Allow a group of users to receive and send emails to a specific Internet domain.
Hello;
Right now I have a group of users not able to send or receive email from the Internet at all. They just receive email within the organization. Now we require that they be able to send/receive emails from a few vendors only (specific domains from the Internet). I'm using Exchange Server 2003 SP2.
I have my SMTP Connector rejecting all email from this group (SD_No_InternetMail) and this group is configured in the Exchange General properties -> Message Restrictions -> Authenticated users only.
Do you know a configuration that resolves this dilemma?
Thank You in advance.
April 16th, 2008 12:18am
Hi Carlos,
Regarding the situation, I suggest that you create another SMTP connector with the specific domains as its Address Space and allow the group (SD_No_InternetMail) to send email to the specific domains.
The detailed steps are below:
1. Create a new SMTP connector
2. On the Address Space tab, please add the specific SMTP domains
For more information regarding the SMTP connector, you can refer to the following site:
http://technet.microsoft.com/en-us/library/aa997032(EXCHG.65).aspx
Mike
April 17th, 2008 2:41pm
Mike;
Thank You for the reply and link.
As you suggested, I created the second SMTP connector with "example.domain.com" in the address space with a cost of "1". In the Delivery Restrictions tab in the new connector I am rejecting everybody except the SD_No_InternetMail group. Now the members of the group are able to send email to this domain but not receiving from it. What do I need to change in the connector itself or in the Exchange properties of the group to allow the members of the group to receive email from "example.domain.com" but not from other domains?
Thank You
April 17th, 2008 8:33pm
Hi Carlos,
I understand that the group can send emails to the specific domains but still fails to receive the emails from your vendor domain.
Carlos, we have a workaround regarding the issue, but it may have high costs and complicated steps. I have provided the detailed steps below:
We need to have two SMTP Virtual Servers: one server to allow the email to the SD_No_InternetMail group from the specific domains and the other server to block the emails to the SD_No_InternetMail group from the Internet.
Step 1: Block all Internet emails to the SD_No_InternetMail group on one SMTP Virtual Server (we call it A):
==================================================================
1. Create Recipient Filtering and filter all the users in the SD_No_InternetMail group
2. Enable the filter on the SMTP Virtual Server which is usually used to receive Internet emails
Note: We need to add all user addresses into the filter manually instead of just adding the group email address.
Step 2: Create another SMTP Virtual Server (we call it B) to receive emails from the specific domains
=====================================================
Note: We need to assign different IP addresses to the two SMTP Virtual Servers.
After creating a new SMTP Virtual Server, please only allow the public IP network addresses of the specific domains to connect to the SMTP Virtual Server. We can configure the restriction through SMTP Virtual Server Properties -> Access tab -> Connections.
Step 3: Please update your external DNS MX records
====================================
You should have two DNS MX records for the two SMTP Virtual Servers. The MX record for the SMTP Virtual Server B needs to have higher priority.
In this way, if an Internet user attempts to send email to your domain, it will first attempt to access your SMTP Virtual Server B. If the user belongs to the vendor domain, the user can connect to the server successfully. If the user belongs to other domains, it will be redirected to SMTP Virtual Server A, which has the Recipient Filter enabled.
Step 4: Please uncheck "Authenticated users only" for the SD_No_InternetMail group
Mike
April 18th, 2008 10:04am
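The four-step design above rests on one property of SMTP delivery: a sender moves on to the next MX host only when it cannot connect, while a 5xx reply at RCPT TO is final and becomes an NDR. The following model is an added example, not code from the thread or from Exchange, and its addresses, group members and MX preferences are constructed for illustration. It walks an MX list the way a conforming sender does, with VS B restricting connections by source IP and VS A running the Recipient Filter.

```python
"""Model of how a sending MTA walks the MX list for the two-SMTP-virtual-server design.

Assumptions (constructed, not from the thread): VS B is MX preference 0 and only
accepts TCP connections from the vendor's mail server IPs; VS A is MX preference 10,
accepts connections from anyone, and rejects SD_No_InternetMail members at RCPT TO.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample data: vendor outbound server IP and the filtered group members.
VENDOR_MAIL_SERVER_IPS = {"203.0.113.10"}
SD_NO_INTERNETMAIL = {"carlos@example.org", "jane@example.org"}


class ConnectionRefused(Exception):
    """Raised when the Access -> Connections restriction drops the TCP session."""


@dataclass
class SmtpVirtualServer:
    name: str
    allowed_client_ips: Optional[Set[str]]  # None means no connection restriction
    recipient_filter: Set[str] = field(default_factory=set)

    def accept_connection(self, client_ip: str) -> None:
        # Connection-level restriction: the session ends before any SMTP dialogue.
        if self.allowed_client_ips is not None and client_ip not in self.allowed_client_ips:
            raise ConnectionRefused(f"{self.name} dropped connection from {client_ip}")

    def rcpt_to(self, recipient: str) -> Tuple[int, str]:
        # Recipient Filtering answers RCPT TO with a permanent 5xx for filtered addresses.
        if recipient.lower() in self.recipient_filter:
            return 550, "5.7.1 Requested action not taken: mailbox not available"
        return 250, "2.1.5 Recipient OK"


VS_B = SmtpVirtualServer("VS B", allowed_client_ips=VENDOR_MAIL_SERVER_IPS)
VS_A = SmtpVirtualServer("VS A", allowed_client_ips=None, recipient_filter=SD_NO_INTERNETMAIL)

# (preference, host) pairs as published in DNS; the lowest preference is tried first.
MX_RECORDS: List[Tuple[int, SmtpVirtualServer]] = [(10, VS_A), (0, VS_B)]


def deliver(client_ip: str, recipient: str, mx_records=MX_RECORDS) -> Tuple[Optional[str], Optional[int], str]:
    """Attempt delivery the way a standards-conforming sender does.

    Returns (server that answered, SMTP reply code, reply text). Only a failure to
    connect moves the sender to the next MX host; a 5xx reply at RCPT TO is final
    and is turned into an NDR by the sending server.
    """
    for _, server in sorted(mx_records, key=lambda rec: rec[0]):
        try:
            server.accept_connection(client_ip)
        except ConnectionRefused:
            continue  # fall through to the next MX host
        code, text = server.rcpt_to(recipient)
        return server.name, code, text
    return None, None, "no MX host accepted the connection; sender queues and retries"


if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.10", "carlos@example.org"),
                     ("198.51.100.5", "carlos@example.org"),
                     ("198.51.100.5", "bob@example.org")]:
        print(ip, rcpt, "->", deliver(ip, rcpt))
```

The model makes the trust boundary of the design visible: the only thing admitting mail to the restricted group is the source IP of the connecting server, so any host that can connect from the vendor's published address range (a compromised or shared vendor relay, for instance) can reach the group. Keep the VS B allow list as narrow as the vendor's actual outbound servers and review it when the vendor changes providers.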
Mike;
Thank You again for following up on this thread.
I will try this solution over the weekend. I will let you know the results. I have my doubts with the MX records. If an email is directed to me (from a domain different from the vendor domain), the sending server will get a bounce back because it hit VS B (with MX 0). It REACHED the SMTP server though, but was rejected because of a restriction. It is not the same as when it was not able to reach the server due to a connection issue and tries a different MX to deliver the email (if there is one).
Currently, I have in my domain two MX records, MX 0 pointing to my Exchange Server and MX 10 pointing to my ISP mail server (I have a duplicate account on that server). If for any reason my Internet connection is down, all the mail is redirected to that server (MX 10) for backup. Then when the Internet is back my Exchange server connects to that server to download the saved mail. Normally my second MX record just gets hit if my Exchange does not respond at all, but if Exchange responded it is either an NDR or it delivers the email.
Anyway, I will let you know the results. Your suggestion really makes sense, but as I said I don't know how the MX record will switch to a second MX if the first one did respond.
Thank You for your information.
April 19th, 2008 1:11am
Hi Carlos,
I have configured a test environment with two servers. Server A is in Domain One. Server B is in the other domain. I have configured two SMTP Virtual Servers on Server A. One SMTP Virtual Server is configured to only allow a static IP address to create a connection (Server B has another IP address). The other SMTP Virtual Server has no limitation.
After configuring the DNS server to give the first SMTP Virtual Server higher priority, I noticed that the email can still be sent to Server A from Server B. In addition, after checking the frames by using netmon, I noticed that the TCP connection created to the first SMTP Virtual Server is disconnected immediately by the SMTP Virtual Server. Then, a second connection is created to the unlimited SMTP Virtual Server to send email.
Hence, I think that the second MX record will be used if the first connection is rejected by the connection restriction.
Mike
April 21st, 2008 9:32am
Mike;
I configured your solution with the two SMTP VS and it works fine!!! Just one little thing, I noticed that if I filter in VS "B" to allow by domain name (ex: domain.com) it does not work. It sent the mail to VS "A" where the users are filtered. So, due to the fact my vendors just have one or two mail servers, I am using IPs instead. (Not a big deal)
Another question in the same vein is: Now I am not getting a copy of the NDR when VS "A" filters out the users. The senders get an awkward NDR "550 5.7.1 Requested action not taken: mailbox not available". I researched on the Internet and it seems there is no way to edit the NDR message to be more specific, like "Sender domain has been filtered out for this mailbox". I played a little with IMF in reject mode and a registry entry to modify the NDR, but it seems that filtering recipients is totally apart from the IMF.
Do you have a suggestion on this one?
Again, Thank You very much for your suggestion/solution to this issue. I will wait for your reply to mark this question resolved.
April 23rd, 2008 9:21pm
Hi Carlos,
I am glad to know that the method is helpful.
Regarding the first issue, filtering connections by domain name: Carlos, I would like to explain that when using the domain to filter connections, DNS reverse lookup is in use. Thus, please check whether the PTR record of your vendor domain exists and is correctly configured on the DNS server. In addition, as DNS reverse lookup will affect system performance, I suggest that you still use the IP address instead of the domain name filter.
Regarding the second issue, modifying the NDR message, it is a different issue. I suggest that you submit a new thread to have more MVPs help you regarding the issue. In addition, it is also helpful for others searching for specific information in this forum.
Mike
April 25th, 2008 1:36pm
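To show why the domain-name restriction on VS B silently fails when the vendor's servers lack PTR records, and why the IP-based restriction has no such dependency, here is an added example that is not part of the thread or of Exchange. The PTR and A zones are constructed lookup tables standing in for real DNS; the forward-confirmation step (checking that the PTR name resolves back to the connecting IP) goes beyond what the thread describes and is included as a defensive check against a PTR that merely claims a vendor hostname.

```python
"""Model of domain-name vs IP-based connection restrictions on an SMTP virtual server.

The DNS tables below are constructed for the example; in production these are
real PTR and A lookups. The forward-confirmation step is an addition beyond what
the thread describes, shown here as a defensive check.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

# Constructed reverse (PTR) and forward (A) zones.
PTR_ZONE = {
    "203.0.113.10": "mail1.vendor.example.",  # proper PTR, forward-confirms
    "203.0.113.11": None,                     # vendor host with no PTR at all
    "198.51.100.7": "mail2.vendor.example.",  # PTR claims vendor, but forward differs
}
A_ZONE = {
    "mail1.vendor.example.": "203.0.113.10",
    "mail2.vendor.example.": "203.0.113.20",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; None models NXDOMAIN."""
    return PTR_ZONE.get(ip)


def forward_lookup(name: str) -> Optional[str]:
    """Stand-in for an A query on the PTR target."""
    return A_ZONE.get(name)


def allowed_by_domain(ip: str, allowed_domains: Iterable[str],
                      forward_confirm: bool = True) -> Tuple[bool, str]:
    """Domain-name restriction: depends entirely on the client's PTR record."""
    domains = [d.lower().strip(".") for d in allowed_domains]
    name = reverse_lookup(ip)
    if name is None:
        # This is the case Carlos hit: no PTR, so VS B drops the connection
        # and the mail lands on VS A where the recipients are filtered.
        return False, "no PTR record; connection dropped"
    host = name.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in domains):
        return False, f"PTR {host} not under an allowed domain"
    if forward_confirm and forward_lookup(name) != ip:
        return False, f"PTR {host} does not resolve back to {ip}"
    return True, f"PTR {host} accepted"


def allowed_by_ip(ip: str, allowed_networks: Iterable[str]) -> bool:
    """IP-based restriction: no DNS dependency, which is why the IP filter is preferred."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in allowed_networks)


if __name__ == "__main__":
    for client in PTR_ZONE:
        print(client, "by domain:", allowed_by_domain(client, ["vendor.example"]),
              "| by IP:", allowed_by_ip(client, ["203.0.113.0/28"]))
```

Two operational points follow from the model. A domain-name filter also adds a reverse lookup to every inbound connection, so a slow or unreachable reverse zone delays all mail on that virtual server. And when the IP allow list is used instead, the entries should be the vendor's actual outbound MTA addresses rather than a whole provider range, since every address on the list can deliver straight to the otherwise isolated group.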
Mike;
Thanks again for the explanation, and I will open a new thread for the NDR reports.
April 25th, 2008 7:36pm