Re: Scared as hell with SBS 2003 Exchange
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Tue, 04 Apr 2006 23:42:43 +0100
JoeF wrote:
> Someone informed me today that my SBS Exchange server is out there in the open for all to access. Please help calm me down and clarify my configuration:
> I have a Cisco Pix 501 firewall opening ports 25, 443, and 4125 from its public outside IP address and forwarding them to the outside interface of a Symantec Gateway Security 360 appliance, forwarding those same ports to SBS 2003's internal IP address.
> This same person told me I need to put the Exchange server on the PIX 501 DMZ interface and use a different public IP address just for Exchange.
If you were using multiple W2003 servers, that would be reasonable
advice. Since you're using SBS, it isn't, and this person should know
that.
While it is certainly possible to configure SBS as an open relay, it
isn't by default. If you feel you may have inadvertently done so, check
Google for information. Microsoft has a set of steps to follow to make
sure it's not, but you should probably get a better idea of what may
actually be happening.
> I'm having problems currently with my new SBS 2003 Exchange configuration which is using DNS to route all mail. I've heard that I need to set up reverse DNS for my public IP address to allow messages being sent to certain domains such as verizon.net, nyc.rr.com, optonline.net, etc. I'm getting messages as follows:
> =================================================
> #5.7.1 smtp;550 5.7.1 <user1@xxxxxxxxx>... Relaying denied>
> Could not deliver the message in the time limit specified. Please retry or contact your administrator.#4.4.7
> =================================================
> Posts on this user group have told me to use a smart host method for sending mail. Where do I go from here? What should I do?
OK. Some large ISPs are getting fussy as to who they accept email from
(though less fussy who they host) and reverse DNS is considered a
minimum qualification. They don't (or at least AOL) seem to insist that
the reverse DNS hostname matches the mail server HELO string but there
must be something that looks like a proper domain name. That's the job
of whoever hosts your domain name, and they will know what to do.
You can either do this, or send mail through your ISP's own mail server
(smarthost) which presumably is respectable enough not to have problems.
There is a slight operational difference in that if mail doesn't go
through, you get the ISP's error message. If you are sending direct
you can see the whole SMTP handshake, which may tell you more about
the problem. You are also reliant on the ISP's mail server working,
so there is an extra link in the reliability chain. This is not usually
much of a problem, as if their mail server is down, you probably don't
have Internet access anyway.
It is possible to configure mail to some domains to go via smarthost,
and the rest direct.
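The check the large ISPs are applying here is forward-confirmed reverse DNS: the connecting IP must have a PTR record, and the name in that PTR must resolve back to the same IP. The script below is an added example, not code from either message in this thread; it performs that check against a server's public IP (defaulting to the operating system's resolver via the `socket` module) and also flags two things receivers commonly dislike: a PTR that does not look like a real hostname and a PTR that does not match the HELO name. The resolver functions are injectable so the logic can be exercised offline with constructed data; the IP addresses and hostnames in the usage at the bottom are constructed examples.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail server.

Added example (not from the original thread). Run it against the public IP
your SBS box sends from, before relying on direct DNS delivery instead of an
ISP smarthost.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RdnsResult:
    ip: str
    ptr: Optional[str]                 # hostname from the PTR record, if any
    forward_ips: List[str]             # A records for that hostname
    confirmed: bool                    # PTR exists and resolves back to ip
    helo_matches: Optional[bool]       # None when no HELO name was supplied
    problems: List[str] = field(default_factory=list)


def _default_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                    # socket.herror / gaierror both derive from OSError
        return None


def _default_a(name: str) -> List[str]:
    """IPv4 A-record lookup through the OS resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []


def _looks_generic(ip: str, ptr: str) -> bool:
    """Heuristic: PTR names that embed all four octets of the IP
    (e.g. 203-0-113-10.dyn.example.net) are typical of dynamic pools and
    are treated with suspicion by many receivers."""
    tokens = set(re.split(r"[.-]", ptr))
    return all(octet in tokens for octet in ip.split("."))


def check_fcrdns(ip: str, helo: Optional[str] = None,
                 ptr_lookup: Callable[[str], Optional[str]] = _default_ptr,
                 a_lookup: Callable[[str], List[str]] = _default_a) -> RdnsResult:
    """Return an RdnsResult describing how a receiver would see this IP."""
    problems: List[str] = []
    ptr = ptr_lookup(ip)
    forward: List[str] = []
    if ptr is None:
        problems.append("no PTR record: whoever owns the IP block must add one")
    else:
        ptr = ptr.rstrip(".").lower()
        if "." not in ptr:
            problems.append("PTR is not a fully qualified hostname")
        if _looks_generic(ip, ptr):
            problems.append("PTR looks like a generic/dynamic-pool name")
        forward = a_lookup(ptr)
        if ip not in forward:
            problems.append("PTR name does not resolve back to this IP (not forward-confirmed)")
    confirmed = ptr is not None and ip in forward
    helo_matches: Optional[bool] = None
    if helo is not None:
        helo_matches = ptr is not None and helo.rstrip(".").lower() == ptr
        if not helo_matches:
            problems.append("HELO name differs from PTR (usually tolerated, but worth aligning)")
    return RdnsResult(ip, ptr, forward, confirmed, helo_matches, problems)


if __name__ == "__main__":
    # Constructed sample data standing in for real DNS answers.
    PTR = {"203.0.113.10": "mail.example.com", "203.0.113.11": "203-0-113-11.dyn.example.net"}
    A = {"mail.example.com": ["203.0.113.10"], "203-0-113-11.dyn.example.net": ["203.0.113.11"]}
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        r = check_fcrdns(ip, helo="mail.example.com",
                         ptr_lookup=PTR.get, a_lookup=lambda n: A.get(n, []))
        print(ip, "confirmed" if r.confirmed else "NOT confirmed", r.problems)
```

To test a live server, call `check_fcrdns("your.public.ip", helo="the name Exchange sends in HELO")` with the default lookups; an empty `problems` list means the reverse DNS side is in order, and anything that remains is a request for the party that hosts the IP block (for the PTR) or the domain (for the A record).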