Exchange 2007 should play Smarthost
Dear all,

I am trying to figure out the following problem. One of our customers is running SBS 2008. The Exchange server works properly for the LAN users. Now we implemented a Nagios server in the customer's DMZ. The Nagios server should send mail alerts to the local support team. To do this, Nagios comes with a Postfix (MTA), which has been configured to relay all messages to the customer's Exchange, but the Exchange won't accept the connections.

During my debugging I see two receive connectors configured:

1. Default <servername> - Local IP: 172.16.x.x 25, Remote IP: 172.16.x.x-172.16.x.x, TLS, Std-Auth, Exch.Server-Auth, Integra. Win.Auth, Exch-Users, Exch-Server, Legacy Exch-Server
2. Windows SBS Internet Receive <servername> - Local IP: 172.16.x.x 25, Remote IP: 0.0.0.0-255.255.255.255, TLS, Anonymous

In my opinion this should work, but no, the Postfix could not make a connection to the Exchange server (timed out). So I cross-checked everything, especially the firewall. The only rule I found between DMZ and LAN was this one: allow any any. So I checked the Exchange again, and the Windows Firewall isn't active either. So the big question is why the Exchange blocks the connection from the Postfix.

The Nagios/Postfix has 192.168.x.x in the DMZ and is routed via the firewall to 172.16.x.GW. Because the 172.16.x.GW address isn't included in the IP range of connector 1, this mail traffic should be routed to connector 2, which allows anonymous access. I tried to deliver a mail to the Exchange via telnet, but this connection times out too.

Another problem is that the customer can't monitor the SMTP port on his Exchange because it won't accept connections from the DMZ.

I'm puzzled. Do any of you have some ideas?

Thanks and regards,
Steffen
December 3rd, 2010 4:22am

Do the firewall logs show that traffic on port 25 is passing through?
December 3rd, 2010 7:53am

I presume that all the wizards have been run in SBS to ensure that it is configured correctly? SBS does make some changes to the connectors for its own purposes, however the receive connectors should accept traffic from anywhere. Have you checked the connection restrictions on the Receive Connectors?

If the firewall configuration between the LAN and DMZ is allow any any, then what is the point in the DMZ? If the server in the DMZ is compromised then an attacker can walk straight in.

Simon.
Simon Butler, Exchange MVP
December 3rd, 2010 8:09am

Hi Simon,

> I presume that all the wizards have been run in SBS to ensure that it is configured correctly? SBS does make some changes to the connectors for its own purposes, however the receive connectors should accept traffic from anywhere. Have you checked the connection restrictions on the Receive Connectors?

No, I checked it on my own via the Exchange Management Console. I know that SBS does some "mysterious things" in the background. From my experience in the past, I'm not trusting any SBS wizard ;). What do you mean by "connection restrictions"? Every setting I found is posted in the starting thread.

> If the firewall configuration between the LAN and DMZ is allow any any, then what is the point in the DMZ? If the server in the DMZ is compromised then an attacker can walk straight in.

I know this, and we already plan the changes in a follow-up project.

Hi AndyD,

> Do the firewall logs show that traffic on port 25 is passing through?

I don't have full access to the firewall logs, but those logs which I was able to access look OK. I'm looking forward to having a meeting with the firewall admin, so I can verify this.

Thanks and regards,
Steffen
December 3rd, 2010 10:30am

SBS 2008 has been designed to be managed by the wizards. While you may not trust them, treating SBS as a full product will usually end up in a lot of pain. The wizards are very good and if run correctly and you allow SBS to manage everything then it will work as designed. I have deployed many SBS 2008 servers and use the wizards every time - and I am very capable of setting up the server manually.

If you haven't run the wizards to configure the server then that is probably some of the cause of the problem. SBS will have made changes to the configuration of the server behind the scenes when it was installed and the wizard is the most efficient way of getting those changes made to accommodate configuration changes.

Simon.
Simon Butler, Exchange MVP
December 3rd, 2010 12:02pm
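
The manual telnet test mentioned in the thread, scripted as an added example that is not part of any post above. It separates a connect timeout (no TCP handshake, so no receive connector was ever consulted) from a refused connection and from an SMTP service that answers, and lists the EHLO extensions the answering connector advertises. The names `probe_smtp` and `read_reply` and the HELO name are hypothetical; the target address is supplied by the operator.

```python
import socket
import sys

def read_reply(stream):
    """Read one SMTP reply (possibly multi-line); return (code, [text lines])."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:                            # peer closed before a full reply
            return None, lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":    # "250 " ends, "250-" continues
            return (int(line[:3]) if line[:3].isdigit() else None), lines

def probe_smtp(host, port=25, timeout=5.0, helo="probe.example.invalid"):
    """Classify what answers on host:port: nothing, a reset, or an SMTP service."""
    result = {"stage": None, "banner": None, "extensions": []}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:                     # no SYN/ACK: filtering or routing
        return {**result, "stage": "timeout"}
    except ConnectionRefusedError:             # host reachable, nothing listening
        return {**result, "stage": "refused"}
    except OSError:                            # e.g. no route to host
        return {**result, "stage": "unreachable"}
    try:
        with sock, sock.makefile("rwb") as stream:
            code, text = read_reply(stream)
            if code is None:                   # TCP accepted, but no SMTP greeting
                return {**result, "stage": "no_smtp_banner"}
            result["banner"] = f"{code} {text[0]}"
            stream.write(f"EHLO {helo}\r\n".encode("ascii"))
            stream.flush()
            code, text = read_reply(stream)
            if code == 250:                    # first line is the greeting itself
                result["extensions"] = [t.split()[0].upper()
                                        for t in text[1:] if t.strip()]
            stream.write(b"QUIT\r\n")
            stream.flush()
            result["stage"] = "smtp_ok" if code == 250 else "smtp_rejected"
    except OSError:                            # includes read timeouts and resets
        result["stage"] = "stalled_after_connect"
    return result

if __name__ == "__main__":
    # Usage: python probe.py <exchange-ip>
    print(probe_smtp(sys.argv[1]))
```

Run from the DMZ host and again from a LAN host: a "timeout" result only from the DMZ side points at the path between the two networks, while "smtp_ok" without AUTH in the extension list indicates an anonymous-only connector answered.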
