Solved

SBS2003 from POP3 connector to full service Exchange

Posted on 2011-03-21
Last Modified: 2012-05-11
Hi,
I have an SBS2003 server installed and working fine as DC, Exchange with POP3 connector behind a DSL connection, SharePoint services and the rest of the bunch. Finally the company decided to invest in a proper link so we can now "unleash" Exchange in full power haha. I'm planning to configure SBS to be a mail server with the domain hosted on it, no www, just MX. It's behind a Zywall35 UTM firewall with a static IP.
Can I have some advice or how-to first steps, and what to do and not to do?
Thanks in advance!
Question by:bbmservis
6 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 200 total points
ID: 35180863
Okay - first of all - make sure you open TCP Port 25 on your firewall and forward that to your SBS server.

Make sure you have Anti-Spam software installed and configured on your server otherwise you will get plenty of spam!

Change your MX records to point to your Fixed IP Address (assuming you have a fixed IP Address) e.g., MX = mail.domain.com so you have to change the A record for MAIL on your domain to point to the IP Address of your server.

Make sure you call your ISP once you have changed your MX records and get them to configure Reverse DNS to something like mail.domain.com so that you don't get problems sending out mail, as some will reject you if you don't.

After a week or so - ditch the POP3 collection.

Alan
0
 
LVL 3

Assisted Solution

by:Thomas_Roes
Thomas_Roes earned 100 total points
ID: 35180995
You might also consider this:

Have your ISP configure at least one backup SMTP server (most do). (MX with higher number).

But also consider this: Your provider and/or hosted anti-spam/anti-virus providers also have options to set NO MX records to your server. Instead, all mail is first sent to your provider's mail servers. They optionally filter/scan/archive, or whatever service they provide, your email and then send the email to you (as long as your server is online).
This way, you can open up port 25 not to the whole world, but only to the range where your provider's mail servers are. Just some extra security.

If your port 25 is open to the whole world, a small configuration flaw can turn your server into an open relay. If that happens, you'll not be sending mail for a while because you will get blocked very soon on a lot of SMTP blacklists.

Good luck,

Thomas Roes
0
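A check for the open-relay condition described in the post above, as an added example that is not part of the original thread. It drives an SMTP envelope up to RCPT TO and stops before DATA, so no message is sent; the host names and addresses are constructed placeholders, and `StubSession` is a hypothetical stand-in for `smtplib.SMTP` so the example runs offline.

```python
def relay_check(session, local_rcpt, outside_sender, outside_rcpt):
    """Classify a server from two envelope probes sent by an unauthenticated outside client.

    `session` must offer the smtplib.SMTP methods ehlo(), mail(), rcpt() and rset().
    """
    session.ehlo()
    codes = {}
    for label, rcpt in (("inbound", local_rcpt), ("relay", outside_rcpt)):
        session.rset()                      # start each probe with a clean envelope
        session.mail(outside_sender)
        codes[label], _ = session.rcpt(rcpt)
    session.rset()                          # abandon the envelope: DATA is never issued
    if codes["relay"] in (250, 251):
        return "OPEN RELAY: outside sender accepted for an outside recipient"
    if codes["inbound"] not in (250, 251):
        return "inbound mail refused: check recipient policies and firewall"
    return "ok: accepts local recipients, refuses to relay"


class StubSession:
    """Constructed stand-in for smtplib.SMTP (hypothetical, for offline use only)."""

    def __init__(self, local_domain, relays_for_anyone):
        self.local_domain = local_domain
        self.relays_for_anyone = relays_for_anyone

    def ehlo(self):
        return (250, b"mail.example.com")

    def rset(self):
        return (250, b"2.0.0 Resetting")

    def mail(self, sender):
        return (250, b"2.1.0 Sender OK")

    def rcpt(self, recipient):
        local = recipient.lower().endswith("@" + self.local_domain)
        if local or self.relays_for_anyone:
            return (250, b"2.1.5 Recipient OK")
        return (550, b"5.7.1 Unable to relay")


if __name__ == "__main__":
    for flawed in (False, True):
        s = StubSession("example.com", relays_for_anyone=flawed)
        print(relay_check(s, "test@example.com", "probe@example.net", "probe@example.org"))
```

Against your own server, pass `smtplib.SMTP("mail.example.com", 25, timeout=10)` as the session and run it from a host outside your network, since internal addresses are often allowed to relay by design.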
 
LVL 13

Assisted Solution

by:connectex
connectex earned 100 total points
ID: 35182121
Also, some messaging anti-virus licenses also have hosted anti-spam solutions. I know Trend Micro includes this. So double check before you spend money on an anti-spam solution.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
ID: 35184779
I'm going to add some advice here that I haven't seen yet. While all the advice here is valid (checking ports, checking A/V, etc) when you change that MX record, you risk the chance of mail not getting delivered, and that is usually not a good thing.

When switching from pop3 to SMTP, I follow the following steps:

1) Check internal configuration (firewall, AV, etc) to best *estimate* that mail flow works.

2) I then add an A record for the server to the public DNS records (I do not yet change the MX record!)

3) While I'm in the public DNS records (usually hosted), I take note of the existing TTL of the MX record and change it to a very low number. For this example, let's say I change it from 3 days to 1 hour.

4) While usually not necessary to *receive* email, while you are in DNS, might as well check any SPF/SenderID records and make sure your new public IP is appropriately listed. This can be additive to any smarthosts and old servers so it won't impact the existing configuration.

5) I verify that the server *can* receive mail from the outside world by using testexchangeconnectivity.com. This can be done *before* the MX record is changed because you now have an A record to test against. You can verify that mail comes in to a test account created for the purpose so you also know the pop3 connector was not in play (as the test account would not have a pop3 entry.)

6) After the old TTL has expired (so in this example, after 3 days have passed since the TTL was changed) I change the MX record to point to the new A record and change the TTL to a nice large number again (with today's DNS hosts, 1 day is my usual default.)

7) After an hour has passed (hence the reason for the change to a one hour TTL) you can safely disable the pop3 connector.

8) Now that you are receiving email properly, you can also transition off smarthosts if that is your ultimate plan (usually a smarthost is used in tandem with a pop3 connector) and adjust your SenderID/SPF records accordingly, removing old servers as you move away from them.

The purpose behind changing the TTL and then waiting the 3 days is to minimize the window where mail will be both directly delivered *and* still be coming down through the pop3 connector. If you have both running concurrently and someone reports a message has gone "missing", troubleshooting is very nasty and time-consuming. By waiting the 3 days (or old TTL more specifically) before switching the MX record, you are ensuring that mail is still *only* coming in via the pop3 connector, and then when you make the switch, because of the very short TTL, you are ensuring that the switch propagates quickly and that mail will quickly *only* be coming from SMTP servers.

Additionally, the added step of testing via testexchangeconnectivity.com before making the switch helps verify that your firewall and AV configuration are correct before making the MX change so that, if there *are* configuration issues, they are caught while mail is still coming down via pop3. It is a safety net to allow you to fully verify your configuration while avoiding the risk of delivery issues.

When done properly, the service interruption is insignificant, near seamless, and also nearly bulletproof.

-Cliff


0
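The pre-cutover checks and TTL timing from the steps above, worked through as an added example that is not part of the original post. The zone data, host names, addresses and start date are constructed, the reverse DNS check comes from the accepted answer earlier in the thread, and only `ip4:`/`ip6:` SPF mechanisms are evaluated (`include:`, `a` and `mx` would need live lookups).

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

def spf_lists_ip(spf_txt, ip):
    """True if a passing ip4:/ip6: mechanism covers ip (include:, a, mx are not resolved)."""
    addr = ip_address(ip)
    for term in spf_txt.lower().split()[1:]:
        mech = term.lstrip("+")             # "-ip4:", "~ip4:" do not authorize a sender
        if mech.startswith(("ip4:", "ip6:")):
            net = ip_network(mech[4:], strict=False)
            if net.version == addr.version and addr in net:
                return True
    return False

def preflight(zone, mail_host, new_ip):
    """Problems to fix while mail still arrives only through the POP3 connector."""
    problems = []
    if zone["A"].get(mail_host) != new_ip:
        problems.append(f"A record for {mail_host} does not point to {new_ip}")
    if zone["PTR"].get(new_ip) != mail_host:
        problems.append(f"reverse DNS for {new_ip} is not {mail_host}")
    if not spf_lists_ip(zone["SPF"], new_ip):
        problems.append(f"SPF record does not list {new_ip}")
    return problems

def cutover_plan(ttl_lowered_at, old_ttl, short_ttl):
    """Earliest safe times for step 6 (switch MX) and step 7 (disable POP3)."""
    switch_mx = ttl_lowered_at + old_ttl
    return {"switch_mx": switch_mx, "disable_pop3": switch_mx + short_ttl}

def overlap_window(old_ttl, short_ttl, waited):
    """Worst case: how long after the MX switch a resolver may still hold the old MX."""
    return max(short_ttl, old_ttl - waited)

# Constructed sample data: documentation addresses and example domains only.
ZONE = {
    "A": {"mail.example.com": "203.0.113.25"},
    "PTR": {"203.0.113.25": "dsl-203-0-113-25.isp.example"},   # ISP default, not yet changed
    "SPF": "v=spf1 ip4:198.51.100.0/24 include:smarthost.example ~all",
}

if __name__ == "__main__":
    for problem in preflight(ZONE, "mail.example.com", "203.0.113.25"):
        print("fix first:", problem)
    plan = cutover_plan(datetime(2011, 3, 21, 9, 0), timedelta(days=3), timedelta(hours=1))
    print("switch MX after", plan["switch_mx"], "- disable POP3 after", plan["disable_pop3"])
    print("overlap if switched a day in:",
          overlap_window(timedelta(days=3), timedelta(hours=1), waited=timedelta(days=1)))
```

`overlap_window` shows why the wait matters: switching after only one day of the old 3-day TTL leaves up to 2 days where both delivery paths are live, against 1 hour when the full old TTL has elapsed.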
 

Author Comment

by:bbmservis
ID: 35331011
Hi all & sorry for the inactivity, been gone for a couple of days.
Thank you for all your tips, all very helpful.
One more question: is it possible to have only MX on my box and WWW at a different location (it is already hosted elsewhere and it is limited to the Linux platform)? Is there some kind of limitation on SBS2003 Exchange?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 200 total points
ID: 35331359
You can happily point your MX and WWW records to completely different IP addresses without any problems at all.

The only real limitation with SBS is the number of users it can handle (75 maximum).

Alan
0
