That's what we have here, but the issue is that it then allows sending to any external email address; they want to restrict it to the internal domain and a *trusted* domain only.

Some systems have a legitimate need to be sending to all external domains, and we add the IPs of those to the allowed list. We have another contract that is a subset of the parent organisation, and that domain is set as an internal relay, so if the mailbox isn't on that Exchange environment the mails get sent to the smart host. I'd sort of hoped that the external relay domain would have worked for the issue on this contract, i.e. relay all mail it receives on the receive connector from the app servers straight to the smart host. That way only anything that has a legitimate need to email beyond those 2 domains needs to be added to the allowed list. I'll just tell them that it can't be done, and they need to get security approval before getting added to the allowed list. Much simpler on my side :-)

Tony

On 22 Jul 2015 17:59, "Kurt Buff" <[email protected]> wrote:
> We have a similar situation here, also using Exchange 2010 - we have two classes of non-human email senders, those that send emails for internal use only and are allowed to send anonymously but only internally, and those that come from our CRM and go to external customers - we've allowed these to send anonymously also.
>
> The approach I took was to set up an extra IP address (with matching FQDN in DNS - I used "allowanonymousinternal.example.tld" and "allowanonymousexternal.example.tld") on the Exchange server for each of the two new connectors, then limit incoming to each connector to specific sending IP addresses.
>
> So far it's worked well for us.
>
> Kurt
>
> On Wed, Jul 22, 2015 at 7:27 AM, Tony Patton <[email protected]> wrote:
> > Hi folks,
> >
> > We have a requirement to try to restrict applications relaying via Exchange to the internal domain and another email domain, without opening it up to allow emails to relay to any and all domains, unless the IP has been added to the allowed list.
> >
> > The internal Exchange domain is CompanyA.com, which routes all external emails to MimeSweeper filters; no Exchange Edge servers are implemented.
> >
> > We do have SMTP receive connectors set up for the applications to relay with IP address restrictions, but it is either all or nothing as far as external email goes and Security aren't happy with that approach. The sending servers/applications either can't or won't use authentication, so all connections to the receive connector are Anonymous.
> > The Send connector is configured to route mail via the smart hosts by IP, so it doesn't try to resolve the CompanyB.com MX record.
> >
> > Remote domains is the Default *, and a single Send Connector with address * pointing to the MimeSweeper servers.
> >
> > Can an Accepted Domain configured as "External Relay Domain" with the CompanyB.com domain accomplish what we are being asked to do? I.e. any server not allowed by IP can then send to both domains, with the emails for CompanyB sent to the MimeSweeper filters as normal? Or is there another "safe" way to do this? Or something I'm missing completely?
> >
> > Obviously we don't want to impact emails being sent by CompanyA users to CompanyB users.
> >
> > The servers are Exchange 2010 SP3 RU6, soon to be RU9, if that has a bearing on it.
> >
> > If it can't be done easily or safely, for various definitions of both, they will just have to fight it out with the security team.
> >
> > I've looked at various TechNet & MSExchange.org articles, but everything I've come across assumes that Edge servers are in place, so I'm looking for alternate confirmation on whether it will work or not.
> >
> > If I haven't explained it correctly, hit me with a big stick, I've been coming back to this over the course of the day so may be a bit muddled :)
> >
> > Thanks,
> >
> > Tony
> >
>
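The two-connector pattern Kurt describes, written out in Exchange Management Shell as an added example; this is not code from either poster. The server name, IP bindings, FQDNs and the application subnets are assumptions for illustration, and the relay right is granted the way Microsoft documents for Exchange 2010 (an ms-Exch-SMTP-Accept-Any-Recipient grant to ANONYMOUS LOGON). The audit at the end lists every connector that currently permits anonymous relay and the source ranges it accepts, which is the "allowed list" the security team is being asked to approve.

```powershell
# Added example (not from the thread): Kurt's two-connector approach on Exchange 2010.
# Server name, IP addresses, FQDNs and application subnets are assumed values.
$Server = "EX01"   # assumed Hub Transport server

# Connector 1: anonymous submission to INTERNAL recipients only.
# The AnonymousUsers permission group accepts mail for the accepted domains but
# does not by itself allow relay to arbitrary external recipients.
New-ReceiveConnector -Name "AllowAnonymousInternal" -Server $Server -Usage Custom `
    -Bindings "10.0.0.11:25" `
    -Fqdn "allowanonymousinternal.example.tld" `
    -RemoteIPRanges "10.0.10.0/24" `
    -PermissionGroups AnonymousUsers

# Connector 2: anonymous relay to EXTERNAL recipients (the CRM class in Kurt's
# case), restricted to an explicit, short list of sending hosts.
New-ReceiveConnector -Name "AllowAnonymousExternal" -Server $Server -Usage Custom `
    -Bindings "10.0.0.12:25" `
    -Fqdn "allowanonymousexternal.example.tld" `
    -RemoteIPRanges "10.0.20.5","10.0.20.6" `
    -PermissionGroups AnonymousUsers

# Grant the relay right ONLY on the external connector. This single permission is
# what turns "accept for my own domains" into "accept for any recipient".
Get-ReceiveConnector "$Server\AllowAnonymousExternal" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: every connector on the server that lets anonymous senders relay, with
# the source IP ranges it accepts. Each row is effectively one entry on the
# allowed list that security is approving.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $rc = $_
    $relay = Get-ADPermission -Identity $rc.Identity |
        Where-Object {
            $_.User -like "*ANONYMOUS LOGON*" -and
            $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*"
        }
    if ($relay) {
        [PSCustomObject]@{
            Connector      = $rc.Name
            Bindings       = ($rc.Bindings -join ", ")
            RemoteIPRanges = ($rc.RemoteIPRanges -join ", ")
        }
    }
} | Format-Table -AutoSize
```

Note that this scopes relay by source IP, which is what Kurt describes; it does not scope relay by destination domain, which is the question Tony was left unable to answer. The audit is still worth running before any new host is added: an unexpectedly broad RemoteIPRanges value on a connector that carries the Accept-Any-Recipient grant is exactly the "all or nothing" exposure the security team objected to.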
