Creating a working relay between two Exchange Servers / SMTP problems

Hi,

We have recently taken over a support contract for a company that is running two Exchange servers, one is running Exchange 6.5 and the other is running Exchange 2007. There are 5 domains in use on both servers, one domain is solely used on the Exchange 6.5 and 3 are solely used on the Exchange 2007. The 5th domain has some mailboxes set up on Exchange 6.5 and others set up on Exchange 2007. The MX record for this domain points to the Exchange 6.5 machine and I assume that any mailboxes encountered that reside on the Exchange 2007 machine are relayed to the Exchange 2007 machine. This was working, until the public IP address was changed on both PCs. Emails are still being received and relayed to the Exchange 2007 machine, but emails sent from the domain in sole use on the Exchange 6.5 machine are bounced back to the sender with the error "#5.7.1 smtp;550 5.7.1 Unable to relay for <email address sent to>". If I change the SMTP connector on the Exchange 6.5 machine to forward through the ISP SMTP server (smtp.eclipse.co.uk) then the emails send fine, but the relay between the Exchange 6.5 machine and Exchange 2007 machine stops working.

Can anyone offer any clues as to why this is happening?
1 Solution
 
MegaNuk3 commented:
So let me get this right... Exchange 2003 (6.5) is sending mails out via the Exchange 2007 server? Why is it set to do that? Exchange should be set to send internet mail out to servers via DNS or to a smart host (ISP). DNS is preferred because the Exchange server will attempt direct delivery to the mail servers of that domain and not wait for something else to forward it (like the ISP SMTP server).

You probably have the old IP address of the 6.5 server listed on the Exchange 2007 for allowed relaying, this needs to be updated.

Robox1 (Author) commented:
Thanks for this. I've got rid of the original problem. However, I'm now getting the following bouncebacks when mail is sent internally from the Exchange 6.5 server to the Exchange 2007 server:

exchange.<domain>.com #5.7.1 smtp;554 5.7.1 Spam blocked <IP address of Exchange 6.5 server> found in dnsbl.sorbs.net

and the following bounceback when sent to some external addresses:

exchange.<domain>.com #5.5.0 smtp;554 Transaction Failed Spam Message not queued

I've checked the list at sorbs.net and the IP address is listed here, but on no other SPAM blacklist. I can't understand why the Exchange 2007 Server would be blocking emails from IPs blacklisted in dnsbl.sorbs.net when all the Anti-Spam features in Exchange 2007 are turned off. Sorbs.net robots have refused a request to de-list the IP address for reasons I cannot understand from their email and FAQs. Any ideas how I can stop Exchange 2007 checking SPAM blacklists, and how we can de-list from sorbs.net?

MegaNuk3 commented:
Are both these servers in the same Exchange Organization? From the way it is configured I would say not. If they are in separate orgs then do the following.

For the internal domains set up separate SMTP connectors so the messages go internally rather than via the internet, so the messages from Exchange 6.5 to Exchange 2007 would come from the 6.5 server's internal IP address rather than from the internet IP address and will therefore not be found in block lists.

So on Exchange 2003 set up a new SMTP connector with the address space of the Exchange 2007 domains, and set this connector to forward direct to the Exchange 2007 server. Change your internet connector (the one with the address space of *) to a slightly higher cost (like 5 if it is 1 now) so the domain messages go over their SMTP connector and not just out to the internet.

Do the same on Exchange 2007 and set up Send Connectors to send the Exchange 2003 domain mails direct to it instead of via the internet. Only send internal domains via the internet if you have external AV scanning and you want that extra level of protection for your "internal messages".

Configuring SMTP send connectors on Exchange 2007 is mentioned here:
http://www.petri.co.il/configuring-exchange-2007-send-connectors.htm


MegaNuk3 commented:
For SORBS de-listing:
Check your domains using mxtoolbox.com and make sure they are not listed as "open relay" domains.

You aren't using dynamic IP addresses for your Exchange Servers are you?

Other than that give yourself the postmaster@yourdomain.com e-mail address or access to that mailbox if it exists and then fill in the SORBS forms with that e-mail address and they should delist you. I have found that filling in the forms with a valid postmaster e-mail address certainly helps.

Robox1 (Author) commented:
When I do an SMTP check on the domain, I get the following result:

 May be an open relay.
 0 seconds - Good on Connection time
 0.874 seconds - Good on Transaction time
 Reverse DNS FAILED! This is a problem.
 Warning - Reverse DNS does not match SMTP Banner

Strangely, it doesn't appear on the Sorbs blacklist here when doing a blacklist check. When you check Sorbs directly, the IP address is blacklisted as part of a block. Re-reading the email, I think that's why they refused the request - because it was part of a block of IP addresses that had been blacklisted.

The Exchange Servers are on Static IP addresses.

I've tried setting up a Send connector on Exchange 2003 - never used Exchange 2003 so I'm unfamiliar with "Bridgeheads" and the such. Hopefully, I've set it up right.

Does this mean I'd also be able to set up another SMTP connector to forward mail sent to certain domains through the ISP's SMTP server? This could temporarily resolve the IP block issue when sending to certain domains.


Robox1 (Author) commented:
To confirm, I entered the following:

In the "Local Bridgeheads", I chose the only SMTP Virtual Server that was available.

In the "Forward all mail through this connector to the following smart hosts", I entered the IP address of the Exchange 2007 Server in square brackets.

In the "Address Space" tab, I entered the domains served by the Exchange 2007 server with a cost of 1.

I then changed the other SMTP connector with the address space * to a cost of 5.

Is there anything else I need to do, or is that it?

MegaNuk3 commented:
That's it, now test and Exchange 2003 should be able to send to Exchange 2007 no problems.

MegaNuk3 commented:
As for Sorbs, yes, you could set the internet address space * connector to send via your ISP's SMTP server for now... Or leave it that way forever, if you want, but I prefer to send to mailservers direct.

You need to do a whois on your domain/IP address and that should then say in there somewhere "ISP static address" then just forward that info to sorbs using the postmaster account and they should then remove you because you are not a dynamic address. I had to do this for a client once where an RBL had them listed as coming from a dynamic address pool when they were using a static IP address. WHOIS said static and once I sent them an e-mail/filled in their form from the postmaster e-mail address, the RBL delisted the IP address.

Robox1 (Author) commented:
Thanks for your help so far... Seems like the Sorbs problem is solved. However, when sending from domains on the Exchange 2003 Server to domains on the Exchange 2007 Server after adding the SMTP connector as suggested, we're getting bouncebacks about 48 hours later as such:

Could not deliver the message in the time limit specified.  Please retry or contact your administrator.
    <exchange.<domain>.com #4.4.7>

MegaNuk3 commented:
Can you telnet into port 25 of the Exchange 2007 server from the Exchange 2003 and send a test message to one of the Exchange 2007 domains from the internal Exchange 2003 domain?

http://support.microsoft.com/kb/153119/en-us

telnet ex2007servername 25
EHLO myE2k3domain.com
MAIL FROM: validuser@myE2k3domain.com
RCPT TO: internaluser@myE2k7domain.com notify=success,failure
DATA
Subject: This is a test message from E2k3 to E2k7
test time: 16:18
.
QUIT
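The same EHLO / MAIL FROM / RCPT TO check as an added Python example (not from this thread or from the Microsoft KB article): relay_test() walks the steps and returns the first one the receiving server rejects together with its enhanced status code, so a 550 5.7.1 at the RCPT step is the "Unable to relay" bounce from the question, while a 4xx reply is the kind of refusal that later expires as a #4.4.7 bounce. Hostnames, addresses and the Scripted replay are constructed; against a live server pass `socket.create_connection((host, 25)).makefile("rw", encoding="ascii", newline="")` as `io`.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(\d\.\d{1,3}\.\d{1,3})?")   # code, continuation, enhanced code

def read_reply(io):
    """Read one SMTP reply, multi-line (250-...) form included; return (code, enhanced)."""
    first = None
    while True:
        m = REPLY.match(io.readline().rstrip("\r\n"))
        first = first or m
        if not m or m.group(2) == " ":             # "250 " is the final line of a reply
            return (int(first.group(1)), first.group(3) or "") if first else (0, "")

def send(io, cmd):
    io.write(cmd + "\r\n")
    getattr(io, "flush", lambda: None)()           # socket streams are buffered, the fake is not
    return read_reply(io)

def relay_test(io, helo, mail_from, rcpt_to):
    """Run EHLO/MAIL/RCPT and return (step, code, enhanced) for the first failure, or OK."""
    # Addresses go in <> with no embedded whitespace: everything after the first
    # space on a MAIL/RCPT line is parsed as an ESMTP parameter (the NOTIFY= here).
    steps = (("BANNER", None), ("EHLO", f"EHLO {helo}"),
             ("MAIL", f"MAIL FROM:<{mail_from}>"),
             ("RCPT", f"RCPT TO:<{rcpt_to}> NOTIFY=SUCCESS,FAILURE"))
    for step, cmd in steps:
        code, enh = send(io, cmd) if cmd else read_reply(io)
        if code // 100 != 2:                       # 220 banner / 250 are the only good answers
            send(io, "QUIT")
            return step, code, enh
    send(io, "RSET")                               # abandon the transaction: nothing is delivered
    send(io, "QUIT")
    return "OK", code, enh

class Scripted:
    """Fake server that replays constructed replies in order, so this runs offline."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def readline(self):
        return self.replies.pop(0) + "\r\n"
    def write(self, data):
        self.sent.append(data.strip())

RELAY_DENIED = [  # constructed replay of the relay-denied case in the original question
    "220 gw-serv.example.local Microsoft ESMTP MAIL Service ready",
    "250-gw-serv.example.local Hello [192.0.2.10]", "250-DSN", "250 XRDST",
    "250 2.1.0 Sender OK", "550 5.7.1 Unable to relay for user@example.com",
    "221 2.0.0 Service closing transmission channel"]
```

Because the test stops at RSET, nothing is queued on either server; a clean "OK" means the receive connector accepts relay for that recipient domain from the address you connected from.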
 
Robox1 (Author) commented:
I'm getting as far as MAIL FROM: but getting:

220 gw-serv.<domain>.local Microsoft ESMTP MAIL Service ready at Mon, 29 Mar 2010 10:54:46 +0100
EHLO <domain>.com
250-gw-serv.<domain>.local Hello [IP ADDRESS]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
MAIL FROM: <user>@<2k3domain>.com
501 5.1.7 Invalid address
MAIL FROM: <another user>@<2k3domain>.com
501 5.5.4 Unrecognized parameter
RCPT TO: <user>@<2k7domain>.com notify=success,failure
503 5.5.2 Need mail command

All email addresses exist...

MegaNuk3 commented:
Ok and if you try and send a message as if it is coming in from the internet?
 MAIL FROM: youraddress@hotmail.com does it accept it?

Robox1 (Author) commented:
This is what I get when trying to send from a Hotmail address:

220 gw-serv.<2k7domain>.local Microsoft ESMTP MAIL Service ready at Mon, 29 Mar 2010 11:21:49 +0100
EHLO <2k3domain>.com
250-gw-serv.<2k7domain>.local Hello [IP ADDRESS]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
MAIL FROM: <me>@hotmail.co.uk
500 5.3.3 Unrecognized command
RCPT TO: <user>@<2k7domain>.com
500 5.3.3 Unrecognized command

MegaNuk3 commented:
I take it where you have <me> you have something real like mymailaddress and are not actually typing <>?

Do you have an Edge Transport server configured or anything else? Are you hitting the internet-facing Exchange 2007 server with the telnet commands?

Maybe we should simply change the E2k3 SMTP connector to send the External/Internet IP address of the Exchange 2007 server for those domains or just use DNS... which is pretty much the same as having no internal SMTP connector...


Robox1 (Author) commented:
"I take it where you have <me> you have something real like mymailaddress and are not actually typing <>?"
Of course!!

"Do you have an Edge Transport server configured or anything else? Are you hitting the internet facing exchange 2007 server with the telnet commands?"
No and Yes

"Maybe we should simply change the E2k3 SMTP connector to send the External/Internet IP address of the Exchange 2007 server for those domains or just use DNS... which is pretty much the same as having no internal SMTP connector..."
That's how it is set up currently, is this wrong? Should I change it to use the internal IP address, or Server name? Remember, we had to do this originally to prevent any internally sent email from passing through the internet due to a blacklisted IP address, so using DNS would put us back to square one...

MegaNuk3 commented:
I thought you said the SORBS issue was now solved?

Have a look at this article on how to setup the connectors between Exchange 2003 and Exchange 2007 that are in separate Orgs/forests:
http://technet.microsoft.com/en-us/library/bb123546(EXCHG.80).aspx

Scroll down to the "Exchange 2007 to Exchange 2003" section and read on from there.

Robox1 (Author) commented:
I meant that by adding a second SMTP connector that sends mail to certain domains through the ISP's SMTP server has solved the problem with getting bouncebacks stating the IP has been blacklisted... Should have made this clearer! Sorbs still have the IP address blacklisted, although the ISP are on the case...

Will look through that document. Would it just be easier adding the domains on the Exchange 2007 server to the SMTP connector that sends through the ISP's SMTP server for now? At least, until the ISP can get Sorbs to de-list the IP Address.

MegaNuk3 commented:
Have a look at Option 1 on here which should allow your E2k3 server to bypass spam checking when communicating with the Exchange 2007 server:

http://msexchangeteam.com/archive/2006/12/28/432013.aspx

This doesn't require a certificate or TLS. Something like this probably already existed if it was working before, so just confirm that the correct IP address of the Exchange 2003 server is listed in the Receive Connector.

MegaNuk3 commented:
Thanks for the points. Did you get it all working (sending internally) or did they finally remove you off the SORBS blacklist?

Robox1 (Author) commented:
Yeah, I ended up creating an SMTP connector to send internal mail and mail to problem domains via the ISP SMTP Server. Worked fine after that! Thanks for the pointers, couldn't have figured it out without them.

MegaNuk3 commented:
No problem.