Plagus (United Kingdom of Great Britain and Northern Ireland) asked:
Email delivery issue with SMTP service in Windows Server 2012 R2

Hello Experts

I have set up a new SMTP server using Windows Server 2012 R2 and the SMTP service (IIS 6).  The server sits in our local domain but does nothing else for us.

For information (this is relevant) the server's DNS configuration is (in order):
192.168.40.50
192.168.40.53
8.8.8.8

The first 2 DNS servers are internal only - no internet access.

The problem I have is that with the DNS servers configured in this order no email will be delivered - the messages just sit in the queue. If I edit the order and place Google's DNS server first email delivery works every time - but I get untold numbers of local DNS related issues on the server over time.

With the DNS set up in the way I have listed above (i.e. Google last) my server will happily resolve any name (public or private) I ask it to.

It has unrestricted internet access.

This one has me scratching my head - so any advice will be gratefully received.

Many thanks.
Dan McFadden (United States of America)

Are you trying to deliver (relay) internal only emails or are the destination emails outside of your domain as well?

Dan
Plagus (ASKER)

Hi Dan

They are all destined for outside our domain.

Thanks.
A couple of questions:

1.  How many NICs in the server?
2.  How many IP addresses on the NICs?
3.  Is the SMTP service bound to a specific IP address?
4.  Your DNS servers cannot resolve external domain names?  The Root Hints have been removed and there are no forwarders configured?

Dan
Plagus (ASKER)

Thanks for coming back to me again.  The answers to your questions are:

1. 1 - it's a Hyper-V virtual server
2. 1 - 192.168.40.10
3. At present, no - it is set to "(All Unassigned)".  I have tried it set specifically to the IP address of the server however.
4. No.  A while ago we blocked all public internet access for all our servers with the odd exception (WSUS for example).
Being a virtual server is irrelevant; it is quite common nowadays.

I always recommend to use a specific IP, it makes for easier security management at the network perimeter (firewall).

Your last statement doesn't make sense.  If you've restricted all server access to internal networks only, how do you expect to deliver emails to the outside world?  How is your server resolving DNS names via a Google DNS server, if your servers have no Internet access?

Also, you are aware that Windows does not just scan through the listed DNS servers in your TCP/IP config and use one randomly.  There is a well defined process that Windows uses during the OS boot to determine which of the configured DNS Servers it will use.

Most of the time, the first DNS server listed is used.  Unless that server is offline, that is the one you are using.  The Windows DNS Client does not use all the DNS Servers in its config, it uses the first server to answer and then sticks with it until the network stack is restarted or the machine is rebooted.

Dan
Plagus (ASKER)

Dan

The SMTP server is one of the exceptions and has unrestricted internet access.

I believe I understand how the DNS servers are selected in order of use, but perhaps I don't.  With the 2 internal DNS servers only configured on the NIC we have no external resolution at all.  Add in Google's as a 3rd and we have external resolution.
ASKER CERTIFIED SOLUTION
Dan McFadden (United States of America)

Plagus (ASKER)

Thanks Dan.  I will give that a try (the allowing of 53 out through the firewall for our DNS machines).
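The thread's diagnosis is that the SMTP service relies on the host's DNS client, which sticks with the first listed resolver, and that the two internal DNS servers cannot answer external MX queries until outbound port 53 is permitted for them at the firewall. The following PowerShell script is an added diagnostic, not code from the thread or from Experts Exchange; it assumes it is run with administrative rights on the SMTP host (192.168.40.10 in the thread), that WinRM is enabled on the two internal DNS servers, that the RSAT DNS Server tools are installed locally, and that `example.com` is a placeholder to be replaced with a real destination domain.

```powershell
# Added diagnostic (not from the thread). Assumptions: run on the SMTP host as
# an administrator; WinRM reachable on the internal DNS servers; DnsServer
# module (RSAT) available locally. $Domain is a constructed placeholder.
$Domain    = 'example.com'
$Resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses -Unique

# 1. The order the OS will consult resolvers in (the first entry is the one
#    the DNS Client normally keeps using, as the thread points out).
Write-Host "Configured resolver order: $($Resolvers -join ', ')"

# 2. Ask each resolver directly for the MX records SMTP delivery needs.
#    -DnsOnly bypasses the hosts file, LLMNR and NetBIOS so the result
#    reflects that resolver alone; a failure here on the first-listed server
#    explains mail sitting in the queue.
foreach ($r in $Resolvers) {
    try {
        $mx = Resolve-DnsName -Name $Domain -Type MX -Server $r -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'MX' }
        $status = if ($mx) { "MX ok: $($mx.NameExchange -join ', ')" } else { 'no MX records returned' }
    } catch {
        $status = "FAILED: $($_.Exception.Message)"
    }
    Write-Host ("{0,-16} {1}" -f $r, $status)
}

# 3. On each internal DNS server: are forwarders configured, and can the
#    server itself reach a public resolver on 53/tcp? A TCP probe proves the
#    firewall rule exists; most lookups use UDP 53, so the rule must allow both.
foreach ($dns in '192.168.40.50', '192.168.40.53') {
    try {
        $fwd = Get-DnsServerForwarder -ComputerName $dns -ErrorAction Stop
        Write-Host ("{0}: forwarders = {1}" -f $dns, ($fwd.IPAddress.IPAddressToString -join ', '))
    } catch {
        Write-Host ("{0}: could not read forwarders ({1})" -f $dns, $_.Exception.Message)
    }
    $reach = Invoke-Command -ComputerName $dns -ScriptBlock {
        (Test-NetConnection -ComputerName 8.8.8.8 -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    Write-Host ("{0}: outbound 53/tcp to 8.8.8.8 = {1}" -f $dns, $reach)
}
```

Run it before and after the firewall change: the expected result once port 53 is open for the DNS servers is that the internal resolvers return the same MX answer as 8.8.8.8, at which point Google's resolver can be dropped from the NIC configuration and the local DNS problems the asker mentions go away. Restricting the firewall rule to the two DNS server addresses, rather than opening 53 outbound for every host, keeps the exposure limited to the machines that actually need it.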
Plagus (ASKER)

I've requested that this question be closed as follows:

Accepted answer: 500 points for danmcfadden's comment #a41239798
Assisted answer: 0 points for Plagus's comment #a41239807

for the following reason:

My own comment offered final clarification on the change I made to restore service.
Did my advice not help direct you to a resolution?  The question is being closed without awarding any points?

Dan