Solved

Exchange 2010 - Relay Access Denied on sent messages

Posted on 2010-11-09
7
1,809 Views
Last Modified: 2012-05-10
Hi all,

I recently got a new Fiber line in the office to replace our current provider. Upon testing, I have discovered a small problem with the mail system.

The configuration is as such: We have an Exchange 2010 server that sends out all our mail. For incoming mail ONLY, we use Microsoft Forefront (outgoing mail does not pass through forefront). The reverse DNS lookup on our external mail IP goes to mail.ourdomain.com which then points to Forefront. This has always been the case (the mechanics of the environment haven't changed, just the external IP address)

The problem is that now, we have people who cannot send email to recipients at ONE domain (they too are using Forefront for their MX record). They receive a Relay Access Denied error from our Exchange server. All emails to other domains are sending problem free. This issue did not exist prior to changing the ISP.

I have tried changing the reverse DNS to point to our external mail IP (no success) and I have telnetted into both my mail server and the recipient mail server and neither shows a Relay Access Denied when I type in the rcpt to: command.

Does anyone have any idea?
0
Comment
Question by:ITCraig
  • 3
  • 2
  • 2
7 Comments
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34093676
Try to have the other company flush dns on Forefront server.
0
 

Author Comment

by:ITCraig
ID: 34093757
In both cases, this is hosted Forefront. I do not believe you can flush DNS on the Microsoft servers. Am I wrong?
0
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34093764
Well there really isn't a reason to use both Internet connections at the same time. Plus it is no fun to configure for overflow. Although you can use your verizon for local Internet and mpls only for MAN traffic and other sites internet. Yes connect the switches set your gateway for all devices to your 5510 and had route in 5510 to point all mpls traffic to your mpls router.
0
Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34095755
Yes, you are wrong, you can flush dns on Windows servers.

Although Forefront only inspects inbound mail in your setup, I assume the ip address that email is being received upon at your external router is also the same IP address that outbound mail leaves the external router?

How long ago did you change the external IP address and the 'A' record that relates to your mail MX record?
0
 

Accepted Solution

by:
ITCraig earned 0 total points
ID: 34095817
Thanks Keith. I know you can flush dns in Windows, but being a hosted service, I cannot flush the DNS on Microsoft's servers stored in a data facility who knows where.

I changed the DNS records more than a week ago. This problem only became apparent this week. Because this is running through Forefront, the MX on my domian never changed - since it points to the Forefront server (on which I changed the IP to deliver mail to).
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34095976
I guess I am missing something here - have I picked this up correctly?

In your opening post, your nslookup of your MX record resolves to mail.ourdomain.com - lets say this is 5.5.5.5
Performing a reverse lookup of 5.5.5.5 gives you mail.ourdomain.com

Traffic is moved from here (presumably the external IP of your external router) to the Forefront box and from there forwarded internally to the Exchange services.
Mail leaves your Exchange and directly goes to the external router - I assume does some form of NAT and leaves as 5.5.5.5 as the source address on route to wherever it is going?
0
 

Author Closing Comment

by:ITCraig
ID: 34740689
I was able to resolve the issue separately.

To clarify, Microsoft Forefront can be hosted inside a company's outer perimeter or it can be hosted by Microsoft at one of their facilities and a company just points their MX record to the Microsoft servers and they forward the mail to the company's mail server. That is the service I had been referring to.

Thanks everyone for your comments.
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now