Forwarding/Relaying Issue
I'm having a strange problem with the relaying of messages.

My company (mycompany.com) has several employees who work outside the facility and have, in addition to their Exchange accounts, accounts at external providers (specifically me.com).

Some messages that originate outside of mycompany.com (specifically from gmail.com and a few others) come into our Exchange server and are forwarded out to the me.com account without a problem. However, the majority of messages that originate from domains outside of mycompany.com do not. A message essentially like the example below is returned to the sender.

I'm having a devil of a time narrowing down the problem and any suggestions would be helpful.

Your message did not reach some or all of the intended recipients.

    Subject: Email Test
    Sent: 8/11/2010 11:35 AM

The following recipient(s) could not be reached:

    John Public on 8/11/2010 11:36 AM
    You do not have permission to send to this recipient. For assistance, contact your system administrator.
    <myserver.mycompany.COM #5.7.1 smtp;554 5.7.1 <sjf@relation.com>: Sender address rejected: Access denied>
August 11th, 2010 7:43pm

This is becoming a more common problem and is down to the way that Exchange forwards the emails. It doesn't change the headers in any way, so if the originating domain has configured antispoofing measures and the destination domain is doing checks on the antispoofing, then the email will be rejected. The email looks like your Exchange server is spoofing it.

To put it simply, Exchange forwarding is becoming unreliable, and is no longer something that I recommend. For those outside I suggest either Outlook Anywhere/RPC over HTTPS, Blackberry or an ActiveSync device.

Simon.

Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 11th, 2010 11:11pm

On Wed, 11 Aug 2010 16:43:36 +0000, Steven Frank wrote:

> I'm having a strange problem with the relaying of messages.
>
> My company (mycompany.com) has several employees who work outside the facility and have, in addition to their Exchange accounts, accounts at external providers (specifically me.com).
>
> Some messages that originate outside of mycompany.com (specifically from gmail.com and a few others) come into our Exchange server and are forwarded out to the me.com account without a problem. However, the majority of messages that originate from domains outside of mycompany.com do not. A message essentially like the example below is returned to the sender.
>
> I'm having a devil of a time narrowing down the problem and any suggestions would be helpful.
>
> Your message did not reach some or all of the intended recipients.
>
> Subject: Email Test
> Sent: 8/11/2010 11:35 AM
>
> The following recipient(s) could not be reached:
>
> John Public on 8/11/2010 11:36 AM
> You do not have permission to send to this recipient. For assistance, contact your system administrator.
> <myserver.mycompany.COM #5.7.1 smtp;554 5.7.1 <sjf@relation.com>: Sender address rejected: Access denied>

Does relation.com publish a SPF TXT record in DNS? If they do, it probably doesn't include your IP address.

What release of Exchange are you running?

When you say these messages are "forwarded out", are they really "forwarded" (where the sender becomes the mailbox to which the message was originally sent), or are they "redirected" (where the sender remains the message's original sender)?

--- Rich Matheisen MCSE+I, Exchange MVP
August 12th, 2010 4:11am

Thanks for your response.

The Exchange version is: 6.5.7638.1

I'm not sure how to answer your question about the method of forwarding, but I'll describe what we're doing and hopefully that will shed some light on things. For the users in question, I have, in addition to their normal Exchange user, added a Contact that contains the external (me.com) email address. Then, in the Properties for the main account under Exchange General/Delivery Options I have the Contact specified as the Forward To under Forwarding address.

With regard to relation.com, I have looked at the DNS config and do not see an SPF TXT record, although I admit to not being familiar with that record. In any case, I used relation.com as a specific example of this behavior and there are many others, none of which I have access to or control of, so I need to find a solution that doesn't rely on being able to modify the source domain.

Please let me know if you need any further information.

Thanks again!
August 12th, 2010 4:37am

On Thu, 12 Aug 2010 01:37:25 +0000, Steven Frank wrote:

> The Exchange version is: 6.5.7638.1

So, Exchange 2003 SP2?

> I'm not sure how to answer your question about the method of forwarding, but I'll describe what we're doing and hopefully that will shed some light on things. For the users in question, I have, in addition to their normal Exchange user, added a Contact that contains the external (me.com) email address. Then, in the Properties for the main account under Exchange General/Delivery Options I have the Contact specified as the Forward To under Forwarding address.

Okay, so it isn't Outlook doing a "forward", it's the Exchange server simply changing the RCPT TO address.

> With regard to relation.com, I have looked at the DNS config and do not see an SPF TXT record,

If that's the real domain name, they don't publish any SPF information. FYI, the DNS record type is "TXT".

> although I admit to not being familiar with that record. In any case, I used relation.com as a specific example of this behavior and there are many others, none of which I have access to or control of, so I need to find a solution that doesn't rely on being able to modify the source domain.
>
> Please let me know if you need any further information.

In the example, was the person that sent the e-mail to your site using a sender's address in the domain relation.com? Lots of e-mail systems don't accept email from their own domain, and that's what the sender's address would be if the "From:" address in the mail was in the relation.com domain.

--- Rich Matheisen MCSE+I, Exchange MVP
August 12th, 2010 6:14am

Yes, Exchange 2003 SP2.

Yes, this is not being done by Outlook, it is being done by Exchange.

I do not understand your last question, but I will try to explain the situation again, in its most basic terms.

userA@anycompany.com sends an email to userB@mycompany.com

When the email arrives on the Exchange server at mycompany.com I want Exchange to forward/relay it to userb@me.com

anycompany.com (relation.com in this ONE example) can be, and has been, many other domains (primarily customers and vendors of my company) and I have no control of, or insight into, any of them.

This process does work from a very small (at least as far as I can tell) number of source domains (one of them being gmail.com).

Please do not focus on the source domain. It can be any domain out on the Internet and I need this to work regardless of who sends the email.
August 12th, 2010 3:54pm

There is no universal solution. You cannot ignore the source domain, because that is where the problem is. If the source domain have configured themselves to stop their domain being spoofed, then the way that Exchange does the forward means it looks like spoofing.

The only way that things could be changed would be with header rewriting, but that would break the ability to reply.

The only solution that is universal is to stop forwarding email and make the users connect back to your server to read the messages.

Simon.

Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 12th, 2010 10:58pm

On Thu, 12 Aug 2010 12:54:03 +0000, Steven Frank wrote:

> Yes, Exchange 2003 SP2.
>
> Yes, this is not being done by Outlook, it is being done by Exchange.
>
> I do not understand your last question, but I will try to explain the situation again, in its most basic terms. userA@anycompany.com sends an email to userB@mycompany.com When the email arrives on the Exchange server at mycompany.com I want Exchange to forward/relay it to userb@me.com

That's what will happen. And when the message is sent to userb@me.com the MAIL FROM command uses the address userA@anycompany.com. The "From:" header will also contain userA@anycompany.com.

> anycompany.com (relation.com in this ONE example) can be, and has been, many other domains (primarily customers and vendors of my company) and I have no control of, or insight into, any of them.

No doubt. Which may be why you have the problem you do.

If the e-mail system that handles the domain "me.com" checks the sender's address (in either the RFC821 MAIL FROM command, or the RFC822 From, Sender, or Resent-* headers) it may determine that the sending server is not authorized to send e-mail for the domain.

HOW that system checks the address against the IP address is really up to the e-mail system administrators at the domain "me.com". They might use SPF, or they might use SenderID, or they may use some customized method. As you point out, you don't know what they use.

> This process does work from a very small (at least as far as I can tell) number of source domains (one of them being gmail.com)

If it's the e-mail system for "me.com" that's rejecting your mail you'll have to contact them to find out why they're doing that and how to avoid it.

On the other hand, if it's YOUR system that's generating the 550 5.7.1 status, check the permissions on the mail-enabled Contact in the AD.

Your SMTP protocol log will show you the SMTP conversation with the servers for the domain "me.com" and you see whether it's your server or theirs that returns the status code.

> Please do not focus on the source domain. It can be any domain out on the Internet and I need this to work regardless of who sends the email.

Well, you can deal with one domain that fails and use that as a model to find the problem, or you can deal with generalities and thousands of domains. The problem is that you may have the same symptom for different reasons. That means you may have a different problem for different domains.

Understanding WHAT the problem is before you go in search of a solution is the way to deal with this, don't you agree?

--- Rich Matheisen MCSE+I, Exchange MVP
August 13th, 2010 5:15am
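
The sender check discussed in the replies above, as an added example that is not part of the original thread: a destination evaluating SPF for the unchanged MAIL FROM domain against the forwarding server's IP, which shows why the same forward can succeed for one source domain and be refused for another. All domains, addresses and records are constructed, only the ip4, ip6 and all mechanisms are handled, and whether me.com uses SPF at all is not known from the thread.

```python
import ipaddress

# Constructed SPF policies for illustration (documentation domains and addresses only).
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # "nopolicy.example" publishes no SPF record at all
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the MAIL FROM domain's policy against the connecting IP.

    Handles only the ip4, ip6 and all mechanisms; include, a, mx, redirect and
    the rest of RFC 7208 need DNS lookups and are reported as "permerror" here.
    """
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term.lstrip("+-~?")
        name, _, arg = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" term present


def forward_outcomes(forwarder_ip, senders):
    """What the final destination sees when the forwarder keeps MAIL FROM unchanged."""
    return {s: check_spf(forwarder_ip, s) for s in senders}


if __name__ == "__main__":
    FORWARDER_IP = "203.0.113.25"  # constructed: the forwarding server's outbound address
    senders = ["userA@strict.example", "userA@soft.example", "userA@nopolicy.example"]
    for sender, result in forward_outcomes(FORWARDER_IP, senders).items():
        print(f"MAIL FROM:<{sender}> via {FORWARDER_IP} -> SPF {result}")
```

A destination that enforces "fail" refuses only the first of these forwards, while the same message delivered directly from 192.0.2.10 passes.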

This topic is archived. No further replies will be accepted.
