Re: Question about SMTP connector for internet mail on Exchange 2003 by Bharat
Bharat
Fri Mar 07 13:17:25 CST 2008
I wouldn't say it's never a good idea - there are situations where you would
point the SMTP VS to external DNS servers - when internal DNS servers are
unable to resolve external domains. In any case, you wouldn't want to point
the OS TCP config to point to external DNS servers.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------
"Craig Philbeck" <M3PostMasters@nospam.m3tg.com> wrote in message
news:uxIN4GIgIHA.5296@TK2MSFTNGP05.phx.gbl...
> It's never a good idea to point your exchange servers to external DNS
> servers. Always point them to your internal DNS servers and forward
> queries for external hostnames from there.
>
> --
> Craig Philbeck
> M3Postmasters@nospam.m3tg.com
> M3 Technology Group
> www.m3postmasters.com
>
>
> "Mike O" <put_the_spam@the.can> wrote in message
> news:OczkvQ%23fIHA.2540@TK2MSFTNGP05.phx.gbl...
>>
>> "Bharat Suneja [MVP]" <bharat@nospam.org> wrote in message
>> news:OHu$PT1fIHA.4728@TK2MSFTNGP03.phx.gbl...
>>> DNS performance generally isn't a bottleneck except in really large
>>> environments.
>>> Can your internal DNS servers resolve internet domains? If yes, simply
>>> point Exchange to internal DNS (which would be the default
>>> configuration - so no change required).
>>>
>> Yes, our internal DNS will go to the outside for name resolution if
>> necessary. I just thought that since most of the email DNS lookups are
>> probably going to be for the outbound internet domains, it might be more
>> efficient to have the Exchange server query the external DNS at our ISP,
>> instead of taking the extra hops to go to the inside ones first (which
>> would end up going to the external ones anyway).
>>
>>
>>>
>>>
>>> "Mike O" <put_the_spam@the.can> wrote in message
>>> news:uu3EDBzfIHA.3780@TK2MSFTNGP06.phx.gbl...
>>>> "Bharat Suneja [MVP]" <bharat@nospam.org> wrote in message
>>>> news:uW5dloyfIHA.4140@TK2MSFTNGP04.phx.gbl...
>>>>> Responses inline.
>>>>>
>>>>>
>>>>>
>>>>> "Mike O" <put_the_spam@the.can> wrote in message
>>>>> news:u$w1RLyfIHA.4684@TK2MSFTNGP06.phx.gbl...
>>>>>> I have some questions about modifying an SMTP connector in Exchange
>>>>>> 2003 SP2
>>>>>>
>>>>>> Our production email environment has three email servers, two back
>>>>>> end and one front end in a single admin and single site/routing
>>>>>> group. Our connection to and from internet mail is using a McAfee
>>>>>> antispam/antivirus gateway "SCM" appliance.
>>>>>>
>>>>>> Our current configuration has a connector set up for internet mail.
>>>>>> It has the "*" address space and has one of the servers designated as
>>>>>> the bridgehead server and the "smart host" setting pointing to the IP
>>>>>> of the McAfee device. The McAfee appliance is set to forward
>>>>>> incoming mail for our system to the bridgehead server.
>>>>>>
>>>>>> This configuration has been set up and been stable for over three
>>>>>> years.
>>>>>>
>>>>>> Recently we've been running into an issue when sending large (3,000+
>>>>>> recipients) out through the McAfee appliance (we've just opened a
>>>>>> ticket with McAfee; they're working on it). One of the ideas we're
>>>>>> looking into is setting our system to bypass the McAfee gateway for
>>>>>> outgoing email and have the bridgehead server send directly out to
>>>>>> the various internet recipients. Incoming mail would still go
>>>>>> through the appliance.
>>>>>>
>>>>>> Our networking group can modify the firewall to allow outgoing SMTP
>>>>>> and DNS connections from the bridgehead server, but I just want to
>>>>>> make sure I understand the changes on the connector and the effects.
>>>>>> I have some questions about this:
>>>>>>
>>>>>> 1) Once the firewall is set, all I need to do is set the
>>>>>> connector to use "DNS to route to each address space on this
>>>>>> connector" instead of the "forward all mail to. Smart Host", correct?
>>>>>
>>>>> Correct. Make sure the server can resolve internet domains before you
>>>>> do that, and also test outbound SMTP connectivity using telnet (to
>>>>> smtp port of an external/internet mail host).
>>>>>
>>>>
>>>> Currently the server is pointing to our internal DNS servers, which
>>>> will then forward to external DNS (if necessary) for name resolution.
>>>> I was wondering if I should set the Exchange server look first at the
>>>> external DNS of our ISP (after opening up the port), then look at the
>>>> internal DNS server if it can't resolve it on the outside DNS system.
>>>> If I have it look internal first, will it be a performance issue, since
>>>> the internal DNS would have to forward it out? I guess I'm wondering
>>>> which would be more important, resolving internal names quicker, or
>>>> external ones? My feeling is that there would be more external lookups
>>>> necessary since the internal traffic would be mainly just to the other
>>>> Exchange boxes. I definitely don't want to do anything to slow down
>>>> our internal email users, though.
>>>>
>>>>>>
>>>>>> 2) Changing the connector would only affect outgoing mail,
>>>>>> correct? The McAfee appliance is our incoming SPAM filter, we do NOT
>>>>>> want to bypass this for incoming mail.
>>>>>
>>>>> Correct. Connectors are (generically speaking) a bunch of settings for
>>>>> routing outbound mail. Inbound mail is controlled by external MX and A
>>>>> records.
>>>>>
>>>>>>
>>>>>> 3) The firewall would be modified to only allow connections
>>>>>> initiated from the inside. This is not a major security risk since
>>>>>> connection requests initiated from the outside would not be accepted,
>>>>>> correct?
>>>>>
>>>>> Correct.
>>>>>
>>>>>>
>>>>>> 4) Once I change the connector setting, does it take effect
>>>>>> immediately or do I need to restart any services (or the server)?
>>>>>
>>>>> Routing changes take effect almost immediately.
>>>>>>
>>>>>> Any information would be appreciated.
>>>>>
>>>>> You have a good understanding of how it works. :)
>>>>>
>>>>>>
>>>>>> Mike O.
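A pre-cutover check for the two tests Bharat recommends before switching the connector from a smart host to DNS routing (can the server resolve internet domains, and can it reach TCP/25 outbound), as an added example that is not part of the thread. It assumes Python 3 on a Windows box (the regex matches Windows nslookup's MX output format) and that the target domain and DNS server are constructed/placeholder values; the optional dns_server argument lets you test the external DNS server you would configure on the SMTP virtual server without touching the OS TCP/IP settings, which stay on internal DNS as the thread advises.

```python
"""Pre-cutover check before switching an SMTP connector from smart host to DNS routing."""
import re
import smtplib
import subprocess

# Windows nslookup -type=mx prints lines like this (constructed sample):
#   example.com     MX preference = 10, mail exchanger = mx1.example.com
MX_LINE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")

def parse_nslookup_mx(output):
    """Return [(preference, host), ...] from nslookup -type=mx output."""
    return [(int(p), h.rstrip(".")) for p, h in MX_LINE.findall(output)]

def order_targets(mx_records, domain):
    """Order delivery targets as an SMTP sender must (RFC 5321 section 5.1):
    lowest preference first; with no MX at all, fall back to the domain's
    own A record (the 'implicit MX')."""
    if not mx_records:
        return [domain]
    return [host for _, host in sorted(mx_records, key=lambda r: r[0])]

def lookup_mx(domain, dns_server=None):
    """Run nslookup locally, optionally against a specific DNS server, so the
    check follows the same resolver path the SMTP virtual server will use."""
    cmd = ["nslookup", "-type=mx", domain] + ([dns_server] if dns_server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    return parse_nslookup_mx(out)

def check_smtp(host, port=25, timeout=10):
    """The telnet test from the thread, automated: connect, expect the 220
    banner, send EHLO and QUIT. Returns (ok, first line of the reply)."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            lines = msg.decode(errors="replace").splitlines() or [""]
            return code == 250, lines[0]
    except (OSError, smtplib.SMTPException) as exc:
        return False, str(exc)

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder
    dns_server = sys.argv[2] if len(sys.argv) > 2 else None
    for host in order_targets(lookup_mx(domain, dns_server), domain):
        ok, detail = check_smtp(host)
        print(f"{host}: {'OK' if ok else 'FAIL'} - {detail}")
```

A FAIL on every MX after the firewall change usually means outbound TCP/25 is still blocked or the resolver path is wrong; a FAIL on only one MX is that remote host's problem, and the sender moves on to the next preference.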