jdfuller
asked on
Sonicwall - Spam Filter - Exchange Interaction
The title about says it all. I am coming in on the public IP into the Sonicwall (TZ170 ::: x.x.x.200). I used the public service wizard to create the "Exchange Private" service, as it was named, that routes the mail to the Exchange Server (Clean install, 10 user, Exch 2010 on new Server 2008 (Domain Controller, ADS) ::: x.x.x.210). I then "re"-routed the incoming mail, by changing the target IP of the service, to the filter (a Barracuda Model 100 appliance). Tech support at Barracuda says all settings are correct and working. The IP test shows the Exchange Server rejecting incoming mail. I checked the existence of the recipient in the Exchg Mgmnt Console and it existed. I checked the (A) and (MX) records in the Forward Lookup Zones and they exist, also. From the client (Outlook 2003 or 2007) the server syncs the folders just fine for the users, however, the sent mail appears to go but is never delivered. Outbox empties, Sent Items shows item but no mail goes out. They CAN send to each other, just not outbound from the server.
I want to remove the Barracuda and fix just the Exchange problem first. I feel like there are way too many moving parts right now.
Definitely a few moving parts.
Did e-mail, both in and out, work with the Exchange server through the firewall PRIOR to you "rerouting" the incoming mail?
If not, I would take the Barracuda out of the equation until you have the basics diagnosed/fixed.
If it DID work before the rerouting, I would look at how the Exchange server, filter and firewall "point" SMTP traffic to make sure it all matches up. Since Exchange "thinks" it is sending, I wonder if the traffic is being "black holed" by the filter or the firewall.
- Tom
If SMTP worked prior to the reroute, I would look at the firewall first.
On my larger networks, I DISABLE outbound SMTP unless it originates from authorized servers (in case someone is able to somehow install malware that attempts to spam). On a SonicWALL, I normally define an Address Object, "Internal Mail Servers", and only allow outbound traffic from that object.
However, if you did something similar, but the object is just a single host instead of a group, then the firewall would drop the SMTP traffic unless you also redefined the host object as being the Barracuda.
- Tom
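The egress rule Tom describes, and the failure mode when the allowed object is a single host rather than a group, shown as an added example that is not part of the thread or any SonicWALL configuration. The log format, the 192.0.2.x addresses (mirroring the .200 and .210 hosts) and all names are constructed for illustration.

```python
import ipaddress
import re

# Constructed address objects (hypothetical names, RFC 5737 documentation addresses).
EXCHANGE = ipaddress.ip_address("192.0.2.210")
BARRACUDA = ipaddress.ip_address("192.0.2.200")

# Constructed firewall log lines in a made-up key=value format.
SAMPLE_LOG = """\
src=192.0.2.210 dst=203.0.113.25 proto=tcp dport=25
src=192.0.2.200 dst=203.0.113.25 proto=tcp dport=25
src=192.0.2.57 dst=198.51.100.9 proto=tcp dport=25
src=192.0.2.57 dst=198.51.100.9 proto=tcp dport=443
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def evaluate(log_text, mail_servers):
    """Apply 'outbound SMTP only from mail_servers'; return (allowed, dropped) sources."""
    allowed, dropped = [], []
    for line in log_text.splitlines():
        match = LINE_RE.fullmatch(line.strip())
        if not match:
            continue  # skip lines that are not in the sample format
        src, _dst, proto, dport = match.groups()
        if proto != "tcp" or int(dport) != 25:
            continue  # the rule only concerns outbound SMTP
        if ipaddress.ip_address(src) in mail_servers:
            allowed.append(src)
        else:
            dropped.append(src)  # workstation malware, or a relay left out of the object
    return allowed, dropped


if __name__ == "__main__":
    # Object defined as a single host: the filter's own outbound SMTP is dropped.
    print("single host:", evaluate(SAMPLE_LOG, {EXCHANGE}))
    # Object defined as a group containing both mail hosts: only the workstation is dropped.
    print("group:      ", evaluate(SAMPLE_LOG, {EXCHANGE, BARRACUDA}))
```

Dropped entries from a host that is not a mail server are also worth alerting on, since that is the spam-sending malware case the rule exists for.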
@Tom: This question was spawned from the question below after I helped him set up the sonicwall. Just helping complete the picture.
https://www.experts-exchange.com/questions/26279484/Sonicwall-Setup-for-Exchange-2010.html
SOLUTION
ASKER
Thanks all and digi for hanging in. More info. This is a new domain that has never rcvd or sent email externally or internally. The hope was that I could somehow get things verified working before unleashing the www on the exchange server. Here is a thought. The external new domain is being forwarded to the current working domain that is hosting pop mbxs. I worry that this new domain is visible to the LAN dns and is complicating my efforts. Thoughts are to point the new domain mail traffic into the public ip and not forward it to the existing domain thereby isolating it from the current www that hosts the pop mail. The idea is to eliminate the pop mbxs once the new domain is functioning properly. Late here in California. Will pick up tomorrow morn. Thanks again to all interested parties. Stay tuned.
ASKER
For those following this thread :::
I have removed the spam filter in an effort to minimize parametric difficulties; a.k.a., too many cooks in the kitchen. I am going to make sure the exchange server is working with the new domain first before adding the spam filter back into the equation. I have pointed the new domain to the WAN static IP and have dropped all the email config's from the Sonicwall. I am going to recreate the email services using the Sonicwall Public Service Wizard pointing it at the exchange server for now.
MOD ::: Appreciate the open Q until resolved. Maybe it will be beneficial to have the result eventually. Should be in a couple days. Thanks.
fingers crossed...i'm sure you'll get it. stepping back is usually the best first step to resolution.
Sounds like a plan.
With a clean and tested setup on the SonicWALL, it is pretty easy to tweak the Address Objects to redirect to the Barracuda. I've done it a few times and it was fairly easy.
I would like the Q left open pending your progress too.
Good Luck,
Tom
ASKER
OK folks...the next installment is here. I have managed to use the Sonicwall wizard to set up the public service for Exchange. I have had the new domain pointed at the WAN IP for several days now. I can telnet to the IP and get a response from the server on port 25. I get ESMTP MAIL Service ready...
I am testing send receive traffic from the new domain as I write this but wanted to post something in light of the EE prompt to continue the question. More very soon.
great...thanks for the update!
ASKER
Reference Thread: https://www.experts-exchange.com/questions/25065088/Exchange-Receive-Connector.html
This person had the same type of problem so I followed all the screen shots that led to the successful outcome BUT..there is always a but... I get this response from the domain when sending mail from the outside to the new domain:
SMTP error from remote mail server after RCPT TO:<recipient@domain.org>:
host mail.domain.org [x.x.x.196]: 550 5.7.1 Unable to relay
This, by the way, was the response I got from the Barracuda Spam Firewall when it tried to verify installation by sending a message to Barracuda. I may have mentioned that earlier.
ASKER
From this great little test website from MS ::: https://www.testexchangeconnectivity.com
Result :::
Testing Inbound SMTP Mail flow for domain voviedo@woodwardpark.org
Failed to test inbound SMTP mail flow.
Test Steps
Attempting to retrieve DNS MX records for domain woodwardpark.org
One or more MX records were successfully retrieved from DNS.
Additional Details
MX Records Host mail.woodwardpark.org, Preference 0
Testing Mail Exchanger mail.woodwardpark.org.
One or more SMTP tests failed for this Mail Exchanger.
Test Steps
Attempting to resolve the host name mail.woodwardpark.org in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 99.3.111.196 ::: THIS IS CORRECT - jdfuller
Testing TCP Port 25 on host mail.woodwardpark.org to ensure it is listening and open.
The port was opened successfully.
Additional Details
Banner Received: 220 WPBCDC01.WPBC.local Microsoft ESMTP MAIL Service ready at Tue, 29 Jun 2010 16:21:59 -0700 ::: THIS IS ALSO RECEIVED VIA TELNET - jdfuller
Attempting to send test email message to voviedo@woodwardpark.org using MX mail.woodwardpark.org.
Delivery of the test message failed.
Additional Details
Server returned status code 550 - Mailbox unavailable. The server response was: 5.7.1 Unable to relay
Exception details:
Message: Mailbox unavailable. The server response was: 5.7.1 Unable to relay ::: The mailbox SMTP Email address is correct and is on the users Exchange Account profile tab - jdfuller
Type: System.Net.Mail.SmtpFailedRecipientException
Stack trace:
at System.Net.Mail.SmtpTransport.SendMail(MailAddress sender, MailAddressCollection recipients, String deliveryNotify, SmtpFailedRecipientException& exception)
at System.Net.Mail.SmtpClient.Send(MailMessage message)
at Microsoft.Exchange.Tools.ExRca.Tests.SmtpMessageTest.PerformTestReally()
Does this help anyone?
ASKER
FIXED!!! I found there was NO "Accepted Domains" other than the .local in the Exchange Management Console/Org. Config./Hub Transport. Why doesn't the install make one! The default domain was given at the time of install. I didn't think of this at all. I only found it by picking at one tab at a time and validating its settings by reason.
Once the new domain was added as an Accepted Domain, BINGO!! the receive started working for all recipients.
PROBLEM: I still can't send! I created a Send Connector to IP range 0.0.0.0-255.255.255.255. This did not seem to help. Do I need it?
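Why the missing Accepted Domain produced "550 5.7.1 Unable to relay" for a mailbox that exists, as an added example that is not from the thread and is not Exchange code: a simplified model of a receiving server's RCPT decision, replayed before and after the fix. The session, the probe host name and every reply text other than the 550 line quoted above are constructed.

```python
# Simplified model of a receiving SMTP server's RCPT decision (illustrative only).
SESSION = [  # constructed inbound session from an outside sender
    "EHLO probe.example",
    "MAIL FROM:<sender@example.net>",
    "RCPT TO:<recipient@domain.org>",
    "QUIT",
]


def rcpt_domain(cmd):
    """Return the lower-cased domain from a 'RCPT TO:<user@domain>' command."""
    address = cmd.split(":", 1)[1].strip().strip("<>")
    return address.rsplit("@", 1)[-1].lower()


def run_session(commands, accepted_domains, client_may_relay=False):
    """Replay commands and return [(command, reply)] as the server would answer."""
    accepted = {d.lower() for d in accepted_domains}
    have_sender, transcript = False, []
    for cmd in commands:
        verb = cmd.upper()
        if verb.startswith(("EHLO", "HELO")):
            reply = "250 Hello"
        elif verb.startswith("MAIL FROM:"):
            have_sender, reply = True, "250 2.1.0 Sender OK"
        elif verb.startswith("RCPT TO:"):
            if not have_sender:
                reply = "503 5.5.1 MAIL FROM required first"
            elif rcpt_domain(cmd) in accepted or client_may_relay:
                reply = "250 2.1.5 Recipient OK"
            else:
                # Domain is not one the server owns and the client is not trusted,
                # so the message would have to be relayed onward: refuse it.
                reply = "550 5.7.1 Unable to relay"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Command not recognized"
        transcript.append((cmd, reply))
    return transcript


def rcpt_reply(accepted_domains, recipient="recipient@domain.org"):
    """Reply to RCPT TO for one recipient, given the accepted-domain list."""
    session = SESSION[:2] + [f"RCPT TO:<{recipient}>", "QUIT"]
    return run_session(session, accepted_domains)[2][1]


if __name__ == "__main__":
    print("before:", rcpt_reply(["WPBC.local"]))
    print("after: ", rcpt_reply(["WPBC.local", "domain.org"]))
```

With the domain added, recipients in any other domain are still refused from an untrusted client, so the server accepts its own mail without becoming an open relay.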
ASKER
BTW ::: The client shows the mail is Sent and it is in the Sent folder but no bounce and no indication that it went out.
ASKER CERTIFIED SOLUTION
ASKER
digi ::: Did you see the comment I made above yours? I made one but I admit the IP address range I put was 0.0.0.0-255.255.255.255 and don't include subdom's. I am changing it now and will test. Hang on...
yeah...i saw that...thought the IP was wrong...fingers crossed.
ASKER
digi ::: You got it. I guess 0.0.0.0-255.255.255.255 isn't a valid IP range? What gives? That changed and the one I found about the "Accepted Domains" did the trick. Thanks for hanging in there with me to figure this out. I wish there were more points to award you. Tom got me started on the right track while I was fumbling with the Barracuda so I have to give there, too.
I'll be on the Send/Receive Error next after I put the Barracuda back on line. I'm guessing there'll be more points to award in those two areas. Keep an eye on my Author name. I seem to ask more than I answer but maybe that will change in time. You guys rock.
ASKER
Goes to show, team work - works! Thanks. Best money ever spent.
no problem...i think my wife wishes i'd never heard of it!!
Glad we could help and thanks for the points! I'll keep my eye for your next question...
ASKER
Ditto! :o)
ASKER
Sonicwall ::: Barracuda ::: Exchange Server
x.x.x.253 x.x.x.200 x.x.x.210