Email rejected as spam when sent from remote client on LAN-to-LAN VPN

We have an SBS 2011 box (with Exchange) in a central location. A remote office has a LAN to LAN VPN connection. The SBS box location has an ADSL connection, and therefore we have set up a smart host for SMTP sending.

When email is sent (from Outlook, connected to Exchange) from the remote office, it is invariably rejected as spam.

Email is not marked as spam if a software (Windows PPTP) VPN is established directly to the SBS box (regardless of whether the LAN-to-LAN VPN is connected or not).

I believe the issue is something to do with the originating-ip being detected as the remote office IP (which is dynamic) - but would have expected that this should not behave differently in either scenario?
mercury1ltd Author Commented:
I have found a resolution for this - it was a DNS problem. On the LAN-to-LAN VPN the DNS lookup was resolved to the external IP address of the SBS box - so was going over the internet to the SBS/Exchange server. When on the Windows VPN, the SBS server was providing the DNS lookup and therefore resolved itself.

The solution was to provide the IP of the SBS box as the primary DNS server on the remote network.

Quite why Exchange works like this (when both scenarios have an authenticated Outlook client) I don't know, and would be interested academically if someone could explain, but the original issue is resolved by this DNS change.
Please check your Receive Connectors. I can't point you to the exact option you need (yet), but your Exchange server seems not to trust the network the mails are coming from.
mercury1ltd Author Commented:
Sorry, I should clarify that these are outgoing emails - being rejected not by the Exchange server, but (generally) the SMTP smart host.

In that case, do you happen to have multiple public IPs on one NIC?
Exchange is blind to the IPs and randomly uses all given IP Addresses from the Network Adapter you assigned in your Send Connector.
If you look into the Message Queue you'll probably find reasons why the message is not accepted by the receiving Mail Server or the Smarthost.

Furthermore, Smarthosts do have limits imposed (Message Size, Amount of Messages per x minutes, etc.), maybe you hit one of these?
mercury1ltd Author Commented:
Only one IP I think.

Definitely not hit any smart host limits - this is definitely to do with the VPN. Messages sent when connected to the software (Windows) VPN directly to the SBS server work 100% of the time. Messages sent when just connected to the hardware VPN are always rejected as spam.
It is to do with the Receive Connectors. In them you decide how Exchange accepts Messages.
Generally speaking, you have a NIC/IP range where your clients are located. For these you accept only authenticated mail. For other IP ranges you can define that anonymous access is allowed (to work as an SMTP server for other servers that can't authenticate, for example).

So your LAN-to-LAN-Route resolved on the external IP-Address for which Exchange-Users is not checked, but Anonymous is (and that is proper).
So when Outlook tries to log on via this Receive Connector, Exchange says: "Anonymous or nothing, everything else is not kosher, and therefore is spam..."

(I hope my explanation is somehow comprehensible... hadn't had coffee yet ;))
mercury1ltd Author Commented:
This resolves the question
Question has a verified solution.