Solved

SMTP Relay

Posted on 2006-11-14
16
1,727 Views
Last Modified: 2008-02-01
Ok, I know this has probably been answered 1000 times here, but humor me as I make sure I understand Exchange 2000 SMTP Relay.

I have an Exchange server sitting on my Active Directory domain, domain1.com and domain2.com. My domain is behind a firewall via NAT.

Domain1.com is also my Active Directory domain name (I know, don't use a real public domain for my Active Directory; I heard that too late, after configuring my network 5 years ago). Domain2.com is only for mail receive/send.

I have a single Virtual SMTP in Exchange receiving for both domains. My send and reverse DNS are working fine, as my firewall is providing the correct broadcast IP for outbound mail (matches my inbound IP).

I need all my internal users sending from domain1.com and domain2.com to be able to send mail.

I have a couple of users who travel and need to be able to send mail from the Web Interface and/or Entourage (uses an HTTP connection).

How do I eliminate an open relay on exchange?
Question by:jeffreyscottsmith
16 Comments
 
LVL 18

Expert Comment

by:amaheshwari
ID: 17938212
0
 

Author Comment

by:jeffreyscottsmith
ID: 17938310
Ok, herein lies my confusion.

1. If I change my relay settings to only the list below and uncheck the "Allow All computers..." box, won't that stop my users from receiving from outside domains?

2. It sounds from this article that I should set up a connector. However, I don't see where in my case a connector provides me anything over the Virtual SMTP.

0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 17939411
Exchange is relay secure by default. If you haven't changed anything then it shouldn't be an open relay. Having multiple domains doesn't make your server an open relay.

I have a test for being an open relay and the most common ways you can turn the server in to an open relay on my web site: http://www.amset.info/exchange/smtp-openrelay.asp

The relay setting you have mentioned has no part to play in receiving email from external servers. Email coming in to your server for a domain that Exchange knows it is responsible for is not relaying.

The only time it would cause a problem is when you are using Outlook Express or other POP3/SMTP clients to send their email through your server. The most secure way of dealing with those is to make them authenticate when they are sending their email. You can secure the authentication process so that it cannot be abused.

Simon.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17939596
Ok, so let me verify (bear with me please).

1. I can check "Only the list below" with the list empty on the relay tab, and it shouldn't prevent any incoming email from outside domains from reaching my users?

2. I can uncheck "Allow all computers which successfully authenticate to relay, regardless of the list above."

3. I have an internal DNS entry for mail for both domains (mail.domain1.com and mail.domain2.com) pointing to the internal IP for the Virtual SMTP.

4. The Connections button on the Access tab for my Virtual SMTP has "All except the list below" checked.

5. The Access Control button has Anonymous Access, Basic Authentication, and Integrated Windows Authentication all checked.

6. My Delivery tab has mail.domain1.com as the fully qualified domain name. I don't have a smart host, so that is blank.

7. I don't have "perform reverse DNS" checked, as some of our company email contacts don't have that properly configured. Am I right to assume that if it is checked, email without a correct reverse DNS will be bounced?

8. The Outbound Security button on the Delivery tab only has "Anonymous Access" checked. The rest are blank.

Thanks again for your help and patience.

0
 
LVL 104

Expert Comment

by:Sembee
ID: 17939684
With regards to your internal DNS, Exchange doesn't care. You can have entries or not, it will not affect email flow.
The reverse DNS option on the SMTP virtual server is a waste of time. Many people would like it to reject email based on a reverse DNS lookup failure, but it doesn't. All it does is slow things down with no benefit other than an extra line in the SMTP headers about the reverse DNS lookup failing.

Everything else looks fine.

Simon.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17939720
When I make my changes to the Relay Area as indicated above, do I need to restart the entire server or can I simply restart the SMTP service?

If no one is actually using POP3, I assume I can disable that service?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17939815
POP3 isn't enabled by default anyway. If you have changed that behaviour then turn it off.
You don't need to restart the entire server - just SMTP will be fine.

Simon.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17939913
Ok, well I made the changes to the relay tab (only the list below, and unchecking relay for authenticated users).

I am getting email to users with the Domain1.com (my domain that is my active directory domain and is listed as my FQDN) as primary domain.

However, I am not getting mail to users with domain2.com as their primary email address.

Any thoughts?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17940589
There could be a host of reasons for that.
Do you get an NDR?

Is the second domain listed in recipient policy?

Simon.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17940752
Ah, thanks.  It was in the recipient policy before.  Not sure why it disappeared.  I will modify and let you know if that corrected the issue.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17940924
I take from what you indicated that all domains need to be listed in the recipient policy to be received correctly.

I am waiting for my DNS to propagate to verify this worked.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17941092
Do I need to completely restart Exchange for the policy to be implemented?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17941126
Shouldn't need to.
Exchange will update itself after a little while. As long as the domain is enabled it should work.

Simon.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17941313
Ok, I am resolving, but I am getting an "unable to relay" 550 5.7.1 error for domain2.com.
0
 

Author Comment

by:jeffreyscottsmith
ID: 17941399
Sorry, let me clarify. Domains trying to send to domain2.com are getting the "unable to relay" 550 5.7.1 error for domain2.com; domain1.com is still working fine.
0
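To make Sembee's distinction concrete (mail for a domain in the recipient policy is local delivery, not relay, and only foreign recipients are subject to the relay list and the authenticated-relay box), and to show why dropping domain2.com from the recipient policy produces exactly the 550 5.7.1 seen above, here is an added example: a small Python model of the RCPT TO decision plus a checker for a captured SMTP session from your own server. This is illustrative code, not Exchange's or Sembee's; the policy fields, the `C:`/`S:` transcript format and the sample session are constructed, and the relay list is simplified to exact client IPs.

```python
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """Hypothetical model of one SMTP virtual server's relay-relevant settings."""
    accepted_domains: set                          # domains listed in the recipient policy
    relay_hosts: set = field(default_factory=set)  # Relay tab: "Only the list below" (client IPs)
    authenticated_may_relay: bool = False          # "Allow all computers which successfully authenticate..."

    def rcpt_decision(self, rcpt: str, client_ip: str, authenticated: bool = False) -> str:
        """Reply to RCPT TO. A recipient in an accepted domain is local delivery, never relay."""
        domain = rcpt.strip("<>").rsplit("@", 1)[-1].lower()
        if domain in self.accepted_domains:
            return "250 2.1.5 " + rcpt
        if client_ip in self.relay_hosts or (authenticated and self.authenticated_may_relay):
            return "250 2.1.5 " + rcpt          # relay explicitly permitted by policy
        return "550 5.7.1 Unable to relay for " + rcpt


def relay_verdicts(transcript: str, accepted_domains: set) -> list:
    """Scan a captured session (client lines 'C: ...', server lines 'S: ...') and return
    (recipient, relayed) pairs; relayed is True when the server answered 250 for a
    recipient outside the accepted domains. Any True means the server relayed for that test."""
    verdicts, pending = [], None
    for line in transcript.splitlines():
        tag, _, text = line.partition(" ")
        if tag == "C:" and text.upper().startswith("RCPT TO:"):
            pending = text[8:].strip().strip("<>")
        elif tag == "S:" and pending is not None:
            domain = pending.rsplit("@", 1)[-1].lower()
            verdicts.append((pending, text.startswith("250") and domain not in accepted_domains))
            pending = None
    return verdicts


# Constructed session: an unauthenticated outside host tries one local and one foreign recipient.
SAMPLE_SESSION = """\
C: MAIL FROM:<someone@example.net>
S: 250 2.1.0 someone@example.net....Sender OK
C: RCPT TO:<user@domain2.com>
S: 250 2.1.5 user@domain2.com
C: RCPT TO:<victim@example.org>
S: 550 5.7.1 Unable to relay for victim@example.org
"""
```

With `accepted_domains={"domain1.com"}` the first RCPT in the sample is refused with 550 5.7.1 even though nothing on the relay tab changed, which is the symptom the thread hit.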
 

Author Comment

by:jeffreyscottsmith
ID: 17941568
Ok, Exchange SP3 rollup seemed to fix the issue.  Go figure.
0
