SMTP Virtual Server Security

Discussion in 'Exchange Exams' started by Phoenix, Dec 13, 2010.

  1. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,749
    200
    246
    I may get a few ‘Duh Ryan’ responses here, but thought I would share :)

    Ran into a problem today with an Exchange 2003 – 2010 migration: mail was flowing into 2010 fine, but not out.
    All the connectors were in place as expected, which killed half of the suggestions on the interwebs.

    Turns out it was a security-related issue.
    The mail was backing up in a RG queue and the error message reported (with a get-queue | fl command) against it was:

    451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection dropped due to SocketError." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    Turns out the client had locked down their SMTP virtual server on the 2003 environment pretty well, limiting it to almost every internal IP but the one they had given to Exchange 2010 ;)

    Adding that in the SMTP Virtual Server properties on the Exchange 2003 system solved the problem, guess I’ll remember to check there first next time! :)


    I don't often see really well locked-down SMTP virtual servers, but it is a bank, so I guess I should have suspected!
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  2. onoski

    onoski Terabyte Poster

    3,120
    51
    154

    Well in normal circumstances that's how it should be configured. I think maybe your previous experiences were just from someone who configured them inappropriately.

    Thanks for sharing though :)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,749
    200
    246
    Most people running Exchange 2003 don't really have security top of their agenda.. or they wouldn't be running Exchange 2003 still ;)

    but yeah, I have a lot of experience with lazy Exchange admins

    this wasn't the relay restrictions, those are very common
    this was an actual 'which servers are even allowed to talk to me on port 25' restriction, an access list basically; those are far less often utilized in my experience
    Happy I solved it though, keeps the project on track :)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
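The diagnosis in Phoenix's first post (Get-Queue showing a 421 4.4.2 SocketError on the routing group queue) and the distinction drawn above between relay restrictions and the SMTP virtual server's connection-control access list can be turned into a quick triage script. This is an added example, not code from the thread: it runs in the Exchange 2010 Management Shell on the Hub Transport, finds retry queues carrying that error, then opens TCP 25 to each legacy bridgehead and reports whether the 2003 server hands back a 220 banner, accepts and then drops the connection (the connection-control symptom from the post), or never connects at all (firewall or service down). The bridgehead names in $LegacyBridgeheads are placeholders you replace with the target servers of your routing group connector.

```powershell
# Added example (not from the original post). Assumes the Exchange 2010 Management Shell
# on a Hub Transport server; $LegacyBridgeheads is a placeholder list you must fill in,
# e.g. from: Get-RoutingGroupConnector | Select-Object Name, TargetTransportServers
$LegacyBridgeheads = @('EX2003-BH1.corp.example')   # placeholder Exchange 2003 bridgehead(s)

function Test-SmtpBanner {
    # Connect to $Server:$Port and read one line. Three outcomes matter here:
    #   NoConnect       - TCP never established (firewall / host down)
    #   DroppedNoBanner - TCP accepted, then closed before a banner: the SMTP
    #                     virtual server's connection control rejected our IP
    #   Banner          - we are allowed to talk to it (then look elsewhere)
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return New-Object PSObject -Property @{
                Server = $Server; Result = 'NoConnect'
                Detail = 'TCP connect timed out (firewall or host down)' }
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()
        if ([string]::IsNullOrEmpty($banner)) {
            return New-Object PSObject -Property @{
                Server = $Server; Result = 'DroppedNoBanner'
                Detail = 'TCP accepted then closed with no 220 banner: check SMTP VS Access > Connection control on the 2003 side' }
        }
        return New-Object PSObject -Property @{ Server = $Server; Result = 'Banner'; Detail = $banner }
    } catch [System.Net.Sockets.SocketException] {
        return New-Object PSObject -Property @{ Server = $Server; Result = 'NoConnect'; Detail = $_.Exception.Message }
    } catch [System.IO.IOException] {
        return New-Object PSObject -Property @{ Server = $Server; Result = 'DroppedNoBanner'; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Step 1: the same Get-Queue | fl view from the post, narrowed to the socket error.
$pattern = '4\.4\.2 Connection dropped due to SocketError'
$suspect = Get-Queue | Where-Object { $_.Status -eq 'Retry' -and $_.LastError -match $pattern }

if (-not $suspect) {
    Write-Host 'No retry queues with a 4.4.2 SocketError; this is a different problem.'
    return
}
$suspect | Format-List Identity, NextHopDomain, MessageCount, LastError

# Step 2: probe each legacy bridgehead from this Hub Transport's own IP, because
# connection control is evaluated per source address, so the test must come from
# the server that is actually being refused.
foreach ($bh in $LegacyBridgeheads) {
    $r = Test-SmtpBanner -Server $bh
    Write-Host ('{0,-30} {1,-16} {2}' -f $r.Server, $r.Result, $r.Detail)
}
```

A `DroppedNoBanner` result from the Hub Transport while the same probe from an already-permitted 2003 server returns a banner is the fingerprint of the access list described in the thread; the fix is the one Phoenix applied, adding the Hub Transport's IP to the SMTP virtual server's connection-control list in Exchange System Manager rather than loosening relay restrictions or the firewall.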
  4. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeesh - really? That's one of the first things I do anywhere - tie down access to the SMTP VS and implement relay restrictions. I guess I'm just a paranoid old fart!
     
    Certifications: A few
    WIP: None - f*** 'em
  5. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Aye, we tie them down to the Smart Host on the Exchange Server 2003/2007/2010 and also lock it down on firewalls to only permit relaying to these IPs.

    Then just for good measure we only deny any POP3, IMAP and SMTP traffic from the LAN.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,749
    200
    246
    I'm just telling it how I see it :P
    it seems to be very rarely done outside of relaying, but we need more paranoid old farts like you! especially with 03 boxes! haha

    Sure most firewalls are blocking all that inbound anyway, like Craigie says, probably why most people don't worry about internal stuff so much *shrug*
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  7. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,749
    200
    246
    Oh and trust me Zeb,
    you would have kittens if you saw some of the **** I walk into ;)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0