pmcgrew7

asked on

Allowing some internal users to forward through Exchange 2003 SP2

We have an Exchange 2003 SP2 cluster with FrontEnd / BackEnd design.  We are converting our internal users from a Netware 4.11 / NT 4 domain to W2K3 AD.  Our current e-mail is an AIX 4.3 Sendmail (very prehistoric!).  Basically I use the AIX Sendmail and Alias entries to transition the users to Exchange.  When the cutover is complete, I will update the DNS MX records to point to the Exchange 2003 server rather than the AIX Sendmail.

But here is my dilemma....

Our new W2K3 domain is ABC and the DNS is ABC.org.  All the users are being defined to the new ABC AD and have email mailboxes as jdoe@ABC.org.  There are a few business units that have external business domains (XYZ.com) and ISPs that handle their mail (jdoe@XYZ.com).  The AIX Sendmail allows the internal user to send mail out because it does not care about Windows Domains.  However the users are part of the ABC AD Domain and need to access the applications and servers in this DOMAIN.  Since Exchange is so tightly integrated, it will not let these users send mail as "jdoe@XYZ.com".  In the Sendmail alias file, the user's ABC.org ID is directly forwarded to the XYZ.com id.  Basically, they POP that XYZ mail server.  So the issue is sending through Exchange 2003 in the ABC Active Directory Domain (ABC.org DNS) as jdoe@XYZ.com.

The number of users that are like this is very small...so I do not want to add a convoluted solution or allow an open relay / spamming.  

I have read about setting up Virtual Servers, Directories , Contacts etc.  While it seems to be a straightforward idea, it is not clear what should work and not confuse the people needing to support the solution.  

Thx...
Sembee

If the users are popping off another server, can they not send through that server as well?

Failing that, simply configure authentication on their client and then configure authenticated relaying on the Exchange server.
http://www.amset.info/exchange/smtp-relaysecure.asp

Simon.
pmcgrew7

ASKER

No.  These POP servers are located at other ISPs not serving the main company.  I don't understand why they were set up that way -- possibly because we are not-for-profit and some of these business units need to be "separate" from the parent organization.  My guess is that our current e-mail system is an extremely ancient version of Sendmail running on an equally old version of IBM AIX 4.x.  I am using "aliases" in the Sendmail config to shuttle emails to Exchange 2K3 while we are converting all the users.  Basically, the Sendmail still handles all the "smtp" traffic in and out of the HQ.  

We have several of these little "micro business units" who are in our AD / Exchange Domain "abc.org"...and these business units want to be able to send out e-mails as their "xyz.com" (jdoe@xyz.com).  We don't want to open up Exchange to unauthorized relay, and it is difficult to find any docs that seem to clearly outline the setup for this scenario.  

Since all of these people have an Exchange mailbox (<userid>@abc.org), some of these people want a direct forward of all mail to their "micro business unit" email address jdoe@xyz.com.  

I looked at the link and I don't think authenticating SMTP is the answer....the users will POP from the External ISP account but need to be allowed to send out from inside the abc.org Exchange Domain as xyz.com.  Is this something that is not common or practical???

Thx...
By sending through Exchange, how do you mean?

Do you mean the clients are using Outlook as an Exchange client?
or Do you mean that the clients are connecting to Exchange as if it was another SMTP/POP3 server?

The solution depends on the answer to that question.

If it is the latter, then relaying through your Exchange server using authentication is the way that it needs to be done. If your users are sending email out to external email addresses then they are relaying email - so you have to control that some way.

If it is the former, then things get a lot more complicated.
Exchange will not allow you to send email as an address that it is not responsible for, as that is considered spoofing. The domain name would have to appear in the recipient policy on the Exchange server. That will then cause issues with delivery of email from other Exchange clients to non-Exchange accounts.

Simon.
The users are being configured to use Outlook as an Exchange Client (also using OWA) -- no POP/IMAP etc.  Right now, we have approx 33% converted to Exchange.  Since there is a lack of clear docs on this issue, I figured the solution must not be straightforward.   But this can't be all that uncommon....

In a somewhat related issue, I have got a user who has this software that monitors temperature sensors.  It runs on XP Pro and has IIS running.  I can't find a document that shows how to get IIS on this machine to send mail to the Exchange server...right now it is "relaying" to Exchange via the Sendmail server...but still can't get it to send mail off-location (i.e. to a cell phone e-mail 1234567890@cingular.com).
As far as Microsoft are concerned, your problem is not common. Exchange is still skewed towards the enterprise. It operates on a policy of one user = one email address and the same email address is used for inbound and outbound email. You can have aliases on the accounts, but those are for inbound only - all outbound email still goes out with same email address on it.

For Exchange to allow email to go out with email from a domain on it, the domain must be in recipient policy. The presence of a domain in recipient policy means that Exchange thinks it is responsible for all email delivered to that domain.

As you have the email on two servers you will need to share the SMTP name space. The options for that are covered in this KB article.  http://support.microsoft.com/default.aspx?kbid=321721

The issue with the device that does temperature monitoring is related. You need to allow the Exchange server to relay email from that device, or relay through an external server. I tend to relay email from devices like that through the ISP's SMTP server - let someone else worry about relaying settings.

Simon.
All our IPs are NAT'd behind a single IP....so the temperature monitor PC is not distinguishable.  It is in a separate building several miles away.

Can we set up a separate Recipient Policy for each of these little "domains" and assign to the users who need to send e-mail out of the corp w/ a different domain?  

Part of me thinks that we should find a Windows "smtp" package for just these few exceptions...unfortunately, we use an A/V gateway that scans all inbound SMTP and then forwards it to a single server (right now that is the Sendmail AIX machine).  It can't "split" the inbound based on the recipient.

If you set a recipient policy for each of those domains - ie a separate policy, not adding the domains to the default policy - and do NOT set a filter, then no users will get email addresses on those domains automatically. You can then set the email addresses on the accounts on an as required basis.

The trick comes with co-existence of the email addresses with the other server.
The way that I would do it would be to set MX records for those domains in your Windows AD domain, that points to the Sendmail machine. Then disable the option in the recipient policy that states that Exchange is responsible for all email for that domain. When email is received on the server for an email address that Exchange doesn't recognise, then the message is sent to the server listed in the MX records. By putting MX records in to your local DNS, you stop the Exchange server from looking on the internet.

Ideally, you should have the email for those users coming to the Exchange server rather than being popped off the server. Use an alias or something like that to get the email to come to the Exchange server instead of being delivered to the mailbox on that machine. If your long term aim is to get all email being served by the Exchange server then at some point you will need to switch the email delivery point from the sendmail machine to Exchange.

Simon.
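To make the coexistence routing Simon describes concrete (a separate recipient policy for xyz.com with the "responsible for all mail" option cleared, an MX for xyz.com in the internal AD DNS pointing at the Sendmail host, and the primary SMTP address deciding what Outlook/OWA users send out with), here is an added Python model of those decisions. It is illustrative code written for this page, not Exchange's own logic; the host names, mailboxes and return labels are constructed assumptions.

```python
# Constructed sample environment (hypothetical host names, not the asker's real ones).
# Recipient policies: domain -> "Exchange is responsible for all mail to this domain".
POLICIES = {"abc.org": True, "xyz.com": False}   # xyz.com policy has no filter set
INTERNAL_MX = {"xyz.com": "sendmail.abc.org"}    # MX in AD DNS pointing at legacy host
MAILBOXES = {   # primary = the address Outlook/OWA users send with; proxies = all SMTP
    "jdoe": {"primary": "jdoe@abc.org", "proxies": {"jdoe@abc.org", "jdoe@xyz.com"}},
    "asmith": {"primary": "asmith@abc.org", "proxies": {"asmith@abc.org"}},
}

def _owner(addr):
    """Mailbox that has addr stamped on it, or None."""
    addr = addr.lower()
    for name, mb in MAILBOXES.items():
        if addr in {p.lower() for p in mb["proxies"]}:
            return name
    return None

def route_inbound(rcpt, authenticated=False):
    """Where Exchange sends a message addressed to rcpt."""
    domain = rcpt.split("@")[1].lower()
    if domain not in POLICIES:
        # Not in any recipient policy: only an authenticated client may relay outward.
        return "relay:internet" if authenticated else "relay-denied"
    owner = _owner(rcpt)
    if owner is not None:
        return f"deliver:{owner}"
    if POLICIES[domain]:
        return "ndr"  # Exchange owns the whole domain, so an unknown user bounces
    return f"forward:{INTERNAL_MX[domain]}"  # shared namespace: hand to the MX host

def outbound_from(user):
    """MAPI/OWA users always send with the primary address, never a secondary proxy."""
    return MAILBOXES[user]["primary"]

def set_primary(user, addr):
    """Make addr the primary SMTP address; its domain must be in a recipient policy."""
    domain = addr.split("@")[1].lower()
    if domain not in POLICIES:
        raise ValueError(f"{domain} is not in any recipient policy")
    MAILBOXES[user]["proxies"].add(addr)
    MAILBOXES[user]["primary"] = addr
```

Note that an unknown xyz.com recipient is forwarded to the Sendmail host only because the internal MX exists and the "responsible" flag is off; with the flag on, the same address would bounce.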
I did more digging....  what about the explanation / solution on this web site?  

http://www.msexchange.org/tutorials/MF010.html

The current Sendmail server is going away...it has increasingly become problematic and the machine is too old to run current AIX releases.  I am sure there are many who feel Exchange is not the "best" solution for e-mail.  But given staff resources, we really need to have stuff that plays nicely with each other.  Since we went with converting to MS W2K3 AD / DNS, it made sense to stick w/ a complete MS solution.   ISPs use Exchange for themselves and host multiple client domains on them too. If I set up as per the article above won't I just have to set the appropriate SMTP address as the primary?  I am not sure how that will work trying to send to people outside of the Exchange Domain(s).  
ASKER CERTIFIED SOLUTION
Sembee