Adding second domain to Exchange Server - try #2

Status
Not open for further replies.

bwgreen

Programmer
Mar 23, 2006
68
CA
Slight change from my previous post - another user pointed out a typo I made.

Current configuration: Exchange 2003 server as a member server in domain x.com, processing e-mail for this domain. Everything working fine.

New configuration: We are adding a connection to a new network that has a domain y.org. We have been given z.y.org and are authoritative on that subdomain - I have added this zone to our DNS with an SOA record, and a forwarder to the DNS for y.org so we can resolve their MX record, or get forwarded to another DNS Server to get the MX record for a.y.org. In Exchange I have updated the Default recipient policy to add @z.y.org as a valid SMTP address and checked the box to tell Exchange that it processes all mail for this domain. The problem we are running into is when someone at y.org sends an email to user@z.y.org, or when I telnet to the SMTP virtual server and manually create a message using command-line SMTP (EHLO, mail from: another_user@x.com, rcpt to:user@z.y.org) an error occurs: "550 5.7.1 Unable to relay for user@z.y.org".

Thanks for all help!
 
Welcome back. A lot neater.
So, let's take the DNS. You didn't need to do anything on your systems for the DNS for either z.y.org or y.org.

1. Because you have a Recipient Policy for z.y.org anyone sending email to it should have it accepted.

2. Because your server knows nothing about y.org it will do a DNS lookup all on its own. It doesn't need any help from you.

3. So long as the owners of y.org have set stuff up properly, and from your previous post it seems like they have, your server will be able to resolve it.

Your SMTP behaviour is indeed confusing. I'm thinking really that, assuming you have not made one of your little typos, you should undo all this DNS stuff. None of your DNS needs to have any *.y.org configurations. Get it all out and tidied up and then let's take it from there.

 
Do I not need the MX record for z.y.org on my DNS so that people in y.org can send to my server?
 
Yes, but you already explained that y.org isn't under your control. You have been talking about "our zone" and my assumption has been that it is the DNS in your AD you're talking about. Your internal stuff does not need to know about z.y.org in DNS because you're just supporting the SMTP domain.
If "our zone" suddenly means that you do, after all, have control over the y.org domain that the other people own then that's a different story.

At the moment I am assuming that you do not own y.org and you do not have admin access to y.org. You told us that "they" had created z.y.org in "their" DNS which is great and correct.
 
They created a forwarder to our DNS to be able to resolve z.y.org - that is in our control. They don't have an MX record on their DNS for the z.y.org domain.
 
Hell fire, they love to complicate matters don't they. Can you post the proper domain names so that we can have a look?

There is no reason that your Exchange server would give you that error if it were properly configured.
 
Actually, I can't. And besides that, this is an internal network - no connection to the Internet.
 
Well then. I'm not saying that I don't believe you but, err, I don't think it's configured right.
I would advise you to check everything. Like I say, you should not have an unable to relay if you do indeed have an RP for that exact domain, regardless of what any DNS says.
 
I am just checking this.

1. In the Default Recipient Policy, in the e-mail Addresses tab I have an entry for @y.z.org of type SMTP, an entry for x.com of type SMTP (This is the default for SMTP), and an X400 entry.

2. In the Default SMTP Virtual Server, I have Anonymous Authentication enabled - everything there is default.

3. I have an SMTP connector for the new domain, with both z.y.org and y.org defined in the Address Space tab. The bridgehead server is my local Exchange Server.

I can't think of anything else to look at - can you?
 
Well, there is the fact that you've said @y.z.org when we're probably talking about z.y.org (or at least we have been all day)
Typo confidence levels remain high :)

Create another one called domain.local or something and see what you get. I know all this domain substitution is likely to force typos but do another, just in case.
 
OK, I tried adding a new domain to Exchange (dummy.com) - still get the Relay error. Which makes me think that somehow the information on the domain is not getting sent to the SMTP Virtual Server, since that's where the error is coming from. If I try to use the rcpt to: x@x.x I get the same message - "Unable to relay for x@x.x" (when telnetted to the SMTP Port on my Exchange Server).

Is there something I need to do to tell the SMTP Server to process a new domain?
 
Idea # (I've lost count of what I have tried!!)

I set up another server as a relay for my exchange server to process messages from z.y.org - but my Exchange Server still says "Unable to Relay". The e-mail I get is:

Undeliverable: Delivery Status Notification (Failure)

The following recipient(s) could not be reached:
User on 8/31/07 8:45 AM
You do not have permission to send to this recipient. For assisstance, contact your system administrator.
<server2.x.com #5.7.1 smtp;550 5.7.1 Unable to relay for user@z.y.org>

I am out of ideas here, but I have to get this working! Any ideas?
 
Something I want you to try.
Use Outlook for this:
Create a new email message.
Enter your own z.y.org email address and do Check Name.
Does it get resolved to your display name?
Enter random text and hit send.
Do you get the message?
 
I just did what you asked - everything worked as it should.
 
That sounds like you have restrictions on your SMTP VSI that are not letting you submit messages to the SMTP interface. What settings are there? Look on the Relay and the other button (security/authentication? something like that)
 
Default SMTP Virtual Server settings, Access tab:

Authentication - all 3 options are selected (Anonymous, Basic Authentication, Integrated Windows Authentication)

Relay - Only the list below is selected, the only item in the list is the server itself, and the Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above checkbox is selected

Connection - All except the list below is selected, and the list is empty.

Certificate - There is no certificate set up on this server.
 
There's your answer.
If you want to use Outlook only to submit mail then you don't need to do anything. If you've got some application or Outlook Express users who need to use SMTP then their IP addresses need to be there or the authentication needs to be ticked (as it is)
So, the IP address of the server is utterly pointless. Whoever set it up in the past didn't know what they were doing with the relay settings.
Put your workstation's IP address in there instead of the Exchange server and restart the SMTP Service.

You will, I assure you, be able to submit anonymously.
 
I just tried this - deleted the address, stopped and started the SMTP Virtual Server, and sent a message from another SMTP Server that I set up just for testing - still Unable to Relay.
 
You need someone who knows what he's doing on that server really. Your next step is to check the Submit and Relay settings. If someone had done something silly with one thing they have probably done something wrong with that as well. will help you a little bit but I'm worried you don't know enough to go as deep into it as you need.
Why don't you take screen shots of every single screen in the SMTP settings and mail them to me? mark-at-mvps-dot-org
 
Mark,

I am thinking that the SMTP Server is not getting the configuration from Exchange that the server is responsible for the domain z.y.org - I'm just not sure why. Unfortunately, I can't do screenshots and send them to you about this.
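
Added example, not part of the thread and not Exchange's own code: a simplified model of how an SMTP server answers RCPT TO, showing that "550 5.7.1 Unable to relay" for a domain the server should own depends on the SMTP service's list of local domains, not on DNS. The class, its field names and the 192.0.2.x addresses are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SmtpVirtualServer:
    """Simplified RCPT TO decision; hypothetical model, not Exchange internals."""
    local_domains: set                              # domains the SMTP service treats as its own
    relay_ips: list = field(default_factory=list)   # "Only the list below" entries
    relay_if_authenticated: bool = True             # the "successfully authenticate" checkbox

    def rcpt_to(self, recipient, client_ip, authenticated=False):
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            # Inbound mail for an owned domain: relay rules are never consulted.
            return "250 2.1.5 " + recipient
        ip = ipaddress.ip_address(client_ip)
        listed = any(ip in ipaddress.ip_network(n) for n in self.relay_ips)
        if listed or (authenticated and self.relay_if_authenticated):
            return "250 2.1.5 " + recipient         # this client is allowed to relay
        return "550 5.7.1 Unable to relay for " + recipient

def diagnose(server, own_domain, relay_listed_ip, other_ip):
    """Probe own_domain from a relay-listed client and from an unlisted one."""
    rcpt = "user@" + own_domain
    listed_ok = server.rcpt_to(rcpt, relay_listed_ip).startswith("250")
    other_ok = server.rcpt_to(rcpt, other_ip).startswith("250")
    if listed_ok and other_ok:
        return "domain is local: accepted for every client"
    if listed_ok:
        return "domain is NOT local: accepted only because client may relay"
    return "domain is NOT local and client may not relay"

if __name__ == "__main__":
    # Constructed state matching the symptom: policy edited, SMTP layer unaware of z.y.org.
    broken = SmtpVirtualServer({"x.com"}, relay_ips=["192.0.2.10"])
    print(broken.rcpt_to("user@z.y.org", "192.0.2.50"))
    print(diagnose(broken, "z.y.org", "192.0.2.10", "192.0.2.50"))
    # Desired state: z.y.org is local, and unknown domains are still refused.
    fixed = SmtpVirtualServer({"x.com", "z.y.org"}, relay_ips=["192.0.2.10"])
    print(diagnose(fixed, "z.y.org", "192.0.2.10", "192.0.2.50"))
    print(fixed.rcpt_to("x@x.x", "192.0.2.50"))
```

In this model a refusal for x@x.x from an unlisted, unauthenticated client is the correct behaviour of a server that is not an open relay, so that probe cannot tell a healthy server from a misconfigured one; only the probe for the server's own domain can.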
 