Exchange 2007 Edge Transport server in SMTP relay mode

I was struggling to get an Exchange 2007 Edge Transport server working the way I wanted it to.

I was simply trying to use it as a straightforward standalone SMTP relay in preparation for the whole Exchange 2007 thing: not connected to an internal Exchange organisation in any way, shape or form (no Edge Subscription). I hadn't had the chance to play with Exchange 2007, and as we all know Microsoft is a case of next, next, next, finish and it's up and running, so I didn't bother to RTFM...

The set up:

A server running Exchange 2007 SP1 with the Edge Transport role, two network cards connected to different networks, sitting in a DMZ protected by an ISA server.

Two receive connectors:

From the Internet: bound to the IP address of the external-facing network card, with the remote IP range limited to the external smart host's addresses.

From the LAN: bound to the IP address of the internal-facing network card, with the remote IP range limited to the internal ISA address.

Cleared every tick box on the Authentication tab and made sure only Anonymous Users was ticked on the Permission Groups tab of each receive connector's properties.

Two send connectors:

Outbound to the Internet: address space * (everything), routed to the external smart host.

External Mail to the LAN: address space of the internal LAN's domain(s), routed to a smart host that is the ISA address publishing the internal Exchange server.

Then added the authoritative domain on my LAN under Accepted Domains.

Everything looked good, so I then tried to telnet from the internal network to the mail relay (the lines I typed are in lower case):

220 EdgeServer.DMZ.LOCAL Microsoft ESMTP MAIL Service ready at Sat, 23 Feb 2008 18:59:46 +1100
helo
250 EdgeServer.DMZ.LOCAL Hello [127.0.0.007]
mail from: badbob@chris-mohan.com
250 2.1.0 Sender OK
rcpt to: external@gmail.com
550 5.7.1 Unable to relay

WHAT! Arrgh
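The manual telnet test above, written up as an added PowerShell example (not part of the original post) so it can be repeated from a host inside the receive connector's remote IP range and from one outside it. The server name, HELO name and addresses are assumptions; the RCPT TO address is deliberately outside every accepted domain, because that is the step that decides whether the connector relays.

```powershell
# Added example, not from the original post: the manual telnet relay test
# above as a script, so it can be repeated from hosts inside and outside the
# receive connector's remote IP range. Host name, port and addresses are
# assumptions; change them to match your environment.

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line replies continue with "250-..."; the final line is "250 ...".
    do { $line = $Reader.ReadLine() } while ($line -match '^\d{3}-')
    return $line
}

function Send-SmtpCommand([System.IO.StreamWriter]$Writer,
                          [System.IO.StreamReader]$Reader,
                          [string]$Command) {
    $Writer.WriteLine($Command)
    return Read-SmtpReply $Reader
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'relaytest.example.com',   # assumed
        [string]$MailFrom = 'badbob@example.com',       # assumed
        [string]$RcptTo   = 'external@gmail.com'        # outside every accepted domain
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"   # SMTP requires CRLF line endings
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $helo   = Send-SmtpCommand $writer $reader "HELO $HeloName"
        $mail   = Send-SmtpCommand $writer $reader "MAIL FROM:<$MailFrom>"
        # This is the step that decides relay: a 550 5.7.1 here means the
        # connector will not relay for this source address.
        $rcpt   = Send-SmtpCommand $writer $reader "RCPT TO:<$RcptTo>"
        # Abort the transaction so nothing is queued even where relay is allowed.
        [void](Send-SmtpCommand $writer $reader 'RSET')
        [void](Send-SmtpCommand $writer $reader 'QUIT')

        $result = New-Object PSObject
        $result | Add-Member NoteProperty Server    $Server
        $result | Add-Member NoteProperty Banner    $banner
        $result | Add-Member NoteProperty HeloReply $helo
        $result | Add-Member NoteProperty MailReply $mail
        $result | Add-Member NoteProperty RcptReply $rcpt
        $result | Add-Member NoteProperty Relays    ($rcpt -match '^250')
        return $result
    }
    finally {
        $client.Close()
    }
}

# Usage: run from a host inside the connector's remote IP range and again from
# one outside it, then compare the Relays property.
Test-SmtpRelay -Server 'EdgeServer.DMZ.LOCAL' | Format-List
```

A 550 5.7.1 reply to RCPT TO (as in the transcript above) means the connector refuses to relay for that source address; a 250 reply means it will. Running the script from both sides of the remote IP range is the quickest way to confirm that a relay connector is only open to the hosts you meant.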

After much digging through blogs and other sites I couldn't find an answer, so I took it to the Exchange boys, Ben and Bundy, at the office.

After much chewing of the fat, Bundy pulled up the rights that each permission group grants on a receive connector. Compare the two lists: Ms-Exch-SMTP-Accept-Any-Recipient, the right that lets a session address recipients outside the accepted domains (in other words, relay), is in the Exchange Servers group and not in Anonymous:

Anonymous

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

ExchangeServers

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Any-Recipient
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Bypass-Anti-Spam
  • Ms-Exch-SMTP-Accept-Authentication-Flag
  • Ms-Exch-Bypass-Message-Size-Limit
  • Ms-Exch-Accept-Headers-Routing
  • Ms-Exch-Accept-Exch50
  • Ms-Exch-Accept-Headers-Organization (Note: this permission is not granted to Externally Secured servers.)
  • Ms-Exch-Accept-Headers-Forest (Note: this permission is not granted to Externally Secured servers.)

(Lists taken from Microsoft's documentation of receive connector permission groups.)

Ben (he of www.benchristian.com fame) then took a further leap.

On the From the LAN receive connector (the one the internal network talks to), ticked the Exchange servers box on the Permission Groups tab and the Externally Secured (for example, with IPsec) box on the Authentication tab. Externally Secured tells the connector to treat every host in its remote IP range as an already-authenticated Exchange server, so those hosts get the whole Exchange Servers list above: Accept-Any-Recipient (relay), Bypass-Anti-Spam, Bypass-Message-Size-Limit and the rest, on the strength of their source IP address alone. The only thing separating that from an open relay is the connector's remote IP range, so keep it to the ISA address and nothing wider.

[Screenshots: the From the LAN connector's Authentication and Permission Groups tabs after the change]

We tried telnet again and the damn thing started relaying! I was most pleased and annoyed at the same time.

Good work lads!
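The whole setup from the top of the post (two receive connectors, two send connectors, the accepted domain) followed by Ben's fix, as an added example in Exchange Management Shell syntax. These are not commands from the original post, which did everything in the console; every IP address, range and domain name is a placeholder, while the connector names match the ones used above. ExternalAuthoritative is the shell's name for the Externally Secured tick box.

```powershell
# Added example, not from the original post: the same connectors, accepted
# domain and fix built from the Exchange Management Shell on the Edge Transport
# server. Every address, range and domain below is a placeholder (assumed).

$ExternalIp    = '203.0.113.10'     # external-facing NIC
$InternalIp    = '10.0.0.10'        # internal-facing NIC
$SmartHostNet  = '198.51.100.0/24'  # external smart host range that delivers inbound mail
$SmartHostOut  = '198.51.100.25'    # external smart host for outbound mail
$IsaInternal   = '10.0.0.1'         # ISA address that forwards LAN mail to the Edge
$IsaPublished  = '10.0.0.1'         # ISA address publishing the internal Exchange server
$LanDomain     = 'example.com'      # authoritative domain on the LAN

# Accepted domain, so the Edge knows which recipients it may accept anonymously
New-AcceptedDomain -Name $LanDomain -DomainName $LanDomain -DomainType Authoritative

# Receive connector 1: inbound from the Internet smart host, anonymous only
New-ReceiveConnector -Name 'From the Internet' -Usage Custom `
    -Bindings "${ExternalIp}:25" -RemoteIPRanges $SmartHostNet `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Receive connector 2: inbound from the LAN via ISA (starting point, before the fix)
New-ReceiveConnector -Name 'From the LAN' -Usage Custom `
    -Bindings "${InternalIp}:25" -RemoteIPRanges $IsaInternal `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Send connector 1: everything (*) to the external smart host
New-SendConnector -Name 'Outbound to the Internet' -Usage Custom `
    -AddressSpaces 'SMTP:*;1' -SmartHosts $SmartHostOut -DNSRoutingEnabled $false

# Send connector 2: the LAN domain back to the published internal Exchange server
New-SendConnector -Name 'External Mail to the LAN' -Usage Custom `
    -AddressSpaces "SMTP:${LanDomain};1" -SmartHosts $IsaPublished -DNSRoutingEnabled $false

# The fix. AnonymousUsers lacks ms-Exch-SMTP-Accept-Any-Recipient, hence
# "550 5.7.1 Unable to relay" for recipients outside the accepted domain.
# ExternalAuthoritative is the shell name for the "Externally Secured" tick box
# and must be combined with the ExchangeServers permission group.
Set-ReceiveConnector 'From the LAN' -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Tighter alternative (from the msexchangeteam article linked in the comments):
# keep AnonymousUsers and grant only the relay right, leaving anti-spam and
# size limits in force. Assumed to behave the same against an Edge server's ADAM store.
# Get-ReceiveConnector 'From the LAN' |
#     Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
#                      -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Check: which hosts each connector trusts, and with what rights
Get-ReceiveConnector | Format-List Name,Bindings,RemoteIPRanges,AuthMechanism,PermissionGroups
```

Run it in the Exchange Management Shell on the Edge server itself. The RemoteIPRanges value on From the LAN is the whole control: once the connector is ExternalAuthoritative, every host in that range gets the full Exchange Servers rights listed earlier with no authentication beyond its source address, so the range should contain the ISA address and nothing else, and the Get-ReceiveConnector check at the end is worth repeating whenever a connector is edited.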

3 Comments

  1. Gyorgy Kaposvari :

    Apr 14, 2008 8:10 pm |

    I'm glad to have found this page; it contains the solution to my problem.
    Thanks

  2. johnh :

    Oct 17, 2009 4:46 pm |

    Perhaps you could clarify the last statement about the "further leap". You stated that on the "Outbound to LAN receive connector clicked on the Exchange server in permission groups and Externally secured IN authentication". There are two things I don't understand here:
    1. "in authentication": what does this mean?
    and,
    2. You described "Outbound to LAN" as a send connector under "2 Send Connectors", but reference it as a receive connector in the last statement.
    I'm rather annoyed with Exchange 2007 because I can't allow our Unix users to authenticate SMTP for relay. So what it looks like is I have to open up an open relay. Is there any way (without putting our hub transport on the DMZ) to allow SMTP relay for authenticated users within our organization? I don't know how much directory information ADAM holds or if it would be a viable source for authentication, because there's little to no information on how to set up Exchange as a valid relay for authenticated senders.

    Thanks for any help you can offer.

  3. Chris Mohan( author ) :

    Oct 17, 2009 7:27 pm |

    Hello John,

    I’ve cleaned up the post to make the fix section clearer and changed the name of the send receiver to avoid confusion.

    Hopefully.

    Without knowing your environment, I can only offer general advice :-)
    For the Unix machines, you can add their IP addresses as allowed to relay to the internal Exchange Hub server. This isn't great but works. See here for details:
    http://msexchangeteam.com/archive/2006/12/28/432013.aspx

    If you have the money, you may want to look at Windows 2008 Federation Services http://technet.microsoft.com/en-us/library/dd391937(WS.10).aspx which would then allow Unix users to authenticate to AD and get rid of the ugly IP address workaround.
