asked on
Enable internal exchange Server to send mail to external Relay.
Hi-
I need some Exchange advise. We have an exchange server 2003 that is internal. 192.168.*.* This server also has an external interface on it. We would like for all e-mail to be relayed through another external server. This external server is actually the mx record for our domain, and does all content and rule based filtering through Trend-micro IMSS. The problem we are running into is that we see the external interface on the internal exchange server is sending out mail. And since it is not registered as the mail record. WE are getting blocked as a spam source once a week. (we are not an open relay from the testing I have done.)
Here is more information:
Under our Default SMTP Virtual server Properties.
IP address: All Unassigned <-- Should this be set to the Internal interface IP Address?
Access TAb: Relay Restrictions Button, Radial clicked for, Only the list below, in this list we have multiple entries. some IIS servers that are external, some internal groups defined by our IP internal address, and a couple of IP's I have no idea what they are.. This is also a red-flag for me right now. We also have Allow all computers which successfully authenticate to relay checked.
Under the Delivery Tab: FQDN of the Internal server.
In our Routing Groups:
We have forward all mail through this connector through the following smarthost. The external server's IP is entered in [serverip].
How to I set up our internal Exchange server to relay mail to the external server that has the mx record for the Domain. Any help would be appreciated..
I need some Exchange advise. We have an exchange server 2003 that is internal. 192.168.*.* This server also has an external interface on it. We would like for all e-mail to be relayed through another external server. This external server is actually the mx record for our domain, and does all content and rule based filtering through Trend-micro IMSS. The problem we are running into is that we see the external interface on the internal exchange server is sending out mail. And since it is not registered as the mail record. WE are getting blocked as a spam source once a week. (we are not an open relay from the testing I have done.)
Here is more information:
Under our Default SMTP Virtual server Properties.
IP address: All Unassigned <-- Should this be set to the Internal interface IP Address?
Access TAb: Relay Restrictions Button, Radial clicked for, Only the list below, in this list we have multiple entries. some IIS servers that are external, some internal groups defined by our IP internal address, and a couple of IP's I have no idea what they are.. This is also a red-flag for me right now. We also have Allow all computers which successfully authenticate to relay checked.
Under the Delivery Tab: FQDN of the Internal server.
In our Routing Groups:
We have forward all mail through this connector through the following smarthost. The external server's IP is entered in [serverip].
How to I set up our internal Exchange server to relay mail to the external server that has the mx record for the Domain. Any help would be appreciated..
Email ProtocolsExchangeWindows Server 2003
Last Comment
joeb1
ASKER
Yes, that is correct. There is an IP on the server that is a public IP. No idea why this was done in the past. But I have been tasked with figuring out why we are constantly getting blacklisted. I am just grasping for anything at this point.
Is the forwarding controlled by the entries in the address space for the Routing Group Connectors? WE do not have anything related to our Domain in this box. We do have a few other Domains that are not ours listed though.
Is the forwarding controlled by the entries in the address space for the Routing Group Connectors? WE do not have anything related to our Domain in this box. We do have a few other Domains that are not ours listed though.
ASKER
I tried adding the wildcard and all outgoing mail stopped
It is possible that your external server is denying relaying from this computer. You should modify the SMTP Virtual Server on the external server to allow relay from this server. Also, can you please let me know everything you have on your current sending server's connector list?
The above assumes your other server is Exchange...There will be another way to do it for other mail servers.
ASKER
I tried a test this morning. I disabled the external interface on my internal server. Added the smtp routing for the internal interface on my external imss box. Everything looked as if it was being sent to the Internal server. But the mail que was filling up. And no external e-mail was coming in. On my internal server. I added external server as a smart host in the Default virtual server delivery tab. Not sure that it had a positive affect. I eventually went back to the original config. and enabled the external interface. WE are seeing a lot of traffic through the checkpoint firewall from this external interface. I have reason to believe this is why we are getting blacklisted.
DO you want the list from the internal server? Or the external server that should be relaying?
The external server does not have exchange installled. Just IMSS from TrendMicro.
DO you want the list from the internal server? Or the external server that should be relaying?
The external server does not have exchange installled. Just IMSS from TrendMicro.
You can check the SMTP logs on the internal server to see why it was not allowed to relay through the IMSS server. I am not familiar with IMSS; can it do outbound filtering as well? It is likely you would have to tell it to accept relaying from your internal server.
This is besides the point, as again your outbound server getting blacklisted is not because it is not the MX record. It is probably actually sending out SPAM. To lock it down a bit, you should only allow SMTP traffic in to your exchange server from the recieving server(the Trend server) This would prevent NDR attacks and the like. You should speak with your ISP and have a Reverse DNS record set up for your outbound server's IP that points to the A record that your exchange server advertises itself as(Properties on SMTP virtual server> Delivery>Advanced>Fully-qu
See the following site for help creating your SPF record(likely not required but it can help):
http://old.openspf.org/wizard.html
This is besides the point, as again your outbound server getting blacklisted is not because it is not the MX record. It is probably actually sending out SPAM. To lock it down a bit, you should only allow SMTP traffic in to your exchange server from the recieving server(the Trend server) This would prevent NDR attacks and the like. You should speak with your ISP and have a Reverse DNS record set up for your outbound server's IP that points to the A record that your exchange server advertises itself as(Properties on SMTP virtual server> Delivery>Advanced>Fully-qu
See the following site for help creating your SPF record(likely not required but it can help):
http://old.openspf.org/wizard.html
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Ok.. anoter newb question.."you should only allow SMTP traffic in to your exchange server from the recieving server(the Trend server)" <--- where is this done at?
spamhaus.org, and CBL, barracudacentral are the main ones. The strange this is that the IP listed in the blacklist is our firewall. So it must be coming from an internal source.
spamhaus.org, and CBL, barracudacentral are the main ones. The strange this is that the IP listed in the blacklist is our firewall. So it must be coming from an internal source.
Properties on SMTP Virtual server, Access Tab, Connection button.
Again though, what blacklist were you on and was there a specific reason/error code cited?
ASKER
i think the reason stated was cutwail/botnet
If you do want all mail to flow through to the other server, you need to make sure your lowest cost SMTP/Routing connector is set to forward all mail to your other server, and that the address space for SMTP addresses has the wildcard "*"