How do I set up Exchange 2003 to send email on a different IP address based on email address?

john2885
MS Exchange Experts,

At my location we have 2 firms that share a domain controller and Exchange store, however each firm has a separate domain (i.e. domain1.com and domain2.com). We currently have an issue in which some of our outbound email gets caught in SPAM filters due to reverse DNS lookups not matching forward DNS lookups. Right now we have 2 PTR records for the same public IP address. This triggers SPAM filters as the expectation is that each domain will have one PTR record. Our planned solution is to have MS Exchange 2003 relay mail on separate private IP addresses based on email address, then have a firewall rule that will forward local SMTP traffic out on separate public IPs based on the internal IP. For example, we have our MS Exchange Server (also the domain controller) set up with two private local IPs (let's say they are 192.168.1.251 and 192.168.1.253). If a user sends email from domain1.com it will go out on local IP 192.168.1.251 and if another user sends email from domain2.com it will go out on 192.168.1.253. On the firewall, we should be able to set up a rule that will take SMTP traffic from 251 and forward it on one of our public IPs and do the same for 253 on a different IP. Is this possible and if so, how would we set it up?
We will be implementing this with a Cisco ASA 5505 firewall and MS Exchange 2003 on Server 2003 Enterprise Edition.
Alan Hardisty, Co-Owner
Commented:
With Exchange 2003 you can only specify outbound email based on recipient domain, not sending domain, so this is not going to be possible unless someone has a better knowledge of Exchange and knows a way of doing this that I don't.
George Sas, IT Engineer

Commented:
Well, you could try this with 2 SMTP connectors.
Not sure it will work correctly as I don't have a test bench to test.

1. SMTP connector with address space * and cost 10 will deliver messages through the first IP address.
At the delivery restrictions you will have a rule: by default messages from everyone are REJECTED, and only accept messages from: and here you add your first domain users.

2. SMTP connector with cost 20 and address space * will deliver messages to the second IP and the delivery restrictions will say REJECTED and accept messages from: and here you add the second domain.

You could try and see if it works this way, else I don't think you can do it with one Exchange server.
Alan Hardisty, Co-Owner
Commented:
GeoSs - I believe that your suggestion will result in most (if not all) messages from the 2nd internal domain being rejected and never going anywhere.
You simply cannot ask Exchange to decide which connector to send over unless you specify the recipient domain.
Internal domains send via the connector with the lowest cost and that's it.  If it gets rejected at the first connector, it fails.  Even if you set up a second connector with a cost of 1 and restrict accepting messages from internal domain 2, some messages will get lucky and some will fail - it will be a 50/50 split.  There is no guaranteed way to do this based on internal sending domain on a single server.
George Sas, IT Engineer
Commented:
alanhardisty: You might be right, you might be wrong :)

If you have the 2 SMTP connectors with the same address space but with different costs, Exchange will try the lower cost first and if it can't deliver through that it will try the cost 20. As I said, I never tried this so can't say for sure it will work.

The simplest way to do this is with 2 Exchange servers and split the users, or simply use the SPF records in the DNS.
You could just call your firewall something like mail.antispamdomain.com or something and point both MX records to it plus use the SPF records to designate the allowed senders.
Simon
Commented:
Exchange will not route based on the sender, it can only route based on the recipient. There is no way of forcing it to do so.

The SMTP Connector method outlined above does not work.
If you have two connectors, one of cost 10 and one of cost 20, both with the address space of * then Exchange will ignore the second connector.
Exchange will try and use the lowest cost connector that matches the address space that it is sending to. If that connector rejects the message then it will not try the second connector, it will simply NDR the email.
The only thing you can do with SMTP connectors with the address space of * is load balance, with the cost identical.

If you are hosting multiple domains on an Exchange server the simple solution is to use the same DNS records for both domains - so the same host name for the MX record host. You can only have one PTR record per IP address, if you have set two then that isn't valid.
Antispam filters are not looking at whether the domain on the reverse DNS record matches the email domain - if they did then they would be rejecting email from all of the major providers (Hotmail email all comes from hotmail.com, even if you have hotmail.co.uk, ditto for Yahoo, Gmail, most of the major USA providers).

Simon.
George Sas, IT Engineer

Commented:
OK, I was not sure about the connectors as I never tried it, but your second option is what I also suggested, though I was not as specific as you were.
Simon

Commented:
Girish_2500 - Neither of those articles are appropriate. Try reading the question rather than just throwing some terms in to Google.

Simon.

Author

Commented:
Simon,

The antispam filters aren't using the domain name from the email address, but they are doing a reverse lookup on the IP address, then taking the resulting domain and doing a forward lookup.  That is what is causing our issue - we are running into some that refuse mail immediately if they see 2 PTR records for an IP.  I think we might be able to solve it like the way you refer to hotmail.
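
The forward-confirmed reverse DNS check john2885 describes (PTR lookup on the sending IP, then a forward lookup on each name that comes back), as an added Python example that is not part of this thread. It runs against constructed zone data in the 198.51.100.0/24 documentation range with the hypothetical hosts mail.domain1.com and mail.domain2.com, not live DNS, and reports separately on a PTR name that does not resolve back and on an IP carrying more than one PTR.

```python
import ipaddress
from typing import Dict, List

# Constructed sample zone data (documentation range 198.51.100.0/24 and the
# hypothetical hosts mail.domain1.com / mail.domain2.com), not real records.
CONSTRUCTED_PTR: Dict[str, List[str]] = {
    "198.51.100.10": ["mail.domain1.com.", "mail.domain2.com."],  # two PTRs
    "198.51.100.11": ["mail.domain1.com."],                        # clean
    "198.51.100.12": ["mail.domain2.com."],                        # stale PTR
    "198.51.100.13": [],                                           # no PTR
}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "mail.domain1.com.": ["198.51.100.10", "198.51.100.11"],
    "mail.domain2.com.": ["198.51.100.10"],
}

def ptr_lookup(ip: str) -> List[str]:
    """Stand-in for a live PTR query; swap in a real resolver to use online."""
    return CONSTRUCTED_PTR.get(ip, [])

def a_lookup(name: str) -> List[str]:
    """Stand-in for a live A query on the name a PTR record returned."""
    return CONSTRUCTED_A.get(name, [])

def fcrdns_check(ip: str) -> Dict[str, object]:
    """Reverse-lookup ip, then forward-lookup each returned name.
    fcrdns: at least one PTR name resolves back to ip (the usual test).
    single_ptr: exactly one PTR record, the stricter test the thread hit."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    names = ptr_lookup(ip)
    confirmed = [n for n in names if ip in a_lookup(n)]
    reasons = []
    if not names:
        reasons.append("no PTR record")
    if len(names) > 1:
        reasons.append(f"{len(names)} PTR records where filters expect 1")
    reasons += [f"{n} does not resolve back to {ip}" for n in names if n not in confirmed]
    fcrdns, single_ptr = bool(confirmed), len(names) == 1
    return {"ip": ip, "ptr_names": names, "confirmed": confirmed,
            "fcrdns": fcrdns, "single_ptr": single_ptr,
            "accepted_by_strict_filter": fcrdns and single_ptr, "reasons": reasons}

def run_all() -> Dict[str, bool]:
    return {ip: bool(fcrdns_check(ip)["accepted_by_strict_filter"]) for ip in CONSTRUCTED_PTR}

if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        r = fcrdns_check(ip)
        print(ip, "PASS" if r["accepted_by_strict_filter"] else "FAIL", "; ".join(r["reasons"]))
```

Only 198.51.100.11 passes the strict verdict; the IP with two PTR records passes plain FCrDNS but is still flagged, which is the behaviour the thread observed.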

Author

Commented:
Thanks experts.  That's about what I thought, although it occurs to me that if we just have one PTR record that might solve all of our problems, as I believe the spam filters just want the forward and reverse lookups to match.
Simon:
My apologies to everyone. I will do as you suggested.
