Re: Design question regarding smart-host
Thanks Tina, Jim,

All relevant remarks. I will end up NAT-ing our 2 hub IPs as suggested. As for outgoing SMTP, Jim is right, we don't filter SMTP at all for outgoing traffic. I told my manager we should do something about it, but he is having a hard time believing that if I would close port 25 except for our HT it will not cause any issues...

Anyways, thanks a lot for putting me on the right track, much appreciated!

On Mon, Mar 18, 2013 at 6:28 PM, Tanya Pinetti tpine...@outlook.com wrote:

Alexander,

If you went with a single Edge server, you would lose redundancy as the single Edge is now your single point of failure. If you used both HTs, you have redundancy. While you can go with one public IP NAT'd to both HT servers (as mentioned by Jim below), I would prefer a one-to-one NAT assuming you have enough public IPs. For me, one-to-one makes troubleshooting easier.

From: kennedy...@elyriaschools.org
To: exchangelist@lyris.sunbelt-software.com
Subject: RE: Design question regarding smart-host
Date: Mon, 18 Mar 2013 17:17:51 +

This is for outgoing email, correct? You still only need one public IP. NAT both servers to the same IP. I would assume you can still use the old IP your spam appliance used… should be a quick setup in your firewall.

From: Alexander Rose [mailto:arose...@gmail.com]
Sent: Monday, March 18, 2013 1:16 PM
To: MS-Exchange Admin Issues
Subject: Design question regarding smart-host

We have two HT servers actually. I think that is why I thought about using an edge sync server so I would only need one public IP.

On Monday, March 18, 2013, Tanya Pinetti wrote:

All you need is a spare public IP and NAT it to your HT server. I prefer not using an Edge server if you are sending all outbound emails to FOPE since your networking team will have an ACL on the firewall allowing only your HT server SMTP access to the FOPE subnet.

Sent from my iPhone

On Mar 18, 2013, at 8:58 AM, Alexander Rose arose...@gmail.com wrote:

Hi all,

We currently use an old Anti-Spam appliance as our smart host; it is located in a DMZ and has a NATed IP for sending emails to the outside world. We only have one Send Connector in our Exchange Org. and it uses this smart-host for all emails.

I have created a new send connector to test our new smart-host (mail.messaging.microsoft.com, as we're moving to FOPE). After an email was sent for testing, I received a notification from Microsoft that states that the IP used to send the email was blocked and banned. When I checked the IP, I found out it is the one our internal clients are getting when they go on the Internet (if I go to whatismyip.com from my workstation I get that IP; all clients are NATed to that one public IP).

As all our clients are using this IP, we would like to use a dedicated public IP for sending emails. In our situation the only solution I see would be to set up our own smart-host first (let's say an Edge Sync Server), create a default send connector on our Exchange HUBs to direct emails to this Edge Sync server and create another Send connector on the Edge Sync server to direct emails to FOPE.

Am I correct? Or is there a way to do it differently?
Re: Design question regarding smart-host
Thanks Tanya :) sorry about the mistake

On Tue, Mar 19, 2013 at 11:09 AM, Alexander Rose arose...@gmail.com wrote:

Thanks Tina, Jim,

All relevant remarks. I will end up NAT-ing our 2 hub IPs as suggested. As for outgoing SMTP, Jim is right, we don't filter SMTP at all for outgoing traffic. I told my manager we should do something about it, but he is having a hard time believing that if I would close port 25 except for our HT it will not cause any issues...

Anyways, thanks a lot for putting me on the right track, much appreciated!
Re: Design question regarding smart-host
All you need is a spare public IP and NAT it to your HT server. I prefer not using an Edge server if you are sending all outbound emails to FOPE since your networking team will have an ACL on the firewall allowing only your HT server SMTP access to the FOPE subnet.

Sent from my iPhone

On Mar 18, 2013, at 8:58 AM, Alexander Rose arose...@gmail.com wrote:

Hi all,

We currently use an old Anti-Spam appliance as our smart host; it is located in a DMZ and has a NATed IP for sending emails to the outside world. We only have one Send Connector in our Exchange Org. and it uses this smart-host for all emails.

I have created a new send connector to test our new smart-host (mail.messaging.microsoft.com, as we're moving to FOPE). After an email was sent for testing, I received a notification from Microsoft that states that the IP used to send the email was blocked and banned. When I checked the IP, I found out it is the one our internal clients are getting when they go on the Internet (if I go to whatismyip.com from my workstation I get that IP; all clients are NATed to that one public IP).

As all our clients are using this IP, we would like to use a dedicated public IP for sending emails. In our situation the only solution I see would be to set up our own smart-host first (let's say an Edge Sync Server), create a default send connector on our Exchange HUBs to direct emails to this Edge Sync server and create another Send connector on the Edge Sync server to direct emails to FOPE.

Am I correct? Or is there a way to do it differently?
Re: Design question regarding smart-host
Nope. You should be able to set up a dedicated NAT rule for SMTP only and configure FOPE with the public IP address as the inbound SMTP IP address. That is the way I had it set up and never had an issue.

Sent on the run!

On 18 Mar 2013, at 17:54, Alexander Rose arose...@gmail.com wrote:

Hi all,

We currently use an old Anti-Spam appliance as our smart host; it is located in a DMZ and has a NATed IP for sending emails to the outside world. We only have one Send Connector in our Exchange Org. and it uses this smart-host for all emails.

I have created a new send connector to test our new smart-host (mail.messaging.microsoft.com, as we're moving to FOPE). After an email was sent for testing, I received a notification from Microsoft that states that the IP used to send the email was blocked and banned. When I checked the IP, I found out it is the one our internal clients are getting when they go on the Internet (if I go to whatismyip.com from my workstation I get that IP; all clients are NATed to that one public IP).

As all our clients are using this IP, we would like to use a dedicated public IP for sending emails. In our situation the only solution I see would be to set up our own smart-host first (let's say an Edge Sync Server), create a default send connector on our Exchange HUBs to direct emails to this Edge Sync server and create another Send connector on the Edge Sync server to direct emails to FOPE.

Am I correct? Or is there a way to do it differently?
Design question regarding smart-host
We have two HT servers actually. I think that is why I thought about using an edge sync server so I would only need one public IP.

On Monday, March 18, 2013, Tanya Pinetti wrote:

All you need is a spare public IP and NAT it to your HT server. I prefer not using an Edge server if you are sending all outbound emails to FOPE since your networking team will have an ACL on the firewall allowing only your HT server SMTP access to the FOPE subnet.

Sent from my iPhone
RE: Design question regarding smart-host
This is for outgoing email, correct? You still only need one public IP. NAT both servers to the same IP. I would assume you can still use the old IP your spam appliance used… should be a quick setup in your firewall.

From: Alexander Rose [mailto:arose...@gmail.com]
Sent: Monday, March 18, 2013 1:16 PM
To: MS-Exchange Admin Issues
Subject: Design question regarding smart-host

We have two HT servers actually. I think that is why I thought about using an edge sync server so I would only need one public IP.
RE: Design question regarding smart-host
Another thing to look at is why is the IP your desktops NAT out to blocked… my bet is because you don't block outgoing port 25 and one or more of them got a virus and were turned into a spam bot. Strongly consider blocking outgoing port 25 for everything except what needs to send email... your two HT servers. Have anything else legit relay through those.

From: Kennedy, Jim
Sent: Monday, March 18, 2013 1:18 PM
To: MS-Exchange Admin Issues
Subject: RE: Design question regarding smart-host

This is for outgoing email, correct? You still only need one public IP. NAT both servers to the same IP. I would assume you can still use the old IP your spam appliance used… should be a quick setup in your firewall.
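An added example, not part of any list member's message: before closing outbound port 25 to everything except the two HT servers, as Jim suggests above, firewall connection logs can show which internal hosts currently send SMTP straight to the Internet. The log format, the addresses and the fan-out threshold are constructed assumptions, and the classification is a heuristic.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing for illustration; none of these values come from the thread.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_RELAYS = {                      # stands in for the two Hub Transport servers
    ipaddress.ip_address("10.0.1.11"),
    ipaddress.ip_address("10.0.1.12"),
}

# Constructed sample in a generic key=value firewall log style.
SAMPLE_LOG = """\
2013-03-18T09:00:01 action=allow proto=tcp src=10.0.1.11 dst=203.0.113.25 dport=25
2013-03-18T09:00:04 action=allow proto=tcp src=10.0.1.12 dst=203.0.113.25 dport=25
2013-03-18T09:01:10 action=allow proto=tcp src=10.0.20.57 dst=198.51.100.10 dport=25
2013-03-18T09:01:11 action=allow proto=tcp src=10.0.20.57 dst=198.51.100.77 dport=25
2013-03-18T09:01:11 action=allow proto=tcp src=10.0.20.57 dst=192.0.2.5 dport=25
2013-03-18T09:01:12 action=allow proto=tcp src=10.0.20.57 dst=192.0.2.90 dport=25
2013-03-18T09:02:30 action=allow proto=tcp src=10.0.30.8 dst=203.0.113.40 dport=25
2013-03-18T09:12:30 action=allow proto=tcp src=10.0.30.8 dst=203.0.113.40 dport=25
2013-03-18T09:03:00 action=allow proto=tcp src=10.0.20.60 dst=198.51.100.10 dport=443
2013-03-18T09:04:00 action=allow proto=tcp src=10.0.20.61 dst=10.0.1.11 dport=25
2013-03-18T09:05:00 action=allow proto=tcp src=not-an-ip dst=203.0.113.9 dport=25
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def audit_outbound_smtp(log_text):
    """Map each internal, non-relay source to its direct-to-Internet TCP/25 activity."""
    findings = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"].lower() != "tcp" or m["dport"] != "25":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue                    # malformed address field, skip the line
        if not is_internal(src) or is_internal(dst):
            continue                    # only internal -> external counts as egress
        if src in ALLOWED_RELAYS:
            continue                    # the HT servers are supposed to send mail
        findings[str(src)]["connections"] += 1
        findings[str(src)]["destinations"].add(str(dst))
    return dict(findings)


def classify(findings, fanout_threshold=3):
    """Heuristic split: many distinct MTAs looks like a spam bot, a fixed
    destination looks like a device or app to re-point at the HT servers."""
    report = {"investigate": [], "repoint_to_relay": []}
    for src, info in sorted(findings.items()):
        bucket = ("investigate" if len(info["destinations"]) >= fanout_threshold
                  else "repoint_to_relay")
        report[bucket].append(src)
    return report


if __name__ == "__main__":
    found = audit_outbound_smtp(SAMPLE_LOG)
    for src, info in sorted(found.items()):
        print(src, info["connections"], sorted(info["destinations"]))
    print(classify(found))
```

An empty "repoint_to_relay" list over a representative logging window is the evidence that closing port 25 for everything but the relays will not break a legitimate sender.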
RE: Design question regarding smart-host
Alexander,

If you went with a single Edge server, you would lose redundancy as the single Edge is now your single point of failure. If you used both HTs, you have redundancy. While you can go with one public IP NAT'd to both HT servers (as mentioned by Jim below), I would prefer a one-to-one NAT assuming you have enough public IPs. For me, one-to-one makes troubleshooting easier.

From: kennedy...@elyriaschools.org
To: exchangelist@lyris.sunbelt-software.com
Subject: RE: Design question regarding smart-host
Date: Mon, 18 Mar 2013 17:17:51 +

This is for outgoing email, correct? You still only need one public IP. NAT both servers to the same IP. I would assume you can still use the old IP your spam appliance used… should be a quick setup in your firewall.