Question

I have a list that is email enabled. When I check the permissions on the library itself, it says I have contribute rights so I can view, add, update, and delete list items and documents. When I email a document to the list, if I don't have 'Accept e-mail messages from any sender' selected, the email never gets into the list. When 'Accept e-mail messages based on document library permissions' is selected, the mail item appears in the Drop folder and then the timer service comes around and the item is removed, but never delivered into the list.

I imagine SharePoint is looking at something in the email and not seeing that my email account is the same as my AD account's email. But maybe that isn't the case. Is it described somewhere how SharePoint determines who can email into a list beyond 'be in the security group'? How does it parse the message and then do the lookup?

EDIT

Here's the message from the ULS viewer when document library permissions is on:

An error occurred while processing the incoming e-mail file c:\inetpub\mailroot\drop\ed79adfc01cf76a40000000c.eml. The error was: Access denied. You do not have permission to perform this action or access this resource..

So, it's like it is trying to put the document into the list but can't? Or does the service that the timer runs under need some sort of rights to AD?

EDIT

The x-sender is just x-sender: kndiko@wisc.edu and this resolves to a user in Active Directory. In my ULS, when the email is removed from the Drop folder, there are seven entries:

Found 1 trusted forests: ad.domain.com
Found 0 trusted forests
Leaving Monitored Scope (SPClaimProvider.FillResolveClaim()). Execution Time=1037.34825236168
Leaving Monitored Scope (SPClaimProviderOperations.ResolveClaim()). Execution Time=1076.94246056412
An error occurred while processing the incoming e-mail file c:\inetpub\mailroot\drop\a63cbe3601cf76b200000012.eml. The error was: Access denied. You do not have permission to perform this action or access this resource..
The Incoming E-Mail service has completed a batch. The elapsed time was 00:00:03.1824817. The service processed 1 message(s) in total. Errors occurred processing 1 message(s): Message ID: <01e301cf76b2$a6510ea0$f2f32be0$@domain.com>
Leaving Monitored Scope (Timer Job job-email-delivery). Execution Time=3196.55270432415

Further Edits

The server involved is the only web front end and SMTP server. There is no Exchange server as email is handled by an external entity. There is a central AD server that everyone is authenticated against and has been importing users correctly. We are using SharePoint 15.0.4569.1506 with all other servers running that version. Claims authentication by default to our AD server as well.

No other events in the event log. Only the same events listed above underneath Microsoft->SharePointProducts->Shared->Operational.


Solution

I'm guessing that something is going wrong with the AD lookup.

Are there 2 or more AD accounts that have the same email address?

If so, when SharePoint tries to look up the user in AD by email address, the system will be unsure of which user sent the email. Authentication will fail and the email will never arrive in the document library.

Check out this blog post for more details.
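One way to check for the duplicate-address condition raised in the answer above, as an added example that is not part of the original answer. It assumes the ActiveDirectory (RSAT) PowerShell module is available, treats `mail` and `proxyAddresses` as the attributes worth comparing (which attribute SharePoint actually matches on is an assumption here), and uses a constructed placeholder address; the function name is hypothetical.

```powershell
# Added example: list AD accounts that share an e-mail address.
# Assumes the ActiveDirectory (RSAT) module and read access to the directory.
Import-Module ActiveDirectory

function Get-DuplicateMailAccount {
    param(
        # Optional: limit the check to one sender address (for example the x-sender value).
        [string]$Address
    )

    # Fetch every user that carries a mail or proxyAddresses value.
    $users = Get-ADUser -LDAPFilter '(|(mail=*)(proxyAddresses=*))' `
                        -Properties mail, proxyAddresses, Enabled

    # Flatten to one row per (address, account) pair.
    # proxyAddresses entries carry an "smtp:" / "SMTP:" prefix, stripped here.
    $rows = foreach ($u in $users) {
        $smtp  = $u.proxyAddresses |
                 Where-Object { $_ -match '^smtp:' } |
                 ForEach-Object { $_ -replace '^smtp:', '' }
        $addrs = @($u.mail) + @($smtp) |
                 Where-Object { $_ } |
                 ForEach-Object { $_.ToLowerInvariant() } |
                 Sort-Object -Unique
        foreach ($a in $addrs) {
            [pscustomobject]@{
                Address        = $a
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled   # disabled accounts can still collide
                DN             = $u.DistinguishedName
            }
        }
    }

    if ($Address) {
        $rows = $rows | Where-Object { $_.Address -eq $Address.ToLowerInvariant() }
    }

    # An address that maps to more than one account is ambiguous for a lookup by e-mail.
    $rows | Group-Object Address |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group }
}

# Constructed placeholder address; substitute the sender being tested.
Get-DuplicateMailAccount -Address 'user@example.com' | Format-Table -AutoSize
```

An empty result means no two accounts in the queried domain share that address. `Get-ADUser` queries the current domain by default, so repeat it with `-Server` for any other domain the farm resolves users against.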

Licensed under: CC-BY-SA with attribution