Exchange Server Forums
more than just OWA... - 5.Feb.2007 4:11:20 PM
mia450r
Hey guys... My company uses Postini for SPAM. Mail is delivered from Postini to our Linux/sendmail email gateway, and then to the mailboxes on our Backend Exchange 2003 server. We also have a 2003 Exchange FE server which is just an OWA server. It resides on the DMZ, uses SSL and is properly "locked down" so all it does is OWA over http. Only the necessary firewall ports are open for OWA. What would it take to have the Exchange 2003 FE server become the gateway server-- and thus, REPLACE the sendmail server? Obviously, I want to be sure to do this as secure as possible. What edits would I need to make to the FE server? What firewall openings would have to be made? thanks! mia
RE: more than just OWA... - 5.Feb.2007 4:23:13 PM
uemurad
Postini communicates using SMTP (port 25) - that's the only additional port required. You have to configure Postini to direct all of its traffic to the outside address of your FE (Inbound Servers --> Delivery Manager).
_____________________________
Regards, Dean T. Uemura Microsoft MVP - Exchange exchangeguy.blogspot.com uemurad@yahoo.com
RE: more than just OWA... - 5.Feb.2007 4:35:54 PM
mia450r
Thanks! So, currently, the SMTP service on the FE server is disabled. If I enable it, and then configure the FW to allow TCP 25 inbound --but only from Postini servers, I assume-- then we will be secure? What about outbound mail? (FYI--we don't use Postini for outbound) Currently, our BE server sends outbound mail to our Linux sendmail e-mail gateway. Should I have the BE server send the mail out to the internet, or have it relay it to the FE server first? If the latter, what do I need to configure on the FE server for it to properly relay email (from the BE server) out to the internet? Any time I've tried to have the BE server deliver mail out to the internet, it can only deliver SOME of the mail... like there is a DNS problem... thanks mia
RE: more than just OWA... - 5.Feb.2007 5:09:24 PM
uemurad
What is your goal? Are you trying to remove the Sendmail completely? As far as being secure, if you are confident that your FE is secure, then yes, open port 25 only to Postini and you'll still be secure. In your current configuration, what does Sendmail do with the outbound mail? You need to choose a route for your outbound mail if you want to change, but it should work as is.
RE: more than just OWA... - 5.Feb.2007 5:19:34 PM
mia450r
Yep, the end-goal is replacing the sendmail gateway server with the Exchange 2003 FE server. Currently, the sendmail gateway server relays mail from the BE Exchange 2003 server out to the internet. Should I have the BE server send the outgoing SMTP email to the FE server? What edits need to be made (BE and FE) for the mail to flow out? (As I said, currently, if I tell the BE server to send mail directly to the internet, and not through the smart/relay host (sendmail), then only SOME internet mail gets delivered. We get bounces for many emails, almost like there is a DNS problem with the BE server... failing to do lookups on the zones it's trying to deliver mail to.) Many thanks.... mia
RE: more than just OWA... - 5.Feb.2007 5:36:07 PM
uemurad
Mia, what I also should have said was to test-test-test.

For inbound, I'd open port 25 on the FE, but don't yet restrict it to only Postini. Use Telnet via port 25 to make sure that incoming messages can get all the way to your mailboxes. If that works, then add the restriction. Add the FE to Postini's configuration, but add the Sendmail server as its failover. That way when mail starts flowing, if the FE doesn't work for some reason the messages will keep coming to Sendmail. Leave it that way until you are ready to remove the Sendmail server.

For outbound, your assessment of a DNS issue could very well be true. Test the DNS by checking it from both systems. Where do Sendmail and the FE get their DNS information? Does the same domain name return the same MX information from both? Perform an outbound telnet test from the BE server and see what results. Clear the DNS cache. Duplicate the telnet test on the FE server. How are you forwarding the outbound from BE to Sendmail? Using a Smarthost setting?
RE: more than just OWA... - 6.Feb.2007 9:55:46 AM
mia450r
--sendmail server is also one of our external, outwardly facing DNS servers
--outbound mail is sent from the Exchange site to the sendmail server through an Internet Site Connector, with the radio button set to FWD through the following smarthost
--FE server currently only has the http protocol enabled for OWA. SMTP, POP, etc. are all disabled (and not configured) for security
--BE & FE servers currently use an internal DNS server, which is 'internet aware' and talks to the root hints servers (all our clients use this DNS server with no lookup problems when they surf the web)
--FE mailbox store has been deleted. I need to re-create the mailbox store, right? (but no mailboxes should be on the FE)

If I enable SMTP on the FE server, do I need to configure it to only relay from Postini? Or will the FW handle the security well enough (by only allowing port 25 from Postini)? How do I force the Exchange site to send and receive all Internet mail through the FE server? If I select the "Use DNS" radio button on the connector, some of the outbound mail will bounce. I do like your idea to run sendmail as a backup (via Postini config) until everything is flowing through the FE server properly.... Thanks!!!
RE: more than just OWA... - 7.Feb.2007 1:18:04 PM
uemurad
Sorry for not getting back to you sooner - sometimes my own Exchange problems get in the way of helping here at the forums. If you feel confident about the firewall being enough security, then opening it to port 25 only from Postini's IP range will keep it secure. Ask yourself though whether any traffic can possibly get in from anywhere else (e.g. a dual-NIC server could bypass your firewall). Forcing inbound Internet mail through the FE is a matter of Postini configuration. Forcing outbound Internet mail through the FE can be done with a Smarthost setting on your BE. Setting the Use DNS on the FE server should work for all outbound messages. When you find a message that bounces, check DNS for that domain's MX record, then test with Telnet to see what might be causing the bounce.
RE: more than just OWA... - 7.Feb.2007 2:32:36 PM
mia450r
Ok...Thanks..... Bear with me, these may be stupid questions--I'm learning as I go here...

--The sendmail server has 3 alias files (users, lists, system) which direct incoming mail to the proper location in the Exchange environment. How do I replicate those aliases on the front end server, so it directs incoming mail the same way the sendmail server was?
--What makes the sendmail server a Smart Host? That it can do DNS lookups on its own? Still trying to figure out the DNS difference between the sendmail server and our internal DNS server.

How do I test failures using telnet?

m

EDIT: OK, that 1st one was a dumb question. Most of the entries in the alias files simply specify the MBs in the Exchange environment (user: user@exchange.domain.com). So, those aliases are no longer needed since mail is now being delivered directly to the Exchange site, where the actual mailboxes reside.
RE: more than just OWA... - 7.Feb.2007 3:13:15 PM
uemurad
I'm not familiar with Sendmail. Please give me an example of what is in the alias files. Exchange expects to receive messages addressed with SMTP (name@domain).

SmartHost in this case refers to how Exchange deals with the outbound traffic. It just means that the connector sends all the mail to "somewhere". It's up to that "somewhere" to be able to receive SMTP traffic and forward it. If the Exchange server is sending the traffic directly to the Internet, then you'll want it to do the DNS lookups. In this case, since you are asking the FE to be the Internet connection, it will use DNS, and the BE server will have the FE listed as its SmartHost.

To test with Telnet, go to the console of the sending system (in this case your FE server if that is where the messages fail). A Remote Desktop session is fine. You'll need to determine somewhere to which to send a message. At a command prompt window, type the command: NSLOOKUP. When it responds with its prompt ">", type SET TYPE=MX, then type the domain name to which you are going to send the message (e.g. outsidedomain.com). You should get a list of FQDNs and/or IP addresses. Note them and type the command EXIT to return to the OS command prompt.

Next you'll send a message. At the command prompt, type in the following sequence (the ------- before and after delimits the sequence):

-----------------
telnet <FQDN or IPaddress> 25
ehlo testmessage
mail from: yourSMTPaddress@yourdomain.com
rcpt to: receivingaddress@outsidedomain.com
data
subject: Test message from <mia450r>

Testing outbound mail flow. Please send a reply if received.

.
quit
------------------

Note that there is a blank line after the "subject:" line, a blank line after the text of the message, and a "period" by itself after that (denoting the end of the message body). The "quit" command ends the telnet session. If you get all the way through, the receiving system should check for the message.

If you use your actual SMTP address in the "mail from" line, you'll receive any NDR (bounce) messages. You should receive an OK response to the "ehlo" and "mail from" commands. Any other responses to the commands entered should give a clue to why it may be failing.

Finally, my philosophy is that the only stupid question is the one not asked. You never need to apologize (at least to me) for asking. Whether or not you receive an intelligent answer is completely out of your hands... ;-)
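The MX lookup and hand-driven SMTP session Dean lays out above, as an added example that is not part of the forum thread and not either poster's code. It parses the output of a Windows nslookup "set type=mx" query, then walks the same EHLO / MAIL FROM / RCPT TO / DATA sequence one command at a time and stops at the first reply that is not 2xx/3xx, so the reply code that explains a bounce is kept instead of scrolling past in a telnet window. The host names, the nslookup sample and the in-memory FakeSmtpServer (which answers the way a locked-down SMTP virtual server does when the connecting host may not relay) are all constructed; the exact wording of the nslookup line is an assumption.

```python
"""Added example, not from the thread: Dean's outbound-mail test as a script.
Resolves MX hosts from nslookup output, drives the SMTP dialogue step by step
and records every server reply.  Hosts and samples below are constructed."""
import re
import socket
from typing import IO, List, Optional, Tuple

# Per-record line Windows nslookup prints after "set type=mx"
# (assumption about the exact text; adjust if your build prints it differently).
MX_LINE = re.compile(
    r"MX preference = (?P<pref>\d+), mail exchanger = (?P<host>[\w.-]+)")

SAMPLE_NSLOOKUP = """\
Server:  dns.internal.example
Address:  10.0.0.5

Non-authoritative answer:
outsidedomain.com       MX preference = 20, mail exchanger = mx2.outsidedomain.com
outsidedomain.com       MX preference = 10, mail exchanger = mx1.outsidedomain.com
"""  # constructed, not captured from a real resolver


def parse_nslookup_mx(output: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs, lowest preference (tried first) first."""
    return sorted((int(m["pref"]), m["host"].rstrip("."))
                  for m in MX_LINE.finditer(output))


def _read_reply(stream: IO[bytes]) -> str:
    """Read one SMTP reply, including '250-' continuation lines."""
    lines = []
    while True:
        line = stream.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            return "\n".join(lines)


def smtp_dialogue(stream: IO[bytes], helo_name: str, mail_from: str,
                  rcpt_to: str, body: str) -> List[Tuple[str, str]]:
    """Send the same commands as the telnet test; return (command, reply) pairs.

    `stream` is any binary read/write stream: sock.makefile('rwb') for a live
    server, or FakeSmtpServer below for offline use.  Stops after the first
    reply that is not 2xx/3xx, because that reply is the diagnosis."""
    transcript = [("<connect>", _read_reply(stream))]
    if not transcript[0][1].startswith("220"):
        return transcript
    message = f"Subject: Test message\r\n\r\n{body}\r\n."
    for cmd in (f"EHLO {helo_name}", f"MAIL FROM:<{mail_from}>",
                f"RCPT TO:<{rcpt_to}>", "DATA", message, "QUIT"):
        stream.write((cmd + "\r\n").encode("ascii"))
        stream.flush()
        reply = _read_reply(stream)
        transcript.append(("<message>" if cmd == message else cmd, reply))
        if reply[:1] not in ("2", "3"):
            break
    return transcript


def first_failure(transcript: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """The first command whose reply was an error, or None if everything passed."""
    return next(((c, r) for c, r in transcript if r[:1] not in ("2", "3")), None)


def run_live(host: str, mail_from: str, rcpt_to: str, port: int = 25):
    """Same dialogue against a real MX host (needs network access)."""
    with socket.create_connection((host, port), timeout=30) as sock, \
            sock.makefile("rwb") as stream:
        return smtp_dialogue(stream, socket.getfqdn(), mail_from, rcpt_to,
                             "Testing outbound mail flow. Please reply if received.")


class FakeSmtpServer:
    """Constructed in-memory stand-in for the remote side (no network).  Unless
    relay_allowed is set it answers RCPT TO with the relay refusal an SMTP
    virtual server gives a host that is not permitted to relay through it."""

    def __init__(self, relay_allowed: bool = False):
        self.relay_allowed = relay_allowed
        self.in_data = False
        self.pending = [b"220 mail.example.test ESMTP ready\r\n"]

    def readline(self) -> bytes:
        return self.pending.pop(0) if self.pending else b""

    def write(self, data: bytes) -> None:
        text = data.decode("ascii")
        if self.in_data:
            if text.endswith("\r\n.\r\n"):        # lone "." ends the message body
                self.in_data = False
                self.pending.append(b"250 2.6.0 Queued mail for delivery\r\n")
            return
        verb = text.split(" ", 1)[0].split(":")[0].strip().upper()
        replies = {
            "EHLO": [b"250-mail.example.test Hello\r\n", b"250 SIZE 10485760\r\n"],
            "MAIL": [b"250 2.1.0 Sender OK\r\n"],
            "RCPT": [b"250 2.1.5 Recipient OK\r\n" if self.relay_allowed
                     else b"550 5.7.1 Unable to relay\r\n"],
            "DATA": [b"354 Start mail input; end with <CRLF>.<CRLF>\r\n"],
            "QUIT": [b"221 2.0.0 Closing connection\r\n"],
        }
        self.in_data = verb == "DATA"
        self.pending.extend(replies.get(verb, [b"500 5.3.3 Unrecognized command\r\n"]))

    def flush(self) -> None:
        pass
```

Two things to read off the transcript. Exchange 2003 answers RCPT TO with "250 2.1.5" followed by the address rather than the word OK, which is the reply Dean reports seeing later in the thread, so go by the three-digit code and not by the word. And a "550 5.7.1 Unable to relay" at RCPT TO means the server you reached will not relay for that recipient's domain from your IP: expected when testing the FE from the outside, but a relay-restrictions problem on the FE's SMTP virtual server if the BE gets it after being pointed at the FE as its smarthost.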
RE: more than just OWA... - 7.Feb.2007 3:28:46 PM
mia450r
Good stuff, I will try that out.... Re: the sendmail alias files... see my edit above. The majority of the alias files' content isn't an issue-- however, some usernames get re-directed to a different mailbox (i.e., "-" goes to user-b@exchange.company.com). How would I represent this in Exchange? m
RE: more than just OWA... - 7.Feb.2007 3:38:44 PM
uemurad
Add any needed aliases to the Active Directory object. If you open the ADUC (Active Directory Users & Computers) and open the object in question (let's say it's your user object), then on the E-mail Addresses tab click New and select SMTP Address. Enter the alias (it has to be unique to your AD forest). When Exchange receives a message, it performs a lookup in AD to see which object owns the address, then forwards the message there. SMTP addresses can be attached to mailboxes, Public Folders, Distribution Lists, Security Groups, and Contact objects.
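The alias conversion discussed in the last few posts (sendmail alias entries that either name the same-named mailbox, redirect to a different mailbox, or fan out to several addresses), as an added example that is not from the thread or from either poster. It parses an aliases file, follows chains of local names, and says per alias which AD object needs which secondary SMTP address on its E-mail Addresses tab (the proxyAddresses attribute, "smtp:" prefix) or whether the entry needs a distribution list or manual handling. The domains exchange.company.com and company.com and the sample alias file are assumptions/constructed; the "already delivered" case relies on the recipient policy already stamping name@company.com on each mailbox, which is what mia450r reports finding.

```python
"""Added example (not from the thread or either poster): read a sendmail
aliases file and work out, alias by alias, what has to exist in Active
Directory for Exchange to deliver the same mail.  Assumptions: Exchange-side
domain exchange.company.com, public domain company.com, aliases(5) syntax
('name: target, target' with indented continuation lines).  Sample is constructed."""
from typing import Dict, FrozenSet, List, Tuple

EXCHANGE_DOMAIN = "exchange.company.com"   # assumption
PUBLIC_DOMAIN = "company.com"              # assumption

SAMPLE_ALIASES = """\
# constructed sample, not the poster's real alias file
postmaster: root
root: admin@exchange.company.com
jsmith: jsmith@exchange.company.com
sales: user-b@exchange.company.com
support: user-b@exchange.company.com,
    user-c@exchange.company.com
staff: :include:/etc/mail/lists/staff
loop1: loop2
loop2: loop1
"""


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse aliases(5) text into {name: [targets]}, joining continuation lines."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (assumes no '#' in targets)
        if not line.strip():
            continue
        if line[0].isspace() and logical:       # indented line continues the previous entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    aliases: Dict[str, List[str]] = {}
    for entry in logical:
        name, _, rhs = entry.partition(":")     # first ':' only, so ':include:' survives
        aliases[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return aliases


def resolve(name: str, aliases: Dict[str, List[str]],
            seen: FrozenSet[str] = frozenset()) -> Tuple[List[str], List[str]]:
    """Follow local-name chains (postmaster -> root -> admin@...) until every
    target is an SMTP address.  Returns (addresses, targets needing manual work):
    :include: files, program pipes, file deliveries, unknown names and loops
    have no proxy-address equivalent in Exchange."""
    if name in seen:
        return [], [f"loop at {name}"]
    seen = seen | {name}
    addrs: List[str] = []
    manual: List[str] = []
    for target in aliases.get(name, []):
        if target.startswith((":include:", "|", "/")):
            manual.append(target)
        elif "@" in target:
            addrs.append(target.lower())
        elif target.lower() in aliases:
            more, todo = resolve(target.lower(), aliases, seen)
            addrs += more
            manual += todo
        else:
            manual.append(target)               # bare local name with no alias entry
    return addrs, manual


def plan_proxy_addresses(aliases: Dict[str, List[str]],
                         exchange_domain: str = EXCHANGE_DOMAIN,
                         public_domain: str = PUBLIC_DOMAIN) -> List[dict]:
    """One entry per alias saying what (if anything) to add in ADUC."""
    plan = []
    for name in aliases:
        addrs, manual = resolve(name, aliases)
        addrs = sorted(set(addrs))
        if manual:
            plan.append({"alias": name, "action": "manual", "detail": manual})
        elif len(addrs) == 1 and addrs[0] == f"{name}@{exchange_domain}":
            # Same-named mailbox: nothing to add, provided the recipient policy
            # already stamps name@public_domain on it (assumed, as the poster found).
            plan.append({"alias": name, "action": "already_delivered", "object": addrs[0]})
        elif len(addrs) == 1:
            # Redirect: the *target's* AD object gets a secondary SMTP address;
            # on the E-mail Addresses tab this is the proxyAddresses value below.
            plan.append({"alias": name, "action": "add_proxy",
                         "proxy": f"smtp:{name}@{public_domain}", "object": addrs[0]})
        else:
            plan.append({"alias": name, "action": "distribution_list", "members": addrs})
    return plan
```

Dean's point that the address must be unique in the forest is not something the file can tell you; before adding each "add_proxy" entry, search AD for it (for example dsquery * -filter "(proxyAddresses=smtp:sales@company.com)" from a domain-joined machine) and treat any hit as a conflict to resolve by hand.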
RE: more than just OWA... - 7.Feb.2007 3:46:02 PM
mia450r
LoL... Right on... you're quick! I was just trying that, as I got your reply from the forum....and it does work. Very cool... I'm seeing an end to the reliance on sendmail at our company.... Still have to test the DNS stuff tho....and make sure everything is secure.... Thank you so much for your help, patience and focus on this!! I'll try the DNS edits/tests soon..... m
RE: more than just OWA... - 7.Feb.2007 5:04:47 PM
mia450r
Hmmm... another oddity I'm seeing... with public folders. In setting up the FE / OWA server, I did as instructed and disabled/unmounted the Public Folders on the FE server... (the Mailbox Store is active, but there are no MBs on the FE) Emails coming in from the outside world are not reaching the Public Folders on the BE server. If I look at the Queues on the FE server, inside Local Delivery, some emails are hanging up in there. I believe these are emails destined for the Public Folders.... Why aren't these getting forwarded over to the BE server, like any of the other emails coming in? Tx mia
RE: more than just OWA... - 7.Feb.2007 5:42:56 PM
uemurad
If you look at the messages in the queue, are they timestamped prior to your disabling PF on the FE? If you send a test message to one of the mail-enabled PFs, does it get stuck in the queue? Try using Message Tracking on the test message and see what it says.
RE: more than just OWA... - 8.Feb.2007 9:11:24 AM
mia450r
I disabled the PF store on the FE months ago (when I first set it up as an OWA server only) but only just started sending mail through the FE..... mail is not making it to the PF on the BE server. Yes, all messages meant for that public folder are stuck in the local queue on the FE. The PF store should be disabled (not mounted) on the FE, correct? I have to switch mail flow back to sendmail until I can remedy this......
RE: more than just OWA... - 8.Feb.2007 5:14:20 PM
uemurad
What happens if on the FE you use Telnet to send a message to one of the PFs?
RE: more than just OWA... - 9.Feb.2007 8:55:48 AM
mia450r
Dean- I tried sending a test message via a cmd telnet session, on the FE server, to the PF. I used my own work email as the sending email, and it acknowledged that the sender was 'ok.' Then I typed the rcpt to: PFemail@mycompany.com, and it did not come back saying that the address was ok. After finishing, it echoed that the message was queued for delivery by the FE server.... No NDR bounce, and no message was delivered to the PF; however, the email is now stuck in the "Local Delivery" queue on the FE server.... just like the other test emails I had previously sent to the PF. How do I tell why they are getting hung up there? Is this due to a DNS issue, or maybe a FW port not being open? The FE server resides on the DMZ, and I'm fairly certain all the necessary ports are open between it, the A/D servers and the BE server... as OWA functions fine, and other mail gets delivered to the BE. Seems to just be the PFs. BTW, the FE server is now an outwardly facing DNS server, replicating with another of our sendmail/DNS servers. Should the FE server look to itself as primary DNS with our internal DNS server listed as secondary? Thanks again. m
RE: more than just OWA... - 9.Feb.2007 10:00:30 AM
uemurad
I did some testing on my own servers, and here is what I found. From my workstation, I telnetted to my mailbox server (all internal). My server responded the same way yours did to the RCPT TO: command. I didn't get an "OK". That was unexpected, but not necessarily a bad thing. Interestingly enough, the first message I tested I mistyped my address on the MAIL FROM: line. When I checked Message Tracking, it said it generated an NDR. However, since my address was wrong, I obviously didn't get it. I tried again, this time typing my address correctly (so I could see what the NDR said), but this time the message went through and appeared in the PF. This leads me to the question, what permission does Anonymous have on that PF? Since the message is coming from the outside, the sending address shouldn't be anything in AD, therefore it would be identified as Anonymous. That would have to have permissions to at least Create Items (like Author). Can you confirm?
RE: more than just OWA... - 9.Feb.2007 10:14:01 AM
mia450r
Hey Dean, I already know the answer to this, and just checked to be certain. The PF I am testing with, I set up to receive external emails from our customers, so Anonymous is set as a Contributor. If mail delivers our 'normal' way: Postini -> sendmail GW -> BE server, it posts to the PF fine. If I switch delivery from Postini -> FE, messages to the PF get hung up in the Local Delivery queue. FYI- Just now, when I went into System Manager on the FE, to look at the perms of that PF, under the Site/Public Folders, I get an error message, and it does not 'see' any of the PFs. If, however, I go to Servers/BE server/1st Storage Grp/Folders, then I can see them, and their perms. I realize the FE should not have a PF store mounted.... but is this any clue as to why the FE isn't forwarding the emails to the PF on the BE?? -m