550 unable to relay for secondary domain

Hello experts!

I have set up Exchange to receive email for a secondary domain, for simplicity's sake let's say that my primary domain is:


And the secondary domain is: foo.com

Well, in Active Directory Domains and Trusts, I set up an alternate UPN suffix for foo.com and then created a user and a mailbox for this, and in Exchange I set up a recipient policy to accept mail for foo.com

Earlier today a user reported that an email to @netzero.net was returned as "550 unable to relay for user@netzero.net" when they used the POP email server "mail.foo.com"; however, they were able to send the email through their normal Exchange account.

Any ideas on why this occurred?

(I'm happy to clarify further if this isn't enough info...just tell me what you need to know)


The SMTP Connector only deals with outbound email.
Therefore if you have created an SMTP connector with the second domain listed then you haven't fixed the problem. Remove it as it is of no use to you.

What I was more interested in was what you are entering into the clients.
In most cases you need to authenticate to relay - that is the most secure way of dealing with relaying. You do need to set it specifically - as authentication on POP3 isn't enough.

What mechanism do you use for allowing your users to relay?
By IP address? (bad)
Authentication? (good)

Exchange doesn't allow relaying to an external email address without one of the above being set - otherwise you are an open relay.

neomage23 (Author) commented:

Simon, I'm not exactly sure how to answer the question...

In an attempt to answer the question, I went into the System Manager and opened the properties for the default SMTP Virtual Server and clicked on the Access tab and then the Relay button...in the "Relay Restrictions" section I have "only the list below" selected, and there are NO COMPUTERS in the list...but I have it checked where it says "Allow all computers which successfully authenticate to relay regardless of the list above"....

I thought that perhaps this situation was related to the fact that I have no "connectors" so I went ahead and put in a connector that relayed mail through the server based on the address space "foo.com"...

But I haven't tested it yet...

What do you think?


neomage23 (Author) commented:
Ok, I've removed the connector...but where do I "set it specifically" to authenticate to relay?

You already have it set on the server.
What you need to check is the client. That will vary depending on the client. Look for something that says "server requires authentication" or something like that.

neomage23 (Author) commented:
Thanks for your help on this, Simon...you were ABSOLUTELY right...in Outlook 2003 I set the outgoing message properties to "use the same credentials" or whatever and now it works fine. Just to be safe I did an "Open Relay" test through abuse.org and everything seems to be relatively secure and safe. Thanks again for your help.
Question has a verified solution.
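
The relay decision discussed in this thread, as an added example (not part of the original posts and not Exchange's own code): a simplified Python model of the SMTP virtual server relay settings, showing why the unauthenticated client got the 550 and how the same settings would look if misconfigured. The names `RelayPolicy`, `rcpt_reply` and `audit`, and all IP addresses, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayPolicy:
    """Simplified model of the relay settings named in the thread."""
    local_domains: set            # domains accepted via recipient policy
    only_listed: bool = True      # True: "Only the list below"; False: all except the list
    ip_list: list = field(default_factory=list)  # networks in the relay list
    auth_may_relay: bool = True   # "Allow all computers which successfully authenticate..."

def rcpt_reply(policy, client_ip, smtp_authenticated, rcpt):
    """Reply this model gives to RCPT TO:<rcpt> for one SMTP session."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        return "250 OK"           # local delivery, not relaying
    # A POP3 login does not count: only AUTH on the SMTP session itself does.
    if smtp_authenticated and policy.auth_may_relay:
        return "250 OK"
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in ipaddress.ip_network(net) for net in policy.ip_list)
    if listed == policy.only_listed:
        return "250 OK"           # relay granted on source address alone
    return f"550 unable to relay for {rcpt}"

def audit(policy, probe_ip="198.51.100.7"):
    """Findings for a policy; probe_ip is a constructed outside address."""
    findings = []
    if rcpt_reply(policy, probe_ip, False, "probe@external.example") == "250 OK":
        findings.append("open relay: unauthenticated outside host can relay")
    if policy.only_listed and policy.ip_list:
        findings.append("IP-based relay: listed hosts relay without credentials")
    return findings

if __name__ == "__main__":
    # Settings as described in the thread (primary domain not given on the page).
    thread = RelayPolicy(local_domains={"foo.com"})
    client = "203.0.113.10"       # constructed client address
    print(rcpt_reply(thread, client, False, "user@netzero.net"))  # before the client fix
    print(rcpt_reply(thread, client, True, "user@netzero.net"))   # after enabling SMTP auth
    print(rcpt_reply(thread, client, False, "someone@foo.com"))   # inbound mail
    print(audit(thread))
    print(audit(RelayPolicy({"foo.com"}, only_listed=False)))
```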
