
This has been kicking my butt for some time now and I'm reaching out for help. Here is the scenario: There is 1 Exchange 2003 server which lives on mail.example.com. It has 1 SMTP Virtual server and 1 SMTP Connector. The connector is configured to forward all mail through an external spam filter.

What I am looking to do is set up a ticket system (JIRA), which will live in a virtual machine on the same LAN as Exchange and should receive only internal mail destined for jira@jira.example.com. So I will have a distribution list on Exchange - it-support@example.com - which will have a contact member jira@jira.example.com. From what I've read I need another SMTP connector configured on Exchange in order to process outgoing mail destined for jira.example.com. Postfix will be the receiving mail server for jira.example.com. So far, I am struggling to see any indication of mail being routed to Postfix, but there are no bounces. Please let me know what you think. Here is my attempt at a diagram :) http://nulledge.info/display/NTS/Example.com+mail+routing

Problem: I am unable to get Exchange to forward to Postfix.

Question: What is the best way to verify that Exchange is actually trying to deliver the message to Postfix and does not drop it?

Question #2: In the described scenario, would Exchange be considered a "relay" for Postfix? Thanks so much in advance!

Exchange is configured to send email via a smarthost

tbapb

1 Answer


A couple of things:

  1. Exchange Server 2003 isn't automatically authoritative for subdomains, which is what jira.example.com is.

  2. There are a few different ways to accomplish what you need, detailed here:

http://support.microsoft.com/kb/321721

A third method, which I think is easier would be:

  1. Create an internal DNS zone for jira.example.com.

  2. Create an A record for the Postfix server in the jira.example.com zone.

  3. Create an MX record in the jira.example.com zone that points to the Postfix A record.

This method leaves your Exchange server unencumbered regarding the Recipient Policy and SMTP connector. I think this is cleaner and simpler. The only caveat is if you have an external subdomain in the example.com DNS zone for jira (jira.example.com), then internal resolution of DNS RRs for jira.example.com is going to break.

joeqwerty
  • Thanks, this is great stuff. I had missed one configuration step where a new Recipient Policy is created. I am still however unable to see any indication of mail delivery in Postfix logs (/var/log/maillog). What is the best way to verify that Exchange is actually trying to deliver the message to Postfix and does not drop it? – tbapb Oct 30 '11 at 07:01
  • Use the Message Tracking tool in ESM to track the message and look at the SMTP log on the Exchange server to follow the SMTP conversation. – joeqwerty Oct 30 '11 at 14:59
  • These are the last few lines of the logs in Message Tracking for the message in question: SMTP:Message delivered locally to multiple recipients SMTP Store Driver: Message delivered locally to store to email_Addy@example.com However, there is no indication of message delivery to jira-its@jira.example.com – tbapb Oct 30 '11 at 17:58
  • The messages never hit my Postfix server according to /var/log/maillog. As I send an email from outside, I am tailing both Exchange and Postfix logs... I see the Exchange logs change, but there is no change in the Postfix logs. I may have a bad Postfix config... – tbapb Oct 30 '11 at 18:20
  • Question #2: In the described scenario, would Exchange be considered a "relay" for Postfix? – tbapb Oct 30 '11 at 18:57
  • Following method #3: Status: 5.5.0 Diagnostic-Code: smtp;553 sorry, relay of mail is not allowed. (#5.7.1) – tbapb Oct 30 '11 at 20:25
  • The NDR isn't generated by Exchange, but by an external spam filter server which I have no control over – tbapb Oct 30 '11 at 20:30
  • Please help.... – tbapb Oct 30 '11 at 20:30
  • Where is the 553 being generated? On the Exchange server or the Postfix server? – joeqwerty Oct 30 '11 at 21:07
  • I just tested method 3 in my environment and it worked fine. My guess is that the SMTP 553 is being generated by Postfix, most likely because Postfix isn't configured to be authoritative for jira.example.com, and therefore sees the incoming email as an attempt to relay through Postfix to jira.example.com. Note that if you use method 3 then you shouldn't be using method 1 or 2. Use method 1 OR 2 OR 3 but not a combination of them. – joeqwerty Oct 30 '11 at 21:22
  • When I watch /var/log/maillog and also do a tcpdump on port 25 on Postfix, I see no connection attempts. I don't think Postfix generates the NDRs. There is a need for an SMTP connector here... I've configured mine to send mail to the jira.example.com address space and increased the cost to 25 on the default internet connector. I don't think Exchange is configured to send mail to jira.example.com correctly. – tbapb Oct 30 '11 at 21:33
  • NDR is generated by an external spam filter which I have no access to if the config is via method #3 from the answer – tbapb Oct 30 '11 at 21:34
  • So the email is getting hung up at the external spam filter, which it shouldn't using method 3 unless Exchange is configured to send email via a smarthost. Is that the case? – joeqwerty Oct 30 '11 at 21:49
  • I can't imagine it being the case since email is getting into Exchange. The distribution list that I send mail to from the outside contains the external contact as well as an Exchange mailbox. The mail gets to the Exchange mailbox just fine. If I don't configure an SMTP connector for jira.example.com, the NDR is 553 sorry, relay of mail is not allowed. (#5.7.1), generated by the external spam filter. – tbapb Oct 30 '11 at 22:59
  • Using Method #3, the external spam filter generates an NDR 553 – tbapb Oct 30 '11 at 23:04
  • smtp;553 sorry, relay of mail is not allowed. (#5.7.1) – tbapb Oct 30 '11 at 23:04
  • Using method #3, mail destined for jira.example.com still goes out through the default SMTP connector, WHICH is configured to use a smart host! Yes! Now I get your question!! What would be the next config step? – tbapb Oct 30 '11 at 23:15
  • OK, now I understand your configuration. I think you can get this all working using method 3 by creating a new SMTP connector for jira.example.com. Configure it to use DNS to route email. Give it a cost of 1 and change the cost of the default SMTP connector to 10. When an email is sent to jira@jira.example.com, it will go through the new SMTP connector (due to its lower cost) and be routed via DNS by virtue of your internal jira.example.com DNS zone. (Keeping my fingers crossed). – joeqwerty Oct 30 '11 at 23:52
  • This seems to be working, judging only by the fact that I receive no bouncebacks when I send an email from the outside. However, mail never arrives at Postfix. I see the mail arrive at Exchange in the Exchange logs... but when I am watching the Postfix logs, I cannot see any activity in /var/log/maillog nor in tcpdump on port 25. Where do you think the mistake is? On the Exchange side or Postfix? – tbapb Oct 31 '11 at 00:00
  • Do a search for the recipient in the Message Tracking tool in ESM and the SMTP log on the Exchange server. – joeqwerty Oct 31 '11 at 00:25
  • I see a bunch of entries. All are from my gmail account trying to send to the distribution list containing a local Exchange mailbox and an external contact, listing both the mailbox and the contact. The second to last message is SMTP:Message Delivered Locally to multiple recipients. – tbapb Oct 31 '11 at 00:33
  • Oh, you've got a Contact for jira@jira.example.com? Is the email address of the Contact jira@jira.example.com? If so, you should see Exchange deliver to Postfix in the MTT in ESM for the Contact. – joeqwerty Oct 31 '11 at 00:45
  • I do have a contact for jira@jira.example.com. The email address is that as well. Do you mean Message Tracking Center when you say MTT, or are you referring to something else? I am not seeing any other entries other than my attempts from gmail. – tbapb Oct 31 '11 at 00:54
  • Yes, I'm referring to the Message Tracking Tool. As a test, start by removing the Contact. Then send an internal email from your AD account to jira@jira.example.com. You should see it in MTT as being delivered to Postfix. In addition, how are you sending to the Contact from gmail? Do you have an external DNS zone for jira.example.com with an MX for your Exchange server? – joeqwerty Oct 31 '11 at 01:02
  • I don't have an external zone for jira.example.com. I do have an internal one however. All steps from method #3. I send from gmail to a distribution list on Exchange which contains my Exchange mailbox and an external contact. Exchange SHOULD use either the newly created SMTP connector or an MX record resolved internally for jira.example.com. After deleting the external contact, it looks like I'm still able to send to jira@jira.example.com from inside... but still no log update in Postfix (/var/log/maillog)... this is weird – tbapb Oct 31 '11 at 01:36
  • Are you sure Postfix is authoritative for jira.example.com? – joeqwerty Oct 31 '11 at 01:58
  • I think that if there was a Postfix config issue, and I'm not saying there isn't, I would still see something in /var/log/maillog and in the packet capture, but since I'm not seeing either, there may be an issue earlier than Postfix – tbapb Oct 31 '11 at 02:21
  • Nothing in MTT either when I search for jira@jira.example.com as the sender and the Exchange server as the server. :))) – tbapb Oct 31 '11 at 02:24
  • jira@jira.example.com should be the recipient. Send an email from your AD account/mailbox to jira@jira.example.com and search the MTT for jira@jira.example.com as the recipient. – joeqwerty Oct 31 '11 at 02:28
  • The search returns only previous entries when the sender is my gmail account, there are no new entries where the sender is my AD account. – tbapb Oct 31 '11 at 02:32
  • I just thought of something: Configure the SMTP connector for jira.example.com to use the Postfix server as its smarthost. I don't know why I didn't think of that before. That precludes the need for the internal jira.example.com DNS zone. As long as the cost for the jira.example.com SMTP connector is lower than the cost for the * SMTP connector then email to jira.example.com should go to the Postfix server. Now that I think about it, this kind of brings you back to the beginning: Using another SMTP connector to deliver email to Postfix for jira@jira.example.com. – joeqwerty Oct 31 '11 at 02:45
  • My apologies. I got wrapped up in trying to get method 3 working without revisiting your original question. If you have an SMTP connector for jira.example.com that uses Postfix as its smarthost and it has a lower cost than the * connector then it should work without the need for the jira.example.com DNS zone. I have to admit, I may have gotten a little turned around with all of the back and forth between us. I sincerely hope I didn't send you off on a wild goose chase. Method 3 definitely works, as I tested it in my own Exchange environment, but at the end of the day you may not need it. – joeqwerty Oct 31 '11 at 02:50
  • I've tried this before... I had configured a new Recipient Policy as well and a new SMTP connector which used Postfix as the smarthost. – tbapb Oct 31 '11 at 02:52
  • OK, do me a favor. Get everything back to its original settings. Get rid of the Recipient Policy, the Contact, the SMTP connector, and the DNS zone for jira.example.com. Then send an email from your AD account to jira@jira.example.com. You should get an NDR stating "The destination server for this recipient could not be found in Domain Name Service". If you do then we'll know we're back at square one and can start again from the beginning. – joeqwerty Oct 31 '11 at 03:06
  • I'd still like to keep the internal DNS zone to make jira accessible via http://jira.example.com. This zone would contain only an A record. Let me give it a try with the connector one more time – tbapb Oct 31 '11 at 03:09
  • OK, clearing all settings now back to the original setup... – tbapb Oct 31 '11 at 03:11
  • After clearing everything (DNS zone, Recipient Policy, jira SMTP connector and the contact) the NDR is: **Sorry, I couldn't find any host named jira.example.com. (#5.1.2)** The NDR is generated by the external spam filter since there is only one connector which uses the external spam filter as a smarthost – tbapb Oct 31 '11 at 03:17
  • OK, good. I keep forgetting that you're using a smarthost. Now let's start by configuring an internal DNS zone for jira.example.com with the A and MX records as before. Then configure your default SMTP connector to use DNS to route email (only momentarily for this test), then send an email from your AD account to jira@jira.example.com and let's see if it gets to Postfix. – joeqwerty Oct 31 '11 at 03:24
  • I've got to get to bed for work in the AM. I'll pick up on this in the morning. A fresh start in the morning for you as well might be a good idea at this point. – joeqwerty Oct 31 '11 at 03:34
  • 1 Primary forward DNS zone created for jira.example.com. A record and MX record created. Switched the primary SMTP host to route mail using DNS. The address space for this connector is * with cost of 1. Restarted SMTP and Routing service. Sending from exchange to jira@jira.example.com shows nothing on Postfix side and tcpdump catches nothing on port 25. Strange. I do not receive an NDR – tbapb Oct 31 '11 at 03:41
  • Thank You for all your help so far. I really appreciate it! – tbapb Oct 31 '11 at 03:41
  • OK, let's start from there. On the Exchange server use nslookup to find the MX record for jira.example.com. Does it resolve correctly to the Postfix server? If so, can you telnet to port 25 of the Postfix server from the Exchange server? If so, can you send an email from the telnet session to jira@jira.example.com? – joeqwerty Oct 31 '11 at 12:23
  • Also, is there anything in the Exchange queues for jira@jira.example.com? – joeqwerty Oct 31 '11 at 13:31
  • Nslookup resolves the MX record for jira.example.com successfully. I can successfully connect via telnet on port 25. As I type the "helo me" and "mail from" commands, I see activity in the log files (/var/log/maillog). Tcpdump on port 25 also shows activity on Postfix. After the data command, the Postfix logs show that it is queued for delivery. I entered my work address into the mail from: field and received a bounceback: **#< #5.2.0 X-Postfix; maildir delivery failed: create maildir file /var/spool/mail/Maildir/tmp/1320072998.P11734.jira.example.com: Permission denied> #SMTP#** – tbapb Oct 31 '11 at 15:04
  • Joe, how do I check the Exchange queues? – tbapb Oct 31 '11 at 15:06
  • Looks like mail is trying to go to this folder var/spool/mail/Maildir/tmp/.... however it should go to var/spool/mail/jira-its/Maildir/tmp/ – tbapb Oct 31 '11 at 15:12
  • But I think the bigger challenge here is getting Exchange to forward email destined for jira.example.com to Postfix – tbapb Oct 31 '11 at 15:16
  • In ESM expand your Administrative Group and expand your server to see the queues. It sounds to me like Exchange is probably attempting to connect but being blocked by Postfix (based on the permission denied message you're getting). – joeqwerty Oct 31 '11 at 16:10
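As an added example (not code from the question or the answer), here is a small Python probe that automates the manual check joeqwerty suggests in the comments: connect to the Postfix host on port 25 from the Exchange side, do EHLO, MAIL FROM and RCPT TO, read the reply, and QUIT without ever sending DATA, so nothing is queued or delivered. A 55x reply mentioning "relay" at RCPT TO is the signature of the "Postfix is not authoritative for jira.example.com" case the thread discusses; `probe_host`, the hostname `exchange.example.com` and the transcript handling in `probe_transcript` are assumptions of this example.

```python
import io, socket

PROBE_HELO = "exchange.example.com"  # assumed name of the host running the probe


def read_reply(rfile):
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # '250-' marks a continuation line
            return int(line[:3]), lines


def send(wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()


def probe_recipient(rfile, wfile, sender, recipient, helo=PROBE_HELO):
    """EHLO, MAIL FROM, RCPT TO, QUIT; never DATA, so nothing is queued.
    Returns (status, code, reply_lines) with status 'accepted', 'relay-denied'
    (server not authoritative for the recipient domain) or 'rejected'."""
    steps = [(None, 220), (f"EHLO {helo}", 250), (f"MAIL FROM:<{sender}>", 250)]
    for cmd, want in steps:
        if cmd:
            send(wfile, cmd)
        code, reply = read_reply(rfile)
        if code != want:
            send(wfile, "QUIT")
            return ("rejected", code, reply)
    send(wfile, f"RCPT TO:<{recipient}>")
    code, reply = read_reply(rfile)
    send(wfile, "QUIT")
    if code in (250, 251):
        return ("accepted", code, reply)
    if code in (550, 553, 554) and "relay" in " ".join(reply).lower():
        return ("relay-denied", code, reply)
    return ("rejected", code, reply)


def probe_host(host, sender, recipient, port=25, timeout=10):
    # Run against the MX host you found with nslookup, from the Exchange server.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_recipient(rfile, wfile, sender, recipient)


def probe_transcript(server_replies, sender, recipient):
    """Offline dry run against a constructed server transcript (bytes)."""
    client = io.BytesIO()
    result = probe_recipient(io.BytesIO(server_replies), client, sender, recipient)
    return result, client.getvalue()
```

If the probe reports "accepted" but Exchange still shows nothing in the Message Tracking Tool, the problem is on the Exchange routing side rather than in Postfix.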