Solved

Help with exchange 2007 recieve connector

Posted on 2011-02-13
16
718 Views
Last Modified: 2012-05-11
I am installing a new server with Exchange 2007. I have two recieve connectors. one with the FQDN of the internal server (i.e. server.domain.local) and one for the Internet with a FQDN for the public address of the server (i.e. mail.domain.com). When I try to telnet to port 25 on this server from an external location, I get "220 server.domain.local Microsoft ESMTP MAIL Service", when I would expect "220 mail.domain.com Microsoft ESMTP MAIL Service". If I proceed with the test then in response to the "rcpt to" statement, I get "550 5.7.1 Unable to relay for administrator@domain.com". I am interpreting this as the internal connector recieveing external email, but I do now know how or why.  The only clue I have is an error in the event log "Receive connector 192.168.1.1:25 requires Transport Layer Security (TLS) before the MailFrom command can be run, but the server can't achieve it. Check the authentication settings of this connector."

While I have googled this, it does not mean much to me. The implication would be that I have somehow messed up the certificate for the recieve connector, but I do not know if this is correct or how to correct it. I am afraid certificates are a bit of a black art to me!

Can anyone advise/help?

Thanks
Alan

Other information:
The internal connector is set to TLS authentication with Basic, Exchange and Intergrated also ticked. Permissions are all set except partners
The Internet connector is set to TLS authentication and permissions to only anonymous.
0
Comment
Question by:solplus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 3
16 Comments
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34883397
in the Exchange powershell...

set-ReceiveConnector "Default **SERVERNAME**" -permissiongroups:"ExchangeUsers,ExchangeServers,ExchangeLegacyServers,AnonymousUsers"

changing **SERVERNAME** for your server name...
0
 

Author Comment

by:solplus
ID: 34883436
Thanks for the quick response, but having run that, I am still getting response from "server.domain.local" instead of "mail.domain.com" and end up with the message  "Unable to relay for administrator".

The event log yet again has two entries which coincide in time with my test "Receive connector <IP Address>:25 requires Transport Layer Security (TLS) before the MailFrom command can be run, but the server can't achieve it. Check the authentication settings of this connector." One for the real IP of the connector and one for 127.0.0.1.

Regards
Alan
 
0
 
LVL 10

Expert Comment

by:Korbus
ID: 34883550
your server needs someway to distiguish between connections from your LAN and from the WAN.  You can assign multiple IP addresses to the NIC, and bind each to a different Recieve connector.

Your router may also be able to alter the port on wich incomming connections are recieved, this would also provide a way to distiguish the LAN vs WAN requests,
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:solplus
ID: 34883731
I have. I put the internal network range onto the internal connector and everything else on to the Internet connector! It is either ignoring it or as I have read elsewhere it cannot match the connector with a certificate and so drops through to the default connector. I have no idea how to test/prove this or how to correct it if it is the problem.
Thanks
Alan
0
 
LVL 10

Expert Comment

by:Korbus
ID: 34883744
So you are distingushing by the source IP address?  
Thats not really what I meant.  I meant create a new destination IP address on your server, and forward to that IP, all incomming WAN connections (using your router port forwarding rules).
0
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34883781
is this when your sending from or sending to the exchange server?
0
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34883786
Another setup step is for the send connector

Organization > hub transport > send connectors
new send connector
*
use mx


address space needs to be * as this will be the domains you send to...
0
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34883787
and you need to set the accepted domains...
0
 

Author Comment

by:solplus
ID: 34884027
Sorry, as I said in my initial question, these are my recieve connectors, sending is working fine.
Re Korbus, we are not port forwarding, the server has a public IP which is nat'ed to the internal IP address of the servers network interface.
0
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34884166
Server Config > hub transport > right click on default recieve connector

change the FQDN
0
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34884193
as for the 550.5.7.1 error

have you setup the authoritative domains?
0
 

Author Comment

by:solplus
ID: 34884251
Re: Internal connector FQDN. As far as I can tell the default connectors FQDN is exactly what is should be i.e. ServerName.LocalDomain. What would you have me change it to?

The Internet connectors FQDN is mail.PublicDomain.com. Again, I believe this to be correct, but please tell me otherwise?

Re: "Authorative Domains". Where do I check/set this/these?

Thanks
Alan
0
 
LVL 7

Expert Comment

by:Cuteadder
ID: 34884270
FQDN example: mail.domain.com like mail.yahoo.com

Auth domain: org config > hub transport > accepted domains > make sure your domains are in there: domain.com or yahoo.com
(atleast it is in exchange 2010)
0
 
LVL 10

Expert Comment

by:Korbus
ID: 34885326
"we are not port forwarding, the server has a public IP which is nat'ed to the internal IP "
Wait, so you are forwarding ALL traffic to your mail server?  Not just SMTP,HTTP,HTTPS from the internet?  I dont think that's a good idea, security wise.
NAT providers (weather an ISA server, linux box, or sonicwall device) support port forwarding.

Shot in the dark on why it's not working: the source address you are filtering public vs private on, is being processed as the NAT gateway, rather than the remote server's address.



0
 

Accepted Solution

by:
solplus earned 0 total points
ID: 34895624
Found the answer at Tech Republic (http://www.techrepublic.com/forum/questions/101-242315). Apparently, this happens if you install the SMTP role/service along with Exchange 2007. I had (intuitively) installed this just as I had on all previous versions. When I uninstalled SMTP, inbound mail started working again!
0
 

Author Closing Comment

by:solplus
ID: 34936290
The link to the solution is give in my previous comment. A description of the reason is given in http://www.techrepublic.com/blog/networking/mail-delivery-and-smtp-changes-in-exchange-2007/389.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question