Feb 14

Email to certain domains not working

Filed under: Technical — admin @ 1:16 am  

When you have trouble reaching outside domains via email, the first place to look is your mail queue. Regardless of which mail server you run, Exchange, sendmail or otherwise, look at the queue and see whether mail is building up. If it is, find out why. I wanted to share an experience I had with my Exchange 2003 server recently that is important to know if you run into it. We found that we were unable to send email to certain outside domains, such as company2.hk and institution.edu, but we were able to send email to our Gmail just fine.

We were changing our public IP scheme because we had outgrown the previous one; we needed more public addresses, and they were only available in blocks. So let’s say our public range was 10.1.1.0/24. Our gateway is 10.1.1.1, and our Cisco router sits on 10.1.1.2. Our internal private IP range is 192.168.1.0/24, and the Exchange server sits on a static IP of 192.168.1.10. However, instead of opening the RPC over HTTP ports (80 and 443) to our Cisco’s external interface address, 10.1.1.2 -> 192.168.1.10, we opened those ports on 10.1.1.4 -> 192.168.1.10, along with IMAP port 143 and SMTP port 25. We then changed our external DNS entry for mail.company.com -> 10.1.1.4, and called our ISP to have a reverse DNS entry made for mail.company.com -> 10.1.1.4. Mail starts building up in the queue. Why?

The errors I was seeing in most queues that had mail in them were “SMTP connection dropped by remote host” and “SMTP protocol error”. Blacklisted? http://www.robtex.com to the rescue. Go to that page from your front end server, or whichever Exchange server sends your SMTP mail. When you get there, you will see your external IP. Click on your external IP right after the text that says:

swiss army knife internet tool

in the searchbox above you can search for:
RBL checks multible RBL:s if a specific is listed (10.1.1.2)

What I found here was that my external IP was translating to 10.1.1.2 from my front end Exchange server, not 10.1.1.4 as it was supposed to! I showed up in multiple blacklists, such as Spamhaus, SpamCop and others. My Exchange FE server needs to be seen by the world as 10.1.1.4, so we have to go into the Cisco and create a static NAT like:

static (inside,outside) 10.1.1.4 192.168.1.10 netmask 255.255.255.255
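As an added example (not code from the post), here is the same diagnosis modelled offline in Python: it parses PIX/ASA-style `static` lines from a constructed sample config, reports which public address an inside host is seen as (its one-to-one static if present, otherwise the shared outside interface address used for PAT), checks that against the address the mail host's DNS points at, and builds the reversed-octet name a DNSBL lookup queries. The config lines, the fallback PAT address and the `nat_matches_dns` check are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample PIX/ASA-style NAT config (not from the post). Hosts on
# 192.168.1.0/24 are PAT'd behind the outside interface address unless a
# one-to-one static entry overrides that for a specific host.
OUTSIDE_INTERFACE_IP = "10.1.1.2"
BEFORE_CONFIG = """
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
"""
AFTER_CONFIG = BEFORE_CONFIG + "static (inside,outside) 10.1.1.4 192.168.1.10 netmask 255.255.255.255\n"

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_statics(config):
    """Return {real_ip: mapped_ip} for every one-to-one static line (/32 netmask)."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(5) == "255.255.255.255":
            _, _, mapped_ip, real_ip, _ = m.groups()
            statics[real_ip] = mapped_ip
    return statics


def public_ip_for(real_ip, config, outside_interface_ip=OUTSIDE_INTERFACE_IP):
    """Address the outside world sees for an inside host: its static mapping if one exists, else the shared PAT address."""
    return parse_statics(config).get(real_ip, outside_interface_ip)


def nat_matches_dns(real_ip, dns_ip, config, outside_interface_ip=OUTSIDE_INTERFACE_IP):
    """True when outbound SMTP from real_ip leaves with the same address the mail host's A and PTR records point at."""
    return public_ip_for(real_ip, config, outside_interface_ip) == dns_ip


def dnsbl_query_name(ip, zone):
    """Reversed-octet name a DNSBL lookup would query, e.g. 2.1.1.10.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        seen_as = public_ip_for("192.168.1.10", cfg)
        ok = nat_matches_dns("192.168.1.10", "10.1.1.4", cfg)
        print(f"{label}: seen as {seen_as}, matches DNS: {ok}, RBL query: {dnsbl_query_name(seen_as, 'zen.spamhaus.org')}")
```

Before the static is added the Exchange host leaves as 10.1.1.2 (the listed address); after it, as 10.1.1.4, which is what the A and PTR records were changed to.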

That was all it took to get mail flowing again in this case. When you deploy Exchange, be careful, of course, to make sure that you don’t have an open relay on your SMTP server. Make sure that only authorized IP addresses, IP subnets, or authenticated users are allowed to relay mail through your Exchange solution. Otherwise you will legitimately be blacklisted, in which case you will need to secure your solution first and then ask to be removed from the lists. I may be preaching to the choir here, but here are more specific instructions.

Within Exchange System Manager, expand your administrative group (First Administrative Group), then Servers, and find your sending SMTP server. This is usually your front end server if you have a front end/back end solution; if not, it’s your only Exchange server. From here you will see a Protocols container; expand that and click on the SMTP container. Right click on the SMTP virtual server you want to administer (in most cases there is only one, Default SMTP Virtual Server) and click Properties. Click on the Access tab, and then on Relay. Here is where you can restrict relaying to individual IP addresses or IP subnets. Click on “Only the list below” and add your IPs or subnets. Also put a check in the box for “Allow all computers which successfully authenticate…”.

Back on the Access tab, click on Authentication. Here you can set your default domain, and allow only Integrated Windows Authentication for the greatest security.
