  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1747

SMTP Relay

Ok, I know this has probably been answered 1000 times here, but humor me as I make sure I understand Exchange 2000 SMTP Relay.

I have an Exchange server sitting on my active directory domain, domain1.com and domain2.com. My domain is behind a firewall via NAT.

Domain1.com is also my active directory domain name (I know, don't use a real public domain for my active directory, I heard that too late after configuring my network 5 years ago).  Domain2.com is only for mail receive/send.

I have a single Virtual SMTP in exchange receiving for both domains.  My send and reverse DNS are working fine as my Firewall is providing the correct broadcast IP for outbound Mail (matches my inbound IP).

I need all my internal users sending from domain1.com and domain2.com to be able to send mail.

I have a couple of users that travel who need to be able to send mail from the Web Interface and/or Entourage (uses HTTP connection).

How do I eliminate an open relay on exchange?
Asked by: jeffreyscottsmith

amaheshwari commented:

jeffreyscottsmith (Author) commented:
Ok, herein lies my confusion.

1. If I change my relay settings to only the list below and uncheck the "Allow All computers..." box, won't that stop my users from receiving from outside domains?

2. It sounds from this article that I should set up a connector. However, I don't see where in my case a connector would provide me anything over the Virtual SMTP.

Sembee commented:
Exchange is relay secure by default. If you haven't changed anything then it shouldn't be an open relay. Having multiple domains doesn't make your server an open relay.

I have a test for being an open relay and the most common ways you can turn the server in to an open relay on my web site: http://www.amset.info/exchange/smtp-openrelay.asp

The relay setting you have mentioned has no part to play in receiving email from external servers. Email coming in to your server for a domain that Exchange knows it is responsible for is not relaying.

The only time it would cause a problem is when you are using Outlook Express or other POP3/SMTP clients to send their email through your server. The most secure way of dealing with those is to make them authenticate when they are sending their email. You can secure the authentication process so that it cannot be abused.

Simon.

jeffreyscottsmith (Author) commented:
Ok, so let me verify (bear with me please).

1. I can check "Only the list below" with the list empty on the relay tab and it shouldn't prevent any incoming email from outside domains from reaching my users?

2. I can uncheck "Allow all computers which successfully authenticate to relay, regardless of the list above."

3. I have an internal DNS entry for mail for both domains (mail.domain1.com and mail.domain2.com) pointing to the internal IP for the Virtual SMTP.

4. The Connections Button on the Access tab for my Virtual SMTP has "All except the list below" checked.

5. The Access Control Button has Anonymous Access, Basic Authentication, and Integrated Windows Authentication all checked.

6. My Delivery Tab has mail.domain1.com as the fully qualified domain name. I don't have a smart host so that is blank.

7. I don't have perform reverse DNS checked as some of our company email contacts don't have that properly configured.  Am I right to assume that if it is checked, email without a correct reverse DNS will be bounced?

8. My Outbound Security Button on the Delivery Tab only has the "Anonymous Access" checked. The rest are blank.

Thanks again for your help and patience.

Sembee commented:
With regards to your internal DNS, Exchange doesn't care. You can have entries or not, it will not affect email flow.
The reverse DNS option on the SMTP virtual server is a waste of time. Many people would like it to reject email based on a reverse DNS lookup failure, but it doesn't. All it does is slow things down with no benefit other than an extra line in the SMTP headers about the reverse DNS lookup failing.

Everything else looks fine.

Simon.

jeffreyscottsmith (Author) commented:
When I make my changes to the Relay Area as indicated above, do I need to restart the entire server or can I simply restart the SMTP service?

If no one is actually using POP3, I assume I can disable that service?

Sembee commented:
POP3 isn't enabled by default anyway. If you have changed that behaviour then turn it off.
You don't need to restart the entire server - just SMTP will be fine.

Simon.

jeffreyscottsmith (Author) commented:
Ok, well I made the changes to the relay tab (only the list below and unchecking relay for authenticated users)

I am getting email to users with the Domain1.com (my domain that is my active directory domain and is listed as my FQDN) as primary domain.

However, I am not getting mail to users with domain2.com as their primary email address.

Any thoughts?

Sembee commented:
There could be a host of reasons for that.
Do you get an NDR?

Is the second domain listed in recipient policy?

Simon.

jeffreyscottsmith (Author) commented:
Ah, thanks.  It was in the recipient policy before.  Not sure why it disappeared.  I will modify and let you know if that corrected the issue.

jeffreyscottsmith (Author) commented:
I take from what you indicated above that all domains need to be listed in the recipient policy to be correctly received.

I am waiting for my DNS to propagate to verify this worked.

jeffreyscottsmith (Author) commented:
Do I need to completely restart Exchange for the policy to be implemented?

Sembee commented:
Shouldn't need to.
Exchange will update itself after a little while. As long as the domain is enabled it should work.

Simon.

jeffreyscottsmith (Author) commented:
Ok, I am resolving, but I am getting an unable to relay 550 5.7.1 error for domain2.com.

jeffreyscottsmith (Author) commented:
Sorry, let me clarify. Domains trying to send to domain2.com are getting the unable to relay 550 5.7.1 error for domain2.com; domain1.com is still working fine.

jeffreyscottsmith (Author) commented:
Ok, Exchange SP3 rollup seemed to fix the issue.  Go figure.
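The relay decision this thread circles around (mail for a domain in the recipient policy is local delivery and never relaying; anything else is refused with 550 5.7.1 unless the client is on the relay list or is an authenticated client allowed to relay), as an added Python model written for this page. It is not Exchange's own code, and the IP ranges and domains in it are constructed; it also shows why domain2.com dropping out of the recipient policy produced exactly that error.

```python
# Added illustration of the RCPT TO decision discussed in this thread.
# Simplified stand-in for an SMTP server such as Exchange 2000, not its code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayConfig:
    # Domains in the recipient policy: mail for these is local delivery,
    # so the relay settings below never apply to it.
    accepted_domains: set
    # "Only the list below" on the Relay tab: networks allowed to relay.
    relay_networks: list = field(default_factory=list)
    # "Allow all computers which successfully authenticate to relay".
    relay_for_authenticated: bool = False


def decide_rcpt(cfg: RelayConfig, client_ip: str, authenticated: bool, rcpt: str) -> str:
    """Return the SMTP reply a server with this config gives to RCPT TO:<rcpt>."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in cfg.accepted_domains:
        # Inbound mail for a domain the server owns is accepted from anyone;
        # this is delivery, not relay, so the Relay tab has no say here.
        return "250 2.1.5 OK"
    addr = ip_address(client_ip)
    if any(addr in ip_network(net) for net in cfg.relay_networks):
        return "250 2.1.5 OK"  # explicitly trusted internal host
    if authenticated and cfg.relay_for_authenticated:
        return "250 2.1.5 OK"  # authenticated client permitted to relay
    # Everyone else is refused: the error text quoted in the thread.
    return "550 5.7.1 Unable to relay for " + rcpt


def is_open_relay(cfg: RelayConfig) -> bool:
    """True if an anonymous Internet host could relay to a foreign domain."""
    # 203.0.113.10 is a documentation address standing in for "the Internet".
    reply = decide_rcpt(cfg, "203.0.113.10", False, "someone@example.net")
    return reply.startswith("250")


if __name__ == "__main__":
    # The thread's final symptom: domain2.com missing from the recipient policy.
    broken = RelayConfig(accepted_domains={"domain1.com"})
    print(decide_rcpt(broken, "203.0.113.10", False, "user@domain2.com"))
    fixed = RelayConfig(accepted_domains={"domain1.com", "domain2.com"})
    print(decide_rcpt(fixed, "203.0.113.10", False, "user@domain2.com"))
    print("open relay:", is_open_relay(RelayConfig({"domain1.com"}, ["0.0.0.0/0"])))
```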