elemist asked:

Smart Host failover

Here's the scenario.

1 x SBS 2011 Exchange Server
1 x Untangle Firewall/Load Balancer/Internet Fail over
2 x ADSL Connections with Static IP

The SBS server sits behind the Untangle Server which has both ADSL Connections connected to it.

Originally we had the Server using our ISP's outbound mail servers as a smart host to relay mail out. However, once the connection failed over or load balanced to the alternate connection, which is from another provider, the smart host rejects the email as it's coming from outside their network.

So then we reverted to sending mail out directly from the Server - however my fear has come true and it appears we have been blacklisted by a number of people.

How do people handle this kind of fail over/load balancing solution?

Could I set the default gateway on the server to the primary connection's router and use the smart filter?

It wouldn't be hard to reconfigure the server to the alternate connection if we have issues with the primary connection. Just updating the smart filter...
arnold

Resolve the reasons your server got blacklisted rather than concentrating on dealing with the route it uses to send.
Not addressing the blacklisting will merely delay it and will likely later get the server blacklisted on the other IP.
I would agree with arnold, solve the direct problem, don't try to work around it.

Have you actually been blacklisted, or are you on a blocklist for some other reason, such as a lack of reverse DNS, address seen as a dynamic address, etc.?

Do you have reverse DNS entries for the exit IP addresses used by outbound email?

Do you have an SPF record for your domain that lists the exit IP addresses?

Are you configured as an open relay?
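As an added example that is not part of any reply on this page, here is an offline check for the SPF question above: given the two static exit IPs of the ADSL lines, it reports which ones the domain's SPF record does not explicitly authorize, which is what receivers that check SPF will see once the firewall fails over to the second line. The addresses and the record are constructed sample values.

```python
import ipaddress

# Constructed sample values for the two-ISP setup in the thread (not real addresses).
EXIT_IPS = ["203.0.113.10", "198.51.100.20"]   # static IP on each ADSL line
# Constructed record: only the first line's IP is listed, the second is missing.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 include:isp1.example -all"


def spf_mechanisms(spf_txt):
    """Split a v=spf1 TXT record into its mechanism terms (modifiers like redirect= are skipped)."""
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return [t for t in terms[1:] if "=" not in t]


def spf_lists_ip(spf_txt, ip):
    """True if ip is covered by an explicit ip4:/ip6: mechanism (include: is not resolved here)."""
    addr = ipaddress.ip_address(ip)
    for term in spf_mechanisms(spf_txt):
        mech = term.lstrip("+-~?")           # drop the qualifier, if any
        kind, _, value = mech.partition(":")
        if kind.lower() not in ("ip4", "ip6") or not value:
            continue
        net = ipaddress.ip_network(value, strict=False)  # bare address means /32 or /128
        if addr.version == net.version and addr in net:
            return True
    return False


def spf_default_qualifier(spf_txt):
    """Qualifier on the trailing 'all' mechanism: '-' (fail), '~' (softfail), '?' or '+'."""
    for term in spf_mechanisms(spf_txt):
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def missing_exit_ips(spf_txt, exit_ips):
    """Exit IPs the record does not explicitly authorize; mail leaving via these
    fails (or softfails, with ~all) SPF at receivers that check it."""
    return [ip for ip in exit_ips if not spf_lists_ip(spf_txt, ip)]


if __name__ == "__main__":
    print("SPF default qualifier:", spf_default_qualifier(SPF_RECORD))
    print("exit IPs not in SPF:", missing_exit_ips(SPF_RECORD, EXIT_IPS))
```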
elemist
I've almost got the blacklisting issue resolved. But I'm more interested in preventing this from occurring in the future.

I've blocked outbound port 25 from all client workstations, so now only our Exchange server can send outbound on that port. Hopefully reducing the chances of this happening again.

But I still think using a smart host on the outbound is a lot easier for us. If anything's going to get blacklisted, it won't be our server - instead it will be our ISP's, and they have a whole team of people dedicated to resolving issues like that.

I know it sounds selfish. But at the end of the day my customer pays me by the hour. Whilst we do everything possible within the budget to prevent this from happening, obviously there's still a chance it will.

So back to my main question.

Is there any way to do failover for outbound mail whilst using a smart host?
To address your point that the smart host provider will have their server blacklisted: the first thing they do once they get notified or discover that their server is blacklisted, and see the reason as mail coming from you, is blacklist your server or deny your server connections/relaying.

So instead of emails from your server to some recipients having issues because those recipients use the blacklist, your ISP blacklisting your server will result in no emails being delivered.

You could define internally a host that maps to each ISP's smarthost.
You would then define a static route for each smart host to only go through the interface of that provider.

On the router:
ip route host <smarthost1> isp1_interface
ip route host <smarthost2> isp2_interface

In local DNS (two A records for the same internal name):
60 IN A <smarthost1>
60 IN A <smarthost2>

This way your exchange will distribute the email through your providers.

Presumably your domain's MX points to both ISPs for incoming mail.
Jeffrey Kane - TechSoEasy: [answer is members-only on the page and not included]
Depending on the firewall you are using to load balance, you might be able to create a firewall rule to achieve this.

1. Set the firewall internal IP to be your smart host
2. Create the opposite of your normal port forward rule, so that port 25 traffic with destination of your firewall internal IP is forwarded to the mail server of whatever connection is currently live.

Personally I think Jeff's plan of using an authenticated smart host is easier!
elemist
Thanks Jeff and aoakley!

Jeff - that's my current plan. I've found one provider only accepts authenticated connections AFTER a POP connection is established first. Which is a giant pain given we don't use POP mail at all from them.

I'm waiting to hear back from the other provider to see whether they allow it.


Trying to get my head around the idea.. It sounds plausible, the internal forwarding makes sense - but how would you get it to route to the relevant provider depending on which connection it goes out on?
I don't see how you can set your firewall's internal IP as the smart-host. I don't think Exchange will accept that the local IP of the firewall is valid for an external smart-host without some additional monkeying around with the connector's settings, and this very well may compromise the security of the server.

@aoakley:  have you ever done this before?

FYI, if you use a third-party relay service you will never get blacklisted.

@Jeff. Yes I have done. Frequently. With routers like the MikroTik, where you can have a script execute when the WAN interface changes, it works very well. Not for the faint hearted though; I do think your solution of getting an SMTP relay with auth is better for the average user. But if you are wanting to keep everything "in house" my solution does work.
Fair enough... it just does seem as though there can be way too many issues with that setup.

It's actually surprisingly stable! Think of it like a reverse port forward :)

An authenticated SMTP relay as Jeff suggested is a far simpler method and the one I suggest you use...