
Exchange/Email Topology Issue

RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
Some of you are already aware of my work situation. We are a joint venture of two companies (we will call them Parent-A and Parent-B) and our work environment is amazingly complex. We've probably got under 200 employees but they are all over the US, Canada, India, New Zealand, and even in Brazil. Many of our “offices” are small 2 to 10 people embedded within the facilities of one of the parents. They use the parent’s computers, email, etc…

The issue that I am experiencing is with email and I would like to know what suggestions you guys might have for us. We have a number of distribution lists that have users from both parents on them. So you will find jsmith@parent-a.com and bjones@parent-b.com on the same list. The list’s address will be some_group@parent-a.com. When people with parent-b addresses send email to the some_group list it goes to the parent-a Exchange server and is expanded and then mailed back out to the users with parent-b addresses looking as if the parent-a server is spoofing a parent-b email address. Of course the mail is blocked. There is no way in this world that we can request anything to be done (such as white listing) from parent-b. Parent-b’s IT would not even answer our emails. It is not an option – do not make any suggestions regarding action from parent-b.

What we are thinking of doing is creating a list server that would hold all of our “distribution groups” on our own domain name so that we could completely bypass any of either parent’s infrastructures. But, this brings up issues of retention and management, etc. I was wondering if there were any scenarios such as leveraging parent-a’s Exchange server and doing some sort of re-write. I’m just not familiar enough with Exchange to know what is even possible. Parent-b is using Lotus and is, as I said, off limits as far as any solution is concerned.

Comments

  • it_consultant Member Posts: 1,903
    I take it our exchange servers are not part of the same forest / domain? This behavior shouldn't happen if all the HT servers are in the same forest, since they will be able to tell the originator and recipient by GUID as opposed to SMTP address.
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    What version of Exchange? In 2007 and 2010 you can setup an address re-write in the transport rules.
  • it_consultant Member Posts: 1,903
    Parent A needs to be configured to not check for spoofing characteristics when it is being emailed from the other domains. Being unfamiliar with your spam solution I can't recommend a technical solution. You could also set up a new accepted domain within your exchange server and set the type to external relay domain. This will cause the HT server to treat the email with kid gloves as far as anti-spam is concerned and I believe this is the exact scenario exchange has in mind for that type of accepted domain.

    Understanding Accepted Domains: Exchange 2010 SP1 Help
    External Message Routing: Exchange 2010 SP1 Help
  • Everyone Member Posts: 1,661
    Parent A needs to be configured to not check for spoofing characteristics when it is being emailed from the other domains. Being unfamiliar with your spam solution I can't recommend a technical solution. You could also set up a new accepted domain within your exchange server and set the type to external relay domain. This will cause the HT server to treat the email with kid gloves as far as anti-spam is concerned and I believe this is the exact scenario exchange has in mind for that type of accepted domain.

    Understanding Accepted Domains: Exchange 2010 SP1 Help
    External Message Routing: Exchange 2010 SP1 Help

    ^^ This. Whitelist parent-a.com and parent-b.com on your mail gateway solution, if you're using one, then configure accepted domains for the Exchange site.

    If you aren't on 2010 yet, here are some articles for doing it with 2003...
    Configure Accepted Domains for an Exchange 2003 Hybrid Deployment: Exchange 2010 SP1 Help

    Good one from the Exchange Team Blog here: Accepted Domains, Shared SMTP Address Spaces and Recipient Filtering - Exchange Team Blog - Site Home - TechNet Blogs
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Parent A needs to be configured to not check for spoofing characteristics when it is being emailed from the other domains. Being unfamiliar with your spam solution I can't recommend a technical solution. You could also set up a new accepted domain within your exchange server and set the type to external relay domain. This will cause the HT server to treat the email with kid gloves as far as anti-spam is concerned and I believe this is the exact scenario exchange has in mind for that type of accepted domain.

    Understanding Accepted Domains: Exchange 2010 SP1 Help
    External Message Routing: Exchange 2010 SP1 Help

    I think you mean on parent-b as that is the one doing the rejecting. But as I stated - nothing can be done in parent-b's IT infrastructure. If I called and put in a ticket asking them to please ensure that they breathed oxygen I would receive an email telling me that they were unable to do that. Parent-A is doing the "spoofing"; Parent-b is doing the rejecting. bjones@parent-b.com sends email to some_group@parent-a.com and the group membership is expanded and the email is sent out from the parent-a server with a from address of bjones@parent-b.com and the parent-b server sees that and assumes it is spam. I know I could fix this by white listing on the parent-b server but I am more likely to win the lottery and then immediately be killed by a meteorite than I am to get anything done on parent-b's side of things.
    Everyone wrote: »
    ^^ This. Whitelist parent-a.com and parent-b.com on your mail gateway solution, if you're using one, then configure accepted domains for the Exchange site.

    If you aren't on 2010 yet, here are some articles for doing it with 2003...
    Configure Accepted Domains for an Exchange 2003 Hybrid Deployment: Exchange 2010 SP1 Help

    Good one from the Exchange Team Blog here: Accepted Domains, Shared SMTP Address Spaces and Recipient Filtering - Exchange Team Blog - Site Home - TechNet Blogs

    Still not sure you are getting it... But I think you understand the general problem. However the blockage is at parent-b's side and I cannot do anything about it... Are there any other ideas besides configuring parent-b to accept these messages? I understand that is the way it should be done. But this is an instance where it cannot be done.

    Here is an image showing the situation a little more clearly...
    https://picasaweb.google.com/lh/photo/CD5SeKglvQRbkt_1QoCPYw?feat=directlink

    Parent-b is not on Exchange. Parent-A is on 2007 and migrating to 2010 as we speak.
  • it_consultant Member Posts: 1,903
    Ahhh, I see. Unfortunately if parent-b is blocking you there is no way to ram your email through their email server without their intervention, which I understand is not going to be forthcoming. I think the list server is going to be a giant pain in the A$$ which will almost be more of a hassle than is warranted. It sounds like this needs to piss off someone who has the power to move the IT department in company B. They are still on Lotus...which kinda says a lot.

    I run into this issue, more often than not, with scanners of all things. They simply can't play nice with SMTP servers so I whitelist them individually in my spam filter and allow them to spoof.
  • Everyone Member Posts: 1,661
    There's nothing you can do, Parent-B has to fix it. Parent-A being on Exchange and Parent-B being on Lotus isn't really a problem.

    Parent-B's mail system has to be told that it is OK for SMTP traffic coming from Parent-A's IP address space to relay mail using Parent-B's domain name.
  • undomiel Member Posts: 2,818
    What about if you setup Exchange to smarthost all e-mails sent to parent-b.com through parent-b.com's mail server? That is assuming they have authentication enabled on their smtp.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • it_consultant Member Posts: 1,903
    undomiel wrote: »
    What about if you setup Exchange to smarthost all e-mails sent to parent-b.com through parent-b.com's mail server? That is assuming they have authentication enabled on their smtp.

    They would still have to set this up to allow it, and he has already said they have sandbox issues.
  • Everyone Member Posts: 1,661
    undomiel wrote: »
    What about if you setup Exchange to smarthost all e-mails sent to parent-b.com through parent-b.com's mail server? That is assuming they have authentication enabled on their smtp.

    Won't work, all you're doing there is eliminating the DNS lookup.

    Here is what happens at the protocol level.

    Parent-A's mail server connects to Parent-B's mail server via SMTP on port 25.

    Parent B's mail server answers with a 220 banner message.
    Parent A says "Helo parent-a.com"
    Parent B replies with "250 Hello parent-a.com" (IP address is often in brackets next to the domain name).
    Parent A says "mail from:user@parent-b.com"
    Parent B says "550 Relaying denied".

    Parent B is configured the way it should be to prevent spoofing. It is saying "Hey wait a minute, you aren't me!" and not allowing the session to continue.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I am willing to accept oddball workarounds, though. I know there is likely no cure (unless there is some sort of rule in Exchange that will modify the from field and keep the reply to as the original email address).

    If there is a way to do that on a case-by-case basis it would work. Otherwise, I'm open to other suggestions.
  • Everyone Member Posts: 1,661
    I am willing to accept oddball workarounds, though. I know there is likely no cure (unless there is some sort of rule in Exchange that will modify the from field and keep the reply to as the original email address).
    If there is a way to do that on a case-by-case basis it would work. Otherwise, I'm open to other suggestions.

    Transport rule...

    Understanding Address Rewriting: Exchange 2010 SP1 Help
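To make the two halves of this thread concrete (the relay refusal Everyone walks through at the protocol level, and the sender-rewrite workaround discussed here), this is an added example that is not code from the thread, from Exchange or from Notes: a small Python model of Parent-B's inbound policy, the distribution-list expansion on Parent-A's server, and a rewrite entry that moves the sender into the list's own domain while keeping the original address in Reply-To. Every host name, IP address and the `local.domain-with-dashes@relay` rewrite shape are constructed placeholders, and the list server is modelled as just another receiving MTA.

```python
"""Model of the SMTP relay refusal described in the thread and of the
address-rewrite workaround. Added example; all hosts, IPs and addresses
are constructed placeholders, not values from any real deployment."""
from dataclasses import dataclass, field

PARENT_A_MTA_IP = "203.0.113.10"   # constructed TEST-NET-3 address for Parent-A's server


@dataclass
class ReceivingMta:
    """Inbound policy modelled on Parent-B: a MAIL FROM in the server's own
    domain is accepted only from hosts on an explicit relay allow-list."""
    hostname: str
    local_domain: str
    allowed_relays: set = field(default_factory=set)

    def session(self, client_ip, helo, mail_from, rcpt_to):
        """Simulate the dialogue from the thread; returns (transcript, accepted)."""
        log = [
            ("S", f"220 {self.hostname} ESMTP"),
            ("C", f"HELO {helo}"),
            ("S", f"250 Hello {helo} [{client_ip}]"),
            ("C", f"MAIL FROM:<{mail_from}>"),
        ]
        sender_domain = mail_from.rsplit("@", 1)[-1].lower()
        if sender_domain == self.local_domain and client_ip not in self.allowed_relays:
            # The connecting host claims to be "us" but is not a trusted relay.
            log.append(("S", "550 Relaying denied"))
            return log, False
        log += [("S", "250 OK"), ("C", f"RCPT TO:<{rcpt_to}>"), ("S", "250 OK")]
        return log, True


def rewrite_sender(original_sender, relay_domain):
    """Model of an address-rewrite entry on the expanding server: the envelope
    sender and From header move into relay_domain, Reply-To keeps the original.
    The 'local.domain-with-dashes@relay' shape is a constructed convention."""
    local, domain = original_sender.rsplit("@", 1)
    rewritten = f"{local}.{domain.replace('.', '-')}@{relay_domain}"
    return {"mail_from": rewritten, "From": rewritten, "Reply-To": original_sender}


def expand_and_deliver(list_address, members, sender, mtas, rewrite=False):
    """Expand a distribution list on the list's own server and attempt delivery
    to each member through that member's domain MTA. Returns {member: accepted}."""
    list_domain = list_address.rsplit("@", 1)[-1]
    envelope = rewrite_sender(sender, list_domain)["mail_from"] if rewrite else sender
    results = {}
    for member in members:
        domain = member.rsplit("@", 1)[-1]
        _, accepted = mtas[domain].session(PARENT_A_MTA_IP, list_domain, envelope, member)
        results[member] = accepted
    return results


if __name__ == "__main__":
    mtas = {
        "parent-a.com": ReceivingMta("mail.parent-a.com", "parent-a.com", {PARENT_A_MTA_IP}),
        "parent-b.com": ReceivingMta("mail.parent-b.com", "parent-b.com"),
    }
    members = ["jsmith@parent-a.com", "bjones@parent-b.com"]
    # Without rewriting, the parent-b member bounces with 550.
    log, _ = mtas["parent-b.com"].session(PARENT_A_MTA_IP, "parent-a.com",
                                          "bjones@parent-b.com", "bjones@parent-b.com")
    for side, line in log:
        print(f"{side}: {line}")
    print(expand_and_deliver("some_group@parent-a.com", members, "bjones@parent-b.com", mtas))
    print(expand_and_deliver("some_group@parent-a.com", members, "bjones@parent-b.com",
                             mtas, rewrite=True))
```

The allow-list on `ReceivingMta` is the whitelisting Parent-B would have to do; leaving it empty reproduces the thread's transcript, while the `rewrite=True` path shows why a rewrite entry on Parent-A's side avoids the 550 without any change on Parent-B.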
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Everyone wrote: »

    Lol, that was post number 666 for you!

    We saw that this morning in our meeting. But that is only for 2010, correct?
  • Everyone Member Posts: 1,661
    Lol, that was post number 666 for you!

    We saw that this morning in our meeting. But that is only for 2010, correct?

    Nope... you can do it in 2007 too..

    New-AddressRewriteEntry: Exchange 2007 Help

    Same command on both 2007 and 2010 I think.

    How to Create a New Address Rewrite Entry: Exchange 2007 Help
  • undomiel Member Posts: 2,818
    But if Parent-B's mail servers have authentication enabled on the connector, or whatever it is called in the Notes world, and you authenticate to the server that would bypass the relay restrictions.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Ahhh, I see. Unfortunately if parent-b is blocking you there is no way to ram your email through their email server without their intervention, which I understand is not going to be forthcoming. I think the list server is going to be a giant pain in the A$$ which will almost be more of a hassle than is warranted. It sounds like this needs to piss off someone who has the power to move the IT department in company B. They are still on Lotus...which kinda says a lot.

    I run into this issue, more often than not, with scanners of all things. They simply can't play nice with SMTP servers so I whitelist them individually in my spam filter and allow them to spoof.
    Thanks for the proverbial tea and sympathy... Sad thing is, they are a HUGE multinational. I would really expect better from them.
    Everyone wrote: »
    Nope... you can do it in 2007 too..

    New-AddressRewriteEntry: Exchange 2007 Help

    Same command on both 2007 and 2010 I think.

    How to Create a New Address Rewrite Entry: Exchange 2007 Help

    Thanks! This is an option for us then!
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    The answer is to tell bjones@parent-b.com that his IT department employs lazy, retarded f**kwits; if he requires sending email to the email groups, he needs to take it up with them. Maybe polish up the wording a bit, though.

    Really. You'd think if it were that important for someone at company B to send email to someone else at company B, and company B's IT department were the hold up, that a non-IT higher-up person could knock some heads together if you rattle the right person's cage.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    blargoe wrote: »
    The answer is to tell bjones@parent-b.com that his IT department employs lazy, retarded f**kwits; if he requires sending email to the email groups, he needs to take it up with them. Maybe polish up the wording a bit, though.

    Really. You'd think if it were that important for someone at company B to send email to someone else at company B, and company B's IT department were the hold up, that a non-IT higher-up person could knock some heads together if you rattle the right person's cage.

    Well, you know the stereotypical serial killer movie where the bad guy has a thing for prostitutes? And the police don't care because, well, the girls being killed are just prostitutes? Well, our organization is the prostitutes and no one cares how badly something might be killing us.
  • Everyone Member Posts: 1,661
    Well, you know the stereotypical serial killer movie where the bad guy has a thing for prostitutes? And the police don't care because, well, the girls being killed are just prostitutes? Well, our organization is the prostitutes and no one cares how badly something might be killing us.

    So uh... hey, how much?

    What, too soon? :p
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Everyone wrote: »
    So uh... hey, how much?

    What, too soon? :p
    Free for you on your 669th post!