registration process and have not yet been issued their internal domain email address. Any other possible solutions?

Thanks,

Jay Krob

  Director of Information Systems

  Kansas Wesleyan University

1 person was helped by this reply


Hi Jay,

Currently, there are three ways of SMTP relay in Office 365.

1. SMTP client submission
2. Direct send (cannot send to external users)
3. SMTP relay (static IP required)

Besides that, Internet Information Server (IIS) for relay with Office 365 is a special scenario of SMTP client submission.

From the information above, #2 and #3 don’t apply to you. From the linked article, it seems that you’re using the IIS relay. Could you please confirm this?

If so, have you tried the “add an alias” method mentioned in the article?
If not, please let us know your detailed SMTP configuration.

In addition, what does “visit everyone of out 1000+ mailboxes” mean? 

Thanks,
Brook


Correct. We are using the IIS relay. We are using SMTP via an IIS install on a brand new server. We created the SMTP connector in IIS with the email address that the LMS Software is using. We know the SMTP is configured correctly because I can make a text file on the server, put it in the SMTP pickup queue and it will be delivered (tested with both our domain and Gmail accounts).

SMTP configuration done using these instructions: Installing SMTP server for relaying (server 2012)

technet.microsoft.com/.../dn592151(v=exchg.150).aspx  

There is no alias to add as it is sending from its address *** Email address is removed for privacy *** to the end user. The problem is that this software will see an email from *** Email address is removed for privacy *** (which could be any user in our system) within its system and then generate the email as from that user. If we go into the specific user and give the lms.email id “send as” permissions (within Office365) then it will work. We did not have to do this with the on premise server we had prior to moving to Office365 and the LMS software provider says the rest of their clients set this up without any issues. The info they sent is below, but it didn’t work either.

Requirements for Office 365 SMTP relay

• Static IP address or address range: Most devices or applications are unable to use a certificate for authentication. To authenticate your device or application, use one or more static IP addresses that are not shared with another organization.

• Connector: You must set up a connector in Exchange Online for email sent from your device or application.

• Port: Port 25 is required and must not be blocked on your network or by your ISP.

• Licensing: SMTP relay doesn’t use a specific Office 365 mailbox to send email. This is why it’s important that only licensed users send email from devices or applications configured for SMTP relay. If you have senders using devices or LOB applications who don’t have an Office 365 mailbox license, obtain and assign an Exchange Online Protection license to each unlicensed sender. This is the least expensive license that allows you to send email via Office 365.

How to configure Office 365 SMTP relay

This method allows Office 365 to relay emails on your behalf by authenticating using your public IP address (or a certificate). This requires a connector to be set up for your Office 365 account. If your device or application supports or requires user name and password authentication, consider the SMTP client submission method instead. Quick configuration details follow. If you prefer full instructions, check the next section.

| Device or application setting | Value |
| --- | --- |
| Server/smart host | Your MX endpoint, e.g. yourcontosodomain-com.mail.protection.outlook.com |
| Port | Port 25 |
| TLS/StartTLS | Enabled |
| Email address | Any email address for one of your Office 365 verified domains. This email address does not need a mailbox. |

If you have set up Exchange Hybrid or have a connector configured for mail flow from your email server to Office 365, it is likely that no additional setup will be required for this scenario. Otherwise, create a mail flow connector to support this scenario:

| Connector setting | Value |
| --- | --- |
| From | Your organization's email server |
| To | Office 365 |
| Domain restrictions: IP address/range | Your on-premises IP address or address range that the device or application will use to connect to Office 365. |

We recommend adding an SPF record to avoid having messages flagged as spam. If you are sending from a static IP address, add it to your SPF record in your domain registrar’s DNS settings as follows:

I’ve tried creating several connectors, but could not make this work.  

2 people were helped by this reply


Hi Jay,

Thanks for the information.

It’s not feasible to grant a group of people’s send as permission to one user.
Your scenario is a little different from the normal SMTP client submission, in which the from address of the LMS should be defined. Anyway, the scenario that the LMS address and the IIS server address are different is not supported for client submission.

Office 365 SMTP relay uses static IP for authentication and the application from address can be anonymous. If you can use the SMTP relay, would you like to try it?

Thanks,
Brook

2 people were helped by this reply


We are experiencing the same issue. Did you ever find a solution?

In our case it is our internal phone system sending voicemail messages between internal users. They come "From" the user who recorded the message, rather than from the central account. So we get the "Client does not have permissions to send as this sender" message, just like yours.


Hi Benjamin,

Thanks for visiting our community. 

Despite the same error information, the root causes could be different. Could you please start a new thread about this? 
There’ll be an engineer focusing on the issue. Doing this will also make the thread logical and therefore better the community service. Thank you for your understanding. 

Regards, 
Brook 


Actually we found a solution in our case. I don't know if it will help the OP, but for us the problem was that the "sender" address being used by our phone system differs from both the From address and the address/account being used to authenticate with 365 in the IIS relay. So while we had given the authenticating account proper Send As / On Behalf Of permissions to the From address account, we had not done so for the "sender" address account. We had to look at the actual email header to notice that From and Sender were not using the same address. From there just giving the "sender" account permissions on each From user did the trick.

Jay, in your case it seems like you know the permissions you need to add to each user, it's just a question of how to add it to everyone efficiently. Could you perhaps use a PowerShell script to do all mailboxes at once, rather than doing each one by hand?

Perhaps check out this link, and read the "Use shell to assign permissions" section:

technet.microsoft.com/.../jj919240(v=exchg.150).aspx

Good luck

39 people were helped by this reply
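The header comparison described in the reply above, as an added example that is not part of the thread: it extracts the From and Sender addresses from a raw message and shows which of them differ from the account the relay authenticates as. The message, the addresses and the function names are constructed for illustration.

```powershell
# Added example, not from the thread. The message and account are constructed samples.
$AuthAccount = 'relay@example.edu'   # assumption: account the IIS relay signs in with
$RawMessage = @'
From: "Pat Lee" <pat.lee@example.edu>
Sender: voicemail@example.edu
To: sam.roe@example.edu
Subject: Voice message
 from extension 4021

Body text.
'@

function Get-HeaderAddress {
    param([string]$Headers, [string]$Name)
    # Anchor at line start so only the named header field is matched.
    $m = [regex]::Match($Headers, "(?im)^$([regex]::Escape($Name)):[ \t]*(.+)$")
    if (-not $m.Success) { return $null }
    # MailAddress drops the display name and angle brackets.
    ([System.Net.Mail.MailAddress]::new($m.Groups[1].Value.Trim())).Address.ToLowerInvariant()
}

function Get-SubmissionIdentity {
    param([string]$Raw, [string]$AuthAccount)
    # Headers end at the first empty line; unfold continuation lines before matching.
    $headers = ($Raw -split "\r?\n\r?\n", 2)[0] -replace "\r?\n[ \t]+", ' '
    foreach ($name in 'From', 'Sender') {
        $addr = Get-HeaderAddress -Headers $headers -Name $name
        if ($addr) {
            [pscustomobject]@{
                Header        = $name
                Address       = $addr
                IsAuthAccount = ($addr -eq $AuthAccount.ToLowerInvariant())
            }
        }
    }
}

# Every row with IsAuthAccount = False is an identity whose permissions need checking.
Get-SubmissionIdentity -Raw $RawMessage -AuthAccount $AuthAccount | Format-Table -AutoSize
```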
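One way to script the bulk Send As assignment suggested in the reply above, as an added example that is not from the thread or from Microsoft's documentation. It uses the Exchange Online cmdlets Get-Mailbox, Get-RecipientPermission and Add-RecipientPermission; the trustee address, the -Apply switch and the CSV file name are assumptions.

```powershell
# Added example, not from the thread. Run in a session opened with
# Connect-ExchangeOnline (ExchangeOnlineManagement module).
param(
    # Placeholder: the account the IIS relay authenticates as.
    [string]$Trustee = 'lms.relay@example.edu',
    # Without -Apply nothing is changed; the script only reports.
    [switch]$Apply
)

# Scope to user mailboxes. Narrow this set further when the sending
# application only needs to send as a subset of users.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$report = foreach ($mbx in $mailboxes) {
    $id = [string]$mbx.PrimarySmtpAddress
    # Look for an existing grant so reruns report it instead of re-adding it.
    $existing = Get-RecipientPermission -Identity $id -Trustee $Trustee `
        -AccessRights SendAs -ErrorAction SilentlyContinue
    if ($existing) {
        $action = 'AlreadyGranted'
    } elseif ($Apply) {
        try {
            Add-RecipientPermission -Identity $id -Trustee $Trustee `
                -AccessRights SendAs -Confirm:$false -ErrorAction Stop | Out-Null
            $action = 'Granted'
        } catch {
            $action = "Failed: $($_.Exception.Message)"
        }
    } else {
        $action = 'WouldGrant'
    }
    [pscustomobject]@{ Mailbox = $id; Trustee = $Trustee; Action = $action }
}

# Keep the report as the record of which mailboxes the relay account can send as.
$report | Export-Csv -Path .\sendas-grants.csv -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count
```

Run it once without -Apply and review the CSV before rerunning with -Apply.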
