Solved

Exchange 2013 - False FQDN in Email Header

Posted on 2014-01-13
19
30 Views
Last Modified: 2016-05-18
Hello,

we have an exchange 2013 cluster:

2x CAS-Server
2x Mailbox-Server (DAG)

CAS-Server 1:
smtp1.domainname.de
IP: xxx.xxx.xxx.150

CAS-Server 2:
smtp2.domainname.de
IP: xxx.xxx.xxx.151

The FQDN is correctly set on sendconnector on both cas servers.
Now we have the following problem:

We send many emails to external mail systems and then check the header on received mails.

Received: from smtp1.domainname.de (xxx.xxx.xxx.150) => That's right

or

Received: from smtp1.domainname.de (xxx.xxx.xxx.151) => That's false. We have a false FQDN here: the FQDN does not match the IP address. Correctly it must be smtp2.domainname.de

We could not find any false configuration on our side.
Do you have an idea how we can fix this problem?

Thanks
Question by:uhscale
19 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39776328
Do you have one or two Send Connectors?
If you have two send connectors, are both servers on the Send Connectors?

Simon.
Author Comment

by:uhscale
ID: 39776350
Hello,

we have two send connectors.

EXCAS01
EXCAS02

On both send connectors we have both mailbox-servers added.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39776357
That is the problem then.
You need to have each server listed only on the connector that matches its FQDN.

Simon.
Author Comment

by:uhscale
ID: 39776371
Hello,

sorry but your answer is not clear for me.

We have 2 mailbox servers running in a DAG, so all mailbox servers must be able to use both send connectors. If one CAS server is down, the mailbox servers should be able to send using the other CAS server.
So we need to add all mailbox servers to all send connectors.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39776382
That isn't how Send Connectors work.
Send connectors belong to the org, not to a server.

Therefore if you have two send connectors with each server listed on one each, then email will flow no matter what. Exchange is quite capable of sending email from one server to another for delivery, which is what is happening now.

Simon.
Author Comment

by:uhscale
ID: 39776505
Hello,

thanks for your answer. I understand, but how do we configure it correctly?

If we have only one send connector with FQDN = smtp.domainname.de, we would still find two different IP addresses in the header:

Received: from smtp.domainname.de (xxx.xxx.xxx.150)
and
Received: from smtp.domainname.de (xxx.xxx.xxx.151)

But the A record for smtp.domainname.de can only be set to one IP address, for example xxx.xxx.xxx.150.

But if email is sent from
Received: from smtp.domainname.de (xxx.xxx.xxx.151)
this could be seen as spam on some mail servers, because hostname and IP address do not match.

Thanks
Expert Comment

by:ITConnection
ID: 39776866
Can you post the full header for both servers? Also, is the IP you are x-ing out internal or external?
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39777059
You need two connectors, with the correct FQDN on it.
Then set each source server as the correct one that matches the external IP address.

That is it.
It doesn't matter which server is up, because there is a valid Send Connector. As I wrote above, send connectors do not belong to a server, they are an org setting.

Simon.
Author Comment

by:uhscale
ID: 39778603
Hello,

sorry but your solution is not clear for me.

We have two send connectors

EXCAS01
EXCAS02

Both of them have our mailbox servers as source servers (these servers have no external IP address, only internal, and use the CAS servers as outgoing proxy).

On both send connectors we have the correct FQDN set.
But how do we assign our CAS servers to the send connectors?

Thanks
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39785125
You will need to adjust the NAT configuration so that the mailbox servers are sending out email with the correct external IP address.

I don't have access to a platform with the CAS and mailbox roles separated out. I haven't deployed separate servers for over three years on any deployment that I do, so it hasn't been an issue that I have come across. The best practice is all roles on all servers.

Simon.
Author Comment

by:uhscale
ID: 39785323
Hello,

there must be a general solution directly from Microsoft for how to configure such a scenario, as it is a normal scenario to use CAS servers as proxy for outgoing mails. And for high availability we must have a minimum of 2 CAS servers.
Expert Comment

by:ITConnection
ID: 39785353
I agree with Simon. It sounds like you have the two servers set up properly and it is just a NAT issue you are having. You have to set your firewall or NAT device to have both servers send with the same IP address.
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39785913
"And for high availability we must have a minimum of 2 cas servers. "

That is indeed the case, but you can combine them with the mailbox role servers and use hardware load balancers. The only designs I have seen that split out the CAS role are those that use WNLB - I don't use WNLB for any reason or purpose (it isn't recommended by the Exchange product team and generally sucks) so I have no reason to split the role out.

With Exchange 2013 you cannot use the CAS role to proxy SMTP traffic out to the internet because that is done by the mailbox role. The CAS role is purely CAS.
If you were expecting something different then you have designed your implementation wrong.

Simon.
Author Comment

by:uhscale
ID: 39832450
Hello,

we are still searching for a solution here. The mailbox servers have no public IP address for security reasons. To protect customer data, the mailbox servers holding the mailbox stores should have only a backnet IP address and no frontnet IP address.
That's why Microsoft included the option to send using the CAS server proxy option.

So we are still searching for a solution of our problem.

At: http://technet.microsoft.com/en-us/library/aa996349%28v=exchg.150%29.aspx
you see that mails are sent using CAS servers.

Mailbox servers send only internal mails, to other mailbox servers inside the same organization.

Thanks
Expert Comment

by:ITConnection
ID: 39832489
So are these IP addresses:
Received: from smtp.domainname.de (xxx.xxx.xxx.150)
and
Received: from smtp.domainname.de (xxx.xxx.xxx.151)
Internal or External?
Author Comment

by:uhscale
ID: 39832589
Those are External.
Expert Comment

by:ITConnection
ID: 39832966
And your issue is that both should have the same IP, correct? Can you not set your firewall to send email from the problem server with the same external IP?
Author Comment

by:uhscale
ID: 39834873
Hello,

the problem is not sending from only one IP address. The problem is that we cannot find the association between IP address and FQDN.

At the moment we have only one FQDN (smtp.domainname.de), but it is sending from two different IP addresses.
This is false!

So it must be possible to set the FQDN per sending IP address, like:

Received: from smtp1.domainname.de (xxx.xxx.xxx.150)
and
Received: from smtp2.domainname.de (xxx.xxx.xxx.151)

On Exchange 2010 this was working fine. On Exchange 2013 we cannot find how to do the same.
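As an added example that is not part of the thread, here is a small Python checker for the mismatch uhscale describes: it parses the `from <host> (...)` clause of each `Received:` line and compares the IP in the parentheses against the A record of the host name, which is the kind of check a receiving mail server may apply before scoring the message as spam. The A-record table and the 192.0.2.x addresses are constructed stand-ins for the thread's xxx.xxx.xxx.150/.151, so the script runs offline.

```python
import ipaddress
import re

# Constructed sample headers modelled on the ones quoted in the thread.
SAMPLE_HEADERS = [
    "Received: from smtp1.domainname.de (192.0.2.150)",               # correct pairing
    "Received: from smtp1.domainname.de (192.0.2.151)",               # uhscale's false FQDN case
    "Received: from smtp.domainname.de (smtp.domainname.de [192.0.2.151])",  # single-connector case
    "Received: from smtp2.domainname.de (192.0.2.151)",               # correct pairing
    "X-Mailer: not a Received header",                                # ignored
]

# Constructed stand-in for DNS: host name -> set of A-record addresses.
# In production replace this with a real forward lookup of the host name.
A_RECORDS = {
    "smtp1.domainname.de": {"192.0.2.150"},
    "smtp2.domainname.de": {"192.0.2.151"},
    "smtp.domainname.de": {"192.0.2.150"},  # an A record can point to only one of the two
}

# "Received: from <helo-name> (<anything>)" - both "(ip)" and "(name [ip])" forms occur.
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<paren>[^)]*)\)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(line):
    """Return (helo_name, ip) from a Received line, or None if it does not match."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    ip_m = IPV4_RE.search(m.group("paren"))
    if not ip_m:
        return None
    return m.group("helo").lower(), ip_m.group(1)


def classify(helo, ip, a_records):
    """match / mismatch / no-a-record / invalid-ip for one host-IP pair."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "invalid-ip"
    addrs = a_records.get(helo)
    if addrs is None:
        return "no-a-record"
    return "match" if ip in addrs else "mismatch"


def audit(headers, a_records):
    """Classify every parsable Received line; non-Received lines are skipped."""
    findings = []
    for line in headers:
        parsed = parse_received(line)
        if parsed is not None:
            findings.append((parsed[0], parsed[1], classify(parsed[0], parsed[1], a_records)))
    return findings
```

Running `audit(SAMPLE_HEADERS, A_RECORDS)` flags the second and third lines as `mismatch`, which is exactly the header pattern the question is about.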