Discussion of article on SMTP inbound/outbound relay

Discussion of article on SMTP inbound/outbound relay - 25.May2004 4:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on inbound and outbound SMTP relay over at http://www.isaserver.org/articles/smtprelayinboundoutbound.html.

Thanks!
Tom

[ May 25, 2004, 04:38 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of article on SMTP inbound/outbound relay - 26.May2004 6:21:00 PM   
citric

 

Posts: 2
Joined: 12.Dec.2003
From: UK
Status: offline
Hi Tom,

I've configured our ISA 2004 server as an inbound/outbound relay, (with a dual IP address on the internal interface as per a previous article). Inbound and outbound mail is not a problem, no relaying is taking place, and even message screening is working well.

My problem is that system-generated emails are not being allowed by the ISA server, e.g. non-delivery reports and delivery receipts. They end up in the badmail folder with a security (80004005) error in the .bdr file. The ISA SMTP log reports "Hold Policy rule stamp could not be found in the message; taking default action" for each message. The sender is always <>, the recipients are internal (on allowed domains).

Can you shed any light on which component may be causing the problem, or is it that another rule is needed? Let me know if you need more details on our configuration.

Thanks

Andrew Walman

(in reply to tshinder)
Post #: 2
RE: Discussion of article on SMTP inbound/outbound relay - 30.May2004 3:21:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

IIRC, this was a known issue with the beta 2. Unfortunately, they fixed it by removing the ability to control the SMTP message screener policy on a per rule basis [Frown]

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion of article on SMTP inbound/outbound relay - 20.Jun.2004 9:49:00 AM   
Guest
Exchange already has a relay control built but neither your article nor exchange seems to have the ability to block inbound email address such as.

Server name mail.microsoft.com

To : Example@microsoft.com

From: Example@microsoft.com

These messages will always get in and with the new viruses today this is what they attempt.

Know of any products that allow control over this?

(in reply to tshinder)
  Post #: 4
RE: Discussion of article on SMTP inbound/outbound relay - 20.Jun.2004 8:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

The SMTP Message Screener can block based on source or destination email address. Have you checked into this yet?

Thanks!
Tom

(in reply to tshinder)
Post #: 5
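
The two sender cases raised in posts 2 and 4, written out as one screening check. This is an added example, not part of the original posts and not how the SMTP Message Screener is implemented; the domain, the internal network range and the sample sessions are constructed.

```python
import ipaddress

# Assumptions for this sketch: the organisation's mail domain and internal range.
OUR_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(client_ip):
    """True when the connecting host is on one of our own networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def screen_sender(client_ip, mail_from):
    """Return (accept, reason) for the envelope sender of one SMTP session."""
    sender = mail_from.strip()
    # NDRs and delivery receipts use the null reverse-path MAIL FROM:<>.
    # Rejecting it is what strands system-generated mail in badmail.
    if sender in ("", "<>"):
        return True, "null sender (bounce or delivery receipt)"
    addr = sender.strip("<>")
    if "@" not in addr:
        return False, "malformed sender"
    domain = addr.rsplit("@", 1)[1].lower()
    # An outside host has no business sending as one of our own users.
    if domain in OUR_DOMAINS and not is_internal(client_ip):
        return False, "external host claims internal sender domain"
    return True, "ok"


# Constructed sessions: (connecting IP, MAIL FROM value).
SAMPLE_SESSIONS = [
    ("198.51.100.7", "<Example@example.com>"),  # spoofed internal sender
    ("198.51.100.7", "<>"),                     # NDR from a remote server
    ("10.0.0.5", "<user@example.com>"),         # internal mail server
    ("198.51.100.7", "<someone@other.example>"),
]

if __name__ == "__main__":
    for ip, sender in SAMPLE_SESSIONS:
        print(ip, sender, screen_sender(ip, sender))
```

A rule like this also rejects legitimate mail that outside services send on behalf of internal addresses, so those sources need an exception.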
RE: Discussion of article on SMTP inbound/outbound relay - 2.Aug.2004 10:44:00 PM   
caranosian

 

Posts: 2
Joined: 2.Aug.2004
Status: offline
Friday night I finished setting up an ISA 2000 box, running on Windows Server 2003, with the IIS SMTP relay sending mail to and from my internal Exchange 2000 server. I thought things were great until I discovered I left the SMTP relay open, so spammers are using it and we are now on a couple of open relay black lists.

So I read your article and followed the directions carefully. The only tweak I had to make was to choose the "Only the list below" in the Relay restrictions - I was using the "All except the list below" with nothing in the list. Our 2 domains are in the Domain list as "Remote", each with the "Forward to smart host" setting just like your article shows.

I then used the zoneedit.com site and successfully confirmed that my server (63.100.68.140) is no longer an open relay.

Unfortunately, now no mail is leaving here at all! Everyone is getting mail bounced back by our Exchange server with the message "You do not have permission to send to this recipient. For assistance, contact your system administrator.
<ap005.chs.com #5.7.1 smtp;550 5.7.1 Unable to relay for <email destination address>."

Can you help me determine what am I missing? Thanks!

Chris Aranosian
Consumer Health Sciences
caranosian@consumerhealthsciences.com

EDIT: I am going to have to undo the change I made, re-opening the relay, just to allow outbound mail....

[ August 02, 2004, 10:46 PM: Message edited by: caranosian ]

(in reply to tshinder)
Post #: 6
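
A simplified model of the relay restriction settings described in the post above, showing how an empty "All except the list below" list yields an open relay and how an empty "Only the list below" list also refuses the internal mail server. This is an added example, not part of the original post and not IIS code; the IP addresses, the domain names and the assumption that mail for the configured domains is always accepted are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayConfig:
    mode: str                                   # "only_list" or "all_except_list"
    ip_list: list = field(default_factory=list)
    inbound_domains: set = field(default_factory=set)


def in_list(client_ip, entries):
    """True when client_ip matches a single address or subnet in entries."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def rcpt_decision(cfg, client_ip, rcpt_to):
    """Model the relay's answer to RCPT TO for one connection."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    # Mail for our own domains is accepted from anyone and handed inward.
    if domain in cfg.inbound_domains:
        return "250 accepted for own domain"
    # Any other destination is relaying: the IP list decides.
    listed = in_list(client_ip, cfg.ip_list)
    allowed = listed if cfg.mode == "only_list" else not listed
    return "250 relayed" if allowed else "550 5.7.1 Unable to relay"


def is_open_relay(cfg, outside_ip="203.0.113.9",
                  foreign_rcpt="someone@elsewhere.example"):
    """An outside host relaying to a foreign domain is the open-relay case."""
    return rcpt_decision(cfg, outside_ip, foreign_rcpt).startswith("250")


OURS = {"example.com"}          # hypothetical inbound domain
EXCHANGE_IP = "10.0.0.2"        # hypothetical internal mail server

CONFIGS = {
    "all except, empty list": RelayConfig("all_except_list", [], OURS),
    "only list, empty list": RelayConfig("only_list", [], OURS),
    "only list, mail server granted": RelayConfig("only_list", [EXCHANGE_IP], OURS),
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        outbound = rcpt_decision(cfg, EXCHANGE_IP, "customer@elsewhere.example")
        print(f"{name}: open_relay={is_open_relay(cfg)} outbound={outbound}")
```

In the model, only the third configuration is both closed to outside hosts and usable by the internal server for outbound mail.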
RE: Discussion of article on SMTP inbound/outbound relay - 3.Aug.2004 4:43:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Are you using an ISA 2004 firewall? This thread is for ISA 2004 firewalls and the article applied to ISA 2004 firewalls.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion of article on SMTP inbound/outbound relay - 3.Aug.2004 7:03:00 AM   
caranosian

 

Posts: 2
Joined: 2.Aug.2004
Status: offline
Hi Tom -

Thanks for the quick reply. No, I'm still running ISA 2000, I don't have a copy of 2004 yet. I installed ISA 2000 on Win Server 2003 as described here: http://www.isaserver.org/tutorials/installon2003.html

I'll be happy to continue this discussion in another thread, but I really need to know: can I have the SMTP relay as described in the smtprelayinboundoutbound article functioning happily on an ISA 2000 box? Or are you telling me this will not work as described without getting ISA 2004?

If this SMTP relay is supposed to be workable with ISA 2000, can you suggest why outbound mail is triggering the "you do not have permission" rejection message? As you might imagine, I really need to get my open relay closed and have our email working properly asap, so any suggestions you can offer would be appreciated.

Thanks again!
Chris

(in reply to tshinder)
Post #: 8
RE: Discussion of article on SMTP inbound/outbound relay - 4.Aug.2004 12:11:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

You can do that. In fact, there's a doc in the ISA 2000 Exchange Kit that covers the step by steps to make it happen.

HTH,
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion of article on SMTP inbound/outbound relay - 14.Dec.2004 6:42:00 PM   
ver5_0

 

Posts: 1
Joined: 14.Dec.2004
From: Waco, Tx
Status: offline
I have relay setup with an internal IIS 6 server to an internal Exchange server as shown on the section "Configuring Inbound and Outbound Relay on an IIS 6.0 SMTP Server with GFI MailEssentials" of your article. Inbound works correctly but outbound SMTP connections are only about 30% successful. I watched the monitor with a filter for port 25 and can see many denies for my SMTP server with no rule specified in the filter. I have gone so far as to allow all internal to all external for port 25 during troubleshooting. I can also see inbound connections working with my SMTP Publishing rule and the occasional outbound SMTP connection that goes through (Note the rules are reflected for these).

This really leaves me two questions.
1. How does an access rule work sometimes?
2. Why isn't the rule denying outbound SMTP being displayed in the monitor?

(in reply to tshinder)
Post #: 10
RE: Discussion of article on SMTP inbound/outbound relay - 15.Dec.2004 12:25:00 AM   
bpatlen

 

Posts: 23
Joined: 5.Aug.2004
From: VA
Status: offline
Hi Tom:

Finally...your new book (that I ordered back in Aug) arrived. [FYI, I cross-referenced the article with the book and found a problem: in Ch 8 "Creating Mail Server Publishing Rules" there are 3 'Select Access Type' options (fig 8.52 on pg 700) and you state that you will cover each one separately. However, you only cover the first 2 and don't discuss Server-to-Server Communications. Thought you want to know.]

Anyway, I'm having trouble setting up the relay according to your article and have a few questions:

1) Should the firewall client be installed on the SMTP Relay server? I have NetIQ's MailMarshal SMTP software rather than the MailEssential software you used. In it there's a field to configure a proxy or use direct access to the internet (e.g., for acquiring updates). If the firewall client should not be installed, then should the Relay use ISA2004 as the proxy or leave it with direct access?

2) In the article you give steps to publish the relay server. After selecting the SMTP Server protocol, the wizard states that I can/should use the Mail Server Publishing Wizard instead. If I publish the Relay server using your method, do I also have to publish the Exchange Server? Alternatively, does it matter whether I use the Server Publishing Wizard or the Mail Server Publishing Wizard?

3) I don't publish my own external DNS. I think the article assumes I do. I configured my internal DNS to forward unresolved queries to my ISP's DNS. Part of the reason is that I didn't publish my own mail server. Now that I'm trying to do this, do I have to also publish a public DNS (plus a backup)? If not, what needs to be configured on my internal DNS, ISA2004, the relay server, and my ISP's DNS?

4) Related to the last question, I have a tri-homed ISA machine but haven't setup a DMZ (actually I tried but had problems so reverted). I know split-DNS is the way to go but what about the SMTP relay? Does it stay on the inside and integrate with Active Directory (which is a benefit for MailMarshal) or do I put it out there and make it a DNS/SMTP relay box?

All help is appreciated! Merry Christmas!

Brian Patlen

(in reply to tshinder)
Post #: 11
RE: Discussion of article on SMTP inbound/outbound relay - 20.Dec.2004 2:39:00 PM   
Spathi73

 

Posts: 3
Joined: 17.Dec.2004
From: Ohio
Status: offline
I also use MailMarshal for SMTP and I have a similar problem. Everything works fine except mailers that do a reverse lookup on my server block the message because my MailMarshal box stamps it with its internal IP. Am I to assume (I don't like to assume anything ever) that I must have an SMTP relay flat on the internet with no firewall protection at all?? It seems that's the case, if not could someone please recommend what to do. Thanks in advance!

(in reply to tshinder)
Post #: 12
RE: Discussion of article on SMTP inbound/outbound relay - 28.Dec.2004 2:01:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by ver5_0:
I have relay setup with an internal IIS 6 server to an internal Exchange server as shown on the section "Configuring Inbound and Outbound Relay on an IIS 6.0 SMTP Server with GFI MailEssentials" of your article. Inbound works correctly but outbound SMTP connections are only about 30% successful. I watched the monitor with a filter for port 25 and can see many denies for my SMTP server with no rule specified in the filter. I have gone so far as to allow all internal to all external for port 25 during troubleshooting. I can also see inbound connections working with my SMTP Publishing rule and the occasional outbound SMTP connection that goes through (Note the rules are reflected for these).

This really leaves me two questions.
1. How does an access rule work sometimes?
2. Why isn't the rule denying outbound SMTP being displayed in the monitor?

Hi Ver,

If there is an outbound access rule that allows the SMTP relay outbound access to TCP 25, and that machine isn't exceeding its connection limit, there's no reason for the blocked connection. It would be important to have information from the log files and NetMon to see the specific reasons for what is causing your failures.

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion of article on SMTP inbound/outbound relay - 28.Dec.2004 2:05:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by bp:
Hi Tom:

Finally...your new book (that I ordered back in Aug) arrived. [FYI, I cross-referenced the article with the book and found a problem: in Ch 8 "Creating Mail Server Publishing Rules" there are 3 'Select Access Type' options (fig 8.52 on pg 700) and you state that you will cover each one separately. However, you only cover the first 2 and don't discuss Server-to-Server Communications. Thought you want to know.]

Anyway, I'm having trouble setting up the relay according to your article and have a few questions:

1) Should the firewall client be installed on the SMTP Relay server? I have NetIQ's MailMarshal SMTP software rather than the MailEssential software you used. In it there's a field to configure a proxy or use direct access to the internet (e.g., for acquiring updates). If the firewall client should not be installed, then should the Relay use ISA2004 as the proxy or leave it with direct access?

2) In the article you give steps to publish the relay server. After selecting the SMTP Server protocol, the wizard states that I can/should use the Mail Server Publishing Wizard instead. If I publish the Relay server using your method, do I also have to publish the Exchange Server? Alternatively, does it matter whether I use the Server Publishing Wizard or the Mail Server Publishing Wizard?

3) I don't publish my own external DNS. I think the article assumes I do. I configured my internal DNS to forward unresolved queries to my ISP's DNS. Part of the reason is that I didn't publish my own mail server. Now that I'm trying to do this, do I have to also publish a public DNS (plus a backup)? If not, what needs to be configured on my internal DNS, ISA2004, the relay server, and my ISP's DNS?

4) Related to the last question, I have a tri-homed ISA machine but haven't setup a DMZ (actually I tried but had problems so reverted). I know split-DNS is the way to go but what about the SMTP relay? Does it stay on the inside and integrate with Active Directory (which is a benefit for MailMarshal) or do I put it out there and make it a DNS/SMTP relay box?

All help is appreciated! Merry Christmas!

Brian Patlen

Hi Brian,
Thanks for the tip on the book issue in chapter 8! I think I left that out because those options were really uninteresting and extraneous [Smile]

Answers to your questions:
1. NO, never install the Firewall client on the SMTP relay machine.

2. You only have to publish the SMTP server that accepts incoming connections. If the Exchange Server is not accepting incoming connections, then there's no reason to publish it.

3. You don't need to publish your own DNS. As long as the DNS is configured correctly, it can be located anywhere.

4. Ideally, the incoming SMTP relay would be on an anonymous access DMZ. However, it can also be placed on the Internal network.

HTH,
Tom

(in reply to tshinder)
Post #: 14
RE: Discussion of article on SMTP inbound/outbound relay - 28.Dec.2004 2:06:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Spathi73:
I also use MailMarshal for SMTP and I have a similar problem. Everything works fine except mailers that do a reverse lookup on my server block the message because my MailMarshal box stamps it with its internal IP. Am I to assume (I don't like to assume anything ever) that I must have an SMTP relay flat on the internet with no firewall protection at all?? It seems that's the case, if not could someone please recommend what to do. Thanks in advance!

Hi Spathi,

Is the Mail Marshal thing doing inbound or outbound relay? I had assumed it was doing inbound relay, so the issue of reverse lookup should be nil.

HTH,
Tom

(in reply to tshinder)
Post #: 15
RE: Discussion of article on SMTP inbound/outbound relay - 19.Jul.2006 12:29:08 AM   
topski2000

 

Posts: 4
Joined: 7.Dec.2004
Status: offline
Hi Thomas,

I know the topic is old, but for me very actual. I have setup the inbound SMTP relay and this works fine. However, I do not see the option to use an SMTP outbound server to allow any domain. The domain wizard keeps prompting me for a domain and wildcards are not possible (only like *.com, *.nl, etc. which make no sense).

I have no idea where to look. Can you please give me a hint ? I am just using plain stuff, no GFI or whatever.

Thanks a lot in advance!

BR,

Ronald

(in reply to tshinder)
Post #: 16
RE: Discussion of article on SMTP inbound/outbound relay - 19.Jul.2006 7:31:15 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
Ronald,

The domains you are referring to are for YOUR domains for inbound SMTP sessions.  For outbound, you do not need to configure the domains that are allowed to send.

(in reply to topski2000)
Post #: 17
RE: Discussion of article on SMTP inbound/outbound relay - 20.Jul.2006 5:17:51 AM   
textguru

 

Posts: 223
Joined: 4.May2004
From: Philippines
Status: offline
I have other concerns regarding the Outbound Email (I have separate Access Rule since my Incoming Mails are sent to AntiVirus Gateway before sending to Exchange). I have configured my Exchange to forward outgoing messages to internal interface of ISA. ISA Accepts the message but it is not sent out. I have seen on the Inetpub\mailroot\Queue\NTFS... that the message was still queued up. Here is my Access Rule:

Rule Name: SMTP_Outbound SMTP Server
Action: Allow
Traffic: SMTP Server
From: Anywhere
To: 10.0.0.1 (ISA Internal IP Address)
    Request appears to come from the ISA Server Computer
Networks (Listener): Internal / External
Schedule: Always

I also configure the System Policy (Allow SMTP from ISA Server to trusted servers), from the To tab to use Internal and External but still not working.

Hope you might help

(in reply to tonygauderman)
Post #: 18
RE: Discussion of article on SMTP inbound/outbound relay - 16.Aug.2006 9:09:40 PM   
topski2000

 

Posts: 4
Joined: 7.Dec.2004
Status: offline
Hi,

I wonder why you like to send messages that have to leave to your internal interface. I have a Front End in a DMZ, and have the stuff sent directly to my ISP through ISA (where some rules are defined to allow this, but basically the IP settings on the SMTP services are sufficient).

Just my thought ..

BR,

Ronald Top

(in reply to textguru)
Post #: 19
