Solved

Allowing some internal users to forward through Exchange 2003 SP2

Posted on 2006-06-13
Last Modified: 2010-08-05
We have an Exchange 2003 SP2 cluster with FrontEnd / BackEnd design.  We are converting our internal users from a Netware 4.11 / NT 4 domain to W2K3 AD.  Our current e-mail is an AIX 4.3 Sendmail (very prehistoric!).  Basically I use the AIX Sendmail and Alias entries to transition the users to Exchange.  When the cutover is complete, I will update the DNS MX records to point to the Exchange 2003 server rather than the AIX Sendmail.

But here is my dilemma....

Our new W2K3 domain is ABC and the DNS is ABC.org.  All the users are being defined to the new ABC AD and have email mailboxes as jdoe@ABC.org.  There are a few business units that have external business domains (XYZ.com) and ISPs that handle their mail (jdoe@XYZ.com).  The AIX Sendmail allows the internal user to send mail out because it does not care about Windows Domains.  However the users are part of the ABC AD Domain and need to access the applications and servers in this DOMAIN.  Since Exchange is so tightly integrated, it will not let these users send mail as "jdoe@XYZ.com".  In the Sendmail alias file, the user's ABC.org ID is directly forwarded to the XYZ.com id.  Basically, they POP that XYZ mail server.  So the issue is Sending through Exchange 2003 in the ABC Active Directory Domain (ABC.org DNS) as jdoe@XYZ.com.

The number of users that are like this are very small...so I do not want to add a convoluted solution or allow an open relay / spamming.  

I have read about setting up Virtual Servers, Directories , Contacts etc.  While it seems to be a straightforward idea, it is not clear what should work and not confuse the people needing to support the solution.  

Thx...
11 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 16975829
If the users are popping off another server, can they not send through that server as well?

Failing that, simply configure authentication on their client and then configure authenticated relaying on the Exchange server.
http://www.amset.info/exchange/smtp-relaysecure.asp

Simon.
0
 

Author Comment

by:pmcgrew7
ID: 16978750
No.  These POP servers are located at other ISPs not serving the main company.  I don't understand why they were set up that way -- possibly because we are not-for-profit and some of these business units need to be "separate" from the parent organization.  My guess is that our current e-mail system is an extremely ancient version of Sendmail running on an equally old version of IBM AIX 4.x.  I am using "aliases" in the Sendmail config to shuttle emails to Exchange 2K3 while we are converting all the users.  Basically, the Sendmail still handles all the "smtp" traffic in and out of the HQ.  

We have several of these little "micro business units" who are in our AD / Exchange Domain "abc.org"...and these business units want to be able to send out e-mails as their "xyz.com" (jdoe@xyz.com).  We don't want to open up Exchange to unauthorized relay, and it is difficult to find any docs that seem to clearly outline the setup for this scenario.  

Since all of these people have an Exchange mailbox (<userid>@abc.org), some of these people want a direct forward of all mail to their "micro business unit" email address jdoe@xyz.com.  

I looked at the link and I don't think authenticating SMTP is the answer....the users will POP from the External ISP account but need to be allowed to send out from inside the abc.org Exchange Domain as xyz.com.  Is this something that is not common or practical?

Thx...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16979254
By sending through Exchange, how do you mean?

Do you mean the clients are using Outlook as an Exchange client?
or Do you mean that the clients are connecting to Exchange as if it was another SMTP/POP3 server?

Depending on the answer to that question depends on the solution.

If it is the latter, then relaying through your Exchange server using authentication is the way that it needs to be done. Your users are sending email out to external email addresses then they are relaying email - so you have to control that some way.

If it is the former, then things get a lot more complicated.
Exchange will not allow you to send email as an address that it is not responsible for, as that is considered spoofing. The domain name would have to appear in the recipient policy on the Exchange server. That will then cause issues with delivery of email from other Exchange clients to non-Exchange accounts.

Simon.
0
 

Author Comment

by:pmcgrew7
ID: 16979836
The users are being configured to use Outlook as an Exchange Client (also using OWA) -- no POP/IMAP etc.  Right now, we have approx 33% converted to Exchange.  Since there is a lack of clear docs on this issue, I figured the solution must not be straightforward.   But this can't be all that uncommon....

In a somewhat related issue, I have got a user who has this software that monitors temperature sensors.  It runs on XP Pro and has IIS running.  I can't find a document that shows how to get IIS on this machine to send mail to Exchange server...right now it is "relaying" to Exchange via the Sendmail server...but still can't get it to send mail off-location (ie. to a cell phone e-mail 1234567890@cingular.com).
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16980139
As far as Microsoft are concerned, your problem is not common. Exchange is still skewed towards the enterprise. It operates on a policy of one user = one email address and the same email address is used for inbound and outbound email. You can have aliases on the accounts, but those are for inbound only - all outbound email still goes out with the same email address on it.

For Exchange to allow email to go out with email from a domain on it, the domain must be in recipient policy. The presence of a domain in recipient policy means that Exchange thinks it is responsible for all email delivered to that domain.

As you have the email on two servers you will need to share the SMTP name space. The options for that are covered in this KB article.  http://support.microsoft.com/default.aspx?kbid=321721

The issue with the device that does temperature monitoring is related. You need to allow the Exchange server to relay email from that device, or relay through an external server. I tend to relay email from devices like that through the ISP's SMTP server - let someone else worry about relaying settings.

Simon.
0
 

Author Comment

by:pmcgrew7
ID: 16980223
All our IPs are NAT'd behind a single IP....so the temperature monitor PC is not distinguishable.  It is in a separate building several miles away.

Can we set up a separate Recipient Policy for each of these little "domains" and assign to the users who need to send e-mail out of the corp w/ a different domain?  

Part of me thinks that we should find a Windows "smtp" package for just these few exceptions...unfortunately, we use an A/V gateway that scans all inbound SMTP and then forwards it to a single server (right now that is the Sendmail AIX machine).  It can't "split" the inbound based on the recipient.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16980452
If you set a recipient policy for each of those domains - ie a separate policy, not adding the domains to the default policy - and do NOT set a filter, then no users will get email addresses on those domains automatically. You can then set the email addresses on the accounts on an as-required basis.

The trick comes with co-existence of the email addresses with the other server.
The way that I would do it would be to set MX records for those domains in your Windows AD domain that point to the Sendmail machine. Then disable the option in the recipient policy that states that Exchange is responsible for all email for that domain. When email is received on the server for an email address that Exchange doesn't recognise, then the message is sent to the server listed in the MX records. By putting MX records in to your local DNS, you stop the Exchange server from looking on the internet.

Ideally, you should have the email for those users coming to the Exchange server rather than being popped off the server. Use an alias or something like that to get the email to come to the Exchange server instead of being delivered to the mailbox on that machine. If your long term aim is to get all email being served by the Exchange server then at some point you will need to switch the email delivery point from the sendmail machine to Exchange.

Simon.
0
 

Author Comment

by:pmcgrew7
ID: 16985241
I did more digging....  what about the explanation / solution on this web site?  

http://www.msexchange.org/tutorials/MF010.html

The current Sendmail server is going away...it has increasingly become problematic and the machine is too old to run current AIX releases.  I am sure there are many who feel Exchange is not the "best" solution for e-mail.  But given staff resources, we really need to have stuff that plays nicely with each other.  Since we went with converting to MS W2K3 AD / DNS, it made sense to stick w/ a complete MS solution.   ISPs use Exchange for themselves and host multiple client domains on them too. If I set up as per the article above, won't I just have to set the appropriate smtp address as the primary?  I am not sure how that will work trying to send to people outside of the Exchange Domain(s).  
0
 
LVL 104

Accepted Solution

by: Sembee (earned 250 total points)
ID: 16985416
That is effectively what I have proposed.

However where I have differed is that I don't recommend making changes to the default recipient policy. When additional domains are involved, I will always create an additional policy - leaving the original one alone.

As long as you set the correct default SMTP address, then all will be well.
One note of caution - make sure that all users have an email address in the default domain as well. It doesn't have to be their default address, but they do need to have one for things like OWA to work correctly.

Simon.
0
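To make the accepted approach concrete (a separate recipient policy per micro-business-unit domain with "responsible for all mail" cleared, internal MX records pointing at the Sendmail box, and the caution that every user still needs an address in the default domain), here is a small model of the routing and address checks as an added illustration. This is not Exchange code or the poster's configuration; the host name sendmail.abc.org, the mailbox list and the proxy addresses are constructed sample values.

```python
# Model of the split-namespace routing Sembee describes for Exchange 2003.
# Added illustration only; not Exchange code. Sample data is constructed.
from dataclasses import dataclass


@dataclass
class RecipientPolicy:
    domain: str
    responsible_for_all_mail: bool  # the per-policy checkbox Sembee says to clear


@dataclass
class ExchangeOrg:
    policies: dict   # domain -> RecipientPolicy (default policy plus one per extra domain)
    mailboxes: set   # lowercase SMTP addresses that exist on AD accounts
    local_mx: dict   # domain -> host from the internal DNS zone (constructed)

    def route(self, rcpt: str, authenticated: bool) -> str:
        """Decide what the server does with one RCPT TO address."""
        rcpt = rcpt.lower()
        domain = rcpt.rpartition("@")[2]
        pol = self.policies.get(domain)
        if pol is None:
            # Domain is not in any recipient policy: accepting it is relaying,
            # which must stay limited to authenticated senders (no open relay).
            return "relay" if authenticated else "reject: relay denied"
        if rcpt in self.mailboxes:
            return "local"
        if pol.responsible_for_all_mail:
            return "ndr: unknown recipient"  # Exchange owns the whole domain
        host = self.local_mx.get(domain)
        if host is None:
            return "reject: no internal MX for shared domain"
        return f"forward to {host}"  # shared namespace: hand off to Sendmail


def users_missing_default_domain(proxy_addresses: dict, default_domain: str = "abc.org") -> list:
    """Sembee's caution: each user needs some address in the default domain,
    even when the primary (uppercase SMTP:) address is in another domain."""
    return [user for user, addrs in proxy_addresses.items()
            if not any(a.lower().endswith("@" + default_domain) for a in addrs)]


ORG = ExchangeOrg(
    policies={"abc.org": RecipientPolicy("abc.org", True),    # default policy, untouched
              "xyz.com": RecipientPolicy("xyz.com", False)},  # separate policy, no filter
    mailboxes={"jdoe@abc.org", "jdoe@xyz.com"},               # constructed
    local_mx={"xyz.com": "sendmail.abc.org"},                 # constructed internal MX
)
```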