Juan Ocasio
asked on
Setting up exchange server to accept mail from certain IP addresses
Hello all:
I just set up service with GFI MailEssentials to stop unwanted spam from entering my organization. Everything is working well so far, however, we are still having issues with some spam hitting our IP address directly and not going through GFI's system. The way to avoid this is to allow emails only from GFI's IP addresses. Any other mail will be dropped.
Can someone please direct me in the direction to getting this set up? I have SBS 2008 so the setup is pretty vanilla straight out the box. I've been reading up on this and I believe I have to set up Edge Transport, but really don't know if that's the correct way to get this done.
I will be awarding the points to whomever can give me step by step instructions, and not a link as I do not want to mess my Exchange server up. Everything has been working well, and as they say, 'If it's not broken, don't fix it'. I may be asking additional questions as I implement any suggestions (or prior to implementing any suggestions). The other route is to set up my firewall to allow only certain IP addresses. I thought about this, but setting up the rules on our FortiGate would be a bit time consuming as there are many IP addresses for me to allow.
Many thanks in advance!
jocasio
I think you are looking at the "Client" Receive Connector, and not the one that accepts mail from the outside world's email servers. One way to check, and this is going to be a bit more work, is to look at each Receive Connector, and look for any where "Anonymous" connections are allowed. External email servers cannot be expected to authenticate with your server, so any Receive Connector that has "Anonymous" checked is possibly one you need to be looking at.
As for the 2 IP ranges you mentioned, that means that that particular Receive Connector is set up to accept/receive mail only from those 2 IP ranges. If that is the case, and that is the only Receive Connector that is configured, then I think you need to look at your firewall. I wouldn't delete those just yet. I'm afraid you're going to need to do a little detective work, and figure out how port 25 traffic flows from the outside world to your server. Once you understand that flow, you will know what you can delete (and what you need to keep). It might very well be that someone at some point has configured it so that your firewall controls the entry of port 25 traffic to your server.
At any rate, it is my opinion that this filtering is best done on your firewall. If the firewall drops undesirable email (port 25) traffic, it results in a little less work for your mail server to do, and helps prevent unnecessary traffic from entering your network in the first place.
So, don't delete anything just yet. Investigate fully all Receive connectors to see which one (or which ones) accept traffic from anonymous sources without requiring authentication.
ASKER
Didn't see your reply before I did this, so I did it and...
OK. I tried to do this, but GFI started reporting Bounce Perm Fail messages:
Disposition DIR Status Reply
BOUNCE (PERM FAIL) IN 530 5.7.1 Client was not authenticated
Not sure what this means. Also, I have 3 connectors: 1) the Default, 2) SharePoint, 3) Internet (my remote.domainname.com). The SharePoint one is set to 127.0.0.1. Interestingly, the Internet connector seems to be set up incorrectly, but I am not sure why it is used. We do connect via web browsers at remote.mydomain.com and that seems to work well. Would this also have to be set to the IP addresses for GFI?
Any more help would be greatly appreciated.
Thanks!
jocasio
If you changed only the connector with the 2 IP ranges you mentioned, and it broke stuff, then that can only mean that you need to look at your firewall. Can you restore the original settings and see if you stop getting those Bounce messages?
(BTW, I am assuming you are using the Online version of GFI Mail Essentials here)
ASKER
Yep. I did restore the settings and all is good now. My firewall is just set to NAT port 25 to my Exchange server, so I don't think that's the issue. I am using the online version of GFI. I am going to pick this back up in the am to see if I can get some help from GFI. If you can think of anything else in the interim, please let me know.
Many thanks!
jocasio
From an outsider's point-of-view, the Receive connector that was modified caused problems with receiving external email when it was modified. So, it would seem that connector is the one that Exchange uses for receiving email from remote addresses (assuming that was the only connector where a change was made). Call me stubborn, but I think that is the place to adjust settings (apart from the firewall, that is :) ).
Was this server set up using the wizards?
If so you should have THREE connectors - the Default, Client and SBS Connector.
It is the SBS connector that you should be changing. The default should be left as it is.
The best thing to do right now is get it back to the default setup - so use the Fix My Network wizard in the SBS management console to correct things.
Simon.
ASKER
Sembee2:
Yes: I had three connectors:
Default COMPUTERNAMESBS
Windows SBS Fax Sharepoint Receive COMPUTERNAMESBS
Windows SBS Internet Receive COMPUTERNAMESBS
As an example, if my IP range was the following - 192.168.123/24 - here are the following remote IP addresses:
Firewall: 192.168.123.1
Server: 192.168.123.2
RECEIVE CONNECTORS:
Default COMPUTERNAMESBS has as its remote IP addresses:
192.168.123.0-192.168.123.0
192.168.123.2-192.168.123.255
In the "Specify the FQDN this connector will provide in response to the HELO or EHLO":
COMPUTERNAMESBS.domainname.local
Windows SBS Fax Sharepoint Receive COMPUTERNAMESBS has as its remote IP addresses:
127.0.0.1-127.0.0.1
In the "Specify the FQDN this connector will provide in response to the HELO or EHLO":
COMPUTERNAMESBS.domainname.local
Windows SBS Internet Receive COMPUTERNAMESBS has as its remote IP addresses:
0.0.0.0-192.168.122.255
192.168.123.1-192.168.123.1
192.168.124.0-255.255.255.255
In the "Specify the FQDN this connector will provide in response to the HELO or EHLO":
remote.domainname.com
I've gone ahead and modified the Windows SBS Internet Receive COMPUTERNAMESBS and it seems to be working. Was this the one I should have modified? Do you know what the correlation is between the three connectors?
Many thanks!
jocasio
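The checks discussed in this thread, as an added Exchange Management Shell example (not code from any poster): it lists the receive connectors with their anonymous permission and remote IP ranges, then backs up and previews a restriction of the Internet-facing connector. The provider ranges are placeholder documentation addresses, the backup path is hypothetical, and the connector name pattern is taken from the names quoted above.

```powershell
# Added example: run in the Exchange Management Shell on the SBS 2008 server.
# Placeholder ranges (RFC 5737 documentation addresses); substitute the
# ranges published by your filtering provider.
$providerRanges = '192.0.2.0/24', '198.51.100.16-198.51.100.31'
$backupFile     = 'C:\Temp\receive-connector-ranges.txt'   # hypothetical path

# 1. Audit: which connectors accept unauthenticated (anonymous) SMTP,
#    and from which source addresses?
Get-ReceiveConnector |
    Select-Object Name, Bindings, PermissionGroups,
        @{ Name = 'Anonymous'
           Expression = { "$($_.PermissionGroups)" -match 'AnonymousUsers' } },
        @{ Name = 'RemoteIPRanges'
           Expression = { [string]::Join('; ',
               @($_.RemoteIPRanges | ForEach-Object { "$_" })) } } |
    Format-List

# 2. Pick the Internet-facing connector by the name shown in the thread.
$internet = @(Get-ReceiveConnector |
    Where-Object { $_.Name -like 'Windows SBS Internet Receive*' })
if ($internet.Count -ne 1) {
    throw "Expected exactly one Internet receive connector, found $($internet.Count)."
}
$connector = $internet[0]

# Stop if it does not accept anonymous mail: a connector without that
# permission answers unauthenticated senders with
# '530 5.7.1 Client was not authenticated', the reply quoted in the thread.
if ("$($connector.PermissionGroups)" -notmatch 'AnonymousUsers') {
    throw "'$($connector.Name)' does not allow anonymous connections."
}

# 3. Save the current ranges so the change can be rolled back.
$connector.RemoteIPRanges | ForEach-Object { "$_" } | Out-File $backupFile

# 4. Preview the change; remove -WhatIf to apply it.
Set-ReceiveConnector -Identity $connector.Identity `
    -RemoteIPRanges $providerRanges -WhatIf
```

To roll back, pass the saved lines to the same cmdlet: `Set-ReceiveConnector -Identity $connector.Identity -RemoteIPRanges (Get-Content $backupFile)`.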
ASKER
Thanks again:
I have split the points because Kaffiend led me in the right direction and Sembee2 pinpointed the correct configuration with a great explanation.
Thanks again, experts!
jocasio
ASKER
Simon: I do have one more question. The Windows SBS Internet Receive COMPUTERNAMESBS had my firewall's IP address as one of the remote IPs. Do I have to keep that? I removed all of the previous configs (including that one) and it still seems to work. Is there any reason why it was there to begin with?
Thanks again!
jocasio
It shouldn't be there, so I would remove it.
Simon.
ASKER
Thanks Simon.
ASKER
I checked this setting and interestingly the 2 ranges in the "Receive mail from remote servers that have these IP Addresses" are both from my IP range.
So if the IP address of my server is 192.168.1.2 the two ranges are:
192.168.1.0-192.168.1.0
192.168.1.2-192.168.1.255
Can you please tell me what this means? Do I delete these two entries and add the ones for GFI?
Thanks
jocasio