How to bypass local mail delivery for exchange 2013/2010 and use smart host exclusively

Hello,

We have a hosted exchange platform running exchange 2010 and 2013 and need to solve a security flaw with emails delivering locally for domains locally hosted.

We have resellers who have web access to a Citrix portal to provision their clients domain, users, distribution groups, forwarding and including the ability to switch the domain between 1. Authoritative, 2. Internal Relay, 3. External Relay.
This opens up the system for abuse as a reseller could easily create a verywellknowndomain.com as Authoritative and intercept mail being sent from other users on the same platform. Ideally we need the Exchange to use MX records to find the delivery route or have the ability to force all internal mail through a smarthost and bypass the local delivery system in Excahnge.

Does anyone know if there is a transport rule that can be changed or even if there is a 3rd party application that can run alongside exchange?

Thanks
technolutionsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jason CrawfordExchange / Office 365 Premier Field EngineerCommented:
You should just be able to specify external MX lookups on your Send Connectors:

https://technet.microsoft.com/en-us/library/jj657457(v=exchg.160).aspx

If one of your tenants has the ability to configure an accepted domain, they're just telling the server to add to the list of domains it accepts email for and not necessarily how that email will route/deliver.
0
technolutionsAuthor Commented:
Hi Keyser

Thanks, but thats not what I am trying to get at.

We have a multi tenant hosted platform with Citrix Clouportal in front.
We provision a Customer with Exchange services which creates the mailboxes and AD entries.

The problem that we have is as follows:

Tenant A has branding enabled. The branding is added when the mail leaves our platform.
Tenant B does not have branding.
Both Tenants have send connectors.

Tenant A sends a mail to Tenant B. Exchange looks at the mail, looks at the recipient and finds that TenantB is also on the same platform.  It then uses the AD delivery route instead of going out via SendConnector, Branding and then being delivered to Tenant B.

apologies if my previous question was not clear enough and thanks for taking the time to assist.
0
Jason CrawfordExchange / Office 365 Premier Field EngineerCommented:
Thank you for the clarification.  I want to ensure I understand correctly so here's an example of what I'm hearing.  

1. You're working with a multi-tenant instance of Exchange behind a Citrix web front-end
2. Tenant A creates an Authoritative Accepted Domain of, for instance, gmail.com.
3. Tenant B sends an email to a gmail.com email address, and because that domain is now internal to Exchange it routes locally instead of through gmail.com MX record

Am I correct in assuming Cloudportal handles all tenant separation settings (Address Lists, RBAC roles, AD perms, etc)?  If so I've worked with a similar product called Hosting Controller, and at least with the HC platform all access was tiered:

1. Root
2. Reseller
3. Customer

Each tier had an increasingly higher level of access from Customer to Root.  In this instance the "tenant" would be assigned the Customer level of access and would not have the ability to add more domains on their own.  Before we look at this from the Exchange side, is there no way to restrict access on the Cloudport level?
0
technolutionsAuthor Commented:
We have found this product http://knowmoreit.com/product/route-by-sender/ which seems to fit most of the objectives. It is not the easiest solution to implement and requires adding dll files and loading them with exchange. It also requires building your own xml file for the dll's to operate and needs to be added to all the servers with Transport roles. There is a template but this can lead to discrepancies if the file needs to be updated manually on each server.

We can't remove the function of resellers not being able to manage their domains autonomously and we would simply not have the resources to manage this for all of them.

For now we will use this solution by routing all mail between tenants out of a single send connector this will mean we will only have to update the xml file once.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
technolutionsAuthor Commented:
To let anyone else know about the solution
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.