elemist asked on

Smart Host failover

Hi,

Here's the scenario.

1 x SBS 2011 Exchange Server
1 x Untangle Firewall/Load Balancer/Internet Fail over
2 x ADSL Connections with Static IP

The SBS server sits behind the Untangle Server which has both ADSL Connections connected to it.

Originally we had the server using our ISP's outbound mail servers as a smart host to relay mail out. However, once the connection failed over (or load balanced) to the alternate connection, which is from another provider, the smart host rejects the email as it's coming from outside their network.

So then we reverted to sending mail out directly from the server. However, my fear has come true and it appears we have been blacklisted by a number of people.

How do people handle this kind of fail over/load balancing solution?

Could I set the default gateway on the server to the primary connection's router and use the smart filter?

It wouldn't be hard to reconfigure the server to the alternate connection if we have issues with the primary connection. Just updating the smart filter...

Last Comment: Andrew Oakeley, 8/22/2022 - Mon
arnold

Resolve the reasons your server got blacklisted rather than concentrating on dealing with the route it uses to send.
Not addressing the blacklisting will merely delay it, and will likely later on get the server blacklisted on the other IP as well.
ArneLovius

I would agree with arnold, solve the direct problem, don't try to work around it.

Have you actually been blacklisted, or are you on a blocklist for some other reason, such as a lack of reverse DNS, the address being seen as a dynamic address, etc.?

Do you have reverse DNS entries for the exit IP addresses used by outbound email?

Do you have an SPF record for your domain that lists the exit IP addresses?

Are you configured as an open relay?
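The SPF question above is the one that bites a dual-ISP site: the record has to authorise every address mail can leave from, whether that is both static IPs (direct sending) or both ISPs' relay ranges (smart host). The following checker is an added example for this thread, not code from any poster; it evaluates a domain's SPF record offline against a list of exit IPs, resolving include: terms from a constructed stand-in for DNS. All addresses and domain names in it are made-up placeholders from the documentation ranges, not the asker's real ones.

```python
import ipaddress

# Constructed placeholders, not the asker's real addresses: static IP of ADSL link 1 and link 2.
EXIT_IPS = ["203.0.113.10", "198.51.100.20"]

# Constructed stand-in for DNS (domain -> SPF TXT record) so include: resolves offline.
# The ranges are made up; a real check would fetch each ISP's published record.
FAKE_DNS = {
    "_spf.isp1.example": "v=spf1 ip4:192.0.2.0/24 -all",         # ISP 1 outbound relays
    "_spf.isp2.example": "v=spf1 ip4:198.51.100.128/25 -all",    # ISP 2 outbound relays
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for tok in tokens[1:]:
        qual = "+"                       # no prefix means "+" (pass)
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qual, mech.lower(), arg or None))
    return terms


def check_ip(record, ip, dns=FAKE_DNS, depth=0):
    """SPF verdict for one sending IP. Handles ip4/ip6/include/all; a/mx/ptr/exists
    would need live DNS and are skipped by this offline checker (an assumption of the example)."""
    if depth > 10:                       # RFC 7208 limits DNS-querying terms; guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            sub = dns.get(arg)
            if sub is None:              # included domain has no SPF record
                return "permerror"
            if check_ip(sub, ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no "all" term


def uncovered(record, ips=EXIT_IPS, dns=FAKE_DNS):
    """Exit addresses that the record does NOT authorise; should be empty before going live."""
    return [ip for ip in ips if check_ip(record, ip, dns) != "pass"]


if __name__ == "__main__":
    # Direct sending with only the first link listed: the second link's mail will fail SPF.
    print(uncovered("v=spf1 ip4:203.0.113.10 -all"))
    # Relaying through both ISPs: include both providers' records instead of your own IPs.
    relay = "v=spf1 include:_spf.isp1.example include:_spf.isp2.example -all"
    print(check_ip(relay, "192.0.2.25"), check_ip(relay, "203.0.113.10"))
```

Run it against your real record (and real exit IPs) before switching links: an address that comes back as anything other than "pass" is one the receiving side can reject or score as spam, which is exactly the kind of thing that lands a server on a blocklist after a failover.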
elemist

ASKER
I've almost got the blacklisting issue resolved.. But i'm more interested in preventing this from occurring in the future.

I've blocked outbound port 25 from all client workstations, so now only our Exchange server can send outbound on that port. Hopefully this reduces the chances of this happening again.

But I still think using a smart host on the outbound is a lot easier for us. If anything's going to get blacklisted, it won't be our server; instead it will be our ISP's, and they have a whole team of people dedicated to resolving issues like that.

I know it sounds selfish. But at the end of the day my customer pays me by the hour. Whilst we do everything possible within the budget to prevent this from happening, obviously there's still a chance it will.

So back to my main question.

Is there any way to do fail over for outbound mail whilst using a smart host?
arnold

To address your point that the smart host provider will have their server blacklisted:
The first thing they do once they get notified, or discover, that their server is blacklisted and see the reason as mail coming from you, is blacklist your server or deny your server connections/relaying.

So instead of emails going from your server to some recipients having issues because those recipients use the blacklist, your ISP blacklisting your server will result in no emails being delivered at all.

You could define internally a host that maps to each ISPs smarthost.
You would then define a static route for each smart host to only go through the interface of that provider.

On the router.
Ip route host <smarthost1> isp1_interface
Ip route host <smarthost2> isp2_interface

In localdns
Smarthost.mydomain.com. 60 in a <smarthost1>
Smarthost.mydomain.com. 60 in a <smarthost2>

This way your exchange will distribute the email through your providers.

Presumably your domains MX points to both ISPs for incoming mail.
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
Andrew Oakeley

Depending on the firewall you are using to load balance, you might be able to create a firewall rule to achieve this.

1. Set the firewall internal ip to be your smart host
2. Create the opposite of your normal port forward rule, so that port 25 traffic with a destination of your firewall's internal IP is forwarded to the mail server of whatever connection is currently live.

Personally I think Jeff's plan of using an authenticated smart host is easier!
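Here is what the two "in house" plans in this thread (arnold's per-ISP static routes, and the reverse port forward in the two steps just above) look like on a Linux-based firewall such as Untangle, as an added example that is not code from either poster. It generates the iptables DNAT rule and the ip route pins; a WAN-change hook (the kind of script a MikroTik or a failover daemon can fire) would call relay_rules() with the interface that just came up. Interface names, the LAN address and all relay/gateway IPs are constructed placeholders, and the script assumes an existing MASQUERADE/SNAT rule already handles outbound traffic on each WAN.

```python
import subprocess

# Constructed placeholders, not the asker's real config.
INTERNAL_IP = "192.168.16.1"    # firewall LAN address; Exchange is pointed at this as its "smart host"
LINKS = {                        # one entry per ADSL link, each with its own ISP's relay and gateway
    "eth1": {"smarthost": "203.0.113.25", "gateway": "203.0.113.1"},
    "eth2": {"smarthost": "198.51.100.25", "gateway": "198.51.100.1"},
}
CHAIN = "SMTP_RELAY"             # own nat chain so the single DNAT rule can be flushed and rebuilt


def setup_rules(links=LINKS):
    """One-time setup: create the chain, hook it into PREROUTING, and pin each ISP's relay
    to that ISP's own link (arnold's static-route idea) so the relay always sees its own
    customer address as the source, whichever link is carrying the rest of the traffic."""
    cmds = [
        ["iptables", "-t", "nat", "-N", CHAIN],            # fails harmlessly if the chain already exists
        ["iptables", "-t", "nat", "-I", "PREROUTING", "-j", CHAIN],
    ]
    for iface, link in links.items():
        cmds.append(["ip", "route", "replace", link["smarthost"] + "/32",
                     "via", link["gateway"], "dev", iface])
    return cmds


def relay_rules(active_wan, links=LINKS, internal_ip=INTERNAL_IP):
    """Run whenever the live WAN changes: flush the chain, then redirect TCP/25 traffic that is
    addressed to the firewall's LAN IP to the relay of the link that is currently up."""
    if active_wan not in links:
        raise ValueError("unknown WAN interface: %s" % active_wan)
    relay = links[active_wan]["smarthost"]
    return [
        ["iptables", "-t", "nat", "-F", CHAIN],
        ["iptables", "-t", "nat", "-A", CHAIN, "-p", "tcp", "-d", internal_ip,
         "--dport", "25", "-j", "DNAT", "--to-destination", relay + ":25"],
    ]


def apply_rules(cmds, dry_run=True):
    """Execute the commands (needs root on the firewall) or, in dry-run mode, only return
    them as shell lines so the change can be reviewed first."""
    lines = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python relay_failover.py <interface that just became active>
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth1"
    for line in apply_rules(setup_rules()) + apply_rules(relay_rules(iface)):
        print(line)
```

Two caveats worth knowing before choosing this over an authenticated relay: the exit address still has to be authorised by your SPF record for whichever link is live, and if the Exchange send connector is set to require TLS and verify the relay's certificate name, the DNAT rewrite breaks that name check because the connector only knows the firewall's LAN address. Opportunistic TLS to the real relay keeps working. That mismatch is one concrete reason an authenticated smart host configured directly on the connector, as Jeff suggests, is the simpler and easier-to-audit design.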
elemist

ASKER
Thanks Jeff and aoakley!

Jeff - that's my current plan. I've found one provider only accepts authenticated connections AFTER a POP connection is established first, which is a giant pain given we don't use POP mail at all from them.

I'm waiting to hear back from the other provider to see whether they allow it.

aoakley,

Trying to get my head around the idea. It sounds plausible, and the internal forwarding makes sense, but how would you get it to route to the relevant provider depending on which connection it goes out on?
Jeffrey Kane - TechSoEasy

I don't see how you can set your firewall's internal IP as the smart-host.  I don't think Exchange will accept that the local IP of the firewall is valid for an external smart-host without some additional monkeying around with the connector's settings, and this very well may compromise the security of the server.

@aoakley:  have you ever done this before?

FYI, if you use a third-party relay service you will never get blacklisted.

Jeff
TechSoEasy
Andrew Oakeley

@jeff. Yes I have done. Frequently. With routers like the MikroTik, where you can have a script execute when the WAN interface changes, it works very well. Not for the faint-hearted though; I do think your solution of getting an SMTP relay with auth is better for the average user. But if you are wanting to keep everything "in house" my solution does work.
Jeffrey Kane - TechSoEasy

Fair enough... it just does seem as though there can be way too many issues with that setup.

Jeff
TechSoEasy
Andrew Oakeley

It's actually surprisingly stable! Think of it like a reverse port forward :)

An authenticated SMTP relay as Jeff suggested is a far simpler method and the one I suggest you use...