A ban on dynamic IP addresses for Exchange Server

Some companies, including Microsoft, have decided to block any inbound email messages originating from a dynamic IP address in an effort to prevent spam. Unfortunately, while almost every large company uses a static IP address for its Exchange servers, smaller companies are often forced to use dynamic IP addresses.

Fortunately, you can configure Exchange Server to route mail through your ISP's SMTP server, so it appears to recipients as if the message came from the ISP's static IP address instead of your organization's dynamic IP address.

How to route Exchange Server email through an ISP's SMTP server

How to configure Microsoft Exchange Server to route mail through your ISP's SMTP server varies depending on the versions of Exchange Server that you are running. In Exchange 2000 and Exchange 2003, the SMTP connector replaces the Internet Mail Service used in earlier versions of Exchange Server.

For the purposes of this tip, I will assume that your Exchange Server deployment is running in mixed mode, and that you will need to create an SMTP connector. If you already have an SMTP connector in place, you can modify your existing connector rather than creating a new one.

1. Open Exchange System Manager.

2. Navigate to Administrative Groups -> your administrative group -> Routing Groups -> First Routing Group -> Connectors.

3. Right click on the Connectors container and select New -> SMTP Connectors to view the new connector's properties sheet.

4. Go to the General tab and enter a descriptive name for the connector into the space provided.

5. Just below the Name field, you are given the choice of using DNS to route messages to each address space on the connector, or to forward mail through a smart host. Choose the smart host option and then enter the IP address of your ISP's SMTP server into the space provided.

6. At this point, you must designate an SMTP virtual server to act as a local bridgehead server. To do so, click the Add button and then select the server that you want to designate as the local bridgehead.

7. To define an SMTP address space, select the Address tab and then either the Entire Organization or the Routing Group option to set the scope of the address space that you are about to define.

8. Click the Add button, select the SMTP option, and click OK.

9. You will now see a dialog box asking for an email domain and a cost. Go with the defaults and click OK to be taken back to the Address Space tab.

10. Verify that the "Allow Messages to be Relayed to these Domains" checkbox is not selected -- otherwise, the entire world may be able to relay mail through your Exchange Server.

11. Go back to the Advanced tab and click the Outbound Security button to view the Outbound Security dialog box.

12. Most ISPs require the Outbound Security option to be set to Anonymous Access, but you should check with your own individual ISP to see what settings they want you to ...
    
    To continue reading for free, register below or login

    Requires Membership to View

    To gain access to this and all member only content, please provide the following information:

    Email Address:
    
    
    

    By joining SearchExchange.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
    
    TechTarget cares about your privacy. Read our Privacy Policy
    To read more you must become a member of SearchExchange.com

    As an existing member of the TechTarget network please activate your SearchExchange.com account 

    By joining SearchExchange.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
    
    TechTarget cares about your privacy. Read our Privacy Policy
    
    
    

    Digg This!     StumbleUpon     Del.icio.us

    
    
    
    

    RELATED CONTENT Exchange Security Tips How to install Forefront Security for Exchange Server Is full email encryption the solution to Exchange security? Lock down direct file access and protect OWA users Controlling spam in Exchange 2007 at the edge transport server level When to use a self-signed certificate with Exchange Server 2007 Obtaining and verifying SSL certificates in Exchange Server How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Exchange Server Administration Tips Remove Exchange 2003 objects from AD to install Exchange 2010 Don'ts for optimal Exchange 2007 mailbox server efficiency Is your Exchange 2007 hub transport server healthy? Avoid Outlook 2007 performance issues during repairs Developing an Exchange 2007 server role DR plan How DSAccess service improves Exchange Server 2007 reliability An introduction to the Exchange Remote Connectivity Analyzer tool Monitor Exchange 2007 with disk- and RPC-related counters DPM 2007 replica inconsistencies in Exchange databases Track Exchange 2007 mailbox server health using database counters Spam and virus protection How to install Forefront Security for Exchange Server Block Web beacons and protect OWA users from spam Controlling spam in Exchange 2007 at the edge transport server level How file-level antivirus software can harm your Exchange Server Problems with email spoofing on SBS 2003 Exchange Insider e-zine Securing your Exchange Server 2007 journaling archives Troubleshooting Outlook Web Access issues on a 64-bit system Microsoft Exchange Server security dos and don'ts Troubleshooting Microsoft Exchange Server Event ID error 6009 Spam and virus protection Research

    RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter spam  (SearchExchange.com) greylist  (SearchExchange.com) image spam  (SearchExchange.com) KnujOn  (SearchExchange.com) Sender ID  (SearchExchange.com) spam confidence level  (SearchExchange.com) spamblock  (SearchExchange.com) spim  (SearchExchange.com) tarpitting  (SearchExchange.com) Vouch by Reference (VBR)  (SearchExchange.com)

    RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

    
    
    use.

13. Click OK repeatedly until all of the open dialog boxes are closed.

14. Now verify that the SMTP virtual server you designated to act as a local bridgehead is configured to listen on TCP port 25 by navigating to Administrative Groups -> your administrative group -> Servers -> the server that's hosting the designated SMTP virtual server -> Protocols -> SMTP -> the designated SMTP virtual server.

15. Right click on the designated SMTP virtual server and select Properties.

16. Go to the General tab and click on the Advanced button.

17. Verify that the SMTP virtual server is configured to listen on TCP port 25. If the designated port is something other than 25, you can use the Add button to add port 25 to the list of ports.

18. Your Exchange Server should now be configured to route outbound SMTP email through your ISP's SMTP server. To complete the process, simply restart the Microsoft Exchange Routing Engine service and the server's SMTP service.

Make sure your ISP isn't on any spam blacklists

Routing email through an ISP's SMTP server may not be enough to prevent your organization's email from being treated as spam.

There are numerous spam blacklists, and your ISP's SMTP server could potentially be listed on any of them. In the past, it has been a very tedious process to search through all of the blacklists to see where a block was coming from.

I recently discovered a handy Web site called DNSstuff.com that makes the process of searching the spam blacklists a lot easier. The site isn't solely dedicated to searching spam blacklists, but the front page offers an option to enter your (or in this case your ISP's) mail server's IP address. It will then check all of the spam blacklists to see if the IP address appears on any of them.

In all likelihood, your ISP's mail server isn't blacklisted, but it's still good to check to be sure. Running a quick scan of the blacklists up front can save you hours of pointless troubleshooting if your ISP is blacklisted and causing email delivery issues.

If you've verified that your ISP's SMTP server is not on a spam blacklist, but your organization's email still isn't being delivered, it's possible that the domains rejecting your email are using extremely restrictive spam filters.

Some filters will not only block all dynamically assigned IP addresses, but also email from any organization whose DNS server is not configured to meet the service's specifications.

One example of an overly restrictive spam filter is the SORBS Dynamic User and Host List (SORBS DUHL), which was originally intended to be a list of dynamically assigned IP address ranges. The idea was that organizations could reduce spam by blocking inbound email from any IP address within a listed range.

But as I outlined above, there is a simple technique that circumvents detection of your organization's IP dynamic IP address by routing mail through your ISP's SMTP server, which has a static IP address.

Spammers know this trick too. So if the absence of a dynamic IP address were the only criteria that SORBS used for blocking spammers, the list of dynamically assigned address ranges would quickly become useless. That being the case, SORBS came up with some additional requirements:

• The MX record of a domain needs to contain a host name that maps to the IP address involved. The "Time to Live" of the MX record needs to be at least 43,200 seconds.

• The A record for the host name needs to have a TTL of at least 43,200 seconds.

• The reverse DNS PTR record for the IP address involved needs to map back to the name given in the MX record, and to have a TTL of at least 43,200 seconds.

• If there are multiple MX entries, these rules apply to them all.

Organizations that filter email based on the SORBS-DUHL exclusion list are bound to reduce the amount of spam they receive, but they also risk making themselves inaccessible both to clients and potential clients, so I personally think this practice is a bad idea.

Even though I disagree with using the SORBS-DUHL exclusion list to filter spam, you can't ignore its requirements. Microsoft is only one of many companies now filtering inbound email using the SORBS-DUHL standards. So you might want to think about configuring your domain's DNS records to match the SORBS-DUHL requirements as a precaution.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Do you have comments on this tip? Let us know.

Related information from SearchExchange.com: