Solved

What should I set the Fully Qualified Domain Name to if I have 3 Exchange servers

Posted on 2009-07-05
13
302 Views
Last Modified: 2012-05-07
Hi,
I've got a site with 3 Exchange servers.  There's a problem with some email from some users not being received by outside recipients and I think there's a spam checking issue.  Whilst I've checked spam lists etc., I think one of the problems is setting the correct Fully Qualified Domain Name for each server.

The site uses several email domains, say Dom1.com, Dom2.com etc. They are all used to various degrees but Dom1.com is the main one.

What should I set the FQDN to on each server?  Should I use the masquerade text box too?

(I've put the question to 500 points because I'd appreciate an explanation as well as an answer)

Thanks Experts!
0
Question by:jmsjms
13 Comments
 
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24781161
When you have multiple servers the FQDN value becomes key for internal Exchange routing.
Are the servers split into separate routing groups?
Are you routing email to the internet through just one of those servers?

The fact that you are using multiple domain names is completely immaterial. When it comes to remote sites, what they are looking for is a reverse DNS entry that resolves, and preferably a matching ehlo/helo, which is the FQDN set on the SMTP virtual server.

When it comes to multiple servers, the FQDN should be unique and should resolve INTERNALLY to the correct IP address, as well as externally. Therefore even if the email is being routed through one specific machine, the FQDN should be unique.

I blogged on how the FQDN value burnt my fingers over two years ago.
http://blog.sembee.co.uk/archive/2007/02/19/40.aspx

Basically, with the information you have provided, answering your question isn't possible. It could be any number of values.

Simon.
0
 
LVL 11

Assisted Solution

by:kyodai
kyodai earned 250 total points
ID: 24781667
Agreed, there is too much information missing to give a precise answer. What I would think is crucial here is whether you use a single smarthost/Mail Gateway/Bridgehead server. In our company we have 8 different Internet domains we must handle for mail, but we use an IronPort gateway (2 SG and 2 AV in a redundant setup) to filter out spam/viruses. Like you we have all 3 Exchange servers (handling the 8 domains with a total of ~3500 mailboxes) on one single site. We have just set up the DNS accordingly so all domains have MX records that point to our IronPorts. The IronPorts are set up to accept mail for all 8 domains and route it to our internal Exchange bridgeheads; these route according to domain name to the right Exchange server. We have only one domain with the FQDN as the 1st registered domain (the other 7 came later on), so the Exchange servers' FQDNs (I may not give out real info so I anonymize it) would be exchange1.olddomain.com, exchange2.olddomain.com and so on, although they host mailboxes for totally different domains. The HELO/EHLO on the IronPort also just reflects our olddomain.com, as for technical reasons you obviously can have only 1 per machine, but we have never had problems with that. If however you use the Exchange servers directly connected to the Internet so they are the SMTP gateway, the FQDN might be a problem; in this case you should take a deep look into Simon's blog or directly call him (I heard he gives remote support and consulting for fair rates)  ;)
0
 

Author Comment

by:jmsjms
ID: 24783584
Thanks for your responses.  Hopefully this should give enough info to sort this out then...
-The Servers are in one routing group.
-The routing group has a SMTP connector that sends email to a SMTP Gateway (provided by the ISP).
-Each has its own SMTP connector (I'm not sure if these settings are used or whether the Routing Group SMTP connector is the only one used).

From reading your answers, can I confirm, that I need to give each server a unique FQDN that resolves internally and externally?

Would I therefore have to create MX records for each, even though external email only goes to one of the servers? Or would just a host name do?
0
 

Author Comment

by:jmsjms
ID: 24783689
With regard to how the mail comes in, the MX record (which points to the FQDN of the main server) points to the IP address of the Router/Firewall, i.e. not the actual internal IP of the mail server.  Is this OK?

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24784059
If you are sending email out through the ISPs SMTP server, then the FQDN doesn't matter. It will have no part to play in the delivery of the email messages. Therefore I would just set them to be the server's real name and leave it at that.

If your inbound email is flowing, then don't touch anything on the DNS.

Servers that are doing checks for spam will not be connecting to your server, they will be connecting to your ISPs server, because all they are interested in is whether the server that is delivering the email to them is valid or not.

Simon.
0
 

Author Comment

by:jmsjms
ID: 24785483
Well this is a header from the site to my yahoo address (account name/domains changed)

Notice that the header has a "Received: from mail.thedomain.com " which is the FQDN of the server.

It also refers to MAILSERVER.localdomain.local. which is the local FQDN of the server.


From a user Mon Jul  6 12:37:01 2009
Return-Path: <A.User@thedomain.com>
Authentication-Results: mta123.mail.ird.yahoo.com  from=thedomain.com; domainkeys=neutral (no sig); from=thedomain.com; dkim=neutral (no  sig)
Received: from 81.103.221.47  (EHLO mtaout01-winn.ispmail.ntl.com) (81.103.221.47)
  by mta123.mail.ird.yahoo.com with SMTP; Mon, 06 Jul 2009 12:37:53 +0000
Received: from aamtaout02-winn.ispmail.ntl.com ([81.103.221.35])
          by mtaout01-winn.ispmail.ntl.com
          (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP
          id <20090706123752.UDUJ6742.mtaout01-winn.ispmail.ntl.com@aamtaout02-winn.ispmail.ntl.com>
          for <me@yahoo.co.uk>; Mon, 6 Jul 2009 13:37:52 +0100
Received: from mail.thedomain.com ([80.194.75.131])
          by aamtaout02-winn.ispmail.ntl.com
          (InterMail vG.2.02.00.01 201-2161-120-102-20060912) with ESMTP
          id <20090706123752.HBVA21638.aamtaout02-winn.ispmail.ntl.com@mail.thedomain.com>
          for <me@yahoo.co.uk>; Mon, 6 Jul 2009 13:37:52 +0100
Content-class: urn:content-classes:message
Subject: Test
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----_=_NextPart_001_01C9FE36.930FD211";
	type="multipart/alternative"
Date: Mon, 6 Jul 2009 13:37:01 +0100
Message-ID: <3E715E520A8A6743B6317475A5CC2CEA1C8D@MAILSERVER.localdomain.local>
Thread-Topic: Test
Thread-Index: Acn+J+zzRNuJyqQyQyCzYga2tKcDKgADoiuy
References: <3E715E520A8A6743B6317475A5CC2CEA295A@MAILSERVER.localdomain.local>
From: "A User" <A.User@thedomain.com>
To: <me@yahoo.co.uk>
Content-Length: 12643

0
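An added example, not part of the thread or of any Exchange tooling: it parses the Received: chain from the header posted above to show which hop the final receiving MTA (here Yahoo) actually evaluated, runs a forward-confirmed rDNS check against each hop, and applies Simon's earlier rule that every server needs a unique FQDN that resolves internally to its own address and also resolves externally. All DNS answers are constructed lookup tables (the PTR for 80.194.75.131 is assumed missing to show the failing case; the mail1/mail2/mail3.thedomain.com names and 10.0.0.x addresses are invented), so the script runs offline.

```python
"""Added example, not from the thread: Received: chain parsing, FCrDNS check
and per-server FQDN consistency check over constructed DNS data."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample built from the Received: lines posted in the thread
# (InterMail "id <...>" lines omitted; header folding kept as posted).
SAMPLE_HEADERS = """\
Received: from 81.103.221.47  (EHLO mtaout01-winn.ispmail.ntl.com) (81.103.221.47)
  by mta123.mail.ird.yahoo.com with SMTP; Mon, 06 Jul 2009 12:37:53 +0000
Received: from aamtaout02-winn.ispmail.ntl.com ([81.103.221.35])
          by mtaout01-winn.ispmail.ntl.com with ESMTP
          for <me@yahoo.co.uk>; Mon, 6 Jul 2009 13:37:52 +0100
Received: from mail.thedomain.com ([80.194.75.131])
          by aamtaout02-winn.ispmail.ntl.com with ESMTP
          for <me@yahoo.co.uk>; Mon, 6 Jul 2009 13:37:52 +0100
Subject: Test
"""

# Constructed DNS views (not real records). The ISP relays have matching
# PTR/A pairs; the customer's public name forward-resolves to the firewall
# address, which is assumed to have no PTR at all.
PTR_TABLE = {"81.103.221.47": "mtaout01-winn.ispmail.ntl.com",
             "81.103.221.35": "aamtaout02-winn.ispmail.ntl.com"}
A_TABLE = {"mtaout01-winn.ispmail.ntl.com": "81.103.221.47",
           "aamtaout02-winn.ispmail.ntl.com": "81.103.221.35",
           "mail.thedomain.com": "80.194.75.131"}

# Constructed internal/external views for three hypothetical servers.
SERVERS = {"mail1.thedomain.com": "10.0.0.11",
           "mail2.thedomain.com": "10.0.0.12",
           "mail3.thedomain.com": "10.0.0.13"}
INTERNAL_VIEW = dict(SERVERS)
EXTERNAL_VIEW = {"mail1.thedomain.com": "80.194.75.131",
                 "mail2.thedomain.com": "80.194.75.131"}   # mail3 never published


@dataclass
class Hop:
    from_name: str          # token after "from": hostname or literal IP
    helo: str               # EHLO/HELO name if recorded, else from_name
    ip: Optional[str]       # connecting address as stamped by the receiver
    by: Optional[str]       # the MTA that wrote this Received: line


IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
EHLO_RE = re.compile(r"\((?:EHLO|HELO)\s+([^\s)]+)\)", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
LITERAL_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw: str) -> List[Hop]:
    """Hops in header order: index 0 was stamped by the final receiving MTA."""
    hops: List[Hop] = []
    for line in unfold(raw):
        m = re.match(r"Received:\s*from\s+(\S+)(.*)", line, re.I)
        if not m:
            continue
        from_name, rest = m.group(1), m.group(2)
        ip_m, helo_m, by_m = IP_RE.search(rest), EHLO_RE.search(rest), BY_RE.search(rest)
        ip = ip_m.group(1) if ip_m else (from_name if LITERAL_IP.fullmatch(from_name) else None)
        hops.append(Hop(from_name, helo_m.group(1) if helo_m else from_name,
                        ip, by_m.group(1) if by_m else None))
    return hops


def evaluated_hop(hops: List[Hop]) -> Hop:
    """A receiver only checks the peer that connected to it: the topmost hop."""
    return hops[0]


def fcrdns_ok(ip: str, helo: str,
              ptr: Callable[[str], Optional[str]] = PTR_TABLE.get,
              fwd: Callable[[str], Optional[str]] = A_TABLE.get) -> bool:
    """Forward-confirmed rDNS: PTR(ip) equals the EHLO name and resolves back to ip."""
    name = ptr(ip)
    return name is not None and name.lower() == helo.lower() and fwd(name) == ip


def audit(raw: str) -> List[dict]:
    """Per-hop summary: what a receiver saw and whether FCrDNS would pass."""
    return [{"helo": h.helo, "ip": h.ip, "by": h.by,
             "fcrdns": fcrdns_ok(h.ip, h.helo) if h.ip else False}
            for h in parse_received(raw)]


def fqdn_consistency(servers: Dict[str, str],
                     internal: Callable[[str], Optional[str]],
                     external: Callable[[str], Optional[str]]) -> Dict[str, bool]:
    """Each FQDN must be unique, resolve internally to the server's own address,
    and resolve externally to something (the public address fronting it)."""
    unique = len({n.lower() for n in servers}) == len(servers)
    return {n: unique and internal(n) == ip and external(n) is not None
            for n, ip in servers.items()}


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS):
        print(row)
    print("receiver evaluated:", evaluated_hop(parse_received(SAMPLE_HEADERS)).helo)
    print(fqdn_consistency(SERVERS, INTERNAL_VIEW.get, EXTERNAL_VIEW.get))
```

Running it shows that the only hop Yahoo evaluated is the NTL relay (mtaout01-winn.ispmail.ntl.com, which passes FCrDNS), while the customer's own mail.thedomain.com hop fails the check but was never examined by Yahoo, which is the point Simon makes below; the consistency check flags mail3 because its name is not published externally.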

Author Comment

by:jmsjms
ID: 24785498
So yahoo is only  checking against mtaout01-winn.ispmail.ntl.com?

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24785778
If you are sending email out through NTL's server, then that is the only thing they are looking for. It doesn't matter that the email originated from another system - the receiving server doesn't care.

Simon.
0
 

Author Comment

by:jmsjms
ID: 24785847
Thanks for confirming that Simon.  

The ISP asked for the FQDN of the MAIL servers. It could be that the ISP checks the FQDN.  I've sent a request to find out what they use it for.

If they don't need it to be resolvable externally then I'll use the host@local domain FQDN.

If they do then I'll set up Internet-resolvable FQDNs for the servers and sort out a local forward lookup zone to ensure local clients can reach them.

Does this sound like a plan?  Thanks again.


0
 
LVL 65

Expert Comment

by:Mestha
ID: 24785956
What ISP asked for the FQDN?
When you are using a smart host to route email, it is impossible to know what is happening to the messages. All you can do is track that the messages were sent to the smart host, that is all.
In this scenario, the smarthost is the internet facing server, as the others route the email through them. Therefore the internal reference is completely immaterial.

I don't think setting the FQDN to a public name will help because that isn't what the remote servers are looking at. All it does is make a cleaner header, which 99.9% of people don't even look at.

Simon.
0
 

Author Comment

by:jmsjms
ID: 24786222
Sorry should have been clearer.  The site is linked to the Internet via the ISP.  This ISP also offers a SMTP gateway and they asked for the FQDN of the main server(s).

I don't know why they are asking for it, so I've asked them and am awaiting a response.

0
 
LVL 11

Expert Comment

by:kyodai
ID: 24787680
Well in this case it is really unclear why they ask for the FQDN; all they need is your external IP that is listening on port 21 (it will probably be your firewall that has a rule to NAT that IP/port to the Exchange server in your network which is routing all the mails). The ISP definitely does not need an FQDN name, as in your own network you could change it on a daily basis if you find that funny; the ISP just needs to set their mail routing to route all mails for your internet domain to your external IP with port 21 NATed to your Exchange. You could even supply several of your external IPs if you have more than 1 server set up to do mail routing. They don't need your FQDN as they could not use it anyway; in a private network you could use all possible and impossible FQDNs. They should not be interested in what's behind your firewall; whether you use nasty animal names for the FQDN or myhostsucks.com is none of their business, this is your internal network. Asking for such info already sounds like social engineering. ;)  I am curious what they will reply, but probably just that it was a mistake...
0
 

Author Comment

by:jmsjms
ID: 24803975
Yep I thought it was weird.  I've just had a message back saying that they only check IP address for SMTP relay authentication.  Beforehand they said they used FQDN and Email domain....

Anyway, I've made some changes that seem to have fixed things. They are:

1- Set up an individual FQDN that is resolvable on the Internet on each mail server.
2- Changed the IP setting on each server's SMTP connector from 'Any' to their internal IP (from Simon's blog entry).

Although this shouldn't have made a difference I can now get emails from the mail server to my own email account when I couldn't before.

Thanks very much to both of you.
0