I had a previous thread going regarding changing our internet mail connector
settings on our Exchange 2003 organization so that we're not using the
smarthost for outgoing email (incoming email will be going through an
antispam/antivirus appliance). I received some good information, but now I
have some additional questions regarding this change. We've worked with
our internal network group, as well as our ISP and are getting everything
ready to switch.

1) Our internal DNS namespace does not match our external one (our
internal ones are all ".local"). When we have our one exchange server (the
one designated as the "bridgehead") making the outgoing SMTP connections, do
I need to have the server supply the external domain name when it makes the
initial connections (I thought it was part of the EHLO/HELO sequence).
There's no place to change it on the routing connector, but I've looked into
it, and it looks like I would change it on the bridgehead's "Default SMTP
Virtual Server", "Delivery", "Advanced tab", in the "Fully-qualified domain
name" field. Is this the correct place?

2) If I change that entry to our external domain name, will it affect
mail communication from that server to the other internal Exchange boxes?

3) On that "advanced delivery" tab, there's a button for "external DNS
servers". If I put in our ISP's DNS servers on this screen, again, will
this affect the internal server to server communications? The regular
Windows O/S settings will still point to our internal DNS servers. I had
determined previously to use our regular internal DNS servers (they do
forward to the outside if necessary), but that was when I thought I had to
change the Windows DNS settings. Since this is specific to the email
traffic only, should I set the external DNS entries here?

4) In the other thread, I asked about restarting services and was told
that the changes take effect almost immediately without a restart. However,
as I was looking for the other information above, I found a technet article
about setting up SMTP connectors (KB265293). That article said that after
making the connector changes, you need to restart the Routing Engine and
SMTP services. Since the connector already exists and we're just making
changes, will we need to restart the services after changing? I don't want
to do anything to interrupt our mail flow during normal hours.

Any information would be appreciated.

Mike O.

Re: Exchange 2003 - More Questions about changing SMTP connector from smarthost to direct for outgoing internet mail by Bharat

Bharat
Fri Mar 14 21:40:09 CDT 2008

1 & 2) Masquerading SMTP Virtual Servers: Changing the fqdn and masquerade
domain
http://exchangepedia.com/blog/2007/12/masquerading-smtp-virtual-servers.html

3) Can your internal DNS servers resolve external domains? If yes, there's no
reason to add your ISP's DNS servers, imo.

4) No need to restart, and you don't really lose anything by restarting
(except temporary unavailability of SMTP..... ).
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------





Re: Exchange 2003 - More Questions about changing SMTP connector f by MikeO

MikeO
Sat Mar 15 10:27:00 CDT 2008

Thank you for the response.

Regarding questions 1&2:
I checked out the blog you pointed to, and the other ones, but I'm still a
little confused.

Here's our current configuration (I'm not using our actual server names or
IP..)

Our internal namespace is "acme.local", ip 10.x.x.x. The external is
"acme.com"
Three internal back-end exchange servers:
coyote.acme.local, roadrunner.acme.local
One internal front end server/bridgehead: anvil.acme.local.
Each internal server has the standard "default SMTP virtual server"

Currently, a SMTP connector exists, with address space "*", sending to a
smarthost. The bridgehead is "anvil", "Default SMTP virtual server"

I want to set anvil.acme.local to be able to send to the outside (just
outgoing email, incoming email is through a different route). Our network
group has set up the firewall to allow outgoing SMTP. The external address
is 200.200.200.50. An external DNS "A" record (and reverse PTR) at our ISP
has been created for this IP as the name "mail2.acme.com"

The "Advanced Delivery" FQDN entry currently is "anvil.acme.local". As I
understand it, I need to set it to "mail2.acme.com", so that it identifies
itself on the HELO/EHLO connections that it makes to the outside.

However, if I set the "default SMTP virtual server" on anvil to
"mail2.acme.com", since that resolves to an external IP and name, will anvil
be able to communicate with the other internal servers properly?

It looks like I should set up a second "SMTP virtual server" on Anvil and
use it as the bridgehead virtual server. If I do this, set its FQDN to the
external name/ip, and leave the "default SMTP virtual server" alone with the
internal FQDN, will this work?

I guess I'm wondering what happens when you have two SMTP virtual servers on
one physical server, how does Exchange know which one to use for what mail?

I appreciate any assistance on this.




Re: Exchange 2003 - More Questions about changing SMTP connector f by Rich

Rich
Sat Mar 15 15:08:39 CDT 2008

Mike O. <MikeO@discussions.microsoft.com> wrote:

[ snip ]

>However, if I set the "default SMTP virtual server" on anvil to
>"mail2.acme.com", since that resolves to an external IP and name, will anvil
>be able to communicate with the other internal servers properly?

They will if you create an acme.com DNS zone on your internal DNS and
populate it with an A record for that name.

>It looks like I should set up a second "SMTP virtual server" on Anvil and
>use it as the bridgehead virtual server. If I do this, set it's FQDN to the
>external name/ip, and leave the "default SMTP virtual server" alone with the
>internal FQDN, will this work?

No need for an additional SMTP VS.


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com

Re: Exchange 2003 - More Questions about changing SMTP connector f by Mike

Mike
Sun Mar 16 09:45:24 CDT 2008


"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in message
news:42bot35ful4duaqasajaq1ik89ocr0k7ml@4ax.com...
> Mike O. <MikeO@discussions.microsoft.com> wrote:
>
> [ snip ]
>
>>However, if I set the "default SMTP virtual server" on anvil to
>>"mail2.acme.com", since that resolves to an external IP and name, will
>>anvil
>>be able to communicate with the other internal servers properly?
>
> They will if you create an acme.com DNS zone on your internal DNS and
> populate it with an A record for that name.
>

But if we create "acme.com" zone on our internal DNS, won't that affect
resolution for any of our other "acme.com" servers? Currently, all the
"acme.com" names are resolved by an outside DNS service. We have a
separate web development group that normally maintains all those servers. I
don't want to get into the position of having internal users not be able to
access some new web service because we didn't update our internal "copy" of
the "acme.com" DNS space. Can we set our internal DNS to have one
"acme.com" name, but go to the outside to resolve any other acme.com names?
Currently our DNS is set to forward outside for any names outside our
network, but I didn't know if you can have part of a zone inside and forward
out for others in the same zone.

Am I worrying about nothing? Does the Exchange internal server to server
communication use the FQDN defined on the delivery/advanced tab of the
virtual server? If I do change it to "mail2.acme.com", will it break
communications to the back end servers? The regular Windows TCP/IP stack
will have the internal "anvil.acme.local" name.

Or on the other way, if I don't change it, since it's only for outgoing
mail, will it cause outside systems to reject the mail?

>>It looks like I should set up a second "SMTP virtual server" on Anvil and
>>use it as the bridgehead virtual server. If I do this, set it's FQDN to
>>the
>>external name/ip, and leave the "default SMTP virtual server" alone with
>>the
>>internal FQDN, will this work?
>
> No need for an additional SMTP VS.

The more I looked into it, the more I don't want to mess with multiple VS's.

>
>
> --
> Rich Matheisen
> MCSE+I, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
> Don't send mail to this address mailto:h.pott@getronics.com
> Or to these, either: mailto:h.pott@pinkroccade.com
> mailto:melvin.mcphucknuckle@getronics.com
> mailto:melvin.mcphucknuckle@pinkroccade.com


Re: Exchange 2003 - More Questions about changing SMTP connector f by Rich

Rich
Sun Mar 16 10:43:07 CDT 2008

"Mike O" <put_the_spam@the.can> wrote:

[ snip ]

>But if we create "acme.com" zone on our internal DNS, won't that affect
>resolution for any of our other "acme.com" servers?

Sure. But it's just as easy to add those addresses to your internal
DNS. How many are there? 10, 100, 1000? More?

>Currently, all the
>"acme.com" names are resolved by an outside DNS service. We have a
>separate web development group that normally maintains all those servers. I
>don't want to get into the position of having internal users not be able to
>access some new web service because we didn't update our internal "copy" of
>the "acme.com" DNS space.

Well, who deals with updating the external DNS? Is it a big problem to
also update the internal DNS with the same information? It's also
possible for the external addresses to use internal names, but that
seems a bit silly.

>Can we set our internal DNS to have one
>"acme.com" name, but go to the outside to resolve any other acme.com names?

No.

>Currently our DNS is set to forward outside for any names outside our
>network, but I didn't know if you can have part of a zone inside and forward
>out for others in the same zone.
>
>Am I worrying about nothing? Does the Exchange internal server to server
>communication use the FQDN defined on the delivery/advanced tab of the
>virtual server? If I do change it to "mail2.acme.com", will it break
>communications to the back end servers? The regular Windows TCP/IP stack
>will have the internal "anvil.acme.local" name.

Easy enough to check. Use a lab machine, make the change on it, don't
update the DNS. Wait for AD replication and then run WinRoute.exe to
check the state of the machines, routing group connectors, and
anything else. Is any of it "down"? Is the reason for it being down
the inability to resolve the new name?

>Or on the other way, if I don't change it, since it's only for outgoing
>mail, will it cause outside systems to reject the mail?

That depends entirely on the MTAs with which you communicate. Some
insist that not only must your IP address have a PTR record, but that
the name returned by the PTR query must match the EHLO/HELO data (or
at least the domain part of the data). Some go so far as to insist
that the MAIL FROM domain match the EHLO/HELO domain. In other words,
YMMV.


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
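Rich's list of checks that receiving MTAs apply (a PTR record for the connecting IP, a PTR name that matches the EHLO/HELO name or at least its domain part, and in the strictest cases a MAIL FROM domain that matches the EHLO domain) is exactly what is worth verifying against your own bridgehead before the cutover. The script below is an added example, not code from this thread or from Exchange; it evaluates those three checks plus the usual forward confirmation of the PTR name against constructed DNS records modelled on the names Mike used (the 10.1.1.5 address for anvil is an assumption), and shows how to swap in the OS resolver to test a real server.

```python
"""Check the identity an outbound SMTP server presents, as a strict receiving
MTA would.  Added example; the DNS records below are constructed."""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed records standing in for what Mike's ISP published.  The
# 10.1.1.5 address for anvil is an assumption; it is not in the thread.
FORWARD = {"mail2.acme.com": "200.200.200.50", "anvil.acme.local": "10.1.1.5"}
REVERSE = {"200.200.200.50": "mail2.acme.com"}


def table_a(name: str) -> Optional[str]:
    """A-record lookup against the constructed table."""
    return FORWARD.get(name.lower().rstrip("."))


def table_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return REVERSE.get(ip)


def system_a(name: str) -> Optional[str]:
    """Drop-in replacement for table_a that uses the OS resolver."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def system_ptr(ip: str) -> Optional[str]:
    """Drop-in replacement for table_ptr that uses the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def domain_part(fqdn: str) -> str:
    """The last two labels of a name: acme.com for mail2.acme.com."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


@dataclass
class SenderIdentityReport:
    ehlo: str
    ip: str
    mail_from: str
    ptr: Optional[str]
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (severity, detail)

    @property
    def ok(self) -> bool:
        """True when no 'reject'-level check failed; 'warn' entries may remain."""
        return not any(sev == "reject" for sev, _ in self.findings)


def check_sender_identity(
    ehlo: str,
    ip: str,
    mail_from: str,
    lookup_a: Callable[[str], Optional[str]] = table_a,
    lookup_ptr: Callable[[str], Optional[str]] = table_ptr,
) -> SenderIdentityReport:
    """Apply the PTR, EHLO-vs-PTR and MAIL FROM checks to one connection."""
    findings: List[Tuple[str, str]] = []
    ehlo_name = ehlo.lower().rstrip(".")
    ptr = lookup_ptr(ip)
    if ptr is None:
        findings.append(("reject", f"{ip} has no PTR record"))
    else:
        ptr = ptr.lower().rstrip(".")
        if ptr != ehlo_name:
            if domain_part(ptr) == domain_part(ehlo_name):
                findings.append(("warn", f"PTR {ptr} differs from EHLO {ehlo_name}; only the domain part matches"))
            else:
                findings.append(("reject", f"PTR {ptr} does not match EHLO {ehlo_name}"))
        # Forward confirmation: the PTR name must resolve back to the IP,
        # otherwise whoever controls the reverse zone could claim any name.
        if lookup_a(ptr) != ip:
            findings.append(("reject", f"PTR name {ptr} does not resolve back to {ip}"))
    from_domain = mail_from.rsplit("@", 1)[-1].lower()
    if from_domain != domain_part(ehlo_name):
        findings.append(("warn", f"MAIL FROM domain {from_domain} differs from EHLO domain {domain_part(ehlo_name)}"))
    return SenderIdentityReport(ehlo_name, ip, mail_from, ptr, findings)


if __name__ == "__main__":
    # Before the change anvil would announce its .local name from the public IP;
    # after the change it announces the name its PTR record carries.
    for ehlo in ("anvil.acme.local", "mail2.acme.com"):
        report = check_sender_identity(ehlo, "200.200.200.50", "mike@acme.com")
        print(ehlo, "OK" if report.ok else "PROBLEM", report.findings)
```

To run it against a live server, pass `lookup_a=system_a, lookup_ptr=system_ptr` and the public IP the firewall will present; the "warn" entries are the cases Rich describes as depending on the receiving MTA, while "reject" entries will fail at most receivers.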

Re: Exchange 2003 - More Questions about changing SMTP connector f by Mike

Mike
Mon Mar 17 22:07:16 CDT 2008

Well, we got it working. Here's what we ended up doing:

We modified the virtual server and set the external FQDN on the
delivery/advanced settings, then restarted the SMTP service, and set the
connector to use DNS instead of the smarthost. Emails immediately
started queuing up on the other internal servers.

We then reset the virtual server and connector settings and let the queues
clear. Did some more checking, found an article that seemed to indicate
that we needed to add a Service Principal Name on the server for the SMTPSRV
with the external FQDN using the setSPN command. Made those changes, it
seemed to work briefly, then the queues started backing up again...

Duplicating our external DNS on our internal system wasn't an option.
However, that did give me an idea and what finally solved the problem was
to create a HOSTS file on the other Exchange servers with the external FQDN
of the bridgehead server, but pointing to the internal address. As soon as
I did that, the queues started dropping and email was flowing quickly.

I appreciate all the comments and suggestions. I've probably learned more
about connectors and the virtual SMTP server configuration in the last week
than I did over the last year...

Mike O.




Re: Exchange 2003 - More Questions about changing SMTP connector f by Rich

Rich
Mon Mar 17 22:24:51 CDT 2008

"Mike O" <put_the_spam@the.can> wrote:

[ snip ]

>We then reset the virtual server and connector settings and let the queues
>clear. Did some more checking, found an article that seemed to indicate
>that we needed to add a Service Principal Name on the server for the SMTPSRV
>with the external FQDN using the setSPN command. Made those changes, it
>seemed to work briefly, then the queues started backing up again...

The SPN is really only necessary for the internal names. I think ExBPA
will point out that a SPN is missing, though, even if it's for an
"external" name.

>Duplicating our external DNS on our internal system wasn't an option.
>However, that did give me an idea and what finally solved the problem was
>to create a HOSTS file on the other Exchange servers with the external FQDN
>of the bridgehead server, but pointing to the internal address. As soon as
>I did that, the queues started dropping and email was flowing quickly.

In a small environment that will work. It's not something I'd do
myself, though.


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
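Mike's fix pins the bridgehead's external name to its internal address in the HOSTS file of each back-end Exchange server, and Rich's caveat is that static entries like that only stay manageable in a small environment. The audit below is an added example, not anything posted in the thread; it parses a HOSTS file in the Windows format, confirms that the override is present and points at the expected private address, and flags any other acme.com names that are pinned there and will silently drift from external DNS (the problem Mike raised about stale internal copies). The sample file content and the 10.1.1.5 address are constructed.

```python
"""Audit the HOSTS-file override used on the back-end Exchange servers.
Added example; file content and addresses are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed HOSTS content for one back-end server.  The 10.1.1.5 address
# for anvil is an assumption, not a value from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.1.1.5        mail2.acme.com   # anvil's external name, pinned to its internal address
"""

EXTERNAL_ZONE = "acme.com"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a HOSTS file to its address.  Format: address,
    whitespace, one or more names, optional '#' comment; blank lines ignored."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it as well
        for name in parts[1:]:
            entries[name.lower().rstrip(".")] = parts[0]
    return entries


def audit_hosts_override(
    text: str, fqdn: str, internal_ip: str, zone: str = EXTERNAL_ZONE
) -> List[Tuple[str, str]]:
    """Check that fqdn is pinned to internal_ip, and report every other name
    in the external zone that is pinned and so will not follow external DNS."""
    hosts = parse_hosts(text)
    fqdn = fqdn.lower().rstrip(".")
    findings: List[Tuple[str, str]] = []
    addr = hosts.get(fqdn)
    if addr is None:
        findings.append(("error", f"{fqdn} is not in HOSTS; mail to the bridgehead will use the public address"))
    elif addr != internal_ip:
        findings.append(("error", f"{fqdn} is pinned to {addr}, expected {internal_ip}"))
    else:
        # Sanity check on the expected address: the whole point of the override
        # is to keep internal mail on the internal network.
        try:
            if not ipaddress.ip_address(addr).is_private:
                findings.append(("warn", f"{fqdn} is pinned to a non-private address {addr}"))
        except ValueError:
            findings.append(("error", f"{addr} is not a valid IP address"))
    for name, pinned in sorted(hosts.items()):
        if name != fqdn and name.endswith("." + zone):
            findings.append(("warn", f"{name} is pinned to {pinned} and will not follow external DNS"))
    return findings


if __name__ == "__main__":
    # Run on each back-end server with the contents of
    # %SystemRoot%\System32\drivers\etc\hosts in place of SAMPLE_HOSTS.
    for severity, detail in audit_hosts_override(SAMPLE_HOSTS, "mail2.acme.com", "10.1.1.5"):
        print(f"{severity}: {detail}")
    print("audit complete")
```

An empty result means the one override is in place and nothing else in the external zone is being shadowed; once the external DNS moves in-house, as Mike mentions is planned, the same check will show which HOSTS entries can be retired.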

Re: Exchange 2003 - More Questions about changing SMTP connector f by Mike

Mike
Tue Mar 18 05:47:58 CDT 2008


"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in message
news:6adut3ldgh44j9tm2ng3avu0grgfkstjej@4ax.com...
> "Mike O" <put_the_spam@the.can> wrote:
>
> [ snip ]
>
>>We then reset the virtual server and connector settings and let the queues
>>clear. Did some more checking, found an article that seemed to indicate
>>that we needed to add a Service Principal Name on the server for the
>>SMTPSRV
>>with the external FQDN using the setSPN command. Made those changes, it
>>seemed to work briefly, then the queues started backing up again...
>
> The SPN is really only necessary for the internal names. I think ExBPA
> will point out that a SPN is missing, though, even if it's for an
> "external" name.
>

I wasn't sure, and it didn't seem like it would hurt anything to try it.


>>Duplicating our external DNS on our internal system wasn't an option.
>>However, that did give me an idea and what finally solved the problem was
>>to create a HOSTS file on the other Exchange servers with the external
>>FQDN
>>of the bridgehead server, but pointing to the internal address. As soon
>>as
>>I did that, the queues started dropping and email was flowing quickly.
>
> In a small environment that will work. It's not something I'd do
> myself, though.
>
Currently we've only got a few production servers, with about 5,000 users.
There's a lot going to be happening soon; in the next few months we're going
to be migrating to Exchange 2007 and another project has us moving the
external DNS in-house. This solution was just to solve a specific issue we
had with the smart host/McAfee appliance and get us through with minimal
changes at this time.

>
> --
> Rich Matheisen
> MCSE+I, Exchange MVP
> MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
> Don't send mail to this address mailto:h.pott@getronics.com
> Or to these, either: mailto:h.pott@pinkroccade.com
> mailto:melvin.mcphucknuckle@getronics.com
> mailto:melvin.mcphucknuckle@pinkroccade.com