exchange 2003, added new domain to existing ones, unable to relay for...

Posted on 2006-04-12
Last Modified: 2008-03-10

the setup:

running ex2k3, packed out, everything was working fine. we receive email for, and these work fine, have been working fine for years... even before the upgrade to exchange 2003...

now, we have the requirement to add 2 more domains to the mix.  call them and

the problem:

i've set the settings the same as the other domains as far as i can remember... but when sending mail to the 'new' domains, we always get "unable to relay for:"... same for

the background:
the mx and a records for all of these domains resolve to the same internet ip address, with different hostnames (,,, etc...)

the recipient addresses do actually exist and are assigned to individual users in active directory.  

in exchange system manager, in the smtp1 connector all of the domains are listed, with various priorities. also, * is listed, and the checkmark at the bottom is not checked (allow relaying to these domains). as this, everything works fine for domain1,2,3... and we're not an open relay.

if i put a checkmark there, they get their mail just fine... but leaving the * there, i assume makes us an open relay.  so i removed the *.  we can still send email as a company, to wherever... and everyone seems to get their mail ok now.

in the course of troubleshooting, i get many errors about metabase update not being able to find the specified path, like 1 error per minute, for a long time. i have a potential fix for that, will try later tonight. i assume that exchange just isn't talking with active directory as well as it can be, and one of them doesn't understand that domain4 and domain5 are ours.

and now, the question:

by having the * gone, and a checkmark there for relay to these domains, does this make us less secure, create a less secure environment, or have a better way of happening?

thoughts would be appreciated.
Question by:hack-4-good
    LVL 12

    Accepted Solution

    Manually adding the recipient addresses to users in Active Directory won't allow your organization to receive emails for these two new domains.
    You need to add these two new domain addresses on one of your recipient policies.
    Check your default policy, or any other policies you have manually created.

    Amit Aggarwal.
    LVL 12

    Assisted Solution

    This should be helpful for you -->

    Amit Aggarwal.
    LVL 4

    Author Comment

    thank you for the link...

    i've created a new (additional) recipient policy for these domains... i opted to add a new one rather than change the default because only a few users will have these new domains.

    i applied the policies, and rebooted the server for the heck of it...

    but.. i still get 'unable to relay' if i remove the checkmark for 'allow relaying to these domains'.  if i remove that checkmark, the unable to relay error comes back...

    with that checkmarked, emails get routed properly. with that checkmarked, i remove the * from the address space, so we're not an open relay...

    is this 'by the book' ? am i missing something else?  that link was very detailed and i followed it to a T...
    LVL 104

    Assisted Solution

    You appear to be mixing up SMTP Connectors and Recipient Policy.

    You do NOT have to have these domains listed on any SMTP Connectors. If you have them listed then remove them. SMTP Connectors have nothing to do with inbound email, just outbound.

    The recipient policy controls inbound email and you should ensure that the policy is set for the new domains and enabled. I usually recommend copying the format of the default policy to ensure that you have got it right.
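    The distinction made in this answer (recipient policy decides which domains are local and accepted inbound; an SMTP connector's address space only matters once you tick "allow relaying", and "*" plus that tick means relaying for everyone) can be shown as a small decision model. The following is an added example written for this page, not code from the thread or from Microsoft: the domain names are constructed placeholders, and the RCPT TO logic is a deliberate simplification of what an Exchange 2003 SMTP virtual server actually does (real address-space matching and the per-virtual-server relay restrictions are more involved).

```python
"""Simplified model of an SMTP server's RCPT TO decision (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SmtpPolicy:
    """The three settings the thread is about, as a constructed model."""
    # Domains the organisation hosts mailboxes for (Exchange 2003: recipient policy).
    local_domains: set
    # Address space listed on an SMTP connector; "*" matches every domain.
    address_space: set = field(default_factory=set)
    # The "allow messages to be relayed to these domains" checkbox on that connector.
    relay_to_address_space: bool = False


def rcpt_decision(policy: SmtpPolicy, recipient: str, authenticated: bool = False) -> tuple:
    """Return the (code, text) reply the modelled server gives to RCPT TO:<recipient>."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        # Inbound mail for a domain we host: accepted regardless of connector settings.
        return 250, "2.1.5 recipient ok (local delivery)"
    if authenticated:
        # Authenticated users may relay (normal outbound mail from the company).
        return 250, "2.1.5 recipient ok (authenticated relay)"
    if policy.relay_to_address_space and (
        "*" in policy.address_space or domain in policy.address_space
    ):
        # Anonymous relay permitted by the connector's address space.
        return 250, "2.1.5 recipient ok (relay permitted by address space)"
    return 550, "5.7.1 Unable to relay for " + recipient


def is_open_relay(policy: SmtpPolicy) -> bool:
    """True if an anonymous sender can relay to a domain we neither host nor trust."""
    code, _ = rcpt_decision(policy, "anyone@unrelated.example")  # constructed probe address
    return code == 250


# Constructed placeholder domains standing in for the thread's domain1..domain5.
LOCAL = {"domain1.example", "domain2.example", "domain3.example"}
NEW = {"domain4.example", "domain5.example"}


def original_problem() -> SmtpPolicy:
    """New domains only on the connector, checkbox unticked: 550 for domain4/5, not an open relay."""
    return SmtpPolicy(local_domains=set(LOCAL), address_space=LOCAL | NEW | {"*"})


def checkbox_workaround() -> SmtpPolicy:
    """Checkbox ticked while '*' is still listed: mail flows, but anyone can relay through us."""
    return SmtpPolicy(local_domains=set(LOCAL), address_space=LOCAL | NEW | {"*"},
                      relay_to_address_space=True)


def recipient_policy_fix() -> SmtpPolicy:
    """The answer's advice: put the new domains in the recipient policy, leave relaying off."""
    return SmtpPolicy(local_domains=LOCAL | NEW)


if __name__ == "__main__":
    for name, build in (("original problem", original_problem),
                        ("checkbox workaround", checkbox_workaround),
                        ("recipient policy fix", recipient_policy_fix)):
        policy = build()
        print(f"{name:22s} RCPT user@domain4.example -> {rcpt_decision(policy, 'user@domain4.example')}"
              f"  open relay: {is_open_relay(policy)}")
```

    Running the model reproduces the thread: with the new domains only on the connector the server answers 550 "Unable to relay", ticking the checkbox with "*" present makes delivery work by turning the server into an open relay, and adding the domains to the recipient policy is the only configuration where domain4/domain5 are accepted and the relay probe is still refused.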

    LVL 4

    Author Comment

    very helpful, thanks
