Users Without Permissions to Relay Messages Can Still Send Messages Through the SMTP Virtual Server (818778)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

SYMPTOMS

When you configure relay restrictions for the Simple Mail Transfer Protocol (SMTP) virtual server to deny the Submit Permission permission to a user so that the user cannot relay messages through the virtual server, you may find that the user can successfully send messages.

This problem occurs even though you restrict relay access and configure permissions for the user by taking the following actions in the Relay Restrictions dialog box. (To reach the Relay Restrictions dialog box, in Exchange System Manager, right-click the SMTP virtual server, click Properties, click the Access tab, and then click Relay.)
  • You click to clear the Allow all computers which successfully authenticate to relay, regardless of the list above check box.
  • You click Users, and then in the Permissions for Submit and Relay dialog box, you click to select the Deny check box that is next to the Submit Permission permission for the user.

CAUSE

This problem may occur if anonymous access is enabled for the SMTP virtual server. In Exchange Server 2003, when you click to clear the Allow all computers which successfully authenticate to relay, regardless of the list above check box in the Relay Restrictions dialog box to configure relay permissions for specific users or computers, anonymous access is not automatically disabled on the SMTP virtual server. You must manually disable anonymous access to the SMTP virtual server.

WORKAROUND

To work around this issue, manually disable anonymous access for the SMTP virtual server:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the console tree, expand Servers, expand ServerName, expand Protocols, and then expand SMTP.
  3. In the right pane, right-click the SMTP virtual server (for example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab.
  5. Under Access control, click Authentication.
  6. Click to clear the Anonymous access check box, click OK, and then click OK.
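
To confirm the workaround took effect, the following added example (not part of the original article, and not Microsoft code) opens an SMTP session without authenticating and reports whether MAIL FROM is accepted. The function names, the probe address, and the loopback stub server with its reply text are constructed for illustration; the check assumes a server with anonymous access disabled refuses the sender at MAIL FROM.

```python
import smtplib
import socketserver
import threading

def anonymous_mail_accepted(host, port, sender="probe@example.test", timeout=5):
    """Send MAIL FROM without authenticating; return (accepted, code, text).

    Only EHLO, MAIL FROM and QUIT are issued, so no message is submitted.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.example.test",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        code, text = smtp.mail(sender)  # no login(): the session is anonymous
        return code == 250, code, text.decode(errors="replace")

class _StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for an SMTP virtual server (not Exchange itself)."""
    def handle(self):
        self.wfile.write(b"220 stub.example.test ESMTP\r\n")
        for raw in self.rfile:
            verb = raw.strip().upper()
            if verb.startswith(b"QUIT"):
                self.wfile.write(b"221 closing\r\n")
                break
            if verb.startswith(b"MAIL") and not self.server.allow_anonymous:
                # Constructed rejection text; a real server words this differently.
                self.wfile.write(b"530 authentication required\r\n")
            else:
                self.wfile.write(b"250 OK\r\n")

def start_stub(allow_anonymous):
    """Start the stub on a free loopback port and return the server object."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubSMTP)
    srv.allow_anonymous = allow_anonymous
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for allow in (True, False):
        srv = start_stub(allow)
        accepted, code, text = anonymous_mail_accepted("127.0.0.1", srv.server_address[1])
        print(f"anonymous access {'on' if allow else 'off'}: {code} {text} ->",
              "still accepts unauthenticated senders" if accepted else "rejected")
        srv.shutdown()
        srv.server_close()
```

Against a real deployment, call anonymous_mail_accepted with the host name and port of your own SMTP virtual server; a result of True means anonymous access is still enabled.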

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

When anonymous access is disabled and you deny the Submit Permission permission to a user so that the user cannot relay messages through the SMTP virtual server, if the user tries to send a message, they receive a message similar to the following message:
The message could not be sent because the server rejected the sender's e-mail address. The sender's e-mail address was 'EmailAddress'. Subject 'Subject', Account: 'Account', Server: 'Server', Protocol: SMTP, Server Response: '454 5.7.3 Client does not have permission to submit mail to this server.', Port: 25, Secure(SSL): No, Server Error: 454, Error Number: 0x800CCC78

Modification Type: Minor
Last Reviewed: 11/10/2005
Keywords: kbnofix kbBug KB818778