Solved

Exchange 2010 - Relay Access Denied on sent messages

Posted on 2010-11-09
Last Modified: 2012-05-10
Hi all,

I recently got a new Fiber line in the office to replace our current provider. Upon testing, I have discovered a small problem with the mail system.

The configuration is as such: We have an Exchange 2010 server that sends out all our mail. For incoming mail ONLY, we use Microsoft Forefront (outgoing mail does not pass through Forefront). The reverse DNS lookup on our external mail IP goes to mail.ourdomain.com which then points to Forefront. This has always been the case (the mechanics of the environment haven't changed, just the external IP address).

The problem is that now, we have people who cannot send email to recipients at ONE domain (they too are using Forefront for their MX record). They receive a Relay Access Denied error from our Exchange server. All emails to other domains are sending problem free. This issue did not exist prior to changing the ISP.

I have tried changing the reverse DNS to point to our external mail IP (no success) and I have telnetted into both my mail server and the recipient mail server and neither shows a Relay Access Denied when I type in the rcpt to: command.

Does anyone have any idea?
Question by:ITCraig
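
The manual telnet test described in the question above, as an added example that is not part of the original post: it repeats the EHLO / MAIL FROM / RCPT TO exchange with Python's standard `smtplib` and records the stage and reply code of the first refusal, so the result from your own server and from the recipient's server can be compared. The function names, verdict labels and command-line arguments are assumptions made for this example.

```python
import smtplib
import sys


def classify(code, text):
    """Label one SMTP reply by its code and, for 5xx, by its text."""
    if isinstance(text, bytes):
        text = text.decode(errors="replace")
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "temp-fail"
    # Servers word the refusal differently ("Relay access denied",
    # "Unable to relay"), so match on the word rather than one exact string.
    return "relay-denied" if "relay" in text.lower() else "rejected"


def probe_rcpt(conn, helo_name, sender, recipient):
    """Run EHLO, MAIL FROM and RCPT TO on an open session; DATA is never sent."""
    stages = (
        ("EHLO", lambda: conn.ehlo(helo_name)),
        ("MAIL FROM", lambda: conn.mail(sender)),
        ("RCPT TO", lambda: conn.rcpt(recipient)),
    )
    results = []
    for stage, command in stages:
        code, text = command()
        verdict = classify(code, text)
        results.append((stage, code, verdict))
        if verdict != "accepted":
            break  # the first refusal is the stage that matters
    try:
        conn.rset()  # abandon the transaction so no message is queued
    except smtplib.SMTPException:
        pass  # server already dropped the session
    return results


if __name__ == "__main__":
    # Usage: probe.py <server> <helo-name> <sender> <recipient>
    host, helo_name, sender, recipient = sys.argv[1:5]
    with smtplib.SMTP(host, 25, timeout=15) as conn:
        for stage, code, verdict in probe_rcpt(conn, helo_name, sender, recipient):
            print(f"{host}: {stage} -> {code} ({verdict})")
```

Run it once against each server and compare the stage and code that each one reports.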
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34093676
Try to have the other company flush DNS on Forefront server.
 

Author Comment

by:ITCraig
ID: 34093757
In both cases, this is hosted Forefront. I do not believe you can flush DNS on the Microsoft servers. Am I wrong?
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34093764
Well, there really isn't a reason to use both Internet connections at the same time. Plus it is no fun to configure for overflow. Although you can use your Verizon for local Internet and MPLS only for MAN traffic and other sites' Internet. Yes, connect the switches, set your gateway for all devices to your 5510, and add a route in the 5510 to point all MPLS traffic to your MPLS router.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34095755
Yes, you are wrong, you can flush DNS on Windows servers.

Although Forefront only inspects inbound mail in your setup, I assume the IP address that email is being received upon at your external router is also the same IP address that outbound mail leaves the external router?

How long ago did you change the external IP address and the 'A' record that relates to your mail MX record?
 

Accepted Solution

by:ITCraig
ID: 34095817
Thanks Keith. I know you can flush DNS in Windows, but being a hosted service, I cannot flush the DNS on Microsoft's servers stored in a data facility who knows where.

I changed the DNS records more than a week ago. This problem only became apparent this week. Because this is running through Forefront, the MX on my domain never changed - since it points to the Forefront server (on which I changed the IP to deliver mail to).
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34095976
I guess I am missing something here - have I picked this up correctly?

In your opening post, your nslookup of your MX record resolves to mail.ourdomain.com - let's say this is 5.5.5.5.
Performing a reverse lookup of 5.5.5.5 gives you mail.ourdomain.com.

Traffic is moved from here (presumably the external IP of your external router) to the Forefront box and from there forwarded internally to the Exchange services.
Mail leaves your Exchange and directly goes to the external router - I assume does some form of NAT and leaves as 5.5.5.5 as the source address en route to wherever it is going?
 

Author Closing Comment

by:ITCraig
ID: 34740689
I was able to resolve the issue separately.

To clarify, Microsoft Forefront can be hosted inside a company's outer perimeter or it can be hosted by Microsoft at one of their facilities and a company just points their MX record to the Microsoft servers and they forward the mail to the company's mail server. That is the service I had been referring to.

Thanks everyone for your comments.