Exchange 2k to Exch 2k relay problems


belyache

IS-IT--Management
Apr 17, 2002
I am trying to get an external Exchange server to relay through my local server.

I have the outbound SMTP at site "A" set to forward to a Smart Host which is at site "B". This is only to allow Site "B" to forward e-mail to the internet due to AOL blocking ISP's traffic.

At site "B" I have set in my Default SMTP Virtual Server to allow relay for the domain name of Site "A". The email at Site "A" is being returned with an error that says that relaying is not being allowed. I have also checked the SMTP logs, they also show that Site "B"'s exchange server is prohibiting the relay.

If I allow relaying to everyone (i.e. wide open), the email flows just fine. But that obviously is not an option.

Both servers are Exchange 2000 SP3 on SBS 2000.

I am a bit perplexed at this point.

Does anyone have any ideas?

Thanks
Glenn
 
I suspect that the problem is related to DNS. Have you considered using IP addresses instead?

So, to be clear, you're setting this under the SMTP Virtual Server's Properties > Access > Relay Restrictions. You've selected "Only the list below" and then clicked Add and selected the Domain option.

Exchange System Manager should have warned you that this will require reverse lookups.

What source IP address does the Site 'A' SMTP server use to connect to the Site 'B' server? Does this address get translated by a firewall or other NAT device somewhere along the way? Does the DNS service at Site 'A' have an entry for this IP address or can it recurse the answer properly from Site 'B'?
 
Hmmmm,

To be clear... yes, setting this under the SMTP Virtual Server's Properties > Access > Relay Restrictions. You've selected "Only the list below" and then clicked Add and selected the Domain option

I am using DSL (dynamic address), so I can't set a specific IP. However, you may have hit on something. I am using a firewall (PIX) and it does translate the address via PAT. But I am not sure that would cause a problem. I have only one address to choose from, so it should always be the correct address.
I am using NO-IP to keep the dynamic address up to date. Yes, I checked to make sure the address that server "B" saw of server "A" was the same.


I am going to try adding the current IP address to the list and give that a try.

Glenn
 
Adding a static address does work...

Now to the problem of why the reverse DNS doesn't get the right info.

Any ideas?

Glenn
 
The questions that I would ask are:

Where are the DNS servers for the Exchange server? Can you make entries on them?

If you do:
C:\>nslookup
>set type=ptr
>
What result does it give you?
 
The DNS servers are not mine. If I do the commands:

C:\>nslookup
>set type=ptr
>
I get the domain name back, along with the following:
primary name server = ns2.no-ip.com
responsible mail addr = hostmaster.no-ip.com
serial = 2003092619
refresh = 90 (1 min 30 secs)
retry = 120 (2 mins)
expire = 604800 (7 days)
default TTL = 60 (1 min)

But this is not much different than my other static IP's DNS entry results.

Looking through the SMTP logs at Site "A", the results look very similar (static IP in server "B" vs. name resolution in server "B"). The only difference is the line after the external address that server "A" is trying to send to, which spits back that server "B" is unable to relay for XXXXXX@XXXXXX.XXX.

ideas?

Glenn
 
So, your reverse queries are handled by an outside DNS service?

Where's the DNS for your AD done?

You basically need to create a reverse lookup zone on the DNS server that your Exchange server uses and add an entry for the IP address with which the other SMTP server is connecting.
 
Sorry:

DNS for AD is local.

I guess I am missing something, site "A" is a dynamic IP. I can't add an IP to map my DNS to, or I would have to change it constantly.

Are you saying to point the DNS entry of site "A" to the IP of the DNS server that hosts site "A"'s domain name? Seems like that would cause problems!?
Glenn
 
It would be easier, if I could draw a picture...

When one allows relaying by domain, Exchange performs a ptr (aka reverse) DNS lookup on the connecting (the server that's attempting to relay) host's IP address. Exchange checks the result of this reverse lookup to see if the domain name is allowed to relay.

As I understand things, your Exchange server (ExchA) in your site A, is connecting to the Exchange server (ExchB) in your site B and attempting to relay. The IP address that ExchB sees is the public address on your PIX router. This IP address is dynamic and changes. When you specified this IP address relaying worked, correct?

If all of this is correct, then we are close to a solution.
 
Jbud:

Yes, all you mentioned is true.

Any ideas would be appreciated.

Glenn
 
Then, as I see it, you have 2 options:
1. use the IP address to allow relaying, as you already know this works. Since this is a dynamic address, you may have to use a range of addresses (it's likely that this range will be an entire subnet, depending on how the DSL provider has it set up)

-OR-

2. Use domain names to allow relaying. You will also need to create a reverse zone on the AD DNS server that your Exchange server uses. This reverse zone will need to map the IP addresses mentioned in option 1 to the domain name that you enter on the Exchange server's virtual SMTP server.

But, there's one problem with either of these methods, if you specify a range or subnet: anyone within that range or subnet may be able to relay off of your Exchange server.
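A small model of the two relay checks Jbud describes above, written as an added Python example (not code from the thread or from Exchange): a Domain entry only admits a connecting IP that reverse-resolves into that domain, so a missing or wrong PTR record fails it, while a subnet entry admits every address in the subnet, including other customers on the same DSL range. The PTR table, host names and addresses are constructed.

```python
import ipaddress

# Constructed PTR table standing in for what the Exchange server's DNS would
# return for each connecting address (assumption: made-up names and addresses).
PTR_TABLE = {
    "203.0.113.10": "mail.sitea.example.",    # Site "A" as seen behind its PIX
    "203.0.113.11": "dsl-11.isp.example.",    # a neighbour on the same DSL subnet
}


def reverse_lookup(ip, table=PTR_TABLE):
    """Return the PTR name for ip, or None when no reverse record exists."""
    return table.get(ip)


def relay_allowed_by_domain(ip, allowed_domains, table=PTR_TABLE):
    """Model of the 'Only the list below' -> Domain entry: the connecting IP
    must reverse-resolve to a host inside one of the allowed domains."""
    name = reverse_lookup(ip, table)
    if name is None:          # no PTR record: a domain entry can never match
        return False
    host = name.rstrip(".").lower()
    return any(host == d.lower() or host.endswith("." + d.lower())
               for d in allowed_domains)


def relay_allowed_by_ip(ip, allowed_networks):
    """Model of an IP/subnet entry: every address inside a listed network relays."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in allowed_networks)


def admitted_by_subnet(network, table=PTR_TABLE):
    """List every known host a subnet entry would admit, not just Site A."""
    net = ipaddress.ip_network(network, strict=False)
    return sorted(ip for ip in table if ipaddress.ip_address(ip) in net)


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, relay_allowed_by_domain(ip, ["sitea.example"]),
              relay_allowed_by_ip(ip, ["203.0.113.0/24"]))
```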
 
Hi:

I have finally figured it out. I found a site that mentioned changing the outgoing security for the SMTP connector. There are 2 SMTP connectors in SBS 2000 Exchange. On the Virtual connector you can change outbound security, but that is not where I was changing the smarthost from, but rather the SMTP connector.

Well, read the web page I am referencing, and it will explain. Instead of the "Basic Auth" I went with a local account (from site "A") and used "Integrated Auth". It is OK to use "Integrated Auth", correct?

Anyway, here is the link:
Thanks for all your help. I have learned a bit about a lot of things in the last 2 weeks.

Glenn
 