General discussion

Locked

Exchange 2003 / domain issue

By drmweaver ·
ok, I have a few questions. but first let me layout our network as it was setup prior to me taking it on....

IN house we have an exchange server 2003. Our domain is mydomain.local in house. we have a cisco router that is plugged into the T1, and another cat5 is plugged into our Firewall. Our firewall is of course plugged into the router, and plugged into our switches.

Our exchange server, has to nics. Only one is active and working for now. It is plugged directly into the switch.

All workstations are setup to pull their email from our exchange server.

HOWEVER, is the big problem. Our EMAILS and WEB are not hosted internally. We have an ISP that hosts our mydomain.com website and emails.

Our exchange server pops out to retrieve our emails and brings them into the exchange server and then distributes them to the respective workstations/users.

When a user sends out emails, it just gets sent out.

However, we are experiencing some issues with like government sites, schools, etc and basically for AOL. What they keep saying is that our Routers' external ip address is being blocked because of a non DNS reverse lookup.

Any suggestions on how i can EASILY resolve this without housing our own web and email??

Thanks and all suggestions or ideas will be reviewed closely and appreciated.

This conversation is currently closed to new comments.

8 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

T1 Provider

by Churdoo In reply to Exchange 2003 / domain is ...

Your T1 provider can add a PTR record (reverse DNS) to resolve your exchange server's public IP to the FQDN that your exchange server reports.

Go to your exchange server and browse to "http://whatismyip.com" and that is the public IP you need to reverse-DNS.

Next, go into exchange ESM and dig down to your SMTP virtual server / properties / Delivery / Advanced Delivery / and look in the "fully qualified domain name" box; this is the name that the above IP needs to resolve to. If the box is blank, then ENTER an FQDN in there, but using the mydomain.COM, like mymail.mydomain.com.

Lastly, go to the host of your mydomain.COM DNS (probably the same entity that hosts your www and email), and have them put in a corresponding A-record in your .COM zone, resolving the above FQDN to the above IP.

You would still have to do this if you did host your own email delivery. Again, the REVERSE-DNS needs to be done by your T1 provider (or they can cause it to be done for you), and the forward DNS by your .COM DNS host.

Collapse -

Won't work

by drmweaver In reply to T1 Provider

Unfortunately that won't work. I did the http://whatismyip.com and it shows my routers ip address.

As I said, our ISP houses our www.domainname.com emails.

The main problem we have is persons replying back to us or we to them cause it sees our ip address as domain.local and not the domain.com.

The ESM reads servername.domain.local

The ISP tells us they will not put a PTR on a routers ip nor will they put a reverse DNS.

Collapse -

t1 providers for t1 line

by andrenym00378 In reply to T1 Provider

<a href="http://www.bandwidtht1.com">T1 Service</a> can sometimes be difficult to understand. Call your provider

Collapse -

Oh it does work ....

by Churdoo In reply to Exchange 2003 / domain is ...

... just may have to modify the execution a bit per these new conditions

I fully understand your scenario and have it running quite successfully at many clients.

As you have indicated, the biggest problem with your setup, is that your server is sending, or attempting to send, outbound SMTP directly to recipient SMTP servers, yet it is advertising itself as "servername.domain.LOCAL" which of course will fail any lookup from a receiving mail server, and therefore fails the simplest of anti-spam policies. Hence the rejection by aol and many others.

Now this may not even be a problem if your ISP operates a valid fully forward/reverse DNS'd SMTP server of their own that you can instruct your exchange server to forward all emails through. This would actually be the easiest thing to do, and should be within the scope of your ISP. In exchange, you would simply add the name or IP of your ISP SMTP server to the connector that sends to the * domain (all domains) / General tab / send all mail to smarthost box. If there is no such connector, you would create one.

If however you still choose to have your exchange server send outbound SMTP to recipient servers, the first thing you need to do is change how the exchange server identifies itself. You can make this change in ESM as I indicated in my first post and you need to change it to something.domain.COM. Making this change only affects how exchange identifies itself to recipient SMTP mail servers and will not adversely affect any exchange or email functionality.

Next, I understand what you're saying about your router IP. Your ISP then, should be able to NAT a different public IP from your IP block to your exchange server so that exchange is on its own dedicated IP (with appropriate ACL's in place), which they then should be able to forward and reverse DNS. The DNS name that you use in the forward and reverse DNS should be the FQDN that you entered in ESM above.

Again, your situation is not unique. Frankly, your ISP, even if they don't know Exchange specifically, SMTP is SMTP, and they should have been able to suggest either of the above solutions, and the fact that they were only too quick to say what they would NOT do without following through and offering any viable solutions, should concern you.

Collapse -

Changes

by drmweaver In reply to Oh it does work ....

Ok, lets' start with the ESM. I've got the SMTP open on the general tab, and I see the FQDN. I have the server name.domain.local there. i.e. dell2007.domain.local

If I change that to dell2007.domain.com and there is no such dell2007.domain.com will that screw something up?

Collapse -

Won't mess anything up

by Churdoo In reply to Changes

No, making that change won't screw anything up.

Of course it won't solve your problem, because it's only the beginning of the solution, but it won't screw anything up.

The next part of the solution will be to have dell2007.domain.com resolve to the dedicated public IP of the exchange server, and then to have a corresponding PTR record created.

Collapse -

Dedicated IP of the exchange server

by drmweaver In reply to Won't mess anything up

Currently there is no dedicated IP of the exchange server. I only have one ip address and that is the internal domain ip address. I can't put the exchange server on the internet due to policy issues. Even so, if I did, the cat5 cable for the 2nd nic card, does it just go into the switch like the first one?

I have the exchange nic plugged into the switch. Then I have the firewall that has to nic ports, one for the switch, and one for the router. then the router has two nic ports, one for the firewall and one that connects the t1.

If I put a 2nd cat5 cable in the 2nd nic card, assign it an external ip address from my block of ips, won't I then have to register my local.domain.com address of the exchange server, and will that mess up the mx and ptr records for our isp mail.mydomain.com emails?

See I told you this was going to be confusing......grin

Collapse -

One step at a time

by Churdoo In reply to Dedicated IP of the excha ...

No it's not confusing, we're just taking it one step at a time.

To get Exchange on a public IP ... who maintains your router and firewall? Is it maintained by yourselves or by your ISP? What I recommend is that you talk to those who manage your router and firewall (or talk to your T1 ISP for assistance) and have them NAT one of your public IP's to the private IP of the Exchange server. At the same time, they can put appropriate ACL's in place to disallow inbound traffic -- you MAY want to take this opportunity to have them allow inbound HTTP/HTTPS for Outlook Web Access (OWA), or don't bother with it if that doesn't interest you.

With this method, you will not have to enable or use the 2nd NIC in the exchange server, and won't have to make any physical cabling changes, yet you will be secure if the proper ACL's are put in place.

Once this is complete, yes you will want to register the IP in forward and reverse DNS, again, using the same FQDN that you set in ESM virtual SMTP server props; this was the whole point of the exercise, to get forward and reverse resolution of your exchange server for sending email without being rejected as a potential spammer.

You will not modify your MX records, so just by registering the forward (A) and reverse (PTR) records for this IP/FQDN will not affect your current MX records and therefore will not affect your inbound email delivery.

We're almost there.

Back to Networks Forum
8 total posts (Page 1 of 1)  

Related Discussions

Related Forums