
Share the same SMTP address space (domain name) with a different e-mail server


The mail system consists of three servers:

Border SMTP connectivity is handled by a Postfix server running on BSD, which performs ClamAV virus scanning, blacklisting, greylisting and SpamAssassin classification.

Additional functionality:

  • blocked content is available through a web interface;
  • users are authenticated against Active Directory;
  • the current mailbox lists (hosted domain names and user mailboxes) are refreshed on a regular basis: an unprivileged AD user is used to read the Exchange side, and an OpenSSH connection to the BSD mail server pulls the mailbox list from its MySQL user tables.

Main mail server – Microsoft Exchange 2003.

Hosted domains mail server: a BSD mail server with the Horde web interface, providing SMTP, IMAP and POP3 services protected with SSL. User and domain administration is done with the open-source vmailadmin project. Unfortunately the project looks dead (www.vmailadmin.org), but I’m trying to patch it myself from time to time.

The problem!

The problem is as follows:

The two servers, “Exchange mail” and “Hosted mails”, were designed to manage different domain names. As time passed, business requirements changed, and one day the IT department was told to add a domain alias to the “Exchange” mail server. The alias to add was A.COM, a domain name that was already hosted on the second mail server, “Hosted mails”. Adding a domain alias in an AD/Exchange environment is really simple: you only need to add a recipient policy for the new domain and add a global address book alias for all users. To route incoming mail on the border mailfilter server, a special Postfix map file was created so that all mail destined for A.COM, but not found on the “Hosted mails” server, is routed to the Exchange mail server. So everything should work.

“Houston, we’ve got a problem!”

The routing mechanism is broken! Mail is routed correctly when it comes from outside the network, but when an A.COM user with an Exchange mailbox tries to send an e-mail to a user in the A.COM domain, he gets an NDR. The Exchange server looks up the recipient in its own address book; because it is authoritative for the domain A.COM, it does not forward the message anywhere, and since no recipient is found it bounces it.

Solution.

Share the same SMTP address space with a different e-mail system

Only one e-mail system can be authoritative for a particular SMTP address space. When an e-mail system is non-authoritative for an SMTP address space, the e-mail must eventually be routed to an e-mail system that is authoritative for the SMTP address space. This behavior occurs to make sure that a non-delivery report is generated if an e-mail message cannot be delivered to a recipient. An SMTP address space can be shared with any number of different e-mail systems. In this configuration, each e-mail system is a link in a chain of e-mail systems. The first e-mail system in the chain sends messages to the second e-mail system, and so on. This behavior continues until the message is delivered to a recipient or until the last e-mail system in the chain generates a non-delivery report for the message.

Exchange must be authoritative for the primary SMTP address space that is specified in the default recipient policy. Exchange does not have to be authoritative for any other SMTP address space. In this situation, you only have to add the shared SMTP address space to another recipient policy, set that SMTP address space as the primary SMTP address space, and then click to clear the This Exchange Organization is responsible for all mail delivery to this address (A.COM) check box in the SMTP Address Properties dialog box.

Important: You cannot share an SMTP address space for which Exchange is authoritative. See KB 823158 (http://support.microsoft.com/kb/823158/), “Authoritative and nonauthoritative domains in Exchange 2000 Server and in Exchange Server 2003”.

Recipient policies dictate the SMTP address spaces for which Exchange is authoritative. To determine whether Exchange is authoritative for a particular SMTP address space, follow these steps:

1. In Exchange System Manager, right-click the recipient policy, and then click Properties.

2. Click the E-Mail Addresses (Policy) tab, click an e-mail address, and then click Edit.

3. If the This Exchange Organization is responsible for all mail delivery to this address check box is selected, Exchange is authoritative for the SMTP address space. If this check box is not selected, Exchange is non-authoritative for the SMTP address space.

Configure an SMTP connector for the shared SMTP address space (this is required to route messages to the “Hosted mails” server).

After you configure the shared SMTP address space, you must specify the means for Exchange to determine where to route messages that do not resolve to an object in Active Directory. To do this, create an SMTP connector that has the shared SMTP address space in the Add Address Space dialog box of the connector object. If you do not add the SMTP connector with the shared address space, any incoming e-mail that is destined to the shared SMTP address space is interpreted as an attempt to relay. In this situation, Exchange does not accept the incoming e-mail. Additionally, you must specify a server to which Exchange will forward unresolved e-mail. You can specify this destination server by using its host name or by using its IP address.

To configure the SMTP connector, follow these steps:

1. In Exchange System Manager, right-click Connectors, point to New, and then click SMTP Connector.

2. In the Properties dialog box, type a name for the new connector in the Name box.

3. Click Forward all mail through this connector to the following smart hosts, and then type the host name or the IP address of the destination computer. You must type square brackets ([ ]) around the host name or IP address. For example, if the IP address of the destination computer is 192.168.1.10, type [192.168.1.10]. In our scenario the “smart host” is the mailfilter border mail server.

This computer will receive all e-mail that is not resolved to objects in Active Directory.

4. Click Add, click an Exchange server in the Add Bridgehead dialog box, and then click OK.

5. Click the Address Space tab, click Add, click SMTP in the Add Address Space dialog box, and then click OK.

6. In the Internet Address Space Properties dialog box, type the shared SMTP address space in the E-mail domain box. When you type the shared SMTP address space, do not include the at (@) symbol. Then, click OK.

7. Click to select the Allow messages to be relayed to these domains check box.

Note: Because Exchange must also receive messages for the shared e-mail address space, you must let Exchange relay messages to this domain. This setting lets all the SMTP virtual servers that are listed under Local bridgeheads on the General tab accept messages for the shared e-mail address space.

8. Click OK.

SMTP routing paths

Mail coming from the outside to the A.COM domain:

  1. Mail from the outside passes the filtering rules
  2. Postfix decides where the recipient mailbox is
    1. If the mailbox is not on the “Hosted mails” server, then the mail is sent to the Exchange server

Mail coming from the Exchange system to the A.COM domain:

  1. Exchange looks up its local recipient table; if the recipient is not found,
  2. the mail is forwarded to the mailfilter border mail server
  3. The border server looks up the recipient
  4. The mail is forwarded to the “Hosted mails” server
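The two routing paths above, and the rule from the “Solution” section that exactly one system in the chain must be authoritative, can be checked with a small model. The script below is an added example, not part of the original post: it models the three servers as a chain in which each system either delivers locally, forwards unresolved mail to a next hop, or rejects it (an NDR). It reproduces the original failure (Exchange authoritative for A.COM bounces a hosted user), the fixed chain, and a third case the post implies but does not spell out: if the border server forwards every unknown A.COM recipient to Exchange without a complete recipient list, nothing in the chain ever generates the NDR and the message loops. Server names, mailbox sets and the hop limit are constructed assumptions.

```python
# Added example (not the post's own code): model the chain of e-mail systems
# sharing the A.COM address space. Names, mailbox sets and MAX_HOPS are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed mailbox lists: who lives where in the shared domain.
HOSTED_MAILBOXES = frozenset({"bob@a.com"})       # on the BSD "Hosted mails" server
EXCHANGE_MAILBOXES = frozenset({"alice@a.com"})   # in the Exchange address book

# Loop guard: a chain with no authoritative end would otherwise cycle forever.
MAX_HOPS = 8


@dataclass
class MailSystem:
    name: str
    mailboxes: FrozenSet[str]                    # recipients this system delivers locally
    next_hop: Callable[[str], Optional[str]]     # where unresolved mail goes; None = reject (NDR)


def route(recipient: str, systems: Dict[str, MailSystem], start: str) -> Tuple[str, List[str]]:
    """Follow the chain from `start`. Returns (outcome, trace) where outcome is
    'delivered', 'ndr' or 'loop' and trace lists the systems visited in order."""
    trace: List[str] = []
    current: Optional[str] = start
    while current is not None and len(trace) < MAX_HOPS:
        system = systems[current]
        trace.append(system.name)
        if recipient in system.mailboxes:
            return "delivered", trace
        current = system.next_hop(recipient)
        if current is None:                      # authoritative end of the chain
            return "ndr", trace
    return "loop", trace


def build_chain(exchange_authoritative: bool, border_knows_exchange_users: bool = True):
    """Three systems wired as in the post. `exchange_authoritative=True` is the
    broken configuration; `border_knows_exchange_users=False` models a border
    server that blindly forwards every unknown A.COM recipient to Exchange."""

    def exchange_hop(rcpt: str) -> Optional[str]:
        # Authoritative: Exchange bounces unknown recipients itself.
        # Non-authoritative (SMTP connector to the smart host): forward to the border.
        return None if exchange_authoritative else "border"

    def border_hop(rcpt: str) -> Optional[str]:
        if rcpt in HOSTED_MAILBOXES:
            return "hosted"
        if border_knows_exchange_users:
            # Complete recipient list (refreshed from both servers): unknown users are rejected.
            return "exchange" if rcpt in EXCHANGE_MAILBOXES else None
        return "exchange"                        # blind domain fallback, no recipient validation

    return {
        "exchange": MailSystem("exchange", EXCHANGE_MAILBOXES, exchange_hop),
        "border": MailSystem("border", frozenset(), border_hop),
        "hosted": MailSystem("hosted", HOSTED_MAILBOXES, lambda rcpt: None),  # last link: always authoritative
    }


if __name__ == "__main__":
    broken, fixed = build_chain(True), build_chain(False)
    blind = build_chain(False, border_knows_exchange_users=False)
    print("broken, exchange -> bob:  ", route("bob@a.com", broken, "exchange"))
    print("fixed,  exchange -> bob:  ", route("bob@a.com", fixed, "exchange"))
    print("fixed,  outside  -> alice:", route("alice@a.com", fixed, "border"))
    print("fixed,  exchange -> nobody:", route("nobody@a.com", fixed, "exchange"))
    print("blind,  exchange -> nobody:", route("nobody@a.com", blind, "exchange"))
```

The third scenario is the one to watch for after applying the fix: once Exchange stops being authoritative for A.COM, the border server's recipient validation (the mailbox lists refreshed from both servers, described at the top of the article) becomes the only place where a non-existent A.COM address is turned into an NDR rather than bounced back and forth between Exchange and Postfix.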

The picture at the beginning of the article shows the direction of mail traffic between the servers. Green arrows show normal mail traffic; yellow arrows show the route taken by mail for the shared domain.

That’s it. If you have any questions or comments please add one below!