Change outgoing SMTP email account...consequences??? 2

Status
Not open for further replies.

wahnula

Technical User
Jun 26, 2005
4,158
US
Hello all,

All is good with my SBS2003 Premium SP1 office domain. Currently the email SMTP path through Exchange & Outlook 2003 is user->Exchange->mail.myco.com. Our ISP is houston.rr.com .

The problem is is hosted by digiworldmedia, which somehow ended up on a spam blacklist, so many of our company emails do not get through to their recipients, many times not even ending up in their "junk mail" folder, just deleted.

I have conducted tests using our ISP's SMTP server (smtp-server.houston.rr.com) with a POP3 account and the mail gets through fine, even to companies that do not receive our mail.myco.com emails.

My question is: In the CEICW, there is a page "Email Delivery Method", with the options "Use DNS to route e-mail" (currently selected) and another option to "Forward all e-mail to e-mail server at your ISP". Would it be prudent to change that choice to the second and use the "smtp-server.houston.rr.com" as outgoing server without messing up the delivery email address? I still want the email to arrive as "user@myco.com" not "user@houston.rr.com".

On the "E-mail Retrieval Method" page I have "Use Exchange" and "E-mail is delivered directly to my server" and the E-mail Domain Name on the next page is myco.com.

As always I value all input.

Tony
 
markdmac said:
Are you sure the issue is that your ISP is on a blacklist?

Yes and no. The webmaster told us one of his servers was compromised and used as a spambot. How would I check to verify that we do/don't have a RDNS record? I have access to the website cPanel, but could find no appropriate entries.

Tony
 
markdmac,

DNSstuff reports: "PASS OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries."

Under "Open DNS Servers" it had a big red FAIL with this note:

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address.

Whaddaya think? Problem or no?

Tony
 
markdmac,

This is not my ISP it's my website mailserver's report. My ISP is roadrunner and I have used their SMTP address without problems.

My original question is can I change the Email Delivery Method from "Use DNS to route e-mail" (currently selected) to "Forward all e-mail to e-mail server at your ISP" in the CEICW and enter the ISPs SMTP server instead.

Thanks again.

Tony
 
SPAM Blacklists are based on a mail server's IP address, NOT the domain name. So if you were to switch to hosting your own email in Exchange, then it wouldn't be listed anymore.

To clarify... you have TWO ISPs. One is the company that provides your Internet connection, and the other is the company that provides your Internet domain hosting.

I see no reason to use the SmartHost option and route through Roadrunner... you should be able to just send from your own server.... unless Roadrunner blocks port 25. In which case, then you would need to route through them.

Jeffrey B. Kane
TechSoEasy
 
TechSoEasy,

Thanks for the reply. I do not use Exchange for email hosting in the usual way, I use DDNS. When I send from my server, I route through the (second ISP) website's mailservers and nameservers. So, I am currently using mail.myco.com as a SmartHost.

In the header is 'digiworldhosting' not roadrunner. I believe this is causing the problem. I have one HUGE corporate vendor (70% of our supplies) that receives emails when sent from my shop via POP3 w/ roadrunner mailservers, he receives nothing through digiworldwhatever. Since the company email is not really hosted locally (it is forwarded from website to Exchange via a TZO domain) I was hoping to mitigate the high number of non-received messages by clients and vendors alike.

As an example, the boss lives next door and is not a part of the SBS domain. I had his OE set up to use mail.myco.com as mailserver (myco is hosted by digiworld...). Many emails got blocked or placed into SPAM folders. I changed his SMTP server to smtp-server.houston.rr.com, problem stopped.

Tony
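
The two posts above turn on which relay appears in the message header and on the fact that blacklists key on the relay's IP address. As an added example (not code from any participant in this thread), the following Python pulls the relay addresses out of a message's Received headers and checks each against a DNS blacklist. The sample message, the zone name `dnsbl.example` and all function names are constructed for illustration.

```python
import email
import ipaddress
import re
import socket

# Constructed sample message; every host and address below is a placeholder.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby store.recipient.example with ESMTP; Mon, 1 Jan 2007 10:00:05 -0600
Received: from mail.myco.com (host.webhost.example [203.0.113.25])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2007 10:00:03 -0600
Received: from sbs.myco.local ([192.168.16.2])
\tby mail.myco.com with ESMTP; Mon, 1 Jan 2007 10:00:01 -0600
From: user@myco.com
To: buyer@recipient.example
Subject: test

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relay_ips(raw_message):
    """Public IPv4 addresses named in Received headers, newest hop first."""
    found = []
    for header in email.message_from_string(raw_message).get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # looked like an address but is not one
            if not any(ip in net for net in INTERNAL) and text not in found:
                found.append(text)
    return found

def dnsbl_name(ip, zone):
    """DNSBL convention: reversed octets + the list's zone (placeholder here)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False  # no A record: not listed (or the lookup itself failed)
    return answer.startswith("127.")  # listed; last octet meaning is list-specific

def check_message(raw_message, zone, resolve=socket.gethostbyname):
    return {ip: is_listed(ip, zone, resolve) for ip in relay_ips(raw_message)}
```

Only the Received lines added by the recipient's own servers are trustworthy; anything below them can be forged by the sender. Run it against a copy of a message as it arrived at an outside mailbox to see which relay address the recipient actually scored.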
 
Just because you use DDNS does not mean that you don't configure your Exchange server with your proper email domain name. (ie, myco.com)

It also doesn't mean that you can't receive mail directly to your Exchange Server. You only need to have the MX record changed (probably at digiworldhosting) to point to your DDNS FQDN.

As for sending mail, don't use mail.myco.com as the SmartHost because that's going through digiworldhosting. Instead, either just leave it set to send via DNS or use Roadrunner's smtp instead (as you had originally asked about -- smtp-server.houston.rr.com). This has NOTHING at all to do with the email address you are sending from which will show up on a recipient's message.



Jeffrey B. Kane
TechSoEasy
 
TechSoEasy,

"You only need to have the MX record changed (probably at digiworldhosting) to point to your DDNS FQDN."

I am doing this (in a way) by Email Domain Forwarding in cPanel of myco.com. I was told it is another layer of protection/separation for my SBS network.

"use Roadrunner's smtp instead (as you had originally asked about -- smtp-server.houston.rr.com)."

Thank you thank you thank you!!! I sort of knew this was the solution but was waiting for validation by someone who had traveled this road before. Much appreciated!

Tony

 
No, you can't do Email Domain Forwarding in CPanel. You need to have the MX record changed!

Email Domain Forwarding in CPanel only works if forwarding to a domain that HAS an MX record configured. Whoever told you that was wrong.


Jeffrey B. Kane
TechSoEasy
 
TechSoEasy,

Thanks for your response. The MX record in my Email Domain Forwarded DDNS domain (servername.com, hosted by tzo) points to the IP address of the Exchange server. It (Exchange server) is fully working. The Tzo applet runs on the server and updates the MX record as needed. Thanks again and hope this clears things up. It was done as another layer of security as well as to save $50/month on a static IP.

If this setup (however unconventional) is incorrect please let me know. I am back at work after a week off and plan to implement the smtp-server.houston.rr.com SmartHost later today.

Here is a thread where proper operation of DDNS & SBS was discussed:

thread1584-1302733

Thanks again.

Tony
 
Okay, here's where I think you are missing the point...

You apparently have set up TWO separate domains which is not correct. From reading your other thread, it seems like you have MyCompany.com as your public domain, and have set up myco2.com to use as the domain managed via TZO.

There is no need for this second domain because MyCompany.com can have MANY different servers depending on the service being requested. For instance your web site, which is hosted externally and accessed either by users typing or just are directed to the IP address designated in your Public DNS Zone file. Since you also have an SBS, and need your email traffic to be routed to the SBS, then you would just put a HOST A record in the DNS Zone file that says sbs.MyCompany.com can be found at 123.456.789.012 as well as an MX record that says mail should be sent to sbs.MyCompany.com (you cannot use IP addresses directly in an MX record which is why it takes two entries).

Now, since you have a dynamic IP Address, you are unable to create that HOST A record unless you have your Public DNS zone file hosted by TZO. The way to do this is to change the NameServers that are designated in your MyCompany.com's domain registration. So, wherever you registered MyCompany.com is where you would change those. Instructions from TZO are here:

Note that you are not transferring your domain to TZO by doing this, you are ONLY setting their name servers as "Authoritative".

Hopefully all of that makes sense. You may also want to review which describes how the many pieces of Internet, LAN, Active Directory fit together.

Jeffrey B. Kane
TechSoEasy
 
TechSoEasy,

My main reason for doing it the way I have (it was deliberate) was to keep my Internet presence and my SBS server completely separate, for security reasons. I was advised this would be a more secure approach with multiple layers.

What you propose makes perfect sense, and I understand it completely. My mentor, a retired (anal retentive) Systems Engineer, proposed and helped me implement this plan. While it might be superfluous, is it really not correct?

Tony
 
TechSoEasy,

Not trying to be arrogant, I have a lot to learn and I know it. We were trying to avoid hackers and bad folks, at the time it made sense to me to isolate our Web presence from our workplace, as myco2 is also the conduit for OWA and, hopefully, RWW in the near future. I am a tech enthusiast but obviously not a pro, this is my first network (besides the NT4.0 I did not build, just singlehandedly administered and migrated to SBS).

I am the main revenue producer/IT guy for our company, IT time is precious, so any changes to the status quo are very, very cautiously made. Especially with a daily working system, depended upon by a dozen or more people. I like to do things myself and am not afraid to ask questions, my theory is ask three times make one change. Not that I am incapable, I only need reassurance from someone who's been there. Your input is much appreciated and I did learn from that link...and would appreciate more.

As I move forward and more questions arise I hope you will participate in my threads.

Tony

 
To your original question, Tony: if you choose to route your mail through your service provider's smart-host, you will probably need to set up the credentials, since it will ask for authentication. You would use your roadrunner account creds for that. When your mail arrives, it will not say that it's from Roadrunner, it will say it's from whichever SMTP address is set as the default for the user. Roadrunner is merely acting as an authenticating relay.

What I'd be worried about in your current situation (routing via DNS) is that some major destinations (AT&T.com, AOL.com, etc) analyze source subnets and blacklist mailservers according to source IP, even if you have an RDNS record in place. I have a client who has a Verizon Business DSL account that was unable to send to any AOL mailboxes because his static IP address was part of what AOL considered a "dynamic pool." In that situation, you can either forward all your mail through a smarthost, like you are contemplating, or create unique connectors for the troublesome domains and route those domains through the smarthost-pointed connector.

ShackDaddy
Shackelford Consulting
 
shackdaddy said:
if you choose to route your mail through your service provider's smart-host, you will probably need to set up the credentials, since it will ask for authentication.

ShackDaddy,

Thanks for jumping in. While everyone in the office uses Outlook 2003 w/ Exchange, I still run several POP3 accounts on my personal client PC w/OE. I can use smtp-server.houston.rr.com as SMTP server for all or any of them, in fact my earthlink acct. will not work with mail.earthlink.net, connection gets refused, RR's SMTP addy works fine.

On OE's "Servers" page, under Outgoing Mail Server, the "My server requires authentication" box is NOT checked leading me to believe that credentials are unnecessary, and as a RR subscriber I get to use their mailserver for whichever accounts I choose. Is this a correct conclusion?

Of course I will do testing after-hours, like I said, ask three times, change once!

Tony
 
Yeah, sounds like authentication is not required. I'd be a little concerned about them shutting off your outbound port 25 flow if they didn't like the traffic levels, but other than that, you should be fine using it.

ShackDaddy
Shackelford Consulting
 
wahnula said:
"My main reason for doing it the way I have (it was deliberate) was to keep my Internet presence and my SBS server completely separate, for security reasons. I was advised this would be a more secure approach with multiple layers."

Don't confuse your PUBLIC domain name with your INTERNAL ACTIVE DIRECTORY domain name. This is how you keep the two separate. Which is why you would use domain.com publicly and domain.local internally.

But in order to get to your server, there has to be something publicly configured, and the way I suggested is not only the most common way, but is also quite secure.

This is why I recommended that you read which describes most of these things.


Jeffrey B. Kane
TechSoEasy
 