Posts: 2
Joined: 12.Dec.2003
From: UK
Hi Tom,
I've configured our ISA 2004 server as an inbound/outbound relay, (with a dual IP address on the internal interface as per a previous article). Inbound and outbound mail is not a problem, no relaying is taking place, and even message screening is working well.
My problem is that system-generated emails are not being allowed by the ISA server, e.g. non-delivery reports and delivery receipts. They end up in the badmail folder with a security (80004005) error in the .bdr file. The ISA SMTP log reports "Hold Policy rule stamp could not be found in the message; taking default action" for each message. The sender is always <>, and the recipients are internal (on allowed domains).
Can you shed any light on which component may be causing the problem, or is it that another rule is needed? Let me know if you need more details on our configuration.
IIRC, this was a known issue with the beta 2. Unfortunately, they fixed it by removing the ability to control the SMTP message screener policy on a per-rule basis.
Friday night I finished setting up an ISA 2000 box, running on Windows Server 2003, with the IIS SMTP relay sending mail to and from my internal Exchange 2000 server. I thought things were great until I discovered I left the SMTP relay open, so spammers are using it and we are now on a couple of open relay black lists.
So I read your article and followed the directions carefully. The only tweak I had to make was to choose the "Only the list below" in the Relay restrictions - I was using the "All except the list below" with nothing in the list. Our 2 domains are in the Domain list as "Remote", each with the "Forward to smart host" setting just like your article shows.
I then used the zoneedit.com site and successfully confirmed that my server (63.100.68.140) is no longer an open relay.
Unfortunately, now no mail is leaving here at all! Everyone is getting mail bounced back by our Exchange server with the message "You do not have permission to send to this recipient. For assistance, contact your system administrator. <ap005.chs.com #5.7.1 smtp;550 5.7.1 Unable to relay for <email destination address>."
Can you help me determine what am I missing? Thanks!
Chris Aranosian Consumer Health Sciences caranosian@consumerhealthsciences.com
EDIT: I am going to have to undo the change I made, re-opening the relay, just to allow outbound mail....
I'll be happy to continue this discussion in another thread, but I really need to know: can I have the SMTP relay as described in the smtprelayinboundoutbound article functioning happily on an ISA 2000 box? Or are you telling me this will not work as described without getting ISA 2004?
If this SMTP relay is supposed to be workable with ISA 2000, can you suggest why outbound mail is triggering the "you do not have permission" rejection message? As you might imagine, I really need to get my open relay closed and have our email working properly asap, so any suggestions you can offer would be appreciated.
I have relay set up with an internal IIS 6 server to an internal Exchange server as shown in the section "Configuring Inbound and Outbound Relay on an IIS 6.0 SMTP Server with GFI MailEssentials" of your article. Inbound works correctly but outbound SMTP connections are only about 30% successful. I watched the monitor with a filter for port 25 and can see many denies for my SMTP server with no rule specified in the filter. I have gone so far as to allow all internal to all external for port 25 during troubleshooting. I can also see inbound connections working with my SMTP Publishing rule and the occasional outbound SMTP connection that goes through (note the rules are reflected for these).
This really leaves me two questions. 1. How does an access rule work sometimes? 2. Why isn't the rule denying outbound SMTP being displayed in the monitor?
Posts: 23
Joined: 5.Aug.2004
From: VA
Hi Tom:
Finally... your new book (that I ordered back in Aug) arrived. [FYI, I cross-referenced the article with the book and found a problem: in Ch 8 "Creating Mail Server Publishing Rules" there are 3 'Select Access Type' options (fig 8.52 on pg 700) and you state that you will cover each one separately. However, you only cover the first 2 and don't discuss Server-to-Server Communications. Thought you'd want to know.]
Anyway, I'm having trouble setting up the relay according to your article and have a few questions:
1) Should the firewall client be installed on the SMTP Relay server? I have NetIQ's MailMarshal SMTP software rather than the MailEssentials software you used. In it there's a field to configure a proxy or use direct access to the internet (e.g., for acquiring updates). If the firewall client should not be installed, then should the Relay use ISA2004 as the proxy or leave it with direct access?
2) In the article you give steps to publish the relay server. After selecting the SMTP Server protocol, the wizard states that I can/should use the Mail Server Publishing Wizard instead. If I publish the Relay server using your method, do I also have to publish the Exchange Server? Alternatively, does it matter whether I use the Server Publishing Wizard or the Mail Server Publishing Wizard?
3) I don't publish my own external DNS. I think the article assumes I do. I configured my internal DNS to forward unresolved queries to my ISP's DNS. Part of the reason is that I didn't publish my own mail server. Now that I'm trying to do this, do I have to also publish a public DNS (plus a backup)? If not, what needs to be configured on my internal DNS, ISA2004, the relay server, and my ISP's DNS?
4) Related to the last question, I have a tri-homed ISA machine but haven't setup a DMZ (actually I tried but had problems so reverted). I know split-DNS is the way to go but what about the SMTP relay? Does it stay on the inside and integrate with Active Directory (which is a benefit for MailMarshal) or do I put it out there and make it a DNS/SMTP relay box?
I also use MailMarshal for SMTP and I have a similar problem. Everything works fine except mailers that do a reverse lookup on my server block the message because my MailMarshal box stamps it with its internal IP. Am I to assume (I don't like to assume anything, ever) that I must have an SMTP relay flat on the internet with no firewall protection at all? It seems that's the case; if not, could someone please recommend what to do. Thanks in advance!
quote:Originally posted by ver5_0: I have relay set up with an internal IIS 6 server to an internal Exchange server as shown in the section "Configuring Inbound and Outbound Relay on an IIS 6.0 SMTP Server with GFI MailEssentials" of your article. Inbound works correctly but outbound SMTP connections are only about 30% successful. I watched the monitor with a filter for port 25 and can see many denies for my SMTP server with no rule specified in the filter. I have gone so far as to allow all internal to all external for port 25 during troubleshooting. I can also see inbound connections working with my SMTP Publishing rule and the occasional outbound SMTP connection that goes through (note the rules are reflected for these).
This really leaves me two questions. 1. How does an access rule work sometimes? 2. Why isn't the rule denying outbound SMTP being displayed in the monitor?
Hi Ver,
If there is an outbound access rule that allows the SMTP relay outbound access to TCP 25, and that machine isn't exceeding its connection limit, there's no reason for the blocked connection. It would be important to have information from the log files and NetMon to see the specific reasons for what is causing your failures.
All help is appreciated! Merry Christmas!
Brian Patlen
Hi Brian, thanks for the tip on the book issue in chapter 8! I think I left that out because those options were really uninteresting and extraneous.
Answers to your questions: 1. NO, never install the Firewall client on the SMTP relay machine.
2. You only have to publish the SMTP server that accepts incoming connections. If the Exchange Server is not accepting incoming connections, then there's no reason to publish it.
3. You don't need to publish your own DNS. As long as the DNS is configured correctly, it can be located anywhere.
4. Ideally, the incoming SMTP relay would be on an anonymous access DMZ. However, it can also be placed on the Internal network.
quote:Originally posted by Spathi73: I also use MailMarshal for SMTP and I have a similar problem. Everything works fine except mailers that do a reverse lookup on my server block the message because my MailMarshal box stamps it with its internal IP. Am I to assume (I don't like to assume anything, ever) that I must have an SMTP relay flat on the internet with no firewall protection at all? It seems that's the case; if not, could someone please recommend what to do. Thanks in advance!
Hi Spathi,
Is the MailMarshal thing doing inbound or outbound relay? I had assumed it was doing inbound relay, so the issue of reverse lookup should be nil.
I know the topic is old, but for me it is still very relevant. I have set up the inbound SMTP relay and this works fine. However, I do not see the option to use an SMTP outbound server to allow any domain. The domain wizard keeps prompting me for a domain and wildcards are not possible (only like *.com, *.nl, etc., which make no sense).
I have no idea where to look. Can you please give me a hint ? I am just using plain stuff, no GFI or whatever.
The domains you are referring to are for YOUR domains for inbound SMTP sessions. For outbound, you do not need to configure the domains that are allowed to send.
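The relay-restriction behaviour behind the "550 5.7.1 Unable to relay" bounce Chris reports after switching to "Only the list below", and the point in the reply above that the Domains list only governs inbound mail, as an added example that is not part of this thread or of the article it discusses: a small Python model of the IIS SMTP virtual server's relay decision, with the kind of open-relay probe a public tester such as zoneedit.com performs, and the null-sender NDR case from the first post. All IPs, domains and host names are constructed; the reply wording beyond the quoted 550 text is assumed.

```python
# Added example (not from the thread or the article it discusses): a model of the
# IIS SMTP virtual server's relay-restriction decision, with an open-relay probe
# of the kind zoneedit.com runs. All IPs and domains below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset   # Domains tab: the "Remote" domains forwarded to the smart host
    relay_hosts: frozenset     # Relay Restrictions: the computer list
    only_list: bool = True     # True = "Only the list below", False = "All except the list below"

    def may_relay(self, client_ip: str) -> bool:
        """Relay to a foreign domain is granted purely by the connecting IP."""
        listed = client_ip in self.relay_hosts
        return listed if self.only_list else not listed

    def rcpt_reply(self, client_ip: str, rcpt: str):
        """Reply to RCPT TO. Local domains are always accepted (that is inbound
        mail, including NDRs from the null sender <>); anything else is a relay
        request and depends on the restriction list."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains or self.may_relay(client_ip):
            return 250, "2.1.5 Recipient OK"
        return 550, f"5.7.1 Unable to relay for {rcpt}"


def smtp_session(policy, client_ip, sender, rcpts):
    """Transcript of one MAIL/RCPT/DATA transaction as the relay would answer it.
    The 550 text follows the wording quoted in the thread; other replies are assumed."""
    transcript = [(f"MAIL FROM:<{sender}>", (250, "2.1.0 Sender OK"))]
    accepted = 0
    for rcpt in rcpts:
        reply = policy.rcpt_reply(client_ip, rcpt)
        transcript.append((f"RCPT TO:<{rcpt}>", reply))
        accepted += reply[0] == 250
    if accepted:
        transcript.append(("DATA", (354, "Start mail input; end with <CRLF>.<CRLF>")))
    else:
        transcript.append(("DATA", (503, "5.5.2 Need Rcpt command")))
    return transcript


def is_open_relay(policy, probe_ip="198.51.100.7"):
    """Open-relay probe: an unrelated host asks for relay to a third-party domain."""
    code, _ = policy.rcpt_reply(probe_ip, "victim@third-party.example")
    return code == 250


# Constructed lab values.
LOCAL = frozenset({"example.com", "example.net"})   # the site's two domains
EXCHANGE_IP = "10.0.0.20"                            # internal Exchange server (assumed)
SPAMMER_IP = "198.51.100.7"
OUTSIDE_MX_IP = "203.0.113.5"

# 1. "All except the list below" with an empty list: everyone may relay.
OPEN = RelayPolicy(LOCAL, frozenset(), only_list=False)
# 2. "Only the list below" with an empty list: relay closed, but Exchange cannot send out.
CLOSED_NO_EXCHANGE = RelayPolicy(LOCAL, frozenset(), only_list=True)
# 3. "Only the list below" with the Exchange server's IP granted relay permission.
CLOSED_WITH_EXCHANGE = RelayPolicy(LOCAL, frozenset({EXCHANGE_IP}), only_list=True)


if __name__ == "__main__":
    for name, pol in [("open", OPEN), ("closed, no Exchange", CLOSED_NO_EXCHANGE),
                      ("closed, Exchange listed", CLOSED_WITH_EXCHANGE)]:
        print(f"{name}: open relay={is_open_relay(pol)}")
        for cmd, (code, text) in smtp_session(pol, EXCHANGE_IP, "user@example.com",
                                              ["friend@elsewhere.example"]):
            print(f"  C: {cmd}\n  S: {code} {text}")
        # An NDR from the null sender into one of our domains is plain inbound mail.
        print("  NDR from <> accepted:",
              pol.rcpt_reply(OUTSIDE_MX_IP, "user@example.net")[0] == 250)
```

The third policy is the closed-relay shape that still lets the internal Exchange server send outbound: relay permission is granted by listing its IP under Relay Restrictions, while the Domains tab only names the domains the relay accepts inbound mail for. Against it the open-relay probe still gets 550, and an NDR from <> addressed to a local domain is accepted as ordinary inbound mail.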
I have other concerns regarding the Outbound Email (I have a separate Access Rule since my incoming mails are sent to an AntiVirus Gateway before being sent to Exchange). I have configured my Exchange to forward outgoing messages to the internal interface of ISA. ISA accepts the message but it is not sent out. I have seen in Inetpub\mailroot\Queue\NTFS... that the message was still queued up. Here is my Access Rule:
Rule Name: SMTP_Outbound SMTP Server
Action: Allow
Traffic: SMTP Server
From: Anywhere
To: 10.0.0.1 (ISA Internal IP Address), Request appears to come from the ISA Server Computer
Networks (Listener): Internal / External
Schedule: Always
I also configured the System Policy (Allow SMTP from ISA Server to trusted servers), on the To tab, to use Internal and External, but it is still not working.
I wonder why you want to send messages that have to leave to your internal interface. I have a Front End in a DMZ, and have the stuff sent directly to my ISP through ISA (where some rules are defined to allow this, but basically the IP settings on the SMTP services are sufficient).