This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 62%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERE%3C/text%3E%3C/svg%3E)
Hi,
During legacy migration to new onprem exchange SE, when we try to move the arbitration mailbox “systemMailbox{pii removed}” (Offline Address Book) to the new Exchange SE server, our authenticated relay stops working on the new and old servers. Its the last arbitration mailbox to be moved.
“Test email failed. Mailbox unavailable. The server response was: 5.7.60 SMTP; Client does not have permissions to send as this sender”
but if that arbitration is located on a old server database all works fine. Any idea why and how to fix this?
Kind regards
The problem you are facing with the authenticated relay stopping after moving the arbitration mailbox SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} to the new Exchange server may be linked to permission issues related to that mailbox. When this arbitration mailbox is on the new server, it might not have the necessary permissions for the authenticated relay to function correctly.
To troubleshoot and resolve this issue, consider the following steps:
Enable-Mailbox -Arbitration -Identity "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}"
.\Setup /preparead /IAcceptExchangeServerLicenseTerms
Enable-Mailbox -Arbitration -Identity "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}"
Get-WebServicesVirtualDirectory -Server <servername> | fl *mrsproxy*
Get-WebServicesVirtualDirectory -Server <servername> | Set-WebServicesVirtualDirectory -MRSProxyEnabled:$true
After completing these steps, test the authenticated relay again to see if the issue persists. This should help in resolving the problem with the relay when the arbitration mailbox is moved to the new server.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 54%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.
Thank you for reaching out to Microsoft Q&A forum
As far as I know, this behavior occurs because applications or devices typically authenticate with a service account that has no associated mailbox, a common legacy configuration that previously allowed sending from any address without explicit Send As permissions. In older Exchange versions, when such a mailbox-less account submits mail, the Frontend Transport service proxies the session to the server hosting this particular arbitration mailbox, where the Send As check was historically lenient.
Based on my research, as states in Allow anonymous relay on Exchange servers, the supported solution is to stop relying on the legacy "mailbox-less authenticated user" behavior and instead configure a dedicated internal application relay Receive Connector.
You can use the below cmdlet to see if it can resolve your problem:
# Create a dedicated Frontend relay connector on port 25
New-ReceiveConnector -Name "Internal Application Relay" `
-Server YOUR_EXCHANGE_SERVER_NAME `
-TransportRole FrontendTransport `
-Custom `
-Bindings 0.0.0.0:25 `
-RemoteIPRanges 192.168.1.0/24,10.0.0.0/8 # <-- Only app/device subnets
# Require TLS; allow (but not require) Basic SMTP auth if some senders can authenticate.
Set-ReceiveConnector "Internal Application Relay" `
-AuthMechanism "TLS,BasicAuth,BasicAuthRequireTLS" `
-PermissionGroups "AnonymousUsers"
# Grant extended rights to allow sender/recipient override and submission
Get-ReceiveConnector "Internal Application Relay" | Add-ADPermission `
-User "NT AUTHORITY\ANONYMOUS LOGON" `
-ExtendedRights `
"ms-Exch-Smtp-Accept-Any-Sender",
"ms-Exch-Smtp-Accept-Any-Recipient",
"ms-Exch-Smtp-Submit",
"ms-Exch-Smtp-Accept-Authoritative-Domain"
Notes:
AnonymousUsers is correct for IP-scoped relays. The extended rights are applied to ANONYMOUS LOGON, which is the right principal for port‑25, IP‑trusted submissions.BasicAuth available can be useful for certain apps; if none of your devices can authenticate at SMTP, you can omit BasicAuth and keep TLS only.Hope my answer will help you, for any further concern, kindly let me know in the comment section.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi and thanks.
But are you saying that in Exchange SE we cannot have authenticated ad user emailing without a mailbox?
Anon relay works fine.
Or am I misunderstanding you?
Regards
Yes, in Exchange Server Subscription Edition, you can no longer reliably use an authenticated AD user that has no mailbox for SMTP submission (port 587) once the relevant arbitration mailboxes are hosted on the SE server.
The legacy “method” completely depended on the Frontend Transport service proxying the session to the OAB arbitration mailbox (SystemMailbox{bb558c35-…}), which historically had extremely permissive self-Send-As rights. That proxy path is broken/unreliable in Exchange SE, so the 5.7.60 error occurs under normal conditions.
Anonymous relay continues to work perfectly because it does not use the submission service at all because it uses a dedicated Receive Connector with ms-Exch-SMTP-Accept-Any-Sender / ms-Exch-Bypass-Anti-Spam etc., completely bypassing the Send-As checks that apply to authenticated submission.
Just writing to see how things are going with this issue.
Have you had a chance to check the replies provided?
Any update would be appreciated.