exchange 2007 smtp relay control by ip

Status
Not open for further replies.
sawyer

Hello

I have set up an SMTP receive connector that allows SMTP relay. I have also locked down this receive connector so it only receives mail from servers that have these IP addresses. I then entered in the IP addresses for the servers that were allowed to connect to this receive connector. The SMTP relay is working, but it's working from any machine in the network; it's not preventing servers that haven't been added to the list of servers from connecting. This is very strange. Below are the properties for the SMTP relay connector. Again, any machine on the network can relay, and as you can see from the properties for the connector, I have locked this connector down so it only allows connections from certain individual IPs.

AuthMechanism : Tls
Banner :
BinaryMimeEnabled : True
Bindings : {10.0.133.113:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : Securerelay.kbb.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 15MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, Custom
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {10.7.13.140-255.255.255.255,
    10.0.117.102-255.255.255.255,
    10.0.130.100-255.255.255.255,
    10.0.100.101-255.255.255.255,
    10.0.12.109-255.255.255.255,
    10.0.62.100-255.255.255.255,
    10.0.63.111-255.255.255.255,
    10.7.17.73-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : IRV-EDC-VMS37
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Internal smtp relay WNLB
DistinguishedName : CN=Internal smtp relay WNLB,CN=SMTP Receive Connectors,CN=Protocols,CN=IRV-EDC-VMS37,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Kelley Blue Book,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=kbb,DC=com
Identity : IRV-EDC-VMS37\Internal smtp relay WNLB
Guid : 7ffeb41e-8b88-4e62-8979-0dd7edffd4a8
ObjectCategory : corp.kbb.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 12/17/2009 11:54:28 AM
WhenCreated : 8/4/2009 7:38:00 PM
OriginatingServer : irv-edc-dc3.corp.kbb.com
IsValid : True
 
sawyer

I am starting to think that the "onconnect" verb is not firing, but I don't know how to confirm this. It is very strange, though.

sawyer

I deleted the connector and recreated it; now it is preventing servers from connecting that haven't been added to the list of IPs that are allowed to connect. Very strange indeed.

sawyer

Still not working. I have two HT servers (Windows 2008) and they are configured in a WNLB cluster. The two HT servers are configured with a receive connector, and both receive connectors listen on the same IP address. If I set up just one receive connector it works fine, but as soon as I set up the second receive connector, I am unable to prevent IPs from connecting to the receive connector.

Ed Crowley [MVP]

Your ranges look wrong. You have configured the ranges:

10.7.13.140 to 255.255.255.255,
10.0.117.102 to 255.255.255.255,
10.0.130.100 to 255.255.255.255,
10.0.100.101 to 255.255.255.255,
10.0.12.109 to 255.255.255.255,
10.0.62.100 to 255.255.255.255,
10.0.63.111 to 255.255.255.255, and
10.7.17.73 to 255.255.255.255,

which makes no sense. (In fact, specifying 10.0.12.109-255.255.255.255 does the same thing as what you've done.) I think you're trying to restrict its use to eight hosts, so I think you want to enter:

Set-ReceiveConnector -Identity "IRV-EDC-VMS37\Internal smtp relay" -RemoteIPRanges 10.7.13.140,10.0.117.102,10.0.130.100,10.0.100.101,10.0.12.109,10.0.62.100,10.0.63.111,10.7.17.73

Ed Crowley MVP

"There are seldom good technological solutions to behavioral problems."
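
The effect of the range syntax discussed in this thread, as an added example that is not part of the original posts: it works out how many addresses each RemoteIPRanges entry admits and whether a host outside the intended list would still match. The test client 10.0.200.50, the function names and the 256-address threshold are assumptions; only single addresses and start-end ranges are handled, and PowerShell 3.0 or later is assumed (no Exchange cmdlets are needed).

```powershell
# Constructed input: the RemoteIPRanges entries from the connector output in the thread.
$asConfigured = @(
    '10.7.13.140-255.255.255.255',  '10.0.117.102-255.255.255.255',
    '10.0.130.100-255.255.255.255', '10.0.100.101-255.255.255.255',
    '10.0.12.109-255.255.255.255',  '10.0.62.100-255.255.255.255',
    '10.0.63.111-255.255.255.255',  '10.7.17.73-255.255.255.255'
)
# Hypothetical client that was never meant to relay (assumption, not from the thread).
$testClient = '10.0.200.50'

function ConvertTo-IPNumber([string]$Address) {
    # Fold the four octets into one integer so addresses can be compared numerically.
    $bytes = [System.Net.IPAddress]::Parse($Address.Trim()).GetAddressBytes()
    if ($bytes.Count -ne 4) { throw "Only IPv4 is handled: '$Address'" }
    [long]$n = 0
    foreach ($octet in $bytes) { $n = $n * 256 + $octet }
    $n
}

function Test-RemoteIPRange([string]$Entry, [string]$Client, [long]$MaxAddresses = 256) {
    # An entry is either a single address or "start-end".
    $parts = $Entry.Split('-')
    $start = ConvertTo-IPNumber $parts[0]
    $end   = if ($parts.Count -gt 1) { ConvertTo-IPNumber $parts[1] } else { $start }
    if ($end -lt $start) { throw "End address precedes start address in '$Entry'" }
    $ip    = ConvertTo-IPNumber $Client
    $count = $end - $start + 1
    [pscustomobject]@{
        Entry         = $Entry
        Addresses     = $count
        TooBroad      = ($count -gt $MaxAddresses)   # wider than expected for a relay allow-list
        MatchesClient = ($ip -ge $start -and $ip -le $end)
    }
}

'As configured in the thread:'
$asConfigured | ForEach-Object { Test-RemoteIPRange $_ $testClient } | Format-Table -AutoSize

'As single hosts (start address of each entry only):'
$singleHosts = $asConfigured | ForEach-Object { $_.Split('-')[0] }
$singleHosts | ForEach-Object { Test-RemoteIPRange $_ $testClient } | Format-Table -AutoSize
```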