|
I had a quick question about using Mailhop Relay and Sender ID filtering with Exchange 2003. I seem to have a few clients who are unable to get mail to us, however others are going through just fine. The block seems to be at my mail server, the good folks at DynDNS verified that the emails were being passed by them, but not by my mail server stating that there were Sender ID problems. On my 2003 Exchange server I've got the Sender ID Filtering enabled and set to Reject the message and the sending party is responsible for the NDR. So if I'm right on this let me know, if I'm overlooking something please advise. I believe what is happening is that my mail server is seeing DynDNS as the sender of some emails and that the actual sender of the email does not have the DynDNS servers as mail relays. My server sees DynDNS attempt to deliver a message from that domain which it's not authorized to do, and I reject it. Is this possible and is my thought process correct? |
The question has been closed Sep 16 at 08:50 PM ago by Cry Havok for the following reason "Abandoned question".
|
,You can use SenderID (and DNSBLs) on Microsoft Exchange even if the message arrives at your server from an intermdiate SMTP relay -- provided you know the IP address(es) of those intermediate machines. Add the IP addresses (in Exchange 2003): Global Settings -> Message Delivery -> General -> Add... Add the IP addresses (in Exchange 2007/2010): Organization Configuration -> Hub Transport -> Transport Settings -> Message Delivery -> Add... The IP addresses, I believe, should be 216.146.32.0/22 and 10.0.0.0/8. The Exchange server will examine the "Received:" headers in the message, looking for the first one that is NOT in the list of internal or perimeter IP addresses. It will then use the IP address in THAT "Received:" header as the source server. DynDNS's answer to my question about what IP address ranges are used by theire machines received this answer: "We are not giving out all our internal IPs, unfortunately, nor have any other of our 4.5 million users asked for them in order to do SPF records so it wouldn't be a priority for us. They should not be needed for SPF records as the originating server should be all that matters." That leads me to believe that whoever's answering these questions doesn't understand how SPF/SenderID works. Funny, the answer does suggest whitelisting DynDNS's servers ;)
Sep 16 at 08:50 PM
Cry Havok ♦
|
|
If you're using MailHop Relay, and you have no other way of messages receiving you, then you must disable all Sender-ID or SPF checks or whitelist all MailHop servers. They will always fail since the connecting IP address is that of the MailHop server. I think the only issue I see in that logic, even though it makes perfect sense to me and is what I was thinking is that the vast majority of email was getting through still. Does DynDNS do SPF or Sender-ID filtering itself, it seems as though I saw somewhere answering that question, but I've spent the last several minutes coming up short on the DynDNS site. Thanks for your response
Feb 09 at 06:36 PM
Julian
I don't think they do, certainly they don't list it. You'll only have delivery problems where the sender's domain uses SPF or Sender ID, which only a relatively small number do. That'll be why it's mostly working for you just now.
Feb 09 at 11:01 PM
Cry Havok ♦
|
Closing - the question is answered (and DynDNS's own documentation covers this) and the originator hasn't returned since asking the question.