Solved

Final Destination and MX record

Posted on 2003-11-05
Last Modified: 2010-03-05
Hi
I just set up my MX record on the DNS server to receive my emails on this new machine. It is running an Exchange server.
When I send an email, it rejects it and says relay access denied!!

How can I fix MS Exchange 2000 to accept the email and know that it is the final destination for the email?


Thanks
Nav
 
Question by:Nav444
Expert Comment

by:Bembi
Exchange Management Console:
Set up a recipient policy or change the existing default recipient policy for your domain and make sure that an SMTP and an X400 entry exist and are activated.

Once your Recipient Update Service has run, or once you have run it manually, every user in your domain should have a valid e-mail address.

Go to your virtual SMTP server and click
- "Access" and "Relay": activate "All computers on the list", leave the list empty and activate "all computers which have authenticated..." at the bottom of the dialog.
- "Access" and "Authentication": activate "anonymous" and "windows integrated".

To receive e-mail from inside, just connect your clients to the Exchange server. For clients that do not use Exchange but POP3/SMTP, you have to set up the server settings on the client and make sure that the sender's address is within the address space of your Exchange server.
To receive e-mail from the internet, place your MX record on a public DNS which can be found by servers on the internet (usually your provider's). You should also provide a DNS A record for your server on the same DNS.

Make sure that no router or firewall blocks port 25 and that you do not use a dial-up connection or a dynamic IP address.
Author Comment

by:Nav444
Hi Bembi
Thanks for your reply. I did all you said, but I still get relay access rejected!!

Any clue?

I have the following on my DNS.

foo.com.         MX    10 mail2.foo.com.
mail2   A       122.105.125.22
foo.com.        A       122.105.125.28
www             CNAME   foo.com.
ftp             CNAME   foo.com.
mail            CNAME   foo.com.

As you see, the IPs on the second line and the third line are not the same, because as I said before, the Exchange server is on another, remote machine.
Do you think this DNS setting is correct?
When I ping mail2.foo.com. I get responses and it shows the correct IP.
[P.S. foo.com and the IP addresses are not real in my example]


I really appreciate it if you could help.
Nav444



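A quick offline check of the zone Nav444 posted, added here as an example (it is not from the thread): it parses the records, confirms that the MX target has an A record of its own, and flags an MX that points at a CNAME, since an MX target must be a hostname with an address record. The apex (foo.com) and the MX host having different addresses is normal and is not treated as an error; the parser assumes plain "owner TYPE rdata" lines without TTL or class columns.

```python
"""Offline sanity check of the MX/A records in a zone snippet.
Added example; ZONE_TEXT is the constructed sample from the post and the
parser assumes 'owner TYPE rdata' lines with no TTL or class columns."""
from collections import defaultdict

ORIGIN = "foo.com."
# Constructed sample: the records Nav444 posted (placeholder names/IPs).
ZONE_TEXT = """
foo.com.         MX    10 mail2.foo.com.
mail2   A       122.105.125.22
foo.com.        A       122.105.125.28
www             CNAME   foo.com.
ftp             CNAME   foo.com.
mail            CNAME   foo.com.
"""

def qualify(name, origin=ORIGIN):
    """Make a relative owner or target name fully qualified."""
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Parse 'owner TYPE rdata' lines into {(owner, type): [rdata, ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = qualify(parts[0], origin), parts[1].upper(), parts[2:]
        if rtype == "MX":
            records[(owner, rtype)].append((int(rdata[0]), qualify(rdata[1], origin)))
        elif rtype == "CNAME":
            records[(owner, rtype)].append(qualify(rdata[0], origin))
        else:
            records[(owner, rtype)].append(rdata[0])
    return records

def check_mx(records, domain=ORIGIN):
    """For each MX target of `domain`: (target, status, ip_or_None).
    An MX target must be a host with an A record, not a CNAME."""
    results = []
    for _pref, target in sorted(records.get((domain, "MX"), [])):
        if (target, "CNAME") in records:
            results.append((target, "CNAME-TARGET", None))
        elif (target, "A") in records:
            results.append((target, "OK", records[(target, "A")][0]))
        else:
            results.append((target, "NO-A-RECORD", None))
    return results

if __name__ == "__main__":
    print(check_mx(parse_zone(ZONE_TEXT)))  # [('mail2.foo.com.', 'OK', '122.105.125.22')]
```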
 
Expert Comment

by:Bembi
You can check your server by:
DOS prompt:
nslookup
set type=mx
foo.com

This should return an MX record which points to mail2.foo.com and an A record pointing to 122.105.125.22.

Your server (Exchange) must have this IP and it must listen on port 25 for this IP.

Additionally you have to make sure that mails are forwarded to this IP. Also make sure that the same test from the internet shows the same results. As you must have an agreement with your provider to host your own (public) DNS, your internal settings are irrelevant, as long as a public MX record for your domain exists somewhere else.

Make sure your server is listening on port 25 on this IP (or on all IPs = 0.0.0.0).
Go to your Exchange server and type at the DOS prompt:
netstat -na

You should get either

TCP 0.0.0.0:25 - 0.0.0.0 - Listening

or

TCP 122.105.125.22:25 - 0.0.0.0 - Listening


DNS settings:
foo.com does not have an A record; additionally, a CNAME never points to a domain.
I assume you mean:

superior folder ... which simply points to your local machine (the DNS server)

and a CNAME should be

mail   CNAME   myreallyservername.foo.com




Author Comment

by:Nav444
Thanks.
That is right. The DNS server, a mail server and a web server are all on a Linux machine that is hosted in a remote location, and I have full administrative access to it.
This machine has been running for the past 3 years. We have about 20 different domains running on it and a few of them use the same sendmail mail server.

Now all I am trying to do is move only the mail server for one of those domains to another location, on an Exchange server, while the web server and the rest are still on the Linux machine.

The Exchange server is also in running condition. We are using it over a WAN between two offices. The two offices are connected with a VPN.

Well, Exchange is listening on port 25, and when I type the domain name in here http://www.dnsstuff.com/, it can find the MX and A record.

Maybe my problem is this: the IP of the Exchange server does not have any domain name,
so I cannot do what you said:
mail   CNAME   myreallyservername.foo.com

www.foo.com is the domain of the Linux machine, where I want to keep the web server.

Do you think I should create a domain name for the IP address of Exchange? Only then can I set everything up?

Also I do not understand this:
"Additionally you have to make sure, that mails are forwarded to this IP". After the DNS server, there should be the Exchange server. So no need for forwarding!!

I hope I am not being too confusing. I really appreciate it if you could help me with this problem.

Nav444


Expert Comment

by:Makr_Watson27
You mention you're getting relay errors when sending mail.
Is this mail from your Exchange clients to the outside world,
or
mail from the outside world to your Exchange server?
Accepted Solution

by:Bembi
1.) You have a Windows 2000 Server with Exchange 2000 and Active Directory. That means your server must have a domain name, as your server must be a member of this domain.

Try
nslookup IP_Address_of_Exchange_Server

You should get back mymailserver.mydomain.com

Additionally you have an email domain within your Exchange server, which need not be the same as your W2K domain. But the mail you send to your server must include the email domain of your Exchange server, otherwise Exchange assumes relay and will reject the mail (which is absolutely correct).

If you send a mail, e.g. from Yahoo, to your server, you address your mail to myuser@foo.com. The (public) MX record for foo.com points to the server name (e.g. mail.mydomain.com) and for this server (myserver.mydomain.com) you have an A record, so that external servers can get the IP. As you get relay messages, I would say your server gets the mails.

If your server gets the mail, it first looks whether any user of your Exchange server has a mailbox with this email domain (myuser@foo.com). If not, Exchange searches for a routing advice, and if there is no route to any other location it checks whether relay is open. If yes, your Exchange server tries to find the responsible target server, and if not, the mail is rejected.

Note that you have to create a Recipient Policy for foo.com within your Exchange server, so that the Exchange server knows which is its own email domain. It is not enough to simply add an e-mail address in Active Directory. The email domain becomes valid after the Recipient Update Service of Exchange has run (either automatically within the configured time scope or manually).

As long as this has not happened, your email domain is unknown, and as your server has no alternative route and relay is closed, the mail will be rejected.

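The acceptance order Bembi describes (own email domain, then a known route, then relay, otherwise reject) as a small Python model, added here as an example and not part of the answer; the ServerConfig fields and the verdict strings are assumptions for illustration, not Exchange's own names.

```python
"""Model of the inbound-mail decision Bembi describes for Exchange 2000.
Added example; the field names and verdict strings are assumptions."""
from dataclasses import dataclass, field

@dataclass
class ServerConfig:
    # e-mail domains this server owns: those with a recipient policy that
    # the Recipient Update Service has already applied
    local_domains: set = field(default_factory=set)
    # domains the server knows a route for (a connector to another server)
    routed_domains: set = field(default_factory=set)
    # relay allowed for anyone: the open-relay setting to avoid
    open_relay: bool = False
    # relay allowed only for authenticated senders (Bembi's recommendation)
    relay_authenticated: bool = True

def inbound_decision(rcpt, cfg, authenticated=False):
    """Verdict for one RCPT TO address, in the order Exchange checks it."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in cfg.local_domains:
        return "DELIVER-LOCAL"            # this server is the final destination
    if domain in cfg.routed_domains:
        return "ROUTE"                    # hand over to the configured route
    if cfg.open_relay or (authenticated and cfg.relay_authenticated):
        return "RELAY"                    # look up the responsible MX and forward
    return "550 relay access denied"      # the error Nav444 is seeing

def nav444_scenario():
    """Nav444's case: foo.com before and after its recipient policy applies."""
    cfg = ServerConfig(local_domains={"myfirstsite.com"})
    before = inbound_decision("user@foo.com", cfg)   # anonymous, from the internet
    cfg.local_domains.add("foo.com")                 # policy created and RUS has run
    after = inbound_decision("user@foo.com", cfg)
    return before, after

if __name__ == "__main__":
    print(nav444_scenario())   # ('550 relay access denied', 'DELIVER-LOCAL')
```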
 

Author Comment

by:Nav444
Thanks for your clear explanation. I think I should create the mailbox and recipient policy, but I do not know how to do it exactly.

This Exchange already has a mailbox that works internally. I want to have a different mailbox, like the first one works with username@myfirstsite.com and the new one should work with username@foo.com.

I just created a policy, and it did not work. I think I should do some other settings too.
Can you give me some hints?

Thanks
Nav444
Expert Comment

by:Bembi
The policy may need some time to be applied. Depending on your settings and configuration, it may take about 15 minutes.

Each policy has a filter, where you can filter the users/mailboxes which should be affected by the policy, and an address space for SMTP like "@foo.com".

Within your filter (1st tab of the policy, button "Change") you have a "Search now" button to see the result of the filter.
On the second tab (Email addresses) assign a name space for the affected users you have seen before.

As you cannot change the filter for the default policy (it affects all users), you may have to create a new policy if only a few users are affected. So you can e.g. create a policy for foo.com as well as for myfirstsite.com with different affected users.

If you want to assign both addresses to all users, you can add the second SMTP address to the default policy.

If you add an email address, there is a checkbox saying "This server is responsible for all mails to this domain". This setting says that the server is the only server which is responsible for this email domain.

If both addresses should be reachable from the internet, you have to provide a public MX record for each of your domains.
You can use http://www.checkdns.net/ to check whether your domain can be seen from the internet.
