SMTP Problem

[TNGPicard]

Ok - I'm sure this has been answered to death, my search skills are failing me tonight (started a systems migration/upgrade at 0300 this morning - not on exchange, another production system I'm doing in semi-parallel).

I have several internal users/uses of SMTP - some automated e-mail systems from monitoring equipment, some users use Thunderbird via POP3 & SMTP, my website application server uses my exchange system as a mail relay for sending mail.

Everything is working fine with SMTP on my exchange 2003 box. On my exchange 2007 box I'm not able to send to external recipients through SMTP.

I don't have any smarthosts setup; the SMTP connector looks like it has some relation to my Exch 2003 server. I'd feel a lot better about starting to think about decommissioning the Exch 2003 server later next week. I'm moving the remainder of my users over a week from today and going to try making the exch 2007 box receive my incoming mail also starting at that time but I need to get this SMTP problem fixed.

220 lmfjex07.mydomain.com Microsoft ESMTP MAIL Service ready at Tue, 13 May 2008 20:
53:35 -0500
helo lmfjex07.mydomain.com
250 lmfjex07.mydomain.com Hello [192.168.5.244]
mail from:mark@mydomain.com
250 2.1.0 Sender OK
rcpt to:tngpicard@mypersonaldomain.org
550 5.7.1 Unable to relay

Any thoughts / links / "hey TNG, you forgot this step *thump*"


Mark / TNGPicard

 

[ShackDaddy]

You have to manually set up a Send Connector at the Org level in E2007 for outbound external mail. Have you done that?

Dave Shackelford
Shackelford Consulting

 

[TNGPicard]

ShackDaddy -

I have attempted to do so but perhaps i have seit it up wrong.

At the Org Level, Under Hub transport, Send Connectors I have two entries. I created the one called "External Mail"

[PS] C:\Windows\System32>get-SendConnector "External Mail" | Format-List


AddressSpaces                : {SMTP:*;1}
AuthenticationCredential     :
Comment                      :
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : True
DomainSecureEnabled          : False
Enabled                      : True
ForceHELO                    : False
Fqdn                         :
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : meEX07
Identity                     : External Mail
IgnoreSTARTTLS               : False
IsScopedConnector            : False
IsSmtpConnector              : True
LinkedReceiveConnector       :
MaxMessageSize               : 10MB
Name                         : External Mail
Port                         : 25
ProtocolLoggingLevel         : None
RequireTLS                   : False
SmartHostAuthMechanism       : None
SmartHosts                   : {}
SmartHostsString             :
SourceIPAddress              : 0.0.0.0
SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers       : {meEX07}
UseExternalDNSServersEnabled : False

This one was already there:

[PS] C:\Windows\System32>get-SendConnector "Internet Mail SMTP Connector (meEXCH)" | Format-List


AddressSpaces                : {SMTP:*;1}
AuthenticationCredential     :
Comment                      :
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : True
DomainSecureEnabled          : False
Enabled                      : True
ForceHELO                    : False
Fqdn                         :
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : meEXCH
Identity                     : Internet Mail SMTP Connector (meEXCH)
IgnoreSTARTTLS               : False
IsScopedConnector            : False
IsSmtpConnector              : True
LinkedReceiveConnector       :
MaxMessageSize               : unlimited
Name                         : Internet Mail SMTP Connector (meEXCH)
Port                         : 25
ProtocolLoggingLevel         : None
RequireTLS                   : False
SmartHostAuthMechanism       : None
SmartHosts                   : {}
SmartHostsString             :
SourceIPAddress              : 0.0.0.0
SourceRoutingGroup           : me
SourceTransportServers       : {meEXCH}
UseExternalDNSServersEnabled : False



[PS] C:\Windows\System32>

meEXCH is my Exchange 2003 server.

 

[ShackDaddy]

I checked your Send Connector configs against an E2003/E2007 rollout I just did, and they match exactly, so it doesn't seem like the problem is there. They are both supposed to be there.

Let me make sure I understand the scenario: your regular MAPI users can send outbound via the E2007 server, but other clients which connect to the server via SMTP can't relay through the server, right?

Check this: Org section -> Hub Transport -> Global Settings -> Transport Settings Properties -> Message Delivery tab. That's where you can configure the IP addresses of internal hosts that are allowed to relay SMTP through the server.

Dave Shackelford
Shackelford Consulting

 

[TNGPicard]

Let me make sure I understand the scenario: your regular MAPI users can send outbound via the E2007 server, but other clients which connect to the server via SMTP can't relay through the server, right?

Yes, you are understanding me correctly.

Check this: Org section -> Hub Transport ...

I added 192.168.5.0/24 (which is the subnet me and the server are both on) and gave it another shot. still got Relaying Denied.

Mark

 

[TNGPicard]

Well, I got it working, probably the very wrong way but its working. I'm not opposed to changing it but I went to
Hub Transport (org level)
Accepted Domains
Create new accepted domain
Set it to be "External Relay Domain
Accepted Domain: *


and that seems to work.

I'm a little concerned that this might make me seen as a public open relay but I use a 3rd party vendor to deliver mail into me (they filter it) and I only allow inbound SMTP connections from their public IP addresses.

Mark / TNG

 

[ShackDaddy]

Given your scenario, your fix should be a safe one, unless someone in the future decides to merely rely on the local anti-spam agents instead of the 3rd-party scrubber.

Glad you found your way out of the woods, but I wish we'd figured out what the actual blockage was.

Dave Shackelford
Shackelford Consulting

 

[TNGPicard]

ShackDaddy -

I do too, I'm still open to suggestions though.

As far as the solution and the local anti-spam agents --- using the 3rd party AV and Spam solution really helps us out not only in keepthing things out BEFORE they hit any part of my network but its also part of our DR/BCP plan so mail won't bounce even if I'm down longer than the normal retry interval for delivering e-mail which is critical since we are located in hurricane territory. I've thought about bringing in a dedicated e-mail AV/Spam filtering appliance which would end up being cheaper long term but I'd lose the 3rd party caching -- so as long as Louisiana and California are not both down at the same time, I should be in OK shape.

Mark

 

[ShackDaddy]

No, I like 3rd party solutions better than appliances, as long as I can trust the vendor. I have all my clients on scrubbers and recently had to move them all to a better vendor. I'm currently an MXLogic reseller and am very happy. They even offer a good archiving/compliance service that I can use for some of my SOX-required clients.

Dave Shackelford
Shackelford Consulting

 

[TNGPicard]

Shack - yeah, the company I'm very happy with is also an mxlogic reseller