Asked by davidfrank

Relay Issues with SBS2008 and Exchange 2007, is there a better way?

Thanks in advance.
I have just moved all my emails over to a new SBS2008 server from a SBS2003 server. Everything has gone fine, users are getting emails and MX records are working fine. But I have a number of concerns and issues I am unsure about, and 5 questions concerning relaying with SBS2008.

I hit an issue when I needed around 30 various devices from security cameras, NAS drives, software (Acronis backup) etc... to send me an email if they hit a failure. I basically need to relay.
Some devices have the ability to be authenticated and some do not, so I set up two hub transport rules, "Allow Relay Demand Authentication" and "Allow Relay No Authentication", by creating these two as receive connectors, then created a second alternate IP address on the server especially for relays from devices to communicate with.

The first problem is that with SBS2003 nearly all the systems authenticated in some way (username and password), but now most of the devices will not authenticate with SBS2008 and I have basically created a lot of open relay ports! Can I restrict the relays to be only internal senders? Can I somehow get things back to the way they were with SBS2003?

The second is that if one piece of software on a server will not authenticate with SBS2008, then because the receive connectors are addressing an IP address, all software on that server has to relay with no authentication, since I cannot have two receive connectors with rules for the same IP address. Can this be worked around?

The third concern is that the 2008SBS server itself needs to send me alerts from the "AVG Admin Console" and the "Acronis system", but I do not seem to be able to send to the SBS2008 server from within the SBS2008 server. How can I do this?

When I had the SBS2003 server I could mount a discreet security camera to cover our stores area and then send emails into the network from the WAN, but I can no longer do this. Is this possible?















SOLUTION
rehamris

This solution is only available to members.
ASKER CERTIFIED SOLUTION
Cliff Galiher

This solution is only available to members.
davidfrank (ASKER)

Thanks for all the advice, I am going to have a look at it and absorb.
Yes, the notification emails from the internal devices do not need to email externally (except one server), so interesting comment from Cgaliher that I do not need to relay. I did try emailing without authentication but it would not work until I created a receive connector. So I am trying to understand: what you are saying is that a device within the network can send to any internal recipient without needing to create a receive connector?
No authentication needed (username, password)?

Thanks Usecomp, I did have a small issue with GFI with the scanner, but got it sorted.

Rehamris, I like the idea of moving away from port 25 for those devices that can be set up to use a different port (got some that can only use 25).

Thanks MSAbry06, hopefully someone can use these links.

I think, looking at the responses, that the relay rules need to be:
1. Do not relay unless you have to.
2. If you do, try to use a different port than 25 and an alternate IP.


I am going to go back to the Acronis, NAS drives etc. and see if I can do it without creating receive connectors.
@Rehamris
Yes, the above internal relay test worked.

But I cannot get it to work with the Acronis (or the other devices); basically my "internal relay" will not work.

I presume the receive connector I am connecting to is "Default servername"?
The settings for this receive connector are:

Permission groups are
Exchange Users
Exchange Servers
Legacy Exchange Servers

Authentication is
Transport Layer Security (TLS)
Basic Authentication
Offer Basic Authentication only after TLS
Exchange Server authentication
Integrated Windows authentication

Network range is
all the internal IPs except routers.

Receive mail is on the primary IP

When sending from the device my settings are:
I am sending from the test Acronis and other units, to test this solution brought by yourself and Cgaliher, using the primary IP of the server as the outgoing mail server on port 25 (this is the IP listed in the network tab under listening IPs, with port 25).
Recipient is myself@yourcompany.com

I have left the username and password blank. (It does not work when I put the password and username in either.)

But I have configured a "device user" (as a default sender) as the sender if needed; this was how I did it in SBS2003, and then gave the user and device relay permission.


The device send still fails. (Unless I totally make this receive connector require no authentication, which is probably a bad idea.)

Any advice most appreciated.

Hi

Thanks, the answer is a mix of everything I have been advised of; yes, relaying internally should not be a big issue.

For the programs that required a login (mandatory) I just upgraded to ones that actually gave me a choice.

As for the NAS drives that need a password, unfortunately the remaining ones have now gone to the big storage solution heaven in the sky and eBay; the new ones give me a choice of relay options.

For relay programs running on the server itself I found using 127.0.0.1 as the IP address the solution.
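
The two rules the asker arrives at (do not relay unless you have to; if you do, use an alternate IP and a port other than 25) can be expressed in the Exchange Management Shell as below. This is an added example, not taken from any answer in this thread; the connector name, the IP addresses and the port are constructed placeholders. It assumes the devices only need to reach internal recipients.

```powershell
# Added example for the Exchange Management Shell on the Exchange 2007 server.
# All names and addresses below are constructed placeholders.
$altBinding = "192.168.10.3:2525"               # alternate server IP, non-25 port
$deviceIPs  = "192.168.10.50", "192.168.10.51"  # only the devices that cannot authenticate

# Anonymous submission limited to the listed devices. The AnonymousUsers
# permission group does not include ms-Exch-SMTP-Accept-Any-Recipient, so
# these senders can only reach recipients in the organization's accepted
# domains: the devices can alert internal mailboxes but cannot relay out.
New-ReceiveConnector -Name "Device Alerts (internal only)" -Usage Custom `
    -Bindings $altBinding -RemoteIPRanges $deviceIPs `
    -PermissionGroups AnonymousUsers

# Audit: report every receive connector on which anonymous senders hold the
# relay right, together with the source addresses it accepts connections from.
# A wide range such as 0.0.0.0-255.255.255.255 in that report is an open relay.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $relayAce = $connector |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
    if ($relayAce) {
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
        "{0}: anonymous relay allowed from {1}" -f $connector.Name, [string]::Join(", ", $ranges)
    }
}
```

Any connector the audit reports should have its `RemoteIPRanges` narrowed to the individual hosts that genuinely need to send to external recipients.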