SBS2003 from POP3 connector to full service Exchange

Posted on 2011-03-21
Last Modified: 2012-05-11
I have an SBS2003 server installed and working fine as DC, Exchange with POP3 connector behind a DSL connection, SharePoint services and the rest of the bunch. Finally the company decided to invest in a proper link so we can now "unleash" Exchange in full power haha. I'm planning to configure SBS to be a mail server with the domain hosted on it, no www, just MX; it's behind a Zywall35 UTM firewall with a static IP.
Can I have some advice or a howto on first steps and what to do and not to do?
thx in advance!
Question by:bbmservis
LVL 76

Accepted Solution

Alan Hardisty earned 200 total points
ID: 35180863
Okay - first of all - make sure you open TCP Port 25 on your firewall and forward that to your SBS server.

Make sure you have Anti-Spam software installed and configured on your server otherwise you will get plenty of spam!

Change your MX records to point to your Fixed IP Address (assuming you have a fixed IP Address) e.g., MX = so you have to change the A record for MAIL on your domain to point to the IP Address of your server.

Make sure you call your ISP once you have changed your MX records and get them to configure Reverse DNS to something like so that you don't get problems sending out mail as some will reject you if you don't.

After a week or so - ditch the POP3 collection.


Assisted Solution

Thomas_Roes earned 100 total points
ID: 35180995
You might also consider this:

Have your ISP configure at least one backup SMTP server (most do) (MX with a higher number).

But also consider this: your provider and/or hosted anti-spam/anti-virus providers also have options to set NO MX records to your server. Instead, all mail is first sent to your provider's mail servers. They optionally filter/scan/archive (or whatever service they provide) your email and then send the email on to you (as long as your server is on-line).
This way, you can open up port 25 not to the whole world, but only to the range where your provider's mail servers are. Just some extra security.

If your port 25 is open to the whole world, a small configuration flaw can turn your server into an open relay. If that happens, you'll not be sending mail for a while because you will get blocked very soon on a lot of SMTP blacklists.

Good luck,

Thomas Roes
LVL 13

Assisted Solution

connectex earned 100 total points
ID: 35182121
Also, some messaging anti-virus licensing also includes hosted anti-spam solutions. I know Trend Micro includes this. So double check before you spend money on an anti-spam solution.
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
ID: 35184779
I'm going to add some advice here that I haven't seen yet. While all the advice here is valid (checking ports, checking A/V, etc.), when you change that MX record you risk the chance of mail not getting delivered, and that is usually not a good thing.

When switching from POP3 to SMTP, I follow these steps:

1) Check internal configuration (firewall, AV, etc.) to best *estimate* that mail flow works.

2) I then add an A record for the server to the public DNS records (I do not yet change the MX record!).

3) While I'm in the public DNS records (usually hosted), I take note of the existing TTL of the MX record and change it to a very low number. For this example, let's say I change it from 3 days to 1 hour.

4) While usually not necessary to *receive* email, while you are in DNS you might as well check any SPF/SenderID records and make sure your new public IP is appropriately listed. This can be additive to any smarthosts and old servers so it won't impact the existing configuration.

5) I verify that the server *can* receive mail from the outside world by using This can be done *before* the MX record is changed because you now have an A record to test against. You can verify that mail comes into a test account created for the purpose, so you also know the POP3 connector was not in play (as the test account would not have a POP3 entry).

6) After the old TTL has expired (so in this example, after 3 days have passed since the TTL was changed) I change the MX record to point to the new A record and change the TTL to a nice large number again (with today's DNS hosts, 1 day is my usual default).

7) After an hour has passed (hence the reason for the change to a one-hour TTL) you can safely disable the POP3 connector.

8) Now that you are receiving email properly, you can also transition off smarthosts if that is your ultimate plan (usually a smarthost is used in tandem with a POP3 connector) and adjust your SenderID/SPF records accordingly, removing old servers as you move away from them.

The purpose behind changing the TTL and then waiting the 3 days is to minimize the window where mail will be both directly delivered *and* still be coming down through the POP3 connector. If you have both running concurrently and someone reports a message has gone "missing", troubleshooting is very nasty and time-consuming. By waiting the 3 days (or the old TTL, more specifically) before switching the MX record, you are ensuring that mail is still *only* coming in via the POP3 connector, and then when you make the switch, because of the very short TTL, you are ensuring that the switch propagates quickly and that mail will quickly *only* be coming from SMTP servers.

Additionally, the added step of testing via before making the switch helps verify that your firewall and AV configuration are correct before making the MX change, so that, if there *are* configuration issues, they are caught while mail is still coming down via POP3. It is a safety net that allows you to fully verify your configuration while avoiding the risk of delivery issues.

When done properly, the service interruption is insignificant, near seamless, and also nearly bulletproof.
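The DNS side of the cutover procedure above (A record first, lowered MX TTL, SPF updated, wait out the old TTL, then switch and retire the POP3 connector) as an added example check; this is not code from the thread. The zone, hostnames and IPs are constructed, and the step numbers in the messages refer to the list above.

```python
"""Pre-flight checks for the POP3-connector to direct-SMTP cutover described above.
Times are Unix seconds. The zone below is constructed for a made-up domain and shows
the state after steps 2-4: A record and SPF added, MX still at the old provider."""
import ipaddress

ZONE = [  # (name, type, ttl_seconds, value)
    ("example.test", "MX", 3600, "10 mx.oldprovider.test"),
    ("mail.example.test", "A", 3600, "203.0.113.10"),
    ("example.test", "TXT", 3600,
     "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"),
]
NEW_HOST, NEW_IP = "mail.example.test", "203.0.113.10"  # constructed values

def records(zone, rtype):
    return [r for r in zone if r[1] == rtype]

def spf_allows(zone, ip):
    """Step 4: True if an ip4: mechanism in the SPF TXT record covers ip."""
    addr = ipaddress.ip_address(ip)
    for _, _, _, value in records(zone, "TXT"):
        if not value.startswith("v=spf1"):
            continue
        for mech in value.split()[1:]:
            if mech.startswith("ip4:") and \
               addr in ipaddress.ip_network(mech[4:], strict=False):
                return True
    return False

def preflight(zone, host, ip, ttl_lowered_at, old_ttl, new_ttl, now):
    """Return the blockers for changing the MX record at time `now`."""
    problems = []
    if not any(n == host and v == ip for n, _, _, v in records(zone, "A")):
        problems.append("no A record for %s -> %s (step 2)" % (host, ip))
    if any(ttl > new_ttl for _, _, ttl, _ in records(zone, "MX")):
        problems.append("MX TTL not lowered to %ds (step 3)" % new_ttl)
    if not spf_allows(zone, ip):
        problems.append("SPF does not list %s (step 4)" % ip)
    remaining = ttl_lowered_at + old_ttl - now  # old TTL must age out first
    if remaining > 0:
        problems.append("old TTL still cached for %ds (step 6)" % remaining)
    return problems

def switch_mx(zone, host, restored_ttl=86400):
    """Step 6: point the MX at the new host and raise the TTL again."""
    return [(n, t, restored_ttl, "10 " + host) if t == "MX" else (n, t, ttl, v)
            for n, t, ttl, v in zone]

def pop3_disable_time(switched_at, new_ttl):
    """Step 7: the POP3 connector may go once the short TTL has elapsed."""
    return switched_at + new_ttl
```

Run `preflight` against your real zone data until it returns an empty list; only then apply `switch_mx` and schedule the connector shutdown for `pop3_disable_time`.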



Author Comment

ID: 35331011
Hi all & sorry for inactivity, been gone for a couple of days.
Thank you for all your tips, all very helpful.
1 more question: is it possible to have only MX on my box and WWW at a different location (it is already hosted elsewhere and it is limited to the Linux platform)? Is there some kind of limitation on SBS2003 Exchange?
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 200 total points
ID: 35331359
You can happily point your MX and WWW records to completely different IP addresses without any problems at all.

The only real limitation with SBS is the number of users it can handle (75 maximum).

