If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.
Creating a working relay between two Exchange Servers / SMTP problems
Hi,
We have recently taken over a support contract for a company that is running two Exchange servers, one is running Exchange 6.5 and the other is running Exchange 2007. Their are 5 domains in use on both Servers, one domain is solely used on the Exchange 6.5 and 3 are solely used on the Exchange 2007. The 5th domain has some mailboxes set up on Exchange 6.5 and others set up on Exchange 2007. The MX record for this domain points to the Exchange 6.5 machine and I assume that any mailboxes encountered that reside on the Exchange 2007 machine are relayed to the Exchange 2007 machine. This was working, until the public IP address was changed on both PC's. Emails are still being received and relayed to the Exchange 2007 machine, but emails sent from the domain in sole use on the Exchange 6.5 machine are bounced back to the sender with the error "#5.7.1 smtp;550 5.7.1 Unable to relay for <email address sent to>". If I change the SMTP connector on the Exchange 6.5 machine to forward through the ISP SMTP server (smtp.eclipse.co.uk) then the emails send fine, but the relay between the Exchange 6.5 machine and Exchange 2007 machine stops working.
Can anyone offer any clues as to why this is happening?
We have recently taken over a support contract for a company that is running two Exchange servers, one is running Exchange 6.5 and the other is running Exchange 2007. Their are 5 domains in use on both Servers, one domain is solely used on the Exchange 6.5 and 3 are solely used on the Exchange 2007. The 5th domain has some mailboxes set up on Exchange 6.5 and others set up on Exchange 2007. The MX record for this domain points to the Exchange 6.5 machine and I assume that any mailboxes encountered that reside on the Exchange 2007 machine are relayed to the Exchange 2007 machine. This was working, until the public IP address was changed on both PC's. Emails are still being received and relayed to the Exchange 2007 machine, but emails sent from the domain in sole use on the Exchange 6.5 machine are bounced back to the sender with the error "#5.7.1 smtp;550 5.7.1 Unable to relay for <email address sent to>". If I change the SMTP connector on the Exchange 6.5 machine to forward through the ISP SMTP server (smtp.eclipse.co.uk) then the emails send fine, but the relay between the Exchange 6.5 machine and Exchange 2007 machine stops working.
Can anyone offer any clues as to why this is happening?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Relaying in Exchange 2007 as per:
http://exchangepedia.com/blog/2007/01/exchange-server-2007-how-to-allow.html
http://exchangepedia.com/blog/2007/01/exchange-server-2007-how-to-allow.html
Thanks for this. I've got rid of the original problem. However, I'm now getting the following bouncebacks when mail is sent internally from the Exchange 6.5 server to the Exchange 2007 server:-
exchange.<domain>.com #5.7.1 smtp;554 5.7.1 Spam blocked <IP address of Exchange 6.5 server> found in dnsbl.sorbs.net
and the following bounceback when sent to some external addresses:-
exchange.<domain>.com #5.5.0 smtp;554 Transaction Failed Spam Message not queued
I've checked the list at sorbs.net and the IP address is listed here, but on no other SPAM blacklist. I can't understand why the Exchange 2007 Server would be blocking emails from IP's blacklisted in dnsbl.sorbs.net when all the Anti-Spam features in Exchange 2007 are turned off. Sorbs.net robots have refused a request to de-list the IP address for reasons I cannot understand from their email and FAQ's. Any ideas how I can stop Exchange 2007 checking SPAM blacklists, and how we can de-list from sorbs.net?
exchange.<domain>.com #5.7.1 smtp;554 5.7.1 Spam blocked <IP address of Exchange 6.5 server> found in dnsbl.sorbs.net
and the following bounceback when sent to some external addresses:-
exchange.<domain>.com #5.5.0 smtp;554 Transaction Failed Spam Message not queued
I've checked the list at sorbs.net and the IP address is listed here, but on no other SPAM blacklist. I can't understand why the Exchange 2007 Server would be blocking emails from IP's blacklisted in dnsbl.sorbs.net when all the Anti-Spam features in Exchange 2007 are turned off. Sorbs.net robots have refused a request to de-list the IP address for reasons I cannot understand from their email and FAQ's. Any ideas how I can stop Exchange 2007 checking SPAM blacklists, and how we can de-list from sorbs.net?
Are both these servers in the same Exchange Organization? From the way it is configured I would say not. If they are in separate orgs then do the following.
For the internal domains set up a separate SMTP connectors so the messages go internally rather than via the internet, so the messages from Exchange 6.5 to to Exchange 2007 would come from the 6.5 server's internal IP address rather than from the internet IP address and will therefore not be found in block lists.
So on Exchange 2003 setup a new SMTP connector with the address space of the Exchange 2007 domains, set this connector to forward direct to the Exchange 2007 server. Change your internet connector (the one with the address space of *) to a slightly higher cost (like 5 if it is 1 now) so the domain messages go over their SMTP connector and not just out to the internet
Do the same on Exchange 2007 and setup Send Connectors to send the Exchange 2003 domain mails direct to it instead of via the internet. Only send internal domains via the internet if you have external AV scanning and you want that extra level of protection for your "internal messages".
Configuring SMTP send connectors on Exchange 2007 is mentioned here:
http://www.petri.co.il/configuring-exchange-2007-send-connectors.htm
For the internal domains set up a separate SMTP connectors so the messages go internally rather than via the internet, so the messages from Exchange 6.5 to to Exchange 2007 would come from the 6.5 server's internal IP address rather than from the internet IP address and will therefore not be found in block lists.
So on Exchange 2003 setup a new SMTP connector with the address space of the Exchange 2007 domains, set this connector to forward direct to the Exchange 2007 server. Change your internet connector (the one with the address space of *) to a slightly higher cost (like 5 if it is 1 now) so the domain messages go over their SMTP connector and not just out to the internet
Do the same on Exchange 2007 and setup Send Connectors to send the Exchange 2003 domain mails direct to it instead of via the internet. Only send internal domains via the internet if you have external AV scanning and you want that extra level of protection for your "internal messages".
Configuring SMTP send connectors on Exchange 2007 is mentioned here:
http://www.petri.co.il/configuring-exchange-2007-send-connectors.htm
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
For SORBS de-listing:
Check your domains using mxtoolbox.com and make sure they are not listed as "open relay" domains.
You aren't using dynamic IP addresses for your Exchange Servers are you?
Other than that give yourself the postmaster@yourdomain.com e-mail address or access to that mailbox if it exists and then fill in the SORBS forms with that e-mail address and they should delist you. I have found that filling in the forms with a valid postmaster e-mail address certainly helps.
Check your domains using mxtoolbox.com and make sure they are not listed as "open relay" domains.
You aren't using dynamic IP addresses for your Exchange Servers are you?
Other than that give yourself the postmaster@yourdomain.com e-mail address or access to that mailbox if it exists and then fill in the SORBS forms with that e-mail address and they should delist you. I have found that filling in the forms with a valid postmaster e-mail address certainly helps.
When I do an SMTP check on the domain, I get the following result:-
May be an open relay.
0 seconds - Good on Connection time
0.874 seconds - Good on Transaction time
Reverse DNS FAILED! This is a problem.
Warning - Reverse DNS does not match SMTP Banner
Strangely, it doesn't appear on the Sorbs blacklist here when doing a blacklist: check. When you check Sorbs directly, the IP address is blacklisted as part of a block. Re-reading the email, I think that's why they refused the request - because it was part of a block of IP addresses that had been blacklisted.
The Exchange Servers are on Static IP addresses.
I've tried setting up a Send connector on Exchange 2003 - never used Exchange 2003 so I'm unfamiliar with "Bridgeheads" and the such. Hopefully, I've set it up right.
Does this mean I'd also be able to set up another SMTP connector to forward mail sent to certain domains through the ISP's SMTP server? This could temporarily resolve the IP block issue when sending to certain domains.
May be an open relay.
0 seconds - Good on Connection time
0.874 seconds - Good on Transaction time
Reverse DNS FAILED! This is a problem.
Warning - Reverse DNS does not match SMTP Banner
Strangely, it doesn't appear on the Sorbs blacklist here when doing a blacklist: check. When you check Sorbs directly, the IP address is blacklisted as part of a block. Re-reading the email, I think that's why they refused the request - because it was part of a block of IP addresses that had been blacklisted.
The Exchange Servers are on Static IP addresses.
I've tried setting up a Send connector on Exchange 2003 - never used Exchange 2003 so I'm unfamiliar with "Bridgeheads" and the such. Hopefully, I've set it up right.
Does this mean I'd also be able to set up another SMTP connector to forward mail sent to certain domains through the ISP's SMTP server? This could temporarily resolve the IP block issue when sending to certain domains.
To confirm, I entered the following:-
In the "Local Bridgeheads", I chose the only SMTP Virtual Server that was available.
In the "Forward all mail through this connector to the following smart hosts", I entered the IP address of the Exchange 2007 Server in square brackets.
In the "Address Space" tab, I entered the domains served by the Exchange 2007 server with a cost of 1.
I then changed the other SMTP connector with the address space * to a cost of 5.
Is there anything else I need to do, or is that it?
In the "Local Bridgeheads", I chose the only SMTP Virtual Server that was available.
In the "Forward all mail through this connector to the following smart hosts", I entered the IP address of the Exchange 2007 Server in square brackets.
In the "Address Space" tab, I entered the domains served by the Exchange 2007 server with a cost of 1.
I then changed the other SMTP connector with the address space * to a cost of 5.
Is there anything else I need to do, or is that it?
As for Sorbs, yes, you could set the intenet address space * connector to send via your ISP's SMTP server for now... Or leave it that way forever, if you want, but I prefer to send to mailservers direct.
You need to do a whois on your domain/IP address and that should then say in there somewhere "ISP static address" then just forward that info to sorbs using the postmaster account and they should then remove you because you are not a dynamic address. I had to do this for a client once where an RBL had them listed as coming from a dynamic address pool when they were using a static IP address. WHOIS said static and once I sent them an e-mail/filled in their form from the postmaster e-mail address, the RBL delisted the IP address.
You need to do a whois on your domain/IP address and that should then say in there somewhere "ISP static address" then just forward that info to sorbs using the postmaster account and they should then remove you because you are not a dynamic address. I had to do this for a client once where an RBL had them listed as coming from a dynamic address pool when they were using a static IP address. WHOIS said static and once I sent them an e-mail/filled in their form from the postmaster e-mail address, the RBL delisted the IP address.
Thanks for your help so far... Seems like the Sorbs problem is solve. However, when sending from domains on the Exchange 2003 Server to domains on the Exchange 2007 Server after adding the SMTP connector as suggested, we're getting bouncebacks about 48 hours later as such:-
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<exchange.<domain>.com #4.4.7>
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<exchange.<domain>.com #4.4.7>
Can you telnet into port 25 of the Exchange 2007 server from the Exchange 2003 and send a test message to one of the Exchange 2007 domains from the internal Exchange 2003 domain?
http://support.microsoft.com/kb/153119/en-us
telnet ex2007servername 25
EHLO myE2k3domain.com
MAIL FROM: validuser@myE2k3domain.com
RCPT TO: internaluser@myE2k7domain.
DATA
Subject: This is a test message from E2k3 to E2k7
test time: 16:18
.
QUIT
http://support.microsoft.com/kb/153119/en-us
telnet ex2007servername 25
EHLO myE2k3domain.com
MAIL FROM: validuser@myE2k3domain.com
RCPT TO: internaluser@myE2k7domain.
DATA
Subject: This is a test message from E2k3 to E2k7
test time: 16:18
.
QUIT
I'm getting as far as MAIL FROM: but getting:-
220 gw-serv.<domain>.local Microsoft ESMTP MAIL Service ready at Mon, 29 Mar 20
10 10:54:46 +0100
EHLO <domain>.com
250-gw-serv.<domain>.local
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
MAIL FROM: <user>@<2k3domain>.com
501 5.1.7 Invalid address
MAIL FROM: <another user>@<2k3domain>.com
501 5.5.4 Unrecognized parameter
RCPT TO: <user>@<2k7domain>.com notify=success,failure
503 5.5.2 Need mail command
All email addresses exist...
220 gw-serv.<domain>.local Microsoft ESMTP MAIL Service ready at Mon, 29 Mar 20
10 10:54:46 +0100
EHLO <domain>.com
250-gw-serv.<domain>.local
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
MAIL FROM: <user>@<2k3domain>.com
501 5.1.7 Invalid address
MAIL FROM: <another user>@<2k3domain>.com
501 5.5.4 Unrecognized parameter
RCPT TO: <user>@<2k7domain>.com notify=success,failure
503 5.5.2 Need mail command
All email addresses exist...
Ok and if you try and send a message as if it is coming in from the internet?
MAIL FROM: youraddress@hotmail.com does it accept it?
MAIL FROM: youraddress@hotmail.com does it accept it?
This is what I get when trying to send from a Hotmail address:-
220 gw-serv.<2k7domain>.local Microsoft ESMTP MAIL Service ready at Mon, 29 Mar 20
10 11:21:49 +0100
EHLO <2k3domain>.com
250-gw-serv.<2k7domain>.lo
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
MAIL FROM: <me>@hotmail.co.uk
500 5.3.3 Unrecognized command
RCPT TO: <user>@<2k7domain>.com
500 5.3.3 Unrecognized command
220 gw-serv.<2k7domain>.local Microsoft ESMTP MAIL Service ready at Mon, 29 Mar 20
10 11:21:49 +0100
EHLO <2k3domain>.com
250-gw-serv.<2k7domain>.lo
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
MAIL FROM: <me>@hotmail.co.uk
500 5.3.3 Unrecognized command
RCPT TO: <user>@<2k7domain>.com
500 5.3.3 Unrecognized command
I take it where you have <me> you have something real like mymailaddress and are not actually typing <>?
Do you have an Edge Transport server configured or anything else? Are you hitting the internet facing exchange 2007 server with the telnet commands?
Maybe we should simply change the E2k3 SMTP connector to send the External/Internet IP address of the Exchange 2007 server for those domains or just use DNS... which is pretty much the same as having no internal SMTP connector...
Do you have an Edge Transport server configured or anything else? Are you hitting the internet facing exchange 2007 server with the telnet commands?
Maybe we should simply change the E2k3 SMTP connector to send the External/Internet IP address of the Exchange 2007 server for those domains or just use DNS... which is pretty much the same as having no internal SMTP connector...
"I take it where you have <me> you have something real like mymailaddress and are not actually typing <>?"
Of course!!
"Do you have an Edge Transport server configured or anything else? Are you hitting the internet facing exchange 2007 server with the telnet commands?"
No and Yes
"Maybe we should simply change the E2k3 SMTP connector to send the External/Internet IP address of the Exchange 2007 server for those domains or just use DNS... which is pretty much the same as having no internal SMTP connector..."
That's how it is set up currently, is this wrong? Should I change it to use the internal IP address, or Server name? Remember, we had to do this originally to prevent any internally sent email from passing through the internet due to a blacklisted IP address, so using DNS would put us back to square one...
Of course!!
"Do you have an Edge Transport server configured or anything else? Are you hitting the internet facing exchange 2007 server with the telnet commands?"
No and Yes
"Maybe we should simply change the E2k3 SMTP connector to send the External/Internet IP address of the Exchange 2007 server for those domains or just use DNS... which is pretty much the same as having no internal SMTP connector..."
That's how it is set up currently, is this wrong? Should I change it to use the internal IP address, or Server name? Remember, we had to do this originally to prevent any internally sent email from passing through the internet due to a blacklisted IP address, so using DNS would put us back to square one...
I thought you said the SORBS issue was now solved?
Have a look at this article on how to setup the connectors between Exchange 2003 and Exchange 2007 that are in separate Orgs/forests:
http://technet.microsoft.com/en-us/library/bb123546(EXCHG.80).aspx
Scroll down to the "Exchange 2007 to Exchange 2003" section and read on from there.
Have a look at this article on how to setup the connectors between Exchange 2003 and Exchange 2007 that are in separate Orgs/forests:
http://technet.microsoft.com/en-us/library/bb123546(EXCHG.80).aspx
Scroll down to the "Exchange 2007 to Exchange 2003" section and read on from there.
I meant that by adding a second SMTP connector that sends mail to certain domains through the ISP's SMTP server has solved the problem with getting bouncebacks stating the IP has been blacklisted... Should have made this clearer! Sorbs still have the IP address blacklisted, although the ISP are on the case...
Will look through that document. Would it just be easier adding the domains on the Exchange 2007 server to the SMTP connector that sends through the ISP's SMTP server for now? At least, until the ISP can get Sorbs to de-list the IP Address.
Will look through that document. Would it just be easier adding the domains on the Exchange 2007 server to the SMTP connector that sends through the ISP's SMTP server for now? At least, until the ISP can get Sorbs to de-list the IP Address.
Have a look at Option 1 on here which should allow your E2k3 server to bypass spam checking when communicating with the Exchange 2007 server:
http://msexchangeteam.com/archive/2006/12/28/432013.aspx
this doesn't require a certificate or TLS. something like this probably already existed if it was working before, so just confirm that the correct IP address of the Exchange 2003 server is listed in the Receive Connector.
http://msexchangeteam.com/archive/2006/12/28/432013.aspx
this doesn't require a certificate or TLS. something like this probably already existed if it was working before, so just confirm that the correct IP address of the Exchange 2003 server is listed in the Receive Connector.
Thanks for the points. Did you get it all working (sending internally) or did they finally remove you off the SORBS blacklist?
Yeah, I ended up creating an SMTP connector to send internal mail and mail to problem domains via the ISP SMTP Server. Worked fine after that! Thanks for the pointers, couldn't have figured it out without them.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Word 2013 Part … 198 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Outlook 2013 Par… 191 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
You probably have the old IP address of the 6.5 server listed on the Exchange 2007 for allowed relaying, this needs to be updated.