Smart Host failover

elemist
Hi,

Here's the scenario.

1 x SBS 2011 Exchange Server
1 x Untangle Firewall/Load Balancer/Internet Fail over
2 x ADSL Connections with Static IP

The SBS server sits behind the Untangle Server which has both ADSL Connections connected to it.

Originally we had the server using our ISP's outbound mail servers as a smart host to relay mail out. However, once the connection failed over or load balanced to the alternate connection, which is from another provider, the smart host rejects the email as it's coming from outside their network.

So then we reverted to sending mail out directly from the server; however, my fear has come true and it appears we have been blacklisted by a number of people.

How do people handle this kind of fail over/load balancing solution?

Could I set the default gateway on the server to the primary connection's router and use the smart host?

It wouldn't be hard to reconfigure the server to the alternate connection if we have issues with the primary connection, just by updating the smart host...
Distinguished Expert 2017

Commented:
Resolve the reasons your server got blacklisted rather than concentrating on dealing with the route it uses to send.
Not addressing the blacklisting will merely delay the problem and will likely later get the server blacklisted on the other IP as well.
I would agree with arnold, solve the direct problem, don't try to work around it.

Have you actually been blacklisted, or are you on a blocklist for some other reason, such as a lack of reverse dns, address seen as a dynamic address etc

Do you have reverse DNS entries for the exit IP addresses used by outbound email?

Do you have an SPF record for your domain that lists the exit IP addresses?

Are you configured as an open relay ?
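The SPF question above is the one that bites a dual-ISP setup: a record that lists only the primary link's address fails the moment the load balancer sends mail out of the second link. The script below is an added example for this thread, not code from any of the posts. It evaluates an SPF record against each exit address offline, so the records and addresses are constructed (RFC 5737 documentation ranges stand in for the two ADSL static IPs); mechanisms that need DNS (a, mx, include, ptr, redirect=) are reported as unknown rather than guessed, and the reverse-DNS and open-relay checks need live lookups that this does not attempt.

```python
"""Offline SPF coverage check for a site that sends mail out via two ISP links.

Added example for this thread; it is not code from the original posts.
The SPF records and addresses below are constructed (RFC 5737 documentation
ranges stand in for the two ADSL static IPs).  Reverse-DNS and open-relay
checks need live lookups and are not attempted here.
"""
import ipaddress

# Constructed: the two exit addresses the load balancer can send from.
EXIT_IPS = ["192.0.2.10", "198.51.100.12"]

# Constructed: a record that lists only the primary link (the failing setup)
# and one that lists both links (what the record should look like).
OLD_RECORD = "v=spf1 ip4:192.0.2.10 -all"
NEW_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.8/29 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for word in words[1:]:
        qualifier = "+"                      # RFC 7208: the default qualifier is '+'
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        mech, _, arg = word.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def spf_verdict(record, sender_ip):
    """Evaluate sender_ip against the record's ip4/ip6/all terms; first match wins.

    Mechanisms that need DNS (a, mx, include, exists, ptr, redirect=) cannot be
    resolved offline, so the function returns 'unknown' instead of guessing.
    """
    addr = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in spf_terms(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "unknown"
    return "neutral"                         # nothing matched and no 'all' term


def exit_ips_not_passing(record, exit_ips):
    """Return the exit addresses that would not get an SPF 'pass' with this record."""
    return [ip for ip in exit_ips if spf_verdict(record, ip) != "pass"]


if __name__ == "__main__":
    for label, record in (("old", OLD_RECORD), ("new", NEW_RECORD)):
        print("%s record: %s" % (label, record))
        for ip in EXIT_IPS:
            print("  %-16s %s" % (ip, spf_verdict(record, ip)))
        print("  exit IPs without pass: %s" % (exit_ips_not_passing(record, EXIT_IPS) or "none"))
```

Run it and the old record reports the second link's address as a hard fail, which is what a receiver doing SPF checking saw whenever mail left via the alternate connection; the new record covers both. Publish the record with `-all` only once every exit address (including any future relay) is listed, otherwise `~all` is the safer interim choice.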

Author

Commented:
I've almost got the blacklisting issue resolved, but I'm more interested in preventing this from occurring in the future.

I've blocked outbound port 25 from all client workstations, so now only our Exchange server can send outbound on that port, hopefully reducing the chances of this happening again.

But I still think using a smart host on the outbound is a lot easier for us. If anything's going to get blacklisted, it won't be our server; instead it will be our ISP's, and they have a whole team of people dedicated to resolving issues like that.

I know it sounds selfish. But at the end of the day my customer pays me by the hour. Whilst we do everything possible within the budget to prevent this from happening, obviously there's still a chance it will.

So back to my main question.

Is there any way to do failover for outbound mail whilst using a smart host?
Distinguished Expert 2017

Commented:
To address your point that the smart host provider will have their server blacklisted:
the first thing they do once they are notified or discover that their server is blacklisted, and see that the cause is mail coming from you, is blacklist your server or deny your server connections/relaying.

So instead of only affecting email from your server to the recipients who use that blacklist, your ISP blacklisting your server will result in no email being delivered at all.

You could define internally a host name that maps to each ISP's smart host.
You would then define a static route for each smart host so that it only goes out through the interface of that provider.

On the router (one host route per smart host, pinned to that provider's interface; <smarthost1> and <smarthost2> are the two providers' relay addresses):

    ip route host <smarthost1> isp1_interface
    ip route host <smarthost2> isp2_interface

In local DNS (one name with both addresses, so Exchange round-robins between them):

    smarthost.mydomain.com. 60 IN A <smarthost1>
    smarthost.mydomain.com. 60 IN A <smarthost2>

This way your exchange will distribute the email through your providers.

Presumably your domain's MX points to both ISPs for incoming mail.
Principal Consultant
Most Valuable Expert 2016
Top Expert 2014
Commented:
I solved this problem recently by using authentication with the smart host.  That way you can use the same one, even if the connection changes.

Check to see if either of your ISPs offer an authenticated SmartHost, and if they don't, then switch to a SmartHost (Mail Relay) service -- which is fairly inexpensive.

Jeff
TechSoEasy
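Whether a given provider actually offers what Jeff describes is something you can verify from the Exchange server's network before changing the send connector: after EHLO (and again after STARTTLS, because capabilities change) the relay either advertises AUTH or it doesn't. The probe below is an added example for this thread, not code from any of the posts. Host, port and credentials are placeholders passed on the command line, the EHLO replies used for the offline self-check are constructed, and nothing is ever sent through the relay. A relay that advertises no AUTH at all is authorising by source IP (or POP-before-SMTP), which is exactly the arrangement that breaks when the link fails over.

```python
"""Probe a smart host for authenticated submission (SMTP AUTH over STARTTLS).

Added example for this thread; it is not code from the original posts.
Host name, port and credentials are placeholders you pass on the command
line; the EHLO replies used by the offline self-check are constructed.
Nothing is ever sent through the relay.
"""
import smtplib
import ssl
import sys


def parse_ehlo_auth(ehlo_reply):
    """Return the SASL mechanisms advertised in an EHLO reply.

    ehlo_reply is the bytes smtplib.SMTP.ehlo() returns as its message, i.e.
    the 250 lines joined by newlines, such as
    b'mail.example.net\nSTARTTLS\nAUTH PLAIN LOGIN\nSIZE 35882577'.
    Both 'AUTH PLAIN LOGIN' and the older 'AUTH=PLAIN LOGIN' form are handled.
    """
    mechs = set()
    for line in ehlo_reply.decode("latin-1").splitlines():
        line = line.strip()
        if line.upper().startswith("AUTH="):
            line = "AUTH " + line[5:]
        words = line.split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs


def classify(report):
    """Turn a probe report into the answer the thread is after."""
    if not report["auth_mechanisms"]:
        return ("no AUTH: this relay authorises by source IP (or POP-before-SMTP), "
                "so it will reject you after a failover to the other ISP")
    if not report["starttls"]:
        return "weak: AUTH offered without STARTTLS, credentials would cross the wire in clear"
    return "ok: authenticated submission over TLS (%s)" % ", ".join(sorted(report["auth_mechanisms"]))


def probe_submission(host, port=587, username=None, password=None, timeout=15):
    """Connect, upgrade to TLS if offered, and record what the relay advertises.

    Returns {'starttls': bool, 'auth_mechanisms': set, 'login': str}.
    """
    report = {"starttls": False, "auth_mechanisms": set(), "login": "not attempted"}
    context = ssl.create_default_context()       # verify the relay's certificate
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            report["starttls"] = True
            code, reply = smtp.ehlo()            # capabilities change after TLS
        report["auth_mechanisms"] = parse_ehlo_auth(reply)
        if username and report["auth_mechanisms"]:
            try:
                smtp.login(username, password)
                report["login"] = "ok"
            except smtplib.SMTPAuthenticationError as exc:
                report["login"] = "rejected: " + exc.smtp_error.decode("latin-1")
    return report


if __name__ == "__main__":
    # usage: probe.py smtp.isp.example 587 [user password]   (placeholders)
    host, port = sys.argv[1], int(sys.argv[2])
    user, pw = (sys.argv[3], sys.argv[4]) if len(sys.argv) > 4 else (None, None)
    result = probe_submission(host, port, user, pw)
    print(result)
    print(classify(result))
```

Run it once from each ADSL link (or with the primary link unplugged) against each candidate relay on 587 and 25. Only a relay that answers "ok" from both links is a smart host that survives failover; a "weak" result means the credentials would be readable by anyone on the path, so insist on STARTTLS (BasicAuthRequireTLS in Exchange terms) before configuring it.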
Andrew Oakeley, Consultant

Commented:
Depending on the firewall you are using to load balance, you might be able to create a firewall rule to achieve this.

1. Set the firewall's internal IP to be your smart host.
2. Create the opposite of your normal port forward rule, so that port 25 traffic with a destination of your firewall's internal IP is forwarded to the mail server of whatever connection is currently live.

Personally I think Jeff's plan of using an authenticated smart host is easier!

Author

Commented:
Thanks Jeff and aoakley!

Jeff - that's my current plan. I've found one provider only accepts authenticated connections AFTER a POP connection is established first, which is a giant pain given we don't use POP mail at all from them.

I'm waiting to hear back from the other provider to see whether they allow it.

aoakley,

Trying to get my head around the idea. It sounds plausible, and the internal forwarding makes sense, but how would you get it to route to the relevant provider depending on which connection it goes out on?
Jeffrey Kane - TechSoEasy, Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
I don't see how you can set your firewall's internal IP as the smart-host.  I don't think Exchange will accept that the local IP of the firewall is valid for an external smart-host without some additional monkeying around with the connector's settings, and this very well may compromise the security of the server.

@aoakley:  have you ever done this before?

FYI, if you use a third-party relay service you will never get blacklisted.

Jeff
TechSoEasy
Andrew Oakeley, Consultant

Commented:
@jeff. Yes I have, frequently. With routers like the MikroTik, where you can have a script execute when the WAN interface changes, it works very well. Not for the faint hearted, though; I do think your solution of getting an SMTP relay with auth is better for the average user. But if you are wanting to keep everything "in house" my solution does work.
Jeffrey Kane - TechSoEasy, Principal Consultant
Most Valuable Expert 2016
Top Expert 2014

Commented:
Fair enough... it just does seem as though there can be way too many issues with that setup.

Jeff
TechSoEasy
Andrew Oakeley, Consultant

Commented:
It's actually surprisingly stable! Think of it like a reverse port forward :)

An authenticated SMTP relay as Jeff suggested is a far simpler method and the one I suggest you use...
