exchange 2003, added new domain to existing ones, unable to relay for...


the setup:

running ex2k3, packed out, everything was working fine.  we receive email for, and  these work fine, have been working fine for years... even before the upgrade to exchange 2003...

now, we have the requirement to add 2 more domains to the mix.  call them and

the problem:

i've set settings the same as the other domains as far as i can remember... but when sending mail to the 'new' domains, we always get "unable to relay for:"... same for

the background:
the mx and a records for all of these domains resolve to the same internet ip address, with different hostnames (,,, etc...)

the recipient addresses do actually exist and are assigned to individual users in active directory.  

in exchange system manager, in the smtp1 connector all of the domains are listed, with various priorities.  also, * is listed, and the checkmark at the bottom is not checked (allow relaying to these domains).  as this, everything works fine for domain1,2,3... and we're not an open relay.

if i put a checkmark there, they get their mail just fine... but leaving the * there, i assume makes us an open relay.  so i removed the *.  we can still send email as a company, to wherever... and everyone seems to get their mail ok now.

in the course of troubleshooting, i get many errors about metabase update not being able to find the specified path, like 1 error per minute, for a long time.  i have a potential fix for that, will try later tonight.  i assume that exchange just isn't talking with active directory as well as it can be, and one of them doesn't understand that domain4 and domain5 are ours.

and now, the question:

by having the * gone, and a checkmark there for relay to these domains, does this make us less secure, create a less secure environment, or have a better way of happening?

thoughts would be appreciated.

Manually adding the recipient addresses to users in Active Directory won't allow your organization to receive emails for these two new domains.
You need to add these two new domain addresses on one of your recipient policies.
Check your default policy or if you have manually created other policies.

Amit Aggarwal.

This should be helpful for you -->

Amit Aggarwal.
hack-4-good (Author) Commented:
thank you for the link...

i've created a new (additional) recipient policy for these domains... i opted to add a new one rather than change the default because only a few users will have these new domains.

i applied the policies, and rebooted the server for the heck of it...

but.. i still get 'unable to relay' if i remove the checkmark for 'allow relaying to these domains'.  if i remove that checkmark, the unable to relay error comes back...

with that checkmarked, emails get routed properly.  with that checkmarked, i  remove the * from the address space, so we're not an open relay...

is this 'by the book' ? am i missing something else?  that link was very detailed and i followed it to a T...
You appear to be mixing up SMTP Connectors and Recipient Policy.

You do NOT have to have these domains listed on any SMTP Connectors. If you have them listed then remove them. SMTP Connectors have nothing to do with inbound email, just outbound.

The recipient policy controls inbound email and you should ensure that the policy is set for the new domains and enabled. I usually recommend copying the format of the default policy to ensure that you have got it right.

hack-4-good (Author) Commented:
very helpful, thanks
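
A way to verify the outcome discussed in this thread, as an added example that is not part of the original posts: probe one unauthenticated SMTP session against your own server from an outside host, confirming that each of your own domains is accepted and an unrelated domain is refused with the relay error. The `.example` domains and the names `check_relay`, `probe_host` and `FakeServer` are assumptions made for illustration.

```python
import smtplib

def check_relay(smtp, sender, own_rcpts, foreign_rcpt):
    """Probe one unauthenticated session; return {recipient: verdict}."""
    verdicts = {}
    smtp.ehlo()
    for rcpt in list(own_rcpts) + [foreign_rcpt]:
        smtp.mail(sender)
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()  # abandon the transaction: no message is ever sent
        accepted = 200 <= code < 300
        if rcpt == foreign_rcpt:
            verdicts[rcpt] = "OPEN RELAY" if accepted else "ok: relay denied"
        else:
            verdicts[rcpt] = ("ok: accepted" if accepted
                              else "REJECTED: check recipient policy")
    return verdicts

def probe_host(host, sender, own_rcpts, foreign_rcpt):
    """Run the check against your own mail server, from outside its network."""
    with smtplib.SMTP(host, 25, timeout=15) as s:
        return check_relay(s, sender, own_rcpts, foreign_rcpt)

class FakeServer:
    """Constructed stand-in for the server so the example runs offline."""
    def __init__(self, inbound_domains, relay_any=False):
        self.inbound = {d.lower() for d in inbound_domains}
        self.relay_any = relay_any
    def ehlo(self): return (250, b"ok")
    def mail(self, sender): return (250, b"sender ok")
    def rset(self): return (250, b"reset")
    def rcpt(self, rcpt):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if self.relay_any or domain in self.inbound:
            return (250, b"recipient ok")
        return (550, b"5.7.1 Unable to relay for " + rcpt.encode())

if __name__ == "__main__":
    # Constructed addresses; substitute your own domains for a real run.
    own = ["user@domain1.example", "user@domain4.example"]
    before = FakeServer(["domain1.example"])  # new domain not inbound yet
    after = FakeServer(["domain1.example", "domain4.example"])
    for name, srv in (("before", before), ("after", after)):
        print(name, check_relay(srv, "probe@outside.example", own,
                                "x@elsewhere.example"))
```

Some servers accept at RCPT TO and reject later, so a 250 for the unrelated domain is a signal to investigate rather than final proof of an open relay.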