Outgoing emails are not working in SPS2016 after Security Update May 2017

This article is an advance notice that the May 2017 Security Update for SharePoint may have consequences in some special configurations.

There is a security update dated May 9, 2017 for SharePoint Server 2016.
You can find the details in the following KB:
https://support.microsoft.com/en-us/help/3191880/description-of-the-security-update-for-sharepoint-server-2016-may-9-20

Well, it is confusing. As you may know, the out-of-the-box mail configuration for SharePoint is always anonymous. That is correct.
But some customers applied a special configuration to force the SharePoint processes (w3wp or owstimer) to authenticate to the Exchange server with their own identities: if the aspnet:AllowAnonymousImpersonation setting was disabled, authenticated SMTP could work for authenticated users (it does not work for anonymous users at all).

<appSettings>
<add key="aspnet:AllowAnonymousImpersonation" value="false" />
</appSettings>

More details are explained in this KB:
https://support.microsoft.com/en-us/help/2686411/sharepoint-impersonates-the-iusr-account-and-is-denied-access-to-resources
Security warning: the suggested action for this setting is to leave it enabled. Otherwise anonymous requests will run with the higher rights that the application pool identity has.

The problem is that this kind of authentication is incorrect and not expected for SharePoint, and Microsoft considers it a security issue. As Microsoft said, by design it has to be anonymous. With that, the security fix prevents it: SharePoint will always use anonymous authentication to SMTP servers.

For customers who want to force authentication, there is no way to disable the anonymous-only behavior, but there are valid workarounds:

  1. If you are using Exchange, you can set up a separate receive connector configured as externally secured and restricted to the IP addresses of the SharePoint server(s) in your environment. This will allow SharePoint to send e-mails anonymously through this receive connector, but the connector will treat the e-mails as if you were authenticated. All other SMTP clients will continue using the regular receive connectors and any authentication policies associated with those receive connectors.
  2. Set up a smarthost SMTP relay that will accept e-mails anonymously from the SharePoint server(s), and then relay them to the company's SMTP infrastructure using authentication.

Unable to send email from SharePoint

You have configured SharePoint outgoing email, but even though the configuration is correct you are not able to send emails from SharePoint.
For more information about how to configure outgoing email in SharePoint, please check the following article:
http://technet.microsoft.com/en-us/library/cc263462.aspx

So what can you do?

First, check the ULS logs; you may be facing the following error:

Failed attempt 1 sending mail to recipients: bugra@contoso.com . Mail Subject: System Account has invited you “Blog Members”.
Error: SmtpException while sending
email: System.Net.Mail.SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1
Client was not authenticated
at System.Net.Mail.MailCommand.CheckResponse(SmtpStatusCode statusCode,
String response)     at
System.Net.Mail.SmtpTransport.SendMail(MailAddress sender,
MailAddressCollection recipients, String deliveryNotify, Boolean allowUnicode,
SmtpFailedRecipientException&


Usually this problem is not caused by SharePoint itself. It happens when SharePoint connects to the Exchange server but Exchange does not authorize SharePoint to send emails. Why? Because by design SharePoint uses anonymous authentication to connect to Exchange, and out of the box you cannot configure SharePoint for any other authentication when sending SMTP mail. If the receive connector on the Exchange server requires authentication, that is the problem.

You can test your SMTP server with the telnet client to see whether anonymous authentication is accepted, or collect Network Monitor logs to see what the communication looks like and which authentication is offered when SharePoint tries to send emails.

For the telnet test:
1) Start a command prompt with administrator privileges.
2) Type the following command:
telnet <Your SMTP server IP> 25
3) Type EHLO and look at the response:

250-SIZE 15360000
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH NTLM ***** Server requires NTLM .
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
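The same check scripted from PowerShell, as an added example that is not part of the original post: it sends EHLO and then, exactly as SharePoint does, goes straight to MAIL FROM / RCPT TO without any AUTH, so the reply shows whether this connector accepts anonymous submission from this host. $SmtpServer, $From and the sender domain are assumptions; $To is the recipient from the ULS line above.

```powershell
# Added example (not from the original post): EHLO plus an unauthenticated MAIL FROM / RCPT TO,
# which is the only kind of submission SharePoint can make after the May 2017 update.
param(
    [string]$SmtpServer = "smtp.contoso.local",   # assumption: your SMTP/Exchange server
    [int]$Port = 25,
    [string]$From = "sharepoint@contoso.com",     # assumption: the outgoing e-mail address configured in SharePoint
    [string]$To = "bugra@contoso.com"             # recipient shown in the ULS log above
)

$client = New-Object System.Net.Sockets.TcpClient($SmtpServer, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"
$writer.AutoFlush = $true

function Read-Reply {
    # Multi-line SMTP replies continue with "250-" and end with "250 " (space before the text)
    $lines = @()
    do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    return $lines
}
function Send-Cmd([string]$Command) { $writer.WriteLine($Command); return Read-Reply }

$null = Read-Reply                                   # 220 banner
$ehlo = Send-Cmd "EHLO $env:COMPUTERNAME"
$mail = Send-Cmd "MAIL FROM:<$From>"
$rcpt = if ($mail[-1] -match '^2') { Send-Cmd "RCPT TO:<$To>" } else { @() }
$null = Send-Cmd "QUIT"
$client.Close()

"AUTH advertised by EHLO : $(@($ehlo -match '^250[- ]AUTH ').Count -gt 0)"
"STARTTLS advertised     : $(@($ehlo -match '^250[- ]STARTTLS').Count -gt 0)"
"MAIL FROM reply         : $($mail[-1])"
if ($rcpt.Count) { "RCPT TO reply           : $($rcpt[-1])" }

# A 5xx 5.7.1 reply here is the same failure the ULS log shows: the connector demands an
# authentication SharePoint can never supply, so the fix belongs on the Exchange/relay side.
$last = if ($rcpt.Count) { $rcpt[-1] } else { $mail[-1] }
if ($last -match '^5\d\d 5\.7\.1') {
    Write-Warning "Anonymous submission rejected (5.7.1): SharePoint will fail against this connector."
} elseif ($last -match '^25\d') {
    "Anonymous submission accepted: SharePoint can send through this connector."
} else {
    Write-Warning "Unexpected reply: $last"
}
```

Run it from one of the SharePoint servers, because Exchange selects the receive connector by source IP address and the answer can differ from another host.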


In a network trace you can see the same thing:

Frame: Number = 1087, Captured Frame Length = 316, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-B3-16-5A],SourceAddress:[38-22-D6-D4-49-80]
+ Ipv4: Src = 10.10.100.20, Dest = 10.20.100.59, Next Protocol = TCP, Packet ID = 9437, Total IP Length = 302
+ Tcp: Flags=…AP…, SrcPort=SMTP(25), DstPort=46805, PayloadLen=262, Seq=41429760 – 41430022, Ack=1350847993, Win=256 (scale factor 0x8) = 65536
– Smtp: Rsp 250 -<server> Hello [10.20.100.59], 262 bytes
– Response: 250 -<server> Hello [10.20.100.59]
ReplyCode: 250, OK, queuing for node node started, or Requested mail action okay, completed
+ ReplyMessage: -<server>  Hello [10.20.100.59] —-> Sharepoint opens session with 10.20.100.59
ReplyMessage: 250-SIZE
ReplyMessage: 250-PIPELINING
ReplyMessage: 250-DSN
ReplyMessage: 250-ENHANCEDSTATUSCODES
ReplyMessage: 250-STARTTLS
ReplyMessage: 250-X-ANONYMOUSTLS
ReplyMessage: 250-AUTH NTLM —-> Exchange providing NTLM.
     ReplyMessage: 250-X-EXPS GSSAPI NTLM
ReplyMessage: 250-8BITMIME
ReplyMessage: 250-BINARYMIME
ReplyMessage: 250-CHUNKING
ReplyMessage: 250-XEXCH50
ReplyMessage: 250-XRDST
ReplyMessage: 250 XSHADOW

For resolution, you can either:
1) Give the SharePoint computer account mail-submit privileges, or
2) Create a new receive connector on Exchange for SharePoint that accepts only anonymous authentication.
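The dedicated receive connector from workaround 1 above and resolution step 2, as an added example in Exchange Management Shell that is not part of the original post. It follows the externally secured pattern from Microsoft's own anonymous-relay documentation; the Exchange server name and the second IP address are assumptions, and 10.20.100.59 is the SharePoint client address seen in the network trace.

```powershell
# Added example (not from the original post): a receive connector that only the SharePoint
# servers can reach, so their anonymous SMTP is accepted without relaxing any other connector.
$ExchangeServer = "EXCH01"                              # assumption: a Mailbox/CAS server with the frontend transport role
$SharePointIPs  = @("10.20.100.59", "10.20.100.60")     # exact host addresses only, never a whole subnet
$ConnectorName  = "SharePoint anonymous relay"

# Shares port 25 with "Default Frontend <server>". Exchange routes each session to the connector
# whose RemoteIPRanges matches the source address most specifically, so SharePoint lands here while
# every other SMTP client keeps the default connector and its authentication policy.
New-ReceiveConnector -Name $ConnectorName `
    -Server $ExchangeServer `
    -TransportRole FrontendTransport `
    -Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $SharePointIPs

# ExternallySecured tells Exchange to treat every session on this connector as if it came from an
# authenticated Exchange server: it can relay to external domains and submit as any internal sender.
# The IP list above is therefore the only control that stands between this connector and an open
# relay, which is why it has to list the SharePoint hosts exactly.
Set-ReceiveConnector -Identity "$ExchangeServer\$ConnectorName" `
    -PermissionGroups ExchangeServers `
    -AuthMechanism ExternallySecured `
    -Comment "SharePoint sends anonymously after the May 2017 SU; trusted by source IP only"

# Verbose protocol logging records source IP, sender and recipient of each anonymous submission,
# which is what you review if mail from this connector ever looks like relay abuse.
Set-ReceiveConnector -Identity "$ExchangeServer\$ConnectorName" -ProtocolLoggingLevel Verbose

# Sanity check: no other connector on this server should list a SharePoint address more
# specifically, or that connector (with its authentication requirement) would be selected instead.
Get-ReceiveConnector -Server $ExchangeServer |
    Select-Object Name, AuthMechanism, PermissionGroups,
        @{ Name = 'RemoteIPRanges'; Expression = { $_.RemoteIPRanges -join ', ' } } |
    Format-Table -AutoSize
```

After the connector is in place, repeat the telnet or scripted EHLO test from a SharePoint server: MAIL FROM and RCPT TO should now return 250 with no AUTH exchange.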