Exchange/Email Topology Issue

I take it our exchange servers are not part of the same forest / domain? This behavior shouldn't happen if all the HT servers are in the same forest, since they will be able to tell the originator and recipient by GUID as opposed to SMTP address.

RTmarc

What version of Exchange? In 2007 and 2010 you can setup an address re-write in the transport rules.

Parent A needs to be configured to not check for spoofing characteristics when it is being emailed from the other domains. Being unfamiliar with your spam solution I can't recommend a technical solution. You could also set up a new accepted domain within your exchange server and set the type to external relay domain. This will cause the HT server to treat the email with kid gloves as as far as anti-spam is concerned and I believe this is the exact scenario exchange has in mind for that type of accepted domain.

Understanding Accepted Domains: Exchange 2010 SP1 Help
External Message Routing: Exchange 2010 SP1 Help

it_consultant wrote: »

Parent A needs to be configured to not check for spoofing characteristics when it is being emailed from the other domains. Being unfamiliar with your spam solution I can't recommend a technical solution. You could also set up a new accepted domain within your exchange server and set the type to external relay domain. This will cause the HT server to treat the email with kid gloves as as far as anti-spam is concerned and I believe this is the exact scenario exchange has in mind for that type of accepted domain.

Understanding Accepted Domains: Exchange 2010 SP1 Help
External Message Routing: Exchange 2010 SP1 Help

^^ This. Whitelist parent-a.com and parent-b.com on your mail gateway solution, if you're using one, then configure accepted domains for the Exchange site.

If you aren't on 2010 yet.. here's some articles for doing it with 2003...
Configure Accepted Domains for an Exchange 2003 Hybrid Deployment: Exchange 2010 SP1 Help

Good one from the Exchange Team Blog here: Accepted Domains, Shared SMTP Address Spaces and Recipient Filtering - Exchange Team Blog - Site Home - TechNet Blogs

it_consultant wrote: »

Parent A needs to be configured to not check for spoofing characteristics when it is being emailed from the other domains. Being unfamiliar with your spam solution I can't recommend a technical solution. You could also set up a new accepted domain within your exchange server and set the type to external relay domain. This will cause the HT server to treat the email with kid gloves as as far as anti-spam is concerned and I believe this is the exact scenario exchange has in mind for that type of accepted domain.

Understanding Accepted Domains: Exchange 2010 SP1 Help
External Message Routing: Exchange 2010 SP1 Help

I think you mean on parent-b as that is the one doing the rejecting. But as I stated - nothing can be done in parent-b's IT infrastructure. If I called and put in a ticket asking them to please ensure that they breathed oxygen I would receive an email telling me that they were unable to do that. Parent-A is doing the "spoofing" Parent-b is doing the rejecting. bjones@parent-b.com sends email to some_group@parent-a.com and the group membership is expanded and the email is sent out from the parent-a server with a from address of bjones@parent-b.com and the parent-b server sees that and assumes it is spam. I know I could fix this by white listing on the parent-b server but I am more likely to to win the lottery and then immediately being killed by a meteorite than I am to get anything done in parent-b's side of things.

Everyone wrote: »

^^ This. Whitelist parent-a.com and parent-b.com on your mail gateway solution, if you're using one, then configure accepted domains for the Exchange site.

If you aren't on 2010 yet.. here's some articles for doing it with 2003...
Configure Accepted Domains for an Exchange 2003 Hybrid Deployment: Exchange 2010 SP1 Help

Good one from the Exchange Team Blog here: Accepted Domains, Shared SMTP Address Spaces and Recipient Filtering - Exchange Team Blog - Site Home - TechNet Blogs

Still not sure you are getting it... But I think you understand the general problem. However the blockage is at parent-b's side and I cannot do anything about it... Are there any other ideas besides configuring parent-b to accept these messages? I understand that is the way it should be done. But this is an instance where it cannot be done.

Here is an image showing the situation a little more clearly...
https://picasaweb.google.com/lh/photo/CD5SeKglvQRbkt_1QoCPYw?feat=directlink

Parent-b is not on Exchnge. Parent-A is on 2007 and migrating to 2010 as we speak.

Ahhh, I see. Unfortunately if parent-b is blocking you there is now way to ram your email through their email server without their intervention, which I understand is not going to be forthcoming. I think the list server is a going to be a giant pain in the A$$ which will almost be more of a hassle than is warranted. It sounds like this needs to piss off someone who has the power to move the IT department in company B. They are still on Lotus...which kinda says a lot.

I run into this issue, more often than not, with scanners of all things. They simply cant play nice with SMTP servers so I whitelist them individually in my spam filter and allow them to spoof.

There's nothing you can do, Parent-B has to fix it. Parent-A being on Exchange and Parent-B being on Lotus isn't really a problem.

Parent-B's mail system has to be told that it is OK for SMTP traffic coming from Parent-A's IP address space to relay mail using Parent-B's domain name.

undomiel

What about if you setup Exchange to smarthost all e-mails sent to parent-b.com through parent-b.com's mail server? That is assuming they have authentication enabled on their smtp.

undomiel wrote: »

What about if you setup Exchange to smarthost all e-mails sent to parent-b.com through parent-b.com's mail server? That is assuming they have authentication enabled on their smtp.

They would still have to set this up to allow it, and he has already said they have sandbox issues.

undomiel wrote: »

What about if you setup Exchange to smarthost all e-mails sent to parent-b.com through parent-b.com's mail server? That is assuming they have authentication enabled on their smtp.

Won't work, all you're doing there is eliminating the DNS lookup.

Here is what happens at the protocol level.

Parent-A's mail server connects to Parent-B's mail server via SMTP on port 25.

Parent B's mail server answers with a 220 banner message.
Parent A says "Helo parent-a.com"
Parent B' replies with "250 Hello parent-a.com" (IP address is often in brackets next to the domain name).
Parent A says "mail from:user@parent-b.com"
Parent B says "550 Relaying denied".

Parent B is configured the way it should be to prevent spoofing. It is saying "Hey wait a minute, you aren't me!" and not allowing the session to continue.

I am willing to accept oddball workarounds, though. I know there is likely no cure (unless there is some sort of rule in Exchange that will modify the from field and keep the reply to as the original email address.

mailt to: jsmith@parent-a.com; bjones@parent-b.com, sbaker@parent-a.com; jyoung@parent-b.com;
mail from: bjones@parent-a.com
reply to: bjones@parent-b.com
Body...

If there is a way to do that on a case-by-case basis it would work. Other wise, I'm open to other suggestions.

RobertKaucher wrote: »

I am willing to accept oddball workarounds, though. I know there is likely no cure (unless there is some sort of rule in Exchange that will modify the from field and keep the reply to as the original email address.

If there is a way to do that on a case-by-case basis it would work. Other wise, I'm open to other suggestions.

Transport rule...

Understanding Address Rewriting: Exchange 2010 SP1 Help

Everyone wrote: »

Transport rule...

Understanding Address Rewriting: Exchange 2010 SP1 Help

Lol, that was post number 666 for you!

We saw that this morning in our meeting. But that is only for 2010, correct?

RobertKaucher wrote: »

Lol, that was post number 666 for you!

We saw that this morning in our meeting. But that is only for 2010, correct?

Nope... you can do it in 2007 too..

New-AddressRewriteEntry: Exchange 2007 Help

Same command on both 2007 and 2010 I think.

How to Create a New Address Rewrite Entry: Exchange 2007 Help

undomiel

But if Parent-B's mail servers have authentication enabled on the connector, or whatever it is called in the Notes world, and you authenticate to the server that would bypass the relay restrictions.

it_consultant wrote: »

Ahhh, I see. Unfortunately if parent-b is blocking you there is now way to ram your email through their email server without their intervention, which I understand is not going to be forthcoming. I think the list server is a going to be a giant pain in the A$$ which will almost be more of a hassle than is warranted. It sounds like this needs to piss off someone who has the power to move the IT department in company B. They are still on Lotus...which kinda says a lot.

I run into this issue, more often than not, with scanners of all things. They simply cant play nice with SMTP servers so I whitelist them individually in my spam filter and allow them to spoof.

Thanks for the proverbial tea and sympathy... Sad thing is, they are a HUGE multinational. I would really expect better from them.

Everyone wrote: »

Nope... you can do it in 2007 too..

New-AddressRewriteEntry: Exchange 2007 Help

Same command on both 2007 and 2010 I think.

How to Create a New Address Rewrite Entry: Exchange 2007 Help

Thanks! This is an option for us then!

blargoe

The answer is to tell bjones@parent-b.com that his IT department employs lazy, retarded f**kwits; if he requires sending email to the email groups, he needs to take it up with them. Maybe polish up the wording a bit, though.

Really. You'd think if it were that important for someone at company B to send email to someone else at company B, and company B's IT department were the hold up, that a non-IT higher-up person could knock some heads together if you rattle the right person's cage.

blargoe wrote: »

The answer is to tell bjones@parent-b.com that his IT department employs lazy, retarded f**kwits; if he requires sending email to the email groups, he needs to take it up with them. Maybe polish up the wording a bit, though.

Really. You'd think if it were that important for someone at company B to send email to someone else at company B, and company B's IT department were the hold up, that a non-IT higher-up person could knock some heads together if you rattle the right person's cage.

Well, you know the stereotypical serial killer movie where the bad guy has a thing for prostitutes? And the police don't care because, well, the girls being killed are just prostitutes? Well, our organization is the prostitutes and no one cares how badly something might be killing us.

RobertKaucher wrote: »

Well, you know the stereotypical serial killer movie where the bad guy has a thing for prostitutes? And the police don't care because, well, the girls being killed are just prostitutes? Well, our organization is the prostitutes and no one cares how badly something might be killing us.

So uh... hey, how much?

What, too soon?