5.7.1 Client does not have permissions to send as this sender - or "Leeloo Dallas, MultiPass."

After my recent upgrade to Exchange 2010, I began having issues with sending out service account emails.  Usually I use distribution group addresses for FROM fields to help easily tell which system was responsible for sending emails.  For example, my AD Reports are sent out to an "AD Reports" distribution group with a SMTP FROM address of "ADReports@xxxx.com".  So this helps to keep things simple.

In Exchange 2003 (bless its heart), it wasn't set to authenticate FROM fields with any precision, so you could put just about anything in there and it would blithely send it on its way.

In Exchange 2010 however, now there's checking if a FROM field matches an object in the Exchange organization (even if it's just a distribution group).  If there's a match, the "Send As" permission will be checked and if it doesn't pass, an SMTP error "5.7.1 Client does not have permissions to send as this sender" will be generated.  This was the issue I ran into once I pointed my reporting tools to the new Exchange's SMTP server.

To fix this, you must grant the "Send As" permission to the authenticating account trying to send the email.  If you are trying to send as a different mailbox, this is a simple task.  (Right-click the mailbox, choose "Manage Send As Permissions", and adjust accordingly)  However, if you are trying to send as a Distribution Group this is trickier and requires Powershell.

The following command will allow you to grant the "Send As" permission on a Distribution Group.
"Add-ADPermission -Identity <Distribution Group> -User <User or Security Group> -ExtendedRights Send-As"


Quote explanation:  If you're wondering about the quote at the top of the article, it refers to one of my favorite movies.  "The Fifth Element" starring Bruce Willis, Gary Oldman, and a young Milla Jovovich before her Resident Evil days.  The quote is from Ms. Jovovich's character Leeloo who is an alien on Earth.  She is trying to use an ID card called a Multipass to board a spaceship.  Not knowing the language, she simply holds up her ID and continually says "Leeloo Dallas, Multipass" over and over again.  Fortunately, Bruce Willis' character arrives on the scene in time to help poor Leeloo past the ticketing agent before the authorities are called on her.

The relevancy to this article is simply that my reporting server was sending its ID to my Exchange 2010 server over and over again, expecting a different result each time.

And this is why they say if you have to explain a joke it isn't funny...

Exchange Management Console login issue with quota request exceeded - or "I'm giving her all (the Kerberos requests) she's got, Captain!"

I've been having issues with some of my Exchange servers being unable to open the Exchange Management Console.  When attempting to make the initial connection to the Exchange Management service on the specified server the following error is given:

The following error occurred while attempting to connect to the specified Exchange server 'xxxxx':
The attempt to connect to <server FQDN>/Powershell using "Kerberos" authentication failed:  Connecting to remote server failed with the following error message : The WS-Management service cannot process the request.  The system load quota of 1000 requests per 2 seconds has been exceeded.  Send future requests at a slower rate or raise the system quota.  The next request from this user will not be approved for at least 124275504 milliseconds.

Thanks to Jason Shave for his elegantly simple solution to this convuluted error:

The server had recently received a new SSL certificate using the Exchange 2010 certificate provisioning and assignment process in the GUI. Unfortunately the IIS service hadn't been restarted yet and the URL used for remote PowerShell was using a certificate which wasn't trusted or valid anymore.

A quick "IISRESET" on the server resulted in my fix.

You can see Jason's original post here regarding this issue.