Exchange Server Forums
MessageLabs & Exch 2003
MessageLabs & Exch 2003 - 30.Nov.2007 1:42:52 PM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Hi,

We use MessageLabs for mail filtering and internally Exch2003. We have a hardware firewall which only allows inbound mail from the MessageLabs servers and all outbound is again routed by the firewall to them. On the internal gateway I had a SMTP filter that forwarded all inbound mail to Exch no worries, but I have now had to remove this filter and it seems I can't now accept inbound mail as it bounces saying relay not permitted.

MSLabs - mslabs.eu.com
SMTP Filter - 192.160.50.200
Exch - 192.160.50.10
Firewall - 192.160.50.1

MSLabs >>> Firewall >>> SMTP Filter >>> Exch
Exch >>> SMTP >>> Firewall >>> MSLabs

On the firewall I routed all port 25 traffic to the Exch box but it says no relay for inbound mail. On the Exch box I have the 192.160.50.200 as a smarthost, should I change that to 192.160.50.1 [firewall], would that help? I tried using mslabs.eu.com but that didn't work?

Any help appreciated..
G

RE: MessageLabs & Exch 2003 - 30.Nov.2007 3:50:16 PM
Jesper Bernle
Posts: 221
Joined: 15.Oct.2007
From: Sweden
Status: offline
As long as your Exchange Server has Internet connectivity you don't have to use Smart Hosts, but I guess you want your outgoing mail to be screened against Spam and Viruses so it would make sense to point it to MessageLabs, right? To be able to receive you have to add the IP of your firewall to the list of accepted Relay Hosts. It should work.
_____________________________
Jesper Bernle Enterprise Messaging Administrator

RE: MessageLabs & Exch 2003 - 30.Nov.2007 4:08:43 PM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Something is a bit amiss here. When mail comes to your Exchange server from MessageLabs, the recipient should be your domain that your Exchange server has authority for. Hence this should not be relaying. Check to see if anybody has put any IP address rules on the SMTP connector of your Exchange server. For security reasons you should NOT have to allow full relay for your firewall's IP address, because if for some reason your firewall is hacked then you become a mail relay server.
_____________________________
Rishi Shah, MCP
If an advice works, report this to the forum so that others are more confident about it. Want a quicker answer - then describe your issue in as much detail as possible and exactly what steps you have already taken.

RE: MessageLabs & Exch 2003 - 3.Dec.2007 4:00:25 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Hi,

The firewall will only accept traffic on port 25 from the MessageLabs cluster, MessageLabs will only accept outbound mail from our firewall IP which works great. The problem lies in the fact Exchange only allows relaying from internal IP addresses which was OK as all mail was forwarded from the internal SMTP Filter - 192.160.50.200 to Exchange. Now this step has been removed, how do I allow MessageLabs to be accepted as the sender on Exchange? I know this can work as I had it configured this way before!!

I added the mslabs.eu.com domain to the allowed to relay in the SMTP virtual server properties alongside all our internal addresses but still no joy, receiving the below when attempting to send from external source.

    This is the mail delivery agent at messagelabs.com.
    I was not able to deliver your message to the following addresses.
    <myuser@mydomain.co.uk>:
    62.179.10.181 does not like recipient.
    Remote host said: 550 5.7.1 Unable to relay for myuser@mydomain.co.uk

Baffled..

RE: MessageLabs & Exch 2003 - 3.Dec.2007 4:10:10 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
When you receive mail on your Exchange server that is addressed to a domain serviced by your Exchange server it is NOT mail relaying. I am quite sure someone has simply locked down the SMTP protocol (on the Exchange server) to receive mail only from the old SMTP Server. Have a look at your SMTP protocol and change this to the internal IP address of your firewall (if your firewall is going to present its IP address to the Exchange server). You may wish to paste images of your SMTP configuration on your Exchange Server if the above does work... it may be that someone has really had a good go at the SMTP configuration and confused things.

Good security says that IP address filtering should be done by your firewall (if it is an accredited one and looked after properly) rather than giving this task to the SMTP protocol.
< Message edited by rishishah -- 3.Dec.2007 4:13:26 AM >

RE: MessageLabs & Exch 2003 - 3.Dec.2007 4:31:47 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Hi, I have screenprinted and posted here if it helps, thanks again for your time..
G

RE: MessageLabs & Exch 2003 - 3.Dec.2007 6:32:36 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
quote:
ORIGINAL: gstar1703
Hi, I have screenprinted and posted here if it helps, thanx again for your time.. G

Sorry but cannot see any attachments.

RE: MessageLabs & Exch 2003 - 3.Dec.2007 7:01:35 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
The connection control page is missing. Have a look in there and see if anybody has not set specific IP rules and hence denying your firewall to contact this server. Also can you confirm how your firewall presents the connection to this Exchange server? Does it present its own internal IP address or that of MessageLabs?

RE: MessageLabs & Exch 2003 - 3.Dec.2007 7:21:33 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Hi,

Nothing exciting in the connection tab http://gary.brett.googlepages.com/exch2003 and the firewall is presenting itself through internal IP I would imagine, though it's hard to tell..

Cheers
Gary

RE: MessageLabs & Exch 2003 - 3.Dec.2007 7:38:02 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
What sort of a firewall do you have... is it one that allows any testing from the firewall to the Exchange server (for example ISA running on Windows, or Checkpoint on Windows/Linux), etc.? If you do, can you try doing the telnet ipaddressofserver 25 test from the firewall to your Exchange Server? Also please verify in your Exchange server that your server is the authority for receiving mail for the correct domain (just checking....)

RE: MessageLabs & Exch 2003 - 3.Dec.2007 8:06:58 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Hi,

I have a SonicWALL, can't telnet directly from it but can ping, tracert etc, something very odd is going on here. I have this morning compared an Exchange box in another office and both firewalls which are identical. Setup the Smart Host as eu.messagelabs.com as that is what the other has, copied all config back to my local Exch box, ensured firewall NAT & rules were the same, yet I still receive the relay error when sending from external account. It's so frustrating..

Good Firewall NAT - MessageLabs >> FW_WANIP >> Internal SMTP server
Bad Firewall NAT - MessageLabs >> FW_WANIP >> Exchange server

There doesn't appear to be any reference to our Exchange box in the mail headers but it must be that that is bouncing the mail? Also I can send internal mail fine so do I need to add the eu.messagelabs FQDN to all relay section?

Argghh

RE: MessageLabs & Exch 2003 - 3.Dec.2007 8:21:09 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Okay, let's look at your firewall. Looks like your SonicWALL is doing some sort of SMTP application-level filtering. I would concentrate on this and ensure it does allow your authoritative domains through to your Exchange server. As you are receiving mail from MessageLabs and it is addressed to your domain this is not relay but standard mail delivery. Hence MessageLabs does NOT need to be in any relay.

Also once this is resolved have a look at your current relay options as you have set large subnets to allow relaying. This means that all 3 of those subnets can do mail relaying and in my personal view is a security risk. I appreciate it is a pain, however I would only allow mail delivery for ordinary users via Outlook MAPI only and all servers and applications that need direct access to the SMTP protocol, these should be specifically stated in the IP list in relay as opposed to entire subnets.

However let's fix your initial problem of incoming mail. Do one more thing to rule out your firewall... if you have access to another internet connection then put that on the allow list on the firewall (port 25 only) and forward that connection to the Exchange box... next use the telnet external_ipadress_of_your_firewall 25 and send the SMTP commands through.
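
An added example, not part of any post in this thread and not Exchange's own logic: a simplified Python model of the RCPT TO decision described in rishishah's replies above (mail for a domain the server is authoritative for is delivery, anything else is relay and depends on the relay list), plus a check for relay entries wider than a single host. The domain list and relay entries are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample configuration, not taken from the poster's server.
LOCAL_DOMAINS = {"mydomain.co.uk"}      # domains the server is authoritative for
RELAY_ALLOW = [ipaddress.ip_network(n) for n in (
    "192.160.50.0/24",                  # whole subnet: every host on it may relay
    "192.160.50.1/32",                  # single host: the firewall's LAN address
)]


def rcpt_decision(client_ip, rcpt, local_domains=LOCAL_DOMAINS,
                  relay_allow=RELAY_ALLOW, authenticated=False):
    """Model the RCPT TO decision of a relay-restricted SMTP server.

    Returns (reply_code, reason). Hypothetical helper, not Exchange's logic.
    """
    local_part, sep, domain = rcpt.rpartition("@")
    if not (sep and local_part and domain):
        return ("501", "malformed recipient")
    if domain.lower() in local_domains:
        # Inbound delivery: the relay list is never consulted.
        return ("250", "local delivery")
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in relay_allow):
        # Foreign domain, but the client is trusted to relay.
        return ("250", "relayed to foreign domain")
    return ("550 5.7.1", "Unable to relay for " + rcpt)


def broad_relay_entries(relay_allow=RELAY_ALLOW, max_hosts=1):
    """Return relay entries that cover more than max_hosts addresses."""
    return [str(net) for net in relay_allow if net.num_addresses > max_hosts]


if __name__ == "__main__":
    cases = [
        ("85.158.137.83", "myuser@mydomain.co.uk"),   # filtering service -> local domain
        ("85.158.137.83", "IT@myotherdomain"),        # domain the server does not own
        ("192.160.50.1", "someone@example.net"),      # firewall LAN IP on the relay list
        ("81.149.251.91", "someone@example.net"),     # outside host, foreign domain
    ]
    for ip, rcpt in cases:
        print(ip, rcpt, rcpt_decision(ip, rcpt))
    print("relay entries wider than one host:", broad_relay_entries())
```

In this model a 550 5.7.1 for a recipient in your own domain can only mean the domain is missing from the local-domain list; adding the sending host to the relay list changes the reply but also lets that host relay to any domain.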

RE: MessageLabs & Exch 2003 - 3.Dec.2007 8:37:31 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Ok, I created NAT rule and firewall access rule to allow port 25 traffic from our other office IP address, then fired up Telnet as follows:

    3959 ready at Mon, 3 Dec 2007 13:30:47 +0000
    EHLO mydomain.CO.UK
    250-myserver.corp.myotherdomain Hello [81.149.251.91]
    250-TURN
    250-SIZE
    250-ETRN
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-8bitmime
    250-BINARYMIME
    250-CHUNKING
    250-VRFY
    250-X-EXPS GSSAPI NTLM LOGIN
    250-X-EXPS=LOGIN
    250-AUTH GSSAPI NTLM LOGIN
    250-AUTH=LOGIN
    250-X-LINK2STATE
    250-XEXCH50
    250 OK
    MAIL FROM:GARY.BRETT@mydomain.CO.UK
    250 2.1.0 GARY.BRETT@mydomain.CO.UK....Sender OK
    RCPT TO:IT@myotherdomain
    550 5.7.1 Unable to relay for IT@myotherdomain

I would say the firewall is allowing traffic through to the Exch box, wouldn't you? If so there has to be something on this server that doesn't like the inbound headers. The internal firewall IP is in the allow relay config..

RE: MessageLabs & Exch 2003 - 3.Dec.2007 8:45:01 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Sorry to ask but are you using Authenticated SMTP only between MessageLabs and yourself? And in the RCPT you should be sending mail to you@yourdomain.com, why are you using otherdomain? Unless your Exchange server is authoritative for otherdomain it will reject the mail for sure. So for MAIL FROM make up any address and any domain and for RCPT use your own e-mail address@yourdomain that the Exchange server serves.

RE: MessageLabs & Exch 2003 - 3.Dec.2007 9:21:49 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Ok, when I create the NAT rules to forward all port 25 to the old SMTP server or to the Exch2003 box from my other office I get this. Note I have sent from a GMAIL account into my local domain account. When I run this locally the TELNET completes and I do indeed receive the message into my Outlook box.

    250-MYServer.corp.MYDOMAIN.co.uk Hello [81.149.251.91]
    250-TURN
    250-SIZE
    250-ETRN
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-8bitmime
    250-BINARYMIME
    250-CHUNKING
    250-VRFY
    250-X-EXPS GSSAPI NTLM LOGIN
    250-X-EXPS=LOGIN
    250-AUTH GSSAPI NTLM LOGIN
    250-AUTH=LOGIN
    250-X-LINK2STATE
    250-XEXCH50
    250 OK
    MAIL FROM:GARY.BRETT@GMAIL.COM
    250 2.1.0 GARY.BRETT@GMAIL.COM....Sender OK
    RCPT TO:MYUSER@EXCHDOMAIN.CO.UK
    550 5.7.1 Unable to relay for MYUSER@EXCHDOMAIN.CO.UK

MessageLabs do not request authentication as they have pinned down the IPs that are allowed to relay mail from our domain name. As you may see in the images posted earlier I do however have all 3 tick boxes selected in the SMTP authentication config screen, but I guess that's OK as it wouldn't have worked at all if that was incorrect.

On the old SMTP filter, all mail was simply routed to port 25 on the Exchange server so I guess looked as though it was originating on a LAN IP, now all mail is routed from the firewall which again has a LAN IP so I can't see the difference here. The only reference I have to the old SMTP filter is in the smart hosts, but even after removing that it still doesn't work..

What a mess I am in eh?

RE: MessageLabs & Exch 2003 - 3.Dec.2007 10:02:43 AM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Okay, if the telnet test works can you try two more things:

1) Set your firewall to NAT port 25 but NOT apply any SMTP filtering at all. Just plain old port blocking (dumb firewall). So rather than have the firewall check if it is the SMTP protocol passing through, just allow anything across port 25. (As this is locked down to IP addresses for MessageLabs, it should be secure enough, but this can be changed later on.)

2) Change the NATing on the firewall so that it presents the firewall's internal IP address to the firewall as opposed to that of the sender's IP address. Currently when you send a HELO/EHLO command your reply in telnet seems to be 81.*.*.* which is an Internet address. Can you force the NATing such that it makes the mail server think that the mail is coming from the firewall's trusted network port?

I do not believe your Exchange solution is to blame here at all.

Rishi

RE: MessageLabs & Exch 2003 - 3.Dec.2007 10:42:15 AM
gstar1703
Posts: 79
Joined: 13.Apr.2005
From: UK
Status: offline
Hi Rishi,

Again I must thank you for your persistence, it is appreciated..

The firewall is already doing just what you suggested in point 1, the SMTP filtering is done on a server internally that sits between the FW & Exch. The 81 address is an internet address as I was telnetting from an ADSL line at our other office, hence I guess the reason for the Telnet relay failure. Normally the sending IP would be from the MessageLabs cluster, the firewall simply checks this is true, then passes through to a device on the LAN.

As I say, the traffic is being passed through the firewall without issues as it reaches the old SMTP software no problem. I can't seem to get my head round why the SMTP filter accepts this mail but the Exchange box doesn't, it's as though Exchange will only accept mail from the SMTP filter software on the internal IP!

As another test I edited the NAT again to route direct to Exch box, bypassing the SMTP filter software and turned on debug mode on firewall with the following result? 192.168.45.10 address is Exch

    12/03/2007 15:30:42.784 Debug Network TCP connection abort received; TCP connection dropped 85.158.137.83, 55454, WAN 192.168.45.10, 25, LAN, EXCHSERVER TCP Flag(s): RST
    12/03/2007 15:30:42.784 Debug Network TCP connection abort received; TCP connection dropped 85.158.137.83, 55454, WAN, mail140.messagelabs.com 192.168.45.10, 25, LAN, EXCHSERVER TCP Flag(s): RST

That looks to me like Exch is resetting the request, what do you think?

RE: MessageLabs & Exch 2003 - 3.Dec.2007 1:21:37 PM
rishishah
Posts: 576
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Okay, it's clear your firewall is presenting the IP address of MessageLabs to Exchange 2003. Is the Default Gateway of your Exchange server the firewall? If you do a trace route to MessageLabs from the Exchange server does it pass your firewall or does it take another route?