
Multiple email domains within a single exchange server

May 11, 2005
I am trying to consolidate three email domain names into one exchange server. They have unique names and point to three separate mx records under their separate domain registrations. All domains are registered with the same provider.

The internal exchange server is behind a Cisco 515e firewall with two interfaces, one being the primary internet connection and the other a dmz for the exchange server (both with unique external IP addresses). The server is an exchange 2k server with a single smtp connector pointing the the first of the three email domains. This is working fine and I need to add the other two to the exchange server.

What is the best approach to solving this issue? Should I handle it at the dns server of the provider, or do I create multiple virtual servers on the exchange box with separate network cards and IP addresses?

Any help will be greatly appreciated.

Jim
 
Do I need to create separate virtual servers on the exchange box? If so, do I need separate IP addresses for each domain? I have the users set up on separate OUs with the necessary email addresses.

P.S. we have no plans of using OWA (hopefully).
 
No, you don't need separate virtual servers or IP addresses. You do need Exchange to accept messages for delivery to all three domains, hence the recipient policies.

 
So if I have the following..

abc.com, efg.com, hij.com and the DNS entries for the three domains point to mail.abc.com, mail.efg.com, and mail.hij.com. If I change the DNS to point to the DMZ IP address, and as long as I have the recipient policies to point the correct address to the appropriate AD entry, I don't have to worry about the exchange server rejecting emails that don't point to the virtual server mail.abc.com.

Thanks...Jim

 
External mail servers never see what is going on behind the firewall. They see the IP on the external interface that has appropriate host and PTR records in external DNS.

 
I understand that the external mail server does not have any idea of what is inside the firewall. What I am trying to figure out is what I need to do in order to point three domains to a single IP address on a single Exchange server. Do I simply point the A records of the two other domains to the IP address of the exchange server, or do I need to change the efg.com MX record to the abc.com MX and IP record?

Sorry for the ignorance, but I was already burned once with an attempt to get them all under one roof. Can't afford another botched attempt....

thanks.....jim
 
If you change each of the MX records to point to one of the current external IP addresses on your firewall, that will work. A host record and PTR record presumably already exist. Changing external DNS records will take time to propagate, so you may see some problems.

Leaving the external configuration the same, and internally redirecting to the same server will work. Externally, there are no changes to MX, host, or PTR records, so this approach provides for immediate effect. The problem is that the MX record may not match the outbound address used, causing some servers to reject mail. To prevent this, add additional higher weighted MX records for the other two domains now, and wait a few days for those records to propagate before you start. Because these new MX records have a higher weight, they will not impact your current mailflow. You have no outage this way, and you can decommission the old records later at a time of your choosing.

At some point, independent of what you do externally, your intent is for mail destined for all three domains to arrive and be serviced by a single exchange server. This means that exchange must accept for delivery mail destined for all three domains. To do this, there must be a recipient policy that generates an SMTP address for each of the domains. Three OUs with three recipient policies is an easy way to keep things sorted out.
 
Thanks....

I have the primary OU established and mail flows properly. The second OU is set up with the recipient policy established. My first attempt was to insert a lower weighted MX record on one of the two remaining domains and the ISP got things messed up. I am trying to avoid that problem again. So if I add a higher weighted MX record and point it to the external IP address of the firewall, how do I verify that the config is correct? It is my understanding that the system will attempt the lower weighted MX first and if unable to transmit, it then moves up.
 
"It is my understanding that the system will attempt the lower weighted MX first and if unable to transmit, it then moves up"

Exactly. It will not interfere with your current mailflow. In your current mailflow:

The MX for xxx.com points to host.xxx.com on IP xx.xx.xx.10
The MX for yyy.com points to host.yyy.com on IP xx.xx.xx.11
The MX for zzz.com points to host.zzz.com on IP xx.xx.xx.12

Let's assume xx.xx.xx.12 is currently redirected to exchange and when exchange sends, it's redirected to appear to come from xx.xx.xx.12.

If you redirect xx.xx.xx.10 and xx.xx.xx.11 to your exchange server, all the external dns records remain intact. When exchange sends mail for xxx.com and yyy.com, it will appear to come from host.zzz.com.

Adding the higher weighted MX record will register host.zzz.com as authorized to relay mail for the domain in question (xxx.com or yyy.com). This will prevent mail from your server being perceived as forged by organizations that have implemented SPF. That is the only function of the additional MX at this time.

After mail flows successfully for a few days, have your ISP simply retire the old MX records. When the old MX is retired, now the additional MX is the primary MX for the domain.
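An added example (not from the thread) that models the MX staging described in the two answers above: a sending MTA tries a domain's MX hosts in ascending preference-number order (the thread's "weight"), so adding host.zzz.com with a larger number leaves the existing primary untouched while making host.zzz.com a listed MX for an SPF `mx` check. The domain names, hosts and the preference values 10, 20 and 5 are constructed placeholders; the `preference=5` case reproduces the "lower weighted record" mistake the asker describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int  # lower number = tried first; the thread calls this "weight"
    host: str


def delivery_order(records):
    """Hosts in the order a sending MTA tries them (lowest preference first)."""
    return [r.host for r in sorted(records, key=lambda r: (r.preference, r.host))]


def primary_mx(records):
    return delivery_order(records)[0]


def mx_authorized_hosts(records):
    """Hosts an SPF 'mx' mechanism would accept as senders for the domain."""
    return {r.host for r in records}


# Constructed zone data before the change: one MX per domain, as in the thread.
BEFORE = {
    "xxx.com": [MX(10, "host.xxx.com")],
    "yyy.com": [MX(10, "host.yyy.com")],
    "zzz.com": [MX(10, "host.zzz.com")],
}


def add_mx(zone, domain, host, preference=20):
    """Return a copy of the zone with one extra MX record for `domain`."""
    new_zone = {d: list(recs) for d, recs in zone.items()}
    new_zone[domain].append(MX(preference, host))
    return new_zone


def transition_is_safe(before, after, domain, outbound_host):
    """True when the primary MX is unchanged (no mailflow impact) and the
    host that actually sends outbound mail is now listed as an MX."""
    return (primary_mx(before[domain]) == primary_mx(after[domain])
            and outbound_host in mx_authorized_hosts(after[domain]))


if __name__ == "__main__":
    good = add_mx(BEFORE, "xxx.com", "host.zzz.com")            # weight 20
    bad = add_mx(BEFORE, "xxx.com", "host.zzz.com", preference=5)
    print(delivery_order(good["xxx.com"]))   # ['host.xxx.com', 'host.zzz.com']
    print(transition_is_safe(BEFORE, good, "xxx.com", "host.zzz.com"))  # True
    print(transition_is_safe(BEFORE, bad, "xxx.com", "host.zzz.com"))   # False
```

Retiring the old record later (dropping `MX(10, "host.xxx.com")`) leaves host.zzz.com as the only, and therefore primary, MX, which is the final state the answer describes.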

 