
Enable internal Exchange Server to send mail to external relay

Last Modified: 2013-11-30
Hi-

I need some Exchange advice. We have an Exchange Server 2003 that is internal (192.168.*.*). This server also has an external interface on it. We would like for all e-mail to be relayed through another external server. This external server is actually the MX record for our domain, and does all content- and rule-based filtering through Trend Micro IMSS. The problem we are running into is that we see the external interface on the internal Exchange server is sending out mail, and since it is not registered as the mail record, we are getting blocked as a spam source once a week. (We are not an open relay from the testing I have done.)

Here is more information:

Under our Default SMTP Virtual server Properties.

IP address: All Unassigned <-- Should this be set to the Internal interface IP Address?

Access tab: Relay Restrictions button, radio button selected for "Only the list below". In this list we have multiple entries: some IIS servers that are external, some internal groups defined by our internal IP addresses, and a couple of IPs I have no idea what they are. This is also a red flag for me right now. We also have "Allow all computers which successfully authenticate to relay" checked.

Under the Delivery Tab: FQDN of the Internal server.

In our Routing Groups:

  We have forward all mail through this connector through the following smarthost. The external server's IP is entered in [serverip].

How do I set up our internal Exchange server to relay mail to the external server that has the MX record for the domain? Any help would be appreciated.

The fact that your sending server is not your MX record would not cause you to be blacklisted. You likely have some other problem. This server has two NICs, one with a public IP?

If you do want all mail to flow through to the other server, you need to make sure your lowest-cost SMTP/Routing connector is set to forward all mail to your other server, and that the address space for SMTP addresses has the wildcard "*".

Author

Commented:
Yes, that is correct. There is an IP on the server that is a public IP. No idea why this was done in the past. But I have been tasked with figuring out why we are constantly getting blacklisted. I am just grasping for anything at this point.

Is the forwarding controlled by the entries in the address space for the Routing Group Connectors? We do not have anything related to our domain in this box. We do have a few other domains that are not ours listed, though.

Author

Commented:
I tried adding the wildcard and all outgoing mail stopped.
It is possible that your external server is denying relaying from this computer. You should modify the SMTP Virtual Server on the external server to allow relay from this server. Also, can you please let me know everything you have on your current sending server's connector list?
The above assumes your other server is Exchange. There will be another way to do it for other mail servers.
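Added example, not part of the original thread: the quickest way to confirm the suspicion in the reply above is to open one SMTP session to the relay from the internal server and look at the status code it returns to RCPT TO for an outside recipient. That code (250 versus 550 "Unable to relay") is also what the internal server's SMTP log would show for each failed delivery attempt. The `relay_probe` function below does exactly that and resets the transaction so nothing is queued; `FakeRelay` is a constructed stand-in for the IMSS box, implementing only the relay rule that matters here (local domains always accepted, any other recipient only from listed client addresses). All hostnames and addresses are assumptions for the example.

```python
import smtplib
import socket
import threading


def relay_probe(host, port, helo_name, mail_from, rcpt_to, timeout=10):
    """Open one SMTP session to `host` and return (code, text) for RCPT TO.

    250 means the server will relay for us; a 5xx (typically 550 "Unable to
    relay") means it will not. The transaction is reset before QUIT, so no
    message is queued anywhere.
    """
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
        smtp.ehlo()
        code, text = smtp.mail(mail_from)
        if code != 250:
            return code, text.decode(errors="replace")
        code, text = smtp.rcpt(rcpt_to)
        smtp.rset()
        return code, text.decode(errors="replace")


class FakeRelay:
    """Constructed stand-in for the IMSS box, listening on a loopback port.

    Only the relay rule that matters for the thread is implemented: recipients
    in `local_domains` are always accepted, any other recipient is accepted
    only when the connecting client address is in `allowed_relays`.
    """

    def __init__(self, local_domains, allowed_relays):
        self.local_domains = {d.lower() for d in local_domains}
        self.allowed_relays = set(allowed_relays)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, (client_ip, _) = self.sock.accept()
            threading.Thread(target=self._session, args=(conn, client_ip), daemon=True).start()

    def _session(self, conn, client_ip):
        def reply(line):
            conn.sendall(line.encode() + b"\r\n")

        reply("220 relay.example.test ESMTP")
        with conn, conn.makefile("rb") as lines:
            for raw in lines:
                line = raw.decode(errors="replace").rstrip("\r\n")
                verb = line.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    reply("250 relay.example.test")
                elif verb in ("MAIL", "RSET", "NOOP"):
                    reply("250 OK")
                elif verb == "RCPT":
                    # Relay decision: local recipient, or a client we trust to relay.
                    domain = line.split("@")[-1].rstrip(">").lower()
                    if domain in self.local_domains or client_ip in self.allowed_relays:
                        reply("250 OK")
                    else:
                        reply("550 5.7.1 Unable to relay")
                elif verb == "QUIT":
                    reply("221 Bye")
                    break
                else:
                    reply("502 Command not implemented")


if __name__ == "__main__":
    # Constructed demo: the same probe against a relay that does not list us and one that does.
    for label, relay in (("not on relay list", FakeRelay(["example.com"], [])),
                         ("on relay list", FakeRelay(["example.com"], ["127.0.0.1"]))):
        print(label, relay_probe("127.0.0.1", relay.port, "exch.internal.example",
                                 "it@example.com", "someone@elsewhere.example"))
```

Against the real box, call `relay_probe` with the IMSS address and port 25 from the internal server's own interface; a 550 on an outside recipient while a local recipient gets 250 is the relay-list problem, not a routing one.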

Author

Commented:
I tried a test this morning. I disabled the external interface on my internal server and added the SMTP routing for the internal interface on my external IMSS box. Everything looked as if it was being sent to the internal server, but the mail queue was filling up and no external e-mail was coming in. On my internal server I added the external server as a smart host in the Default Virtual Server Delivery tab. Not sure that it had a positive effect. I eventually went back to the original config and enabled the external interface. We are seeing a lot of traffic through the Check Point firewall from this external interface. I have reason to believe this is why we are getting blacklisted.

DO you want the list from the internal server? Or the external server that should be relaying?
The external server does not have Exchange installed, just IMSS from Trend Micro.
You can check the SMTP logs on the internal server to see why it was not allowed to relay through the IMSS server. I am not familiar with IMSS; can it do outbound filtering as well? It is likely you would have to tell it to accept relaying from your internal server.

This is beside the point, as again your outbound server getting blacklisted is not because it is not the MX record. It is probably actually sending out spam. To lock it down a bit, you should only allow SMTP traffic in to your Exchange server from the receiving server (the Trend server). This would prevent NDR attacks and the like. You should speak with your ISP and have a reverse DNS record set up for your outbound server's IP that points to the A record that your Exchange server advertises itself as (Properties on SMTP virtual server > Delivery > Advanced > Fully-qualified Domain Name). You will have to make sure it advertises itself as a name that resolves back to its IP. You may even want to set up an SPF record for your domain. I have seen that SBC/AT&T has been blacklisting a lot of people for things like the rDNS record. Who is blacklisting you, and does it give a specific reason code?

See the following site for help creating your SPF record (likely not required, but it can help):
http://old.openspf.org/wizard.html
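Added example, not part of the original thread: the two DNS checks the reply above asks for, written the way a receiving MTA or blacklist operator evaluates them. `fcrdns` does forward-confirmed reverse DNS (the PTR name for the outbound IP must resolve back to that IP) and also reports whether the PTR name matches the FQDN the SMTP virtual server advertises; `spf_result` evaluates a published SPF record against a sending IP for the mechanisms the openspf wizard emits. The zone data is constructed and the names and addresses are assumptions (203.0.113.0/24 is a documentation range): 203.0.113.10 plays the IMSS box that is the MX, 203.0.113.25 the firewall's public address.

```python
import ipaddress

# Constructed zone data standing in for live DNS (assumptions for the example).
#   203.0.113.10  the IMSS box: MX for example.com, PTR -> mx.example.com
#   203.0.113.25  the firewall's public address that ended up on the blacklist
FAKE_DNS = {
    ("PTR", "203.0.113.10"): ["mx.example.com."],
    ("A", "mx.example.com."): ["203.0.113.10"],
    ("MX", "example.com."): ["mx.example.com."],
    ("TXT", "example.com."): ["v=spf1 mx ip4:203.0.113.10 -all"],
    ("PTR", "203.0.113.25"): ["203-0-113-25.static.isp.example."],
    ("A", "203-0-113-25.static.isp.example."): ["203.0.113.25"],
}


def fqdn(name):
    """Canonical lookup key: lowercase with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(rrtype, name):
    """Stand-in resolver; a real one with the same (rrtype, name) -> list shape drops in."""
    return FAKE_DNS.get((rrtype, name), [])


def fcrdns(ip, advertised_fqdn, resolve=lookup):
    """Forward-confirmed reverse DNS: the PTR name for `ip` must resolve forward
    to `ip` again. Also reports whether that PTR name equals the name the SMTP
    virtual server advertises. Returns (forward_confirmed, matches_advertised, ptr_name)."""
    for ptr in resolve("PTR", ip):
        if ip in resolve("A", fqdn(ptr)):
            return True, fqdn(ptr) == fqdn(advertised_fqdn), ptr.rstrip(".")
    return False, False, None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, ip, resolve=lookup, depth=0):
    """Minimal SPF (RFC 7208) evaluator for ip4, ip6, a, mx, include and all.
    Returns pass, fail, softfail, neutral, none (no record) or permerror."""
    if depth > 10:
        return "permerror"
    records = [t for t in resolve("TXT", fqdn(domain)) if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Address-family mismatch simply does not match.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in resolve("A", fqdn(arg or domain))
        elif mech == "mx":
            matched = any(ip in resolve("A", fqdn(mx))
                          for mx in resolve("MX", fqdn(arg or domain)))
        elif mech == "include":
            matched = spf_result(arg, ip, resolve, depth + 1) == "pass"
        else:
            return "permerror"  # redirect=/exp= modifiers and other mechanisms not handled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' terminator


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.25"):
        print(ip, fcrdns(ip, "mx.example.com"), spf_result("example.com", ip))
```

The firewall address in the sample passes plain rDNS (its ISP-assigned name resolves back), yet it is neither the advertised name nor in SPF, which is the combination the thread describes: mail leaving from an address the domain never said it sends from.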

Author

Commented:
OK, another newbie question. "You should only allow SMTP traffic in to your Exchange server from the receiving server (the Trend server)" <--- where is this done?

spamhaus.org, CBL and barracudacentral are the main ones. The strange thing is that the IP listed in the blacklist is our firewall, so it must be coming from an internal source.
 
Properties on SMTP Virtual Server, Access tab, Connection button.
Again though, what blacklist were you on, and was there a specific reason/error code cited?

Author

Commented:
I think the reason stated was cutwail/botnet.
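Added example, not part of the original thread, for the situation the last two posts describe: the listing is for the firewall's NAT address and the reason is a botnet, so the question becomes which internal host is opening outbound tcp/25 connections through the firewall without being the mail relay. The script parses constructed connection-log lines in a generic key=value form (an assumed format, not Check Point's own export), groups accepted outbound port-25 connections by internal source, and reports every source that is not on the allow-list and has reached several different mail servers directly. Addresses are documentation-range assumptions: 192.168.10.5 is the internal Exchange server, 203.0.113.10 the IMSS relay.

```python
import re
from collections import defaultdict

# Constructed log lines (assumed key=value format). 198.51.100.x and the other
# 203.0.113.x addresses are arbitrary outside mail servers.
SAMPLE_LOG = """\
2013-11-28T09:12:01 action=accept proto=tcp src=192.168.10.5 dst=203.0.113.10 dport=25
2013-11-28T09:12:07 action=accept proto=tcp src=192.168.10.44 dst=198.51.100.7 dport=25
2013-11-28T09:12:09 action=accept proto=tcp src=192.168.10.44 dst=198.51.100.23 dport=25
2013-11-28T09:12:12 action=accept proto=tcp src=192.168.10.80 dst=198.51.100.7 dport=80
2013-11-28T09:12:15 action=accept proto=tcp src=192.168.10.5 dst=203.0.113.10 dport=25
2013-11-28T09:12:20 action=accept proto=tcp src=192.168.10.44 dst=203.0.113.99 dport=25
2013-11-28T09:12:21 action=drop proto=tcp src=192.168.10.44 dst=198.51.100.50 dport=25
2013-11-28T09:12:30 action=accept proto=tcp src=192.168.10.44 dst=198.51.100.61 dport=25
2013-11-28T09:12:33 action=accept proto=tcp src=192.168.10.80 dst=203.0.113.10 dport=25
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """One key=value log line to a dict; the leading timestamp has no '=' and is skipped."""
    return dict(FIELD.findall(line))


def outbound_smtp_by_source(lines):
    """Map each internal source to the set of external hosts it reached on tcp/25
    over an accepted connection (drops are not counted: they never left)."""
    dests = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f.get("action") == "accept" and f.get("proto") == "tcp" and f.get("dport") == "25":
            dests[f["src"]].add(f["dst"])
    return dests


def direct_senders(lines, allowed_senders, min_distinct_dst=3):
    """Sources not on the allow-list that reached at least min_distinct_dst
    different mail servers directly. A normal client never does this; a spam
    bot does little else. Returns [(src, distinct_destinations)], busiest first."""
    suspects = [(src, len(d)) for src, d in outbound_smtp_by_source(lines).items()
                if src not in allowed_senders and len(d) >= min_distinct_dst]
    return sorted(suspects, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, n in direct_senders(SAMPLE_LOG, allowed_senders={"192.168.10.5"}):
        print(f"{src} opened tcp/25 to {n} distinct external hosts")
```

With the allow-list set to the Exchange server's internal address, whatever else appears is the host to take off the network; the same grouping also shows whether the Exchange box itself is talking to anything other than the IMSS relay, which it should not be once the smart host is the only outbound path.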
