Receive Connector no longer working for a server that has changed subnets - any ideas?

  • Question

  • Hello all,

    First Post here so be gentle with me :)

    Situation is as follows.

    We have an oracle database that uses pop3 to send emails via our Exchange 2007 SP2 (Update 4) server a process which has been working successfully for several years.  To facilitate this process I simply ensured that the POP3 service on our server was enabled and that a receive connector was created that explicitly permitted the IP Address of the oracle server, was configured for Externally Secured authentication and which had a permission group set for Exchange Servers.  This same receive connector is also used by our multi function printers to provide scan to email.  In this situation the Exchange server and the Oracle server sat on the same subnet.

    For PCI Compliance reasons we recently moved the Oracle database to a different subnet using a firewall as the router with the intention to limit access to the oracle server to specified subnets and machines.  The firewall is configured at the moment to allow the Oracle server to go anywhere and do anything but the firewall limits incoming traffic to specific servers and clients but does not filter traffic based on port/protocol.  This has all worked fine except for this issue with the Oracle server sending emails - now it can't.  I put the new IP address of the Oracle server into the receive connector and made no other changes assuming this would work but it doesn't.  I've created a new receive connector just for the oracle server but that doesn't work either.   When I telnet from the Oracle server to the Exchange server on port 25 and do a helo command the response I receive uses our external FQDN not the internal one causing me to believe that the Exchange server is applying our internet facing receive connector not the internal one (see below).  I'm puzzled by this as I thought the Exchange server uses the receive connector that most closely matches to the incoming request - which would be the connector containing the IP address.  However as a test I even put the IP address into the internet Receive connector but the exchange server will still not accept emails.

    To verify that things were working normally on the original subnet with the original receive connector I used telnet from our sharepoint server and this worked fine using the correct Receive connector and responding with the right FQDN and IP's, when I try the same process from the Oracle server it fails.

    This from our Sharepoint server which lives on the same subnet as the Exchange Server

    220 mailserver.internal.group Microsoft ESMTP MAIL Service ready at Thu, 4 Aug 2011 16:52:11 +0100
    helo
    250 mailserver.internal.com Hello [192.168.0.50]
    mail from:jsherlock@external.co.uk
    250 2.1.0 Sender OK

    This from our Oracle server

     

    220 mailserver.external.co.uk Microsoft ESMTP MAIL Service ready at Thu, 4 Aug 2011 16:58:24 +0100
    helo
    250 ex.ucb.co.uk Hello [192.168.0.13]
    mail from:jsherlock@external.co.uk
    550 5.7.1 Client does not have permissions to send as this sender

    I can only assume that the Exchange server is not accepting that the traffic from the new subnet is part of the domain but rather is external and consequently denies access.  Naturally the new subnet is included in AD Sites and Services and both servers can ping each other and DNS resolution works fine.   The firewall is not performing NAT on the traffic and given the loose nature of the firewall rules is acting mostly as a router.  To clarify one point we use a different internal domain name to our external domain name.

    Research I've done on the net has not assisted me although I may well be simply phrasing my search criteria poorly but I'm at a loss as to how to fix the issue.

    If anyone here has any insight or ideas as to how I may resolve the issue I would be most appreciative.  Many thanks for your time reading this,

     

    Blessings

     

    Jez

    Thursday, August 4, 2011 4:14 PM

Answers

  • Hello

     

    Thanks for your reply.   I checked the logs as requested but the logs indicated the correct IP was being picked up but the wrong, internet facing, connector was being used.   What was really odd was that the internet facing connector in use was disabled in the console which made me think that whilst the console was updating with the settings as we changed them the underlying service that utilizes these connectors was not.  Consequently I took the decision to restart the Edge Sync, POP3 and transport services.  As a result the system is now working as intended and the Oracle server can now send emails again.

     

    I should have thought to check the logs myself as they confirmed what I had already thought was happening.  Restarting services is something I don't like to do unscheduled on a mail server but it only took 2 minutes so fortunately no-one in the office seemed to notice.

     

    Thanks once again for the speedy response and pointing me in the right direction to complete the troubleshooting.

     

    Blessings

     

    Jez

    • Marked as answer by JPSherlock Friday, August 5, 2011 10:40 AM
    Friday, August 5, 2011 10:40 AM

All replies

  • Have a look at the SMTP Receive protocol logs and see what IP address
    is being used by that Oracle server.
     
    If it's behind a firewall the address it uses may be NATed and what the
    Exchange server sees is the IP address of the firewall, not the
    address of the Oracle server.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, August 5, 2011 2:03 AM
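
The log check suggested above, and the mismatch it turned up in this thread (correct source IP, wrong connector), can be automated. This is an added example, not part of the original thread: it reads an SMTP Receive protocol log, works out which Receive connector should have handled each remote IP by most-specific remote range, and lists the IPs where the log shows a different connector. The connector names, their ranges, the session ids and the Exchange address 192.168.0.10 are constructed, and all connectors are assumed to share one local binding.

```python
import csv
import ipaddress

# Constructed connector names and remote ranges (assumptions, not from the thread).
CONNECTORS = {
    r"MAILSERVER\Internet": ["0.0.0.0/0"],
    r"MAILSERVER\Internal Relay": ["192.168.0.13/32", "192.168.0.50/32"],
}
# Constructed sample in the SMTP Receive protocol log layout (CSV with '#' headers).
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-08-04T15:52:11.000Z,MAILSERVER\Internal Relay,08CE0001,0,192.168.0.10:25,192.168.0.50:4101,+,,
2011-08-04T15:52:20.000Z,MAILSERVER\Internal Relay,08CE0001,4,192.168.0.10:25,192.168.0.50:4101,>,250 2.1.0 Sender OK,
2011-08-04T15:58:24.000Z,MAILSERVER\Internet,08CE0002,0,192.168.0.10:25,192.168.0.13:4222,+,,
2011-08-04T15:58:40.000Z,MAILSERVER\Internet,08CE0002,4,192.168.0.10:25,192.168.0.13:4222,>,550 5.7.1 Client does not have permissions to send as this sender,
"""

def expected_connector(remote_ip, connectors=CONNECTORS):
    """Pick the connector whose remote range matches with the longest prefix."""
    ip = ipaddress.ip_address(remote_ip)
    best = None
    for name, ranges in connectors.items():
        for net in map(ipaddress.ip_network, ranges):
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def parse_rows(log_text):
    """Parse data rows into dicts keyed by the '#Fields:' header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows

def audit(log_text, connectors=CONNECTORS):
    """Map remote IP -> (connector in log, expected connector, 5xx replies sent)."""
    result = {}
    for row in parse_rows(log_text):
        ip = row["remote-endpoint"].rsplit(":", 1)[0]
        seen, _, errors = result.get(ip, (row["connector-id"], None, []))
        if row["event"] == ">" and row["data"].startswith("5"):
            errors = errors + [row["data"]]
        result[ip] = (seen, expected_connector(ip, connectors), errors)
    return result

def mismatches(log_text, connectors=CONNECTORS):
    """Remote IPs whose sessions were handled by a connector other than the expected one."""
    return sorted(ip for ip, (seen, exp, _) in audit(log_text, connectors).items() if seen != exp)
```

An IP reported by `mismatches` with the configuration looking correct points at the running transport service holding a stale connector set, which is the condition the service restart in this thread cleared.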