setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewalls.
    setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewalls.  
Saira
03-01-06 10:54 PM

Hello
Sorry about the big mail list, but my question involves three different
areas of expertise, so I am not sure where to post.

In a nutshell what I am trying to do is the following.
a) Get IIS, in an anonymous access DMZ, to pick up email from my ISP through an
ISA Server 2004 firewall
I haven't figured out yet how to get the mail server to pick up email, I
could publish the SMTP server on the external firewall, but all email is
currently being sent to my ISP and I quite like this because they can take
care of a lot of spam filtering, virus etc. problems for me.

b) I then want IIS to forward the email to an internal exchange server
(through another ISA firewall)
I am trying to set up IIS to relay email. When I configure SMTP I get the
error "the domain name is not valid". I am setting up a domain and selecting
forward all email to smarthost, but when I check this option and type in the
IP address of the Exchange server, this is the error I get. It will be
picking up email destined for three different domains, x.com, y.com and
z.com. The domain name for the Windows domain that needs to accept these
emails is b.com. Is this going to be a problem? I have not set up
anything on the Exchange server yet (should I be doing this first?)

c) Theoretically Exchange should then deliver the incoming mail to the
individual users. I have configured the Exchange policies such that all
users have the appropriate associated SMTP email addresses against their
user names, so hopefully this should just work.

Sorry for all the questions, I seem to have half answers for most issues,
but just can't seem to get there.

Thanks to anyone who proffers help/advice.

Saira

The users in Exchange

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
ZVR
03-01-06 10:54 PM

> In a nutshell what I am trying to do is the following.
> a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through
> an ISA server 2004 firewall
> I haven't figured out yet how to get the mail server to pick up email, I
> could publish the SMTP server on the external firewall, but all email is
> currently being sent to my ISP and I quite like this because they can take
> care of a lot of spam filtering, virus etc. problems for me.

You cannot do this with IIS alone. You will need a POP3 connector that
integrates with your Exchange instance and retrieves mail from your ISP (I
assume the ISP is using POP3 for message retrieval). In this case there is
no need for point b) below.


> b) I then want IIS to forward the email to an internal exchange server
> (through another ISA firewall)

You don't need this if you install and configure the POP3 connector on the
Exchange server itself. Here's an example of such a connector that
integrates natively with Exchange 2000/2003:
http://www.mapilab.com/exchange/pop3_connector/

Not too expensive either by comparison with other products of this nature.


> I am trying to setup IIS to relay email. when I configure SMTP I get the
> error "the domain name is not valid". I am setting up a domain and
> selecting forward all email to smarthost, but when I check this option and
> type in the IP address of the Exchange server, this is the error I get.

This should not be a problem, but check your DNS configuration carefully for
errors.


> It will be picking up email destined for three different comains x.com ,
> y.com and z.com. The domain name for the Windows domain that needs to
> accept these emails is called b.com. is this going to be a problem? I have
> not set up anything on the Exchange server yet (should I be doing this
> first?)

Yes you need to set up Exchange to accept messages for all three domains -
this is being done mainly through Recipient Policies in the Exchange System
Manager.

Virgil

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
Phillip Windell
03-01-06 10:54 PM

If Exchange is only receiving from the IIS SMTP (pushed to Exchange from
IIS) it doesn't need the connector.  The connector is required if Exchange
"polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a "POP3
Client".

I use IIS/SMTP to relay to Exchange myself.  The IIS/SMTP box runs a spam
filtering system that processes the incoming mail, then passes it on to
Exchange.  There was nothing to configure on Exchange; Exchange is
completely "oblivious" to what is happening.

It sounds to me like the IIS/SMTP service is simply misconfigured.
The question should be answered in an IIS group, not ISA.  ISA has nothing
to do with it; the fact that it is going through an ISA as a result of
publishing is irrelevant.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
ZVR
03-01-06 10:54 PM

"Phillip Windell" <@.> wrote in message
news:%23OkOYzWPGHA.1360@TK2MSFTNGP10.phx.gbl...
> If Exchange is only receiving from the IIS SMTP (pushed to Exchange from
> IIS) it doesn't need the connector.  The connector is required if Exchange
> "polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a "POP3
> Client".

I know what you mean, however from the original post I got the impression
that the mailboxes are currently hosted at the ISP, which performs all kinds
of processing on them and also "stores" the messages, in which case a POP3
connector would be required. If the ISP does not "store" the mailboxes and
simply passes everything on to the IIS relay after applying some anti-virus
filtering and so on, then the POP3 connector would be unnecessary as you
pointed out.

Virgil

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
Phillip Windell
03-01-06 10:54 PM

OK, well, we'll have to wait and see how they respond back. Maybe they will
clarify it then.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
Julian Dragut
03-03-06 11:27 PM

Either way it's crazy. Why would one use IIS to redirect mail, if a POP
connector to the ISP is going to be used?
He's publishing the mail server with ISA anyway, so I guess his best bet
would be to configure Exchange to only receive email from the ISP's SMTP
server (and, for "filtering", to use it as a smart host for sending as well),
after Exchange has been published through ISA!

Julian Dragut

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
Saira
03-03-06 11:27 PM

We're not publishing Exchange through ISA, and we do not want to expose our
internal Exchange server to the internet.
One option that we did have was to put in place another Exchange server in
the DMZ; in this case we would have used a POP connector to contact the ISP
and the email would then have gone through to the backend server. However,
this is not our setup. What we actually have is an IIS server in a DMZ and an
Exchange server on the internal LAN. My question was:
What is the best way to get mail from the ISP into the DMZ (yes, the ISP
stores the email in mailboxes, so from previous feedback, it looks like the
opinion is that I will need a POP connector to get the mail down)?

Once the email gets to the IIS server I need it to be relayed to the
internal Exchange server (this is where I am getting the IIS SMTP
configuration error). My main question here was how do I make sure that all
mail for all three domains gets forwarded through to the internal Exchange
server.

We already have our internal mailboxes configured via recipient policies to
receive mail from the various different domains, but I was not sure whether
this was all I needed to do.

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
ZVR
03-03-06 11:27 PM

> What is the best way to get mail from the ISP into the DMZ (yes, the ISP
> stores the email in mailboxes, so from previous feedback, it looks like
> the opinion is that I will need a POP connector to get the mail down).

Yes you will. However! As I was saying in my previous email, if you
integrate a POP3 connector into your internal Exchange instance, you will
not need this intermediate DMZ step, period. The reason being that the
internal Exchange can connect to your ISP and retrieve the POP3 mail
directly, then route the messages to the appropriate mailboxes. Nowhere in
this scenario are you "exposing" the internal Exchange machine - there will
be no "incoming" connections to it, just outgoing requests made from the
POP3 connector to your ISP mail servers. This is as secure as it can be -
you only need to allow outbound access through your firewalls for the ISP
IP(s), for the POP3 protocol.

> Once the email gets to the IIS Server I need it to be relayed to the
> internal Exchange server (this is where I am getting the IIS SMTP
> configuration error).

This type of configuration is actually even less secure than what I am
suggesting because you need to allow traffic from the DMZ into the internal
network space, so if your DMZ ever gets compromised, the offenders will have
a direct access path into your SMTP service. Still secure enough if you ask
me, but just pointing out for the sake of the design that integrating the
POP3 connector into your internal Exchange instance is probably the best
option security-wise.

Virgil

    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
Phillip Windell
03-03-06 11:27 PM

Kinda long,...read it all.

"Saira" <Saira@BayonetVentures.com> wrote in message
news:ORZNtTePGHA.3936@TK2MSFTNGP12.phx.gbl...
> and we do not want to expose our
> internal Exchange server to the internet.

Why not? If you publish it from ISA (followed by the "outer" firewall doing
a Static NAT to the ISA) you are only exposing the SMTP service which isn't
any different (or worse) than using an SMTP service in the DMZ.

> One option that we did have was to put in place another Exchange server in
> the DMZ, in this case we would have used a POP Connector to contact the ISP
> and the email would then have gone through to the backend server, however
> this is not our setup.

Yes you could do that, but (in my opinion) this whole method is based on
needless paranoia and on top of that the Admin doing it has to buy ($$$$) 2
Exchange Servers to perform a "single" job that could have just as easily
and safely been done with one Exchange.

> What we actually have is an IIS server in a DMZ and an
> Exchange server on the internal LAN. My questions was:
> What is the best way to get mail from the ISP into the DMZ (yes, the ISP
> stores the email in mailboxes, so from previous feedback, it looks like the
> opinion is that I will need a POP connector to get the mail down).

Then you have exactly what I thought you did.  *IF* you need a POP3
Connector it would have to go on the IIS/SMTP in the DMZ (not the Exchange
machine) so it could interact with the ISP's system. However I don't think
there is such a thing.  There isn't even a POP3 Service with IIS until you
get to the one with Server2003,...and a POP3 Service is not the same thing
as a POP3 Connector, which as far as I know is an "Exchange only" item.

Now with all that said, you don't need a POP3 Connector.  The ISP's SMTP
Server will use *SMTP* (not POP3) to send whatever it gets to the "outer"
firewall's external IP#; the firewall using Static NAT will pass it on to
the IIS/SMTP in the DMZ.  The IIS/SMTP does a "rinse & repeat" of what the
ISP did and simply forwards everything it receives to the ISA's external IP#
where the Publishing Rule grabs it and passes it to the Exchange Server.
The Exchange Server is the one with the "brains" and will determine what to
do with the messages and if they even really belong there.

> Once the email gets to the IIS Server I need it to be relayed to the
> internal Exchange server (this is where I am getting the IIS SMTP
> configuration error). My main question here, was how do I make sure that all
> mail for all three domains gets forwarded through to the internal Exchange
> server.

1. In the MMC below the IIS/SMTP Virtual Server there is a Domains
object; in it you have to list all the domains you are dealing with (do
not include the "@"). Make sure they aren't spelled wrong.

   a. Then in the Properties of each of those Domains (not counting the
      Local Default one), enable "Allow the mail to be relayed to this domain".
   b. Then enable "Forward all mail to Smarthost" and give it the external
      ISA's IP# and enclose it in square brackets.
   c. Leave everything else blank. Leave the Advanced tab blank. Leave
      "Outbound Security" set to anonymous.

2. Then in the Properties of the IIS/SMTP Virtual Server go to the Access
tab, then the Relay button.  Select "Only the list below", then leave the
list blank. At the bottom select "Allow computers that successfully
authenticate".

But this group is supposed to be about configuring and troubleshooting
ISA,...not IIS/SMTP.  But then you crossposted to about a million other
groups.

> We already have our internal mailboxes configured via recipient policies
> to receive mail from the various different domains, but I was not sure
> whether this was all I needed to do.

Yes, as far as Exchange is concerned,...that is all you do.  Exchange only
cares about what to do with the mail once it arrives (hence the Recipient
Policy), but Exchange couldn't care less how the mail found its way to the
server.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/I...ccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downl...>
ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/...idance/2004.asp
http://www.microsoft.com/isaserver/...idance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
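
The relay restriction in step 2 of the post above, together with Virgil's earlier point that the DMZ relay is the one hop with a path into the internal SMTP service, comes down to a single check: does the relay accept RCPT TO for an address it does not host from a client that has not authenticated? What follows is an added example, not code from the thread and not Microsoft's IIS/SMTP service: a toy SMTP server that applies the same policy (relay only to the listed domains, or to anyone who authenticated) and an smtplib probe that sends the RCPT TO checks an open-relay scanner would send, so both sides of the exchange are visible. The hostnames, reply texts and the credential relayuser/s3cret are constructed for the demo; x.com, y.com and z.com are the placeholder domains Saira used.

```python
import base64
import smtplib
import socket
import threading

# Constructed for the example: the three inbound domains named in the thread.
RELAY_DOMAINS = {"x.com", "y.com", "z.com"}


def relay_allowed(rcpt: str, authenticated: bool) -> bool:
    """Same policy as the IIS/SMTP settings described in the post: relay to the
    listed remote domains only, or to anywhere for a client that authenticated."""
    if authenticated:
        return True
    addr = rcpt.strip("<>").lower()
    return "@" in addr and addr.rsplit("@", 1)[1] in RELAY_DOMAINS


def serve_one(conn: socket.socket, creds: tuple) -> None:
    """Server side of the exchange: just enough SMTP for smtplib to talk to.
    Reply codes/texts are assumptions for the demo, not IIS/SMTP's own."""
    authed = False
    reader = conn.makefile("r", encoding="ascii", newline="")

    def send(line: str) -> None:
        conn.sendall((line + "\r\n").encode("ascii"))

    send("220 dmz-relay.example ESMTP toy relay")
    for raw in reader:
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            send("250-dmz-relay.example")
            send("250 AUTH PLAIN")
        elif verb == "AUTH":  # AUTH PLAIN base64("\0user\0password")
            mech, _, blob = arg.partition(" ")
            try:
                parts = base64.b64decode(blob).split(b"\0")
            except ValueError:
                parts = []
            supplied = tuple(p.decode("ascii", "replace") for p in parts[1:])
            if mech.upper() == "PLAIN" and len(parts) == 3 and supplied == creds:
                authed = True
                send("235 2.7.0 Authentication successful")
            else:
                send("535 5.7.8 Authentication credentials invalid")
        elif verb == "MAIL":
            send("250 2.1.0 Sender OK")
        elif verb == "RCPT":  # RCPT TO:<user@domain> is where the relay policy bites
            if relay_allowed(arg.partition(":")[2].strip(), authed):
                send("250 2.1.5 Recipient OK")
            else:
                send("550 5.7.1 Unable to relay")
        elif verb == "QUIT":
            send("221 2.0.0 Bye")
            break
        else:
            send("502 5.5.2 Command not implemented")
    reader.close()
    conn.close()


class ToyRelay(threading.Thread):
    """Listens on a random loopback port and serves one client at a time."""

    def __init__(self, creds: tuple) -> None:
        super().__init__(daemon=True)
        self.creds = creds
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self) -> None:
        while True:
            conn, _ = self.sock.accept()
            serve_one(conn, self.creds)


def probe(port: int, rcpts: list, login=None) -> dict:
    """Client side: the RCPT TO checks an open-relay scanner sends, without DATA.
    Returns {recipient: SMTP reply code}; 250 means the relay would accept it."""
    codes = {}
    with smtplib.SMTP("127.0.0.1", port, local_hostname="probe.example", timeout=5) as smtp:
        if login:
            smtp.login(*login)
        smtp.mail("probe@example.net")
        for rcpt in rcpts:
            codes[rcpt] = smtp.rcpt(rcpt)[0]
    return codes


def demo() -> tuple:
    """Anonymous client: the listed domain relays, anything else gets 550.
    Authenticated client: relay is allowed regardless of destination domain."""
    creds = ("relayuser", "s3cret")  # constructed credential for the demo
    server = ToyRelay(creds)
    server.start()
    anonymous = probe(server.port, ["alice@x.com", "bob@example.org"])
    authenticated = probe(server.port, ["bob@example.org"], login=creds)
    return anonymous, authenticated


if __name__ == "__main__":
    print(demo())  # ({'alice@x.com': 250, 'bob@example.org': 550}, {'bob@example.org': 250})
```

To check a real DMZ relay, point probe() at its address and port 25 instead of the toy server, from a host outside the DMZ and without credentials: a 250 to RCPT TO for a domain the relay does not host means it is an open relay, and a 5xx is what you want (judge by the code, not the reply text, which differs between servers). Because the post's step 2 leaves the relay list empty and allows any authenticated computer, the relay credential becomes the whole control for anything outside the listed domains, so it should be treated like any other service password, and ISA should still limit port 25 out of the DMZ to the Exchange publishing rule alone.
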
    Re: setting up an IIS server to relay email to Exchange in DMZ, through two ISA firewa  
Saira
03-03-06 11:27 PM

Thank you Phillip and Virgil
It is a very long thread, I didn't realise what I was starting when I
posted!!

What you are saying makes sense, I must admit I am trying to listen to all
sides (some of whom say it is a bad idea to allow your Exchange server to
interact directly with the internet).

If I am to publish my Exchange server to the outer firewall (I am working in
a back-to-back scenario), do you have any idea on how to do this? I can see
how to do this if Exchange was in the DMZ, but not in the internal LAN. I
assume that if I do this, I am basically done and dusted as Exchange will
receive all the email and I will then just need to enable the firewall to
allow outgoing SMTP from Exchange and that's it....

Saira