Exchange Server 2003: Not receiving emails. Please advise

Discussion in 'Windows Server System' started by simond, 2007/12/17.

  1. 2007/12/17
    simond Inactive Thread Starter
    Hi,
    I would like a bit of assistance, please. I'm unable to receive emails to my Exchange server.

    I have set up Exchange Server 2003 with Service Pack 2.
    The Exchange server is pointing to my local DNS.
    The DNS servers are forwarding DNS queries to my ISP's DNS.

    I have set up a HOST A record and updated the MX records, and allowed over 48 hours for the DNS to propagate.

    I have set up port forwarding on my router for port 25 and it's forwarding SMTP to my Exchange server.

    I have put the Exchange server in the DMZ but still cannot receive emails externally. Previously an NDR was generated, but now an NDR is no longer generated.

    Below are the steps taken

    <details of DNS config removed by ReggieB - see below>


    Please advise
     
    Last edited by a moderator: 2007/12/18
  2. 2007/12/17
    eannatone Inactive
    When I try to send mail to your server, this is the error I get:
    "454 5.7.3 Client does not have permission to submit mail to this server. "
    Check the security setting on your virtual SMTP server.
     

  4. 2007/12/17
    eannatone Inactive
    Can you send mail internally?
     
  5. 2007/12/17
    simond Inactive Thread Starter
    Hi,

    I will check the virtual settings.
    I had a similar error. Maybe I have denied anonymous access.
     
  6. 2007/12/17
    simond Inactive Thread Starter
    Internally, no problems at all.

    I will check the virtual server settings further.
     
  7. 2007/12/18
    ReggieB Inactive Alumni
    A good test is whether you can telnet into port 25 of the mail server from outside your network. For example, if your external address is 11.11.11.11, then this command at the cmd shell should connect you to the server:
    Code:
    telnet 11.11.11.11 25
    You need to do this from a PC outside your network, as many routers (especially firewalled ones) will not act normally if you try to access a resource via its external address when you are inside the network.

    What you get when you connect depends on the mail server. Sometimes there is a single greeting line of text, but sometimes you just get a blank screen. The key thing is that you don't get a failure to connect message. If you get a failure message, then there is a problem with the way you are routing the traffic through to the mail server.

    This test will also work internally, so you can familiarise yourself with a normal response before you try it externally. If your routing/port-forwarding is working correctly, you will get the same response internally and externally.

    If you can connect via this method, then you are probably looking at a routing problem outside your network: either your ISP's DNS setup, or a routing problem on the internet. I'd suggest in this circumstance that the best way forward is to discuss the problem with your ISP.
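
The telnet test described in the post above, as a scripted check (an added example, not part of the original thread). It separates the three outcomes ReggieB lists: failure to connect, a connection with a blank screen, and a greeting line. The function name `probe_smtp` and the result labels are choices made for this example.

```python
import socket

def probe_smtp(host, port=25, timeout=5.0):
    """Do what `telnet host 25` does and classify the outcome.

    'connect_failed' : refused, filtered or timed out (routing/port-forward problem)
    'no_banner'      : TCP connected but no greeting arrived (the "blank screen")
    'banner'         : TCP connected and the server sent a greeting line
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"result": "connect_failed", "detail": str(exc)}
    with sock:
        try:
            data = sock.recv(512)  # the SMTP greeting, if any, arrives unprompted
        except socket.timeout:
            return {"result": "no_banner", "detail": "connected, server silent"}
        except OSError as exc:
            return {"result": "no_banner", "detail": str(exc)}
    lines = data.decode("ascii", "replace").splitlines()
    if not lines:
        return {"result": "no_banner", "detail": "peer closed without greeting"}
    code = lines[0][:3]  # SMTP replies start with a three-digit code, 220 for a greeting
    return {
        "result": "banner",
        "code": int(code) if code.isdigit() else None,
        "line": lines[0],
    }
```

Run it once from inside the network and once from an outside machine, for example `probe_smtp("11.11.11.11")`, and compare the two results.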
     
  8. 2007/12/18
    ReggieB Inactive Alumni
    I've just had another look at the information you posted and have realised that you've posted too much information about your configuration. I was able to use the information you posted to test the connection via telnet from here. Telnet to port 25 failed. However, when I entered your address into a browser I was taken straight to an IIS "under construction" default page.

    Remove the server from your DMZ

    I am fairly sure that server is not properly secured and, by putting it in your DMZ, you've exposed it to the internet in a way that is bypassing much of the security provided by your router/firewall. What's more, your posting pointed straight at that server.

    I'd recommend that you give that server a very thorough scan for malware and viruses before you proceed.

    Forwarding port 25 should be all you need to do to get incoming SMTP traffic to pass through your router/firewall.

    My guess is that your problem with e-mail is that your server isn't listening on port 25 or that your router is port-forwarding to an incorrect internal address.
     
  9. 2007/12/18
    simond Inactive Thread Starter
    Hi,

    Thanks for the reply.

    The only reason I put the machine in the DMZ was for testing purposes. Since I wasn't receiving emails internally even though I had port 25 forwarded to my Exchange server, I wanted to see if the issue would reoccur if the server was in the DMZ. It sounds silly to put the server in the DMZ because the documentation says port 25 should be forwarded to the Exchange server and it should do the job, but I decided to take an extra step.

    I use this machine for testing purposes and I'll reimage the server again.

    Good News

    For the first time I was able to receive emails from external domains. What I did to resolve the problem was enable anonymous access under the virtual server. I had disabled anonymous access.


    Here are the steps taken


    Under the properties of the SMTP Virtual Server, Access tab, Authentication button, ticked anonymous access, and under the Relay button made sure "Only the list below" was selected and nothing was in the list box below it.


    I have taken the server out of the DMZ and tried sending emails from external domains and did not have any problems. Finally ;)


    I'm currently working on my Exchange certification so this is the best way of learning.

    I need a clarification, please.


    1) When you telnet to the SMTP server from an external domain, should the public IP be visible?

    2) For users to access Outlook Web Access, the server needs to be a front-end server? Therefore it should be on the DMZ?


    Many thanks, as always you guys help a lot.
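
A way to confirm from outside that the setting described in the post above behaves as intended: anonymous senders can deliver to a local mailbox, but the server refuses to relay to a foreign domain (an added example, not part of the original thread). The function name, the `probe.example.net` identity and the recipient addresses are placeholders chosen for this example; no message body is ever sent.

```python
import smtplib

def check_anonymous_and_relay(host, local_rcpt, foreign_rcpt, port=25, timeout=10.0):
    """Unauthenticated SMTP dialogue up to RCPT TO, for two recipients.

    Records the stage and reply code at which the server answered for a
    recipient in its own domain and for one in a foreign domain.
    """
    results = {}
    with smtplib.SMTP(host, port, local_hostname="probe.example.net",
                      timeout=timeout) as smtp:
        smtp.helo()
        for label, rcpt in (("local", local_rcpt), ("foreign", foreign_rcpt)):
            stage = "MAIL FROM"
            code, _msg = smtp.mail("probe@example.net")
            if code < 400:
                # Sender accepted without authentication; now name the recipient.
                stage = "RCPT TO"
                code, _msg = smtp.rcpt(rcpt)
            results[label] = (stage, code)
            smtp.rset()  # abandon the transaction before the next probe

    def accepted(outcome):
        return outcome[0] == "RCPT TO" and 200 <= outcome[1] < 300

    return {
        "local": results["local"],
        "foreign": results["foreign"],
        # True when anonymous inbound mail for the local domain is accepted
        "anonymous_inbound_ok": accepted(results["local"]),
        # True when an unauthenticated client may send to other domains
        "open_relay": accepted(results["foreign"]),
    }
```

The expected result for the configuration simond describes is `anonymous_inbound_ok` true and `open_relay` false; a rejection at the `MAIL FROM` stage corresponds to the permission error quoted earlier in the thread.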
     
  10. 2007/12/18
    Scott Smith Inactive Alumni
    If you're talking about external users accessing their Exchange, it would go like this:

    For Outlook 2003 Web Access:

    Forward port 80 to the Exchange box.

    Enter from outside as mail.yourdomain.com/exchange

    User will be prompted for credentials.
     
  11. 2007/12/18
    ReggieB Inactive Alumni
    As Scott says - port forward the ports required for the web service (80). I'm not sure if web outlook uses SSL. If it does, you will need to forward port 443 too.

    However, it does depend on your DMZ.

    The use of the term DMZ has been muddied in the last few years. Many cheap routers define a DMZ simply as an internal address to which all requests are forwarded. That is less a DMZ and more a huge hole in your firewall (or the incomplete protection provided by NAT).

    Traditionally, a secure network would have two firewalls. An outer one (often little more than a router with a set of firewall rules), and an inner one (a fully fledged firewall). The space between the two firewalls was the DMZ.

    In the DMZ you'd put any servers that provided services to the internet.

    The idea was that servers in the DMZ would have some protection provided by the outer firewall, but were expected to be secure themselves (fully patched and limited open connections). The system was designed so as to handle these servers becoming compromised. That is, even if a hacker got control of a server in the DMZ, they would still be blocked from the main network by the inner firewall.

    However, managing two firewalls was often seen as excessively complicated and expensive. Therefore, a compromise was designed. The two firewalls were collapsed into one but this single firewall had separate connections to two (or more) internal networks. One the main network. The other the DMZ. The firewall could then be configured with different less stringent rules for the DMZ than for the main network. Also traffic between the DMZ and the main network would have to pass through the firewall and therefore could also have controlling rules applied. This is the set up that most decent modern firewalls provide.

    The cheap router DMZ provides none of the security or features of a proper DMZ. It is in effect a port forwarding of all services to an internal host PC. That PC then has to protect itself on all the ports that could be attacked. If it becomes compromised, the whole of your internal network is compromised because there is nothing between the compromised device and the rest of the network.

    In conclusion
    Therefore, if you have a proper DMZ that is separated from your main network by a firewall, then putting a dedicated mail server in the DMZ makes a lot of sense (note the word dedicated. If the server is also your file server, then putting it in a DMZ isn't such a good idea). Firewalls that provide this facility have a separate DMZ port and allow you to set rules specifically for the DMZ.

    If, as I suspect, you do not have a proper DMZ, using port forwarding is a far better solution. With port forwarding only the specific required ports are forwarded, thereby limiting the potential pathway to your server and making it easier to secure.
     
  12. 2007/12/19
    simond Inactive Thread Starter
    Thanks for the info guys.
    The issue is resolved :)
     
