
Relay Issues with SBS2008 and Exchange 2007, is there a better way?

Thanks in advance.
I have just moved all my emails over to a new SBS2008 server from a SBS2003 server. Everything has gone fine: users are getting emails and MX records are working fine. But I have a number of concerns and issues I am unsure about, and 5 questions concerning relaying with SBS2008.

I hit an issue when I needed around 30 various devices (security cameras, NAS drives, software such as Acronis backup, etc.) to send me an email if they hit a failure. I basically need to relay.
Some devices have the ability to be authenticated and some do not, so I set up two hub transport rules, "Allow Relay Demand Authentication" and "Allow Relay No Authentication", by creating these two as receive connectors, then created a second, alternate IP address on the server especially for relays from devices to communicate with.

The first problem is that with SBS2003 nearly all the systems authenticated in some way (username and password), but now most of the devices will not authenticate with SBS2008 and I have basically created a lot of open relay ports! Can I restrict the relays to only internal senders? Can I somehow get things back to the way they were with SBS2003?

The second is that if one piece of software on a server will not authenticate with SBS2008 then, because the receive connectors are addressing an IP address, all software on that server has to relay with no authentication, since I cannot have two receive connectors with rules for the same IP address. Can this be worked around?

The third concern is that the SBS2008 server itself needs to send me alerts from the "AVG Admin Console" and the "Acronis system", but I do not seem to be able to send to the SBS2008 server from within the SBS2008 server. How can I do this?

When I had the SBS2003 server I could mount discreet security cameras to cover our stores area and then send emails into the network from the WAN, but I can no longer do this. Is this possible?


Commented:
You can add multiple receive connectors on the same listening IP Address and PORT even if you modify the network that receive connector applies to.

You can also add multiple receive connectors on the same IP Address with DIFFERENT port numbers.  This is how we handle relay for internal devices.  We add a receive connector listening on port 2525 of the same IP Address as the server.  The 2525 receive connector allows unauthenticated relay for specific addresses of specific internal hosts that need it.  We just configure the internal devices to submit on port 2525 of our mail server IP address and all is well.
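
The connector described in the comment above, as an added Exchange Management Shell example that is not part of the original thread and not the commenter's own script. It assumes a Hub Transport server named SBS2008 listening on 192.168.1.10 and three device addresses; all of those names and addresses are placeholders. The security point it makes concrete: the relay connector is scoped to a short list of remote IPs rather than a whole subnet, anonymous submission to local mailboxes only needs the AnonymousUsers permission group, and the ms-Exch-SMTP-Accept-Any-Recipient right (which is what turns a connector into a true relay to outside domains) is granted only when explicitly switched on.

```powershell
# Added example, not from the original thread. Exchange 2007 Management Shell.
# Server name, IP addresses and connector name are assumptions for illustration.
$Server             = "SBS2008"                                    # assumed Hub Transport server
$ServerIP           = "192.168.1.10"                               # assumed primary IP of the server
$DeviceIPs          = "192.168.1.50", "192.168.1.51", "192.168.1.60"  # assumed device addresses
$AllowExternalRelay = $false   # flip to $true only for devices that must mail OUTSIDE the organisation
$Name               = "Relay 2525 (devices)"

# 1. Anonymous connector on port 2525 that answers ONLY the listed remote IPs.
#    A host that is not in RemoteIPRanges never matches this connector, so it is not
#    an open relay; the Default connector on port 25 is untouched.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings "${ServerIP}:2525" -RemoteIPRanges $DeviceIPs `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# 2. AnonymousUsers already allows submission to local (authoritative) recipients.
#    Relaying to external domains additionally needs Accept-Any-Recipient, so grant it
#    only when the devices genuinely have to mail an outside address.
if ($AllowExternalRelay) {
    Get-ReceiveConnector "$Server\$Name" |
        Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
            -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
}

# 3. Review every connector that accepts anonymous submission and what it is scoped to.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, Bindings, RemoteIPRanges, AuthMechanism -AutoSize
```

Point the devices at 192.168.1.10 port 2525 with no credentials. A device that only speaks port 25 can get the same treatment with a connector bound to the alternate IP on port 25, again with RemoteIPRanges limited to that device's address rather than the local IP it talks to; the remote scope is what keeps the connector closed to everything else.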

Commented:
I had a similar problem with a scanner that needed to scan to email.  The problem wasn't authentication, it was the spam filter in Exchange 2007.  We added the sending address to the spam whitelist and everything started going through.

Here is a good guide on using the Exchange command shell to whitelist email addresses.

http://exchangepedia.com/blog/2007/01/exchange-2007-content-filter-whitelist.html
Distinguished Expert 2018
Commented:
Just to be clear, are you sure you need to RELAY. Relaying, by definition, is using the Exchange server to send mail from one outside source to an *outside* destination. If you have these devices email an account local to the Exchange infrastructure then it isn't relaying, and is what I'd strongly recommend for devices on the network. They should notify someone who is participating in the local network if there is a problem (if you are a consultant, for example) and then if you aren't, they can contact you...or you can set up email forwarding via Exchange contacts.  In general, I find very few reasons to relay device emails outside the network directly.

Author

Commented:
Thanks, for all the advice, I am going to have a look at it and absorb.
Yes, the notification emails from the internal devices do not need to email externally (except one server), so an interesting comment from Cqaliher that I do not need to relay. I did try emailing without authentication but it would not work until I created a receive connector. So I am trying to understand: what you are saying is that a device within the network can send to any internal recipient without needing to create a receive connector?
No authentication needed (username, password)?

Thanks Usecomp I did have a small issue with GFI with the scanner, but got it sorted.

Remaris, I like the idea of moving away from port 25 for those devices that can be set up to use a different port (got some that can only use 25).

Thanks MSAbry06, hopefully someone can use these links.

I think, looking at the responses, that the relay rules need to be:
1. Do not relay unless you have to.
2. If you do, try to use a different port than 25 and an alternate IP.


I am going to go back to the Acronis, NAS drives etc. and see if I can do it without creating receive connectors.
Commented:
If the recipients of a message are all internal recipients AND the device sending the message is an internal device (indicated by its IP address), no special receive connector should be necessary, assuming your server can already receive for local recipients without a problem and that the existing connector allows the internal IP subnet. You can test this by manually attempting a message to yourself or another internal recipient from the command prompt (the values in angle brackets are placeholders; the SMTP addresses themselves must be written inside angle brackets):
C:\> telnet <server-ip> 25
HELO test.company.com
MAIL FROM:<sender@yourcompany.com>
RCPT TO:<recipient@yourcompany.com>
DATA
From: "Remote User" <sender@yourcompany.com>
To: "Local User" <recipient@yourcompany.com>
Subject: manual test from an internal host

This is the body of a manual test email. The blank line with just a dot will end this message.
.
quit

C:\>
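
The same conversation as a repeatable check, added here as an example that is not part of the original thread and not the commenter's own script. It performs the HELO / MAIL FROM / RCPT TO exchange twice from whatever host it runs on, once for a local recipient and once for an external one, and abandons both transactions with RSET so nothing is actually sent. The server IP and the addresses are assumptions. Because Exchange chooses the receive connector by the client's remote IP, run it from the device's own host (or another address inside the same RemoteIPRanges) to learn what that device is allowed to do; a 250 to the external recipient from a host that should not be relaying is the "open relay port" the question worries about.

```powershell
# Added example, not from the original thread. Works in Windows PowerShell 2.0 and later.
function Invoke-SmtpRelayProbe {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = "test.company.com",
        [Parameter(Mandatory=$true)][string]$From,
        [Parameter(Mandatory=$true)][string]$To
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"    # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # One SMTP reply may span several lines; every line but the last has '-' in column 4.
    $readReply = {
        do { $line = $reader.ReadLine() } while ($line -ne $null -and $line.Length -ge 4 -and $line[3] -eq '-')
        $line
    }

    try {
        [void](& $readReply)                                        # 220 banner
        $writer.WriteLine("HELO $HeloName");    [void](& $readReply)
        $writer.WriteLine("MAIL FROM:<$From>"); $mailReply = & $readReply
        $writer.WriteLine("RCPT TO:<$To>");     $rcptReply = & $readReply
        $writer.WriteLine("RSET");              [void](& $readReply)  # drop the transaction; no mail is queued
        $writer.WriteLine("QUIT");              [void](& $readReply)
    }
    finally {
        $client.Close()
    }

    New-Object PSObject -Property @{
        Recipient = $To
        MailReply = $mailReply
        RcptReply = $rcptReply
        Accepted  = [bool]($rcptReply -match '^250')
    }
}

# Assumed server IP and sender address (placeholders).
$probe    = @{ Server = "192.168.1.10"; From = "device@yourcompany.com" }
$local    = Invoke-SmtpRelayProbe @probe -To "myself@yourcompany.com"   # local mailbox: expect 250
$external = Invoke-SmtpRelayProbe @probe -To "someone@example.com"      # outside domain: expect a 5xx such as 550 5.7.1

$local, $external | Format-Table Recipient, RcptReply, Accepted -AutoSize
if ($external.Accepted) {
    Write-Warning "The connector that answers this host relays to external domains: that is an open relay for $($env:COMPUTERNAME)."
}
```

Run it once from each class of sender (a device address, an ordinary workstation, and the server itself on 127.0.0.1) and compare: only hosts that were deliberately given the accept-any-recipient right should ever see 250 for the external recipient, and a workstation on the general subnet should see 250 for the local mailbox only if the connector that covers the subnet permits anonymous submission.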

Author

Commented:
@Rehamis
Yes the above internal relay test worked.

But I cannot get it to work with the acronis (or the other devices) basically my "internal relay" will not work.

I presume the receive connector I am connecting to is "Default servername"?
The settings for this receive connector are

Permission groups are
Exchange Users
Exchange Servers
Legacy Exchange Servers

Authentication is
Transport Layer Security (TLS)
Basic Authentication
Offer Basic Authentication only after TLS
Exchange Server authentication
Integrated Windows authentication

Network range is
all the internal IP's except routers.

Receive mail is on the primary IP

When sending from the device my settings are:
I am sending from the test Acronis and other units to test this solution brought by yourself and Cqaliher, using the primary IP of the server as the outgoing mail server on port 25 (this is the IP listed in the network tab's listening IPs, and port 25).
The recipient is myself@yourcompany.com.

I have left the username and password blank. (it does not work when I put the password and username in either)

But I have configured a "device user" (as a default sender) as the sender if needed, this was how I did it in SBS2003 and then gave the user and device relay permission.


The device send still fails (unless I make this receive connector require no authentication at all, which is probably a bad idea).

Any advice most appreciated.

Author

Commented:
Hi

Thanks, the answer is a mix of everything I have been advised; yes, relaying internally should not be a big issue.

For the programs that required a login (mandatory) I just upgraded to ones that actually gave me a choice.

As for the NAS drives that need a password, unfortunately the remaining ones have now gone to the big storage solution heaven in the sky and eBay; the new ones give me a choice of relay options.

For relay programs running on the server itself, I found that using 127.0.0.1 as the IP address was the solution.