I recently came across an issue where I was unable to send email as a service account as part of a scheduled task that was running a PowerShell script. I checked the SMTP receive logs in Exchange and came across the following error:
Inbound authentication failed because the client username doesn't have submit permission.
Clearly, this would be a permission issue on our receive connector. To modify those permissions, open up ADSI Edit on a domain controller, and browse to the following location:
- Configuration > Services > Microsoft Exchange > CN=<organization_name> > CN=Administrative Groups > CN=Exchange Administrative Group > CN=Servers > CN=<server_name> > CN=Protocols > CN=SMTP Receive Connector
Now, right-click the receive connector you're using, and on the permissions tab add the service account. The error above spoke specifically about submit permission; however, I found that if you didn't get the permissions quite right, you'd get the following error:
550 5.7.1 Client does not have permissions to send as this sender.
The permissions you’d need to set are:
- Accept any Sender
- Accept Authoritative Domain Sender
- Submit Messages to any Recipient
- Submit Messages to Server
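The same four permissions can be checked and granted from the Exchange Management Shell instead of ADSI Edit. This is an added example, not part of the original post; the connector name and account name are placeholders, and the `ms-Exch-SMTP-*` names are the extended rights that sit behind the four checkboxes listed above.

```powershell
# Run in the Exchange Management Shell. Both values are placeholders (assumptions).
$ConnectorIdentity = 'SERVER01\Default SERVER01'   # placeholder receive connector
$ServiceAccount    = 'CONTOSO\svc-mailer'          # placeholder service account

# Extended rights behind the four ADSI Edit permissions listed above.
$RequiredRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',                   # Accept any Sender
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',  # Accept Authoritative Domain Sender
    'ms-Exch-SMTP-Accept-Any-Recipient',                # Submit Messages to any Recipient
    'ms-Exch-SMTP-Submit'                               # Submit Messages to Server
)

$connector = Get-ReceiveConnector -Identity $ConnectorIdentity -ErrorAction Stop
$dn        = $connector.DistinguishedName

function Get-GrantedSmtpRights {
    # Extended rights currently allowed (not denied) for the account on the connector.
    Get-ADPermission -Identity $dn -User $ServiceAccount |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { [string]$_ } }
}

# Grant only what is missing, so reruns do not stack duplicate ACEs.
$granted = @(Get-GrantedSmtpRights)
$missing = @($RequiredRights | Where-Object { $granted -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Host "Granting: $($missing -join ', ')"
    Add-ADPermission -Identity $dn -User $ServiceAccount -ExtendedRights $missing | Out-Null
} else {
    Write-Host 'All four rights are already present.'
}

# Re-read the ACL and fail loudly if anything is still absent.
$granted      = @(Get-GrantedSmtpRights)
$stillMissing = @($RequiredRights | Where-Object { $granted -notcontains $_ })
if ($stillMissing.Count -gt 0) {
    throw "Still missing on '$ConnectorIdentity': $($stillMissing -join ', ')"
}

# Show the resulting ACEs for the account for review.
Get-ADPermission -Identity $dn -User $ServiceAccount |
    Where-Object { $_.ExtendedRights } |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize
```

Accept any Sender lets the account submit mail with any sender address, so grant these rights to the one service account only, preferably on a connector dedicated to it, rather than to a group.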