Standard User andyhud
(newbie) Fri 28-Jul-17 15:29:47
Exchange Server Mail Relay - Zen Internet
 
Hi Guys

I have a Zen Internet FTTP Circuit but I also have a BT Business FTTP Circuit.
I have an Exchange 2016 server and I'm trying to configure it to send email via "mailhost.zen.co.uk" using Authenticated Relay over TLS (Port 587). Problem is, it's just bouncing back saying I'm not authenticated. (This is over the BT Business circuit of course; it's fine if I send over the Zen FTTP circuit.)

I just get back "smarthost01d.mail.zen.net.uk
Remote Server returned '550-This is not an open relay. To send through this server you must either be 550 on a Zen Internet IP address or be authenticated over TLS.
"

Has anyone managed to get any mail server to relay over TLS to mailhost.zen.co.uk that is NOT on a Zen Internet connection?

These are my exchange send connector settings

AddressSpaces : {SMTP:*;1}
AuthenticationCredential : System.Management.Automation.PSCredential
CloudServicesMailEnabled : False
Comment :
ConnectedDomains : {}
ConnectionInactivityTimeOut : 00:10:00
ConnectorType : Default
DNSRoutingEnabled : False
DomainSecureEnabled : False
Enabled : True
ErrorPolicies : Default
ForceHELO : False
Fqdn : mx1.mydomain.com
FrontendProxyEnabled : True
HomeMTA : Microsoft MTA
HomeMtaServerId : SERVER01
Identity : SERVER01 - Zen Send Connector
IgnoreSTARTTLS : False
IsScopedConnector : True
IsSmtpConnector : True
MaxMessageSize : 35 MB (36,700,160 bytes)
Name : SERVER01 - Zen Send Connector
Port : 587
ProtocolLoggingLevel : None
Region : NotSpecified
RequireOorg : False
RequireTLS : True
SmartHostAuthMechanism : BasicAuthRequireTLS
SmartHosts : {mailhost.zen.co.uk}
SmartHostsString : mailhost.zen.co.uk
SmtpMaxMessagesPerConnection : 20
SourceIPAddress : 0.0.0.0
SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers : {SERVER01}
TlsAuthLevel : EncryptionOnly
TlsCertificateName :
TlsDomain :
UseExternalDNSServersEnabled : False


(Note: I've edited a couple of lines above so my real internal server name etc. don't show. I've also highlighted some key lines in bold.)

Ironically, if I set up a mail client (like Thunderbird etc.) and try that over my BT circuit it works with Authenticated Relay, just not when using Exchange... it's like it needs something else.

I'm using my Zen "Webmail" username for my username to auth with (zen123467@zen.co.uk) and my password. I've checked these credentials work via Zen's Webmail Service. They log in fine.

Any ideas?

Cheers!

Andy
Standard User PaulKirby
(knowledge is power) Fri 28-Jul-17 16:51:35
[re: andyhud]
 
Have you tried using port 25 or 465? Other than that I have no clue why it's not working.

Paul

BTBroadband - Infinity 4 310Mbps (down), 31Mbps (up) FVA
TBB Speedtest | BQM #4 Linksys WRT 3200 ACM
Standard User andyhud
(newbie) Sat 29-Jul-17 14:00:05
[re: PaulKirby]
 
Hi there

Thanks for your reply. I tried 25 first of all, then saw on Zen's Support site for Outlook SMTP auth relay over TLS it used 587, so I tried that too.

I can telnet port 25 and 587 successfully from my Exchange server to "mailhost.zen.co.uk" and it responds, just can't auth. I could try to run the telnet commands manually and see if that works but it's a faff converting the credentials into base64.

mailhost.zen.co.uk doesn't respond on 465...

Right now, I've got no idea why it's not working...

Any other thoughts out there?

Cheers

Andy



Standard User 10forcash
(regular) Sat 29-Jul-17 16:49:41
[re: andyhud]
 
The sending domain needs to be in your control, (i.e. verifiably yours) and registered with BT business as a mail server, you then need to set up a 'smarthost' within Exchange to send via smtp.btconnect.com port 25. If using to forward to another sending domain, auth needs to be on and set to the credentials for the ultimate sending domain, if using BT as the sending domain, auth needs to be off.
Standard User andyhud
(newbie) Sat 29-Jul-17 18:03:46
[re: 10forcash]
 
In reply to a post by 10forcash:
The sending domain needs to be in your control, (i.e. verifiably yours) and registered with BT business as a mail server, you then need to set up a 'smarthost' within Exchange to send via smtp.btconnect.com port 25. If using to forward to another sending domain, auth needs to be on and set to the credentials for the ultimate sending domain, if using BT as the sending domain, auth needs to be off.


Hi there, thanks for your reply, but I think you may have misunderstood my question?

My issue is not with BT or their mailserver(s), my issue is trying to send email via Exchange 2016 to the ZEN Internet Mail Server (mailhost.zen.co.uk) using Authentication over TLS but from a non-Zen Internet connection (e.g. a BT one, but it could be any ISP, just not Zen).

My send connector is already configured with a smart host (see above, it's in bold) for mailhost.zen.co.uk, but I'm getting bounce backs saying I'm unable to relay because the Auth over TLS is failing (and that's the reason for my query).

I own all my domain names, but they are not with BT nor Zen, but that's actually irrelevant to this issue.

Any additional thoughts you have would be appreciated

Thanks
Standard User 10forcash
(regular) Sat 29-Jul-17 21:37:43
[re: andyhud]
 
Because you are transiting SMTP traffic over BT's infrastructure, it is effectively the first hop in a mail relay, therefore the above configuration applies. You can find more detail as to why on the BT Business fora, like this snippet:-

"Allow me to explain the situation, and the resolution.



Firstly, you *do* need to use BT's SMTP relay. You can configure a connector for this purpose, or just enter the smtp relay (mail.btconnect.com or whatever) in the smart host box of the SMTP Virtual Server's outbound-connection tab.



The problem though, is that if you tell Exchange (2003) to use authentication, which BT say they require, then Exchange will *fail* when it gets through to one of BT's cluster of SMTP servers which does not accept authentication. This is different to Outlook Express for example, which will just send the message without AUTH if the server doesn't accept AUTH. BT's servers can't seem to make their minds up whether they want AUTH or not. So you should leave auth turned off and use mail.btconnect.com or mail.btclick.com whichever it is.. I can't remember). This works for me on many sites.



The reason you have to use your ISP's relay rather than direct delivery via DNS MX lookups, is because it is simply not accepted practice to deliver directly any more. End user IP addresses are contained within many DNS blocklists (DUL - dial-up user lists as they were once known). Many ISPs now will not accept direct delivery of mail from end user IP addresses



You make sure your WHOIS postal address matches the BT account holder's address, then you call up BT on 0845 600 7020 and have your domain added for 'mail relay' on their whitelist, then your outbound mail works."

It's an old post but still explains the situation quite well.
Standard User jchamier
(eat-sleep-adslguide) Sat 29-Jul-17 21:39:22
[re: andyhud]
 
Why do you want to use Zen smarthost from another network even authenticated?

Might be that Zen haven't allowed relay from your source subnet even with SMTP AUTH.

plusnet unlimited fibre 80/20 - 2 Jun 14 - Sync at 28/Jul/17: 64,899/9,065 - G.INP & 3.3 dB SNRm
18 years of UK broadband since 1999 ntl:cable modem trial - Asus RT-AC68U and HG612 - BQM
Standard User 10forcash
(regular) Sat 29-Jul-17 21:56:42
[re: jchamier]
 
Failover was the assumption I was making, otherwise it makes no sense.
It would be easier to set up two SMTP routes, with the preferred one having a lower cost, that way, if it is failover, the emails will still be sent once the lower cost route times out.

Edited by 10forcash (Sat 29-Jul-17 22:01:05)

Standard User CecilWard
(newbie) Sun 30-Jul-17 01:11:17
[re: andyhud]
 
Andy,

Can't help you with Zen, but I use UKServers Ltd's (trading as 'virtualnames') email system for SMTP over TLS. You will need an account, which is peanuts per year. Then you just need to authenticate as you are doing now and your source IP can be whatever you need. I have been using them for 15 years and they are superb, brilliant support, extremely reliable and unbeatable value. See http://www.virtualnames.co.uk/email_services.php and there is a page with detailed settings for smtp https://support.ukservers.net/support/solutions/arti...

See what you think.
Standard User CecilWard
(newbie) Sun 30-Jul-17 01:16:05
[re: andyhud]
 
I would be surprised if an ISP, Zen included, let anyone use their servers when not coming from one of their client networks, even with smtp-auth. That's why I use a non-ISP mail service provider for all of my email, then it all just works from anywhere.

An ISP probably would not want the hassle of trying to locate an abuse coming from an IP address that they don't know anything about, whereas if it is one of their own customer networks then they can just track down and shoot the customer responsible.
Standard User Geordish
(regular) Sun 30-Jul-17 08:51:56
[re: andyhud]
 
Hi Andy,

I use Zen's mailservers to send outbound from gmail for reasons I don't remember. Works fine.

Here are my settings: http://imgur.com/a/tqoLK

These guides may also be useful:
https://support.zen.co.uk/kb/KnowledgebaseArticle.as...
https://www.authsmtp.com/exchange-2016/exchange2016_...

Hope it helps.

Edited by Geordish (Sun 30-Jul-17 08:59:07)

Standard User andyhud
(newbie) Sun 30-Jul-17 09:32:32
[re: Geordish]
 
Hi All, firstly thanks for all the comments, it's appreciated. I'm going to respond to each of them below so if you're interested read on, otherwise I understand!

10forcash - I genuinely appreciate your feedback and comments but I'm really sorry but what you are saying is incorrect. In the simplest sense of the word I am trying to send email via Zen's mail servers (mailhost.zen.co.uk) but on a non-Zen Internet Connection. In my case this network connection is on BT's network, but if we simplified it, it could be a wifi hotspot in a cafe, airport terminal, sky broadband, plusnet etc. It does not matter, just as long as the connection is not one of Zen's.

Zen offer 2 ways to send mail via their mail servers:

1. If you're on a Zen Internet connection (like Zen FTTP/FTTC) then you can send via Zen's mailserver (mailhost.zen.co.uk) with no authentication needed in any sense. This is because of course you're on their network so they automatically "trust" you. You also don't need to tell them what email domains (e.g. you@yourdomain.com) you're sending from.

2. Zen offer the ability to send via their mailservers via authentication if you're not on their network (e.g. another ISP's internet/airport/cafe etc.) - Instead you must auth via TLS so they have another way to trust you.

It's defined very simply here in this Zen KB article for configuring Outlook 2010 to send via their mailserver. You configure it to use Auth via TLS so no matter where you are in the world you can send email. Otherwise it would mean you also need to change your SMTP settings when you're travelling to send email depending on the network connection you're currently using. That is not really feasible. In addition, Outlook 201x doesn't allow you to send via DNS so your only choice is via a mail server.

https://support.zen.co.uk/kb/Knowledgebase/Broadband...

Quote "This article provides a step-by-step guide on how to change the settings in Outlook 2010 to send and receive your Zen Broadband email while travelling with a laptop, or using a computer, when not connected through your Zen Broadband service."

I should clarify that I configured a Thunderbird mail client on the same BT internet connection as our Exchange environment to send via Auth with TLS using one of my own domain names via Zen's mailserver (mailhost.zen.co.uk) and it works fine. This proves it works, just not playing ball via Exchange.

I'm well versed in DNS mail delivery via MX records and yes it's not best practice and while it can work reasonably well if your rPTR's are configured etc. it's not foolproof.

On the other hand, sending email via BT's mail servers even if you're on their network requires you to tell them about your own domain names you're sending from (that are not registered via BT) so they are added to their mail relay 'whitelist' as you mention. Again, I'm well across this having done this many times.

I should clarify I have no issue sending via BT's mail servers, if I want to send via them I'll use "mail.btconnect.com". My issue is when sending via Zen's mail servers on a non-Zen network connection.

@jchamier - The reason why is for resiliency. I have also found sometimes BT's mail servers have more bad days than others (that of course is subjective and just my own experience) plus the hassle of registering new domains for mail relay whitelisting can be a challenge depending who you speak to on the end of the phone at BT. Zen don't have this restriction as long as you're authenticated either by being on one of their network connections, or as we have discussed, via Authentication credentials over TLS.

@10forcash - Correct, failover is an option and costings I'm well across. It's something we are doing now, but I'm just looking into other options which was the original reason for the post.

@CecilWard - Thanks, this is interesting and I appreciate the info and links. I'll take a look. This was something I was using with another company a few years back but reverted back to our ISP's mail servers for mail relay (for reasons I can't recall), but appreciate the links. Thanks

@Geordish - Thanks for this, this again backs up my comments that this ability to send email via Zen's mail servers while not on their network is indeed possible so appreciate the image and link. Your settings look right to me which is why they are working (!) but for me something is awry.

We are actually bumping up the protocol logging tomorrow so we can see if we can fish out why it's failing.

I hope my responses are read in the correct manner but again thanks for all the feedback

Cheers

Edited by andyhud (Sun 30-Jul-17 10:04:56)

Standard User jchamier
(eat-sleep-adslguide) Sun 30-Jul-17 11:05:46
[re: andyhud]
 
Having re-read your posts, I'm pretty sure you've ruled out the problem being Zen or BT - the problem is how to configure Exchange to handle the authentication in the same way as Thunderbird did. In times gone by I would have suggested a Wireshark capture from both applications, but given TLS this is no longer any use.

You might need to find an Exchange forum rather than this Broadband forum - as you've already proved, the connection works if you can authenticate - so the real issue is that Exchange isn't sending what you need it to send. I used to know Exchange, but never had to do authenticated send, and it's changed a lot in the last 5 / 6 years.

Standard User andyhud
(newbie) Sun 30-Jul-17 18:13:30
[re: jchamier]
 
In reply to a post by jchamier:
Having re-read your posts, I'm pretty sure you've ruled out the problem being Zen or BT - the problem is how to configure Exchange to handle the authentication in the same way as Thunderbird did. In times gone by I would have suggested a Wireshark capture from both applications, but given TLS this is no longer any use.

You might need to find an Exchange forum rather than this Broadband forum - as you've already proved, the connection works if you can authenticate - so the real issue is that Exchange isn't sending what you need it to send. I used to know Exchange, but never had to do authenticated send, and it's changed a lot in the last 5 / 6 years.


Thanks Jchamier. You have hit the nail on the head. It does work just not via Exchange. I work with Exchange every day since the days of Exchange 4.0 so well versed in the technology which bugs me as to why this one isn't working!

The reason for posting here was because I wanted to see if anyone else had got any mail server (Unix/IIS/Exchange etc.) to work with Zen Mail Servers using Auth with TLS and not just Exchange. I have asked a similar question on the Exchange forums also.

I'll see what the verbose protocol logging throws up tomorrow... I'm sure it's something simple.

Cheers

Andy
Standard User fredfox
(experienced) Sun 30-Jul-17 18:19:28
[re: andyhud]
 
I'm no expert so not surprised if I've got the wrong end of the stick here :)

You're trying to relay mail from your Exchange server via Zen, but using instructions Zen have provided for setting up a mail client to authenticate to their server for send / receive mail from your own account? Aren't they two different things?

I can use my Exchange 2016 server to send direct without using a smarthost from my Zen FTTP connection so really don't understand why you need to use one :)

Pipex
Nildram
UKFSN
Be *
Xilo / Uno
Now -> Zen and BT

Fibre is here ! FTTP :)
Standard User BatBoy
(sensei) Sun 30-Jul-17 18:31:38
[re: fredfox]
 
In reply to a post by fredfox:
I can use my Exchange 2016 server to send direct without using a smarthost from my Zen FTTP connection so really don't understand why you need to use one :)

He wants to send mail from his Zen smarthost while connected to BT
Standard User andyhud
(newbie) Sun 30-Jul-17 18:33:28
[re: fredfox]
 
In reply to a post by fredfox:
I'm no expert so not surprised if I've got the wrong end of the stick here :)

You're trying to relay mail from your Exchange server via Zen, but using instructions Zen have provided for setting up a mail client to authenticate to their server for send / receive mail from your own account? Aren't they two different things?

I can use my Exchange 2016 server to send direct without using a smarthost from my Zen FTTP connection so really don't understand why you need to use one :)


Hi Fred, no problem!

Yes and no, they are 2 different things (sending email via Zen using Authentication from an Outlook client directly over the internet) or (sending email via Zen using Authentication from Microsoft Exchange directly over the internet)

While they are 2 different things, they are using (or should be using) the same method to send email via Zen's mail servers.

Exchange with no smart host defined will send via DNS which means Exchange will do a direct MX record lookup of the recipient's email address, find their mail server and send direct to that. It does work, but sometimes can fail if for example the recipient's mail server is restricted to only receive email from their ISPs/AntiSpam host mail servers or can't successfully do a reverse DNS lookup of the IP address your Exchange server is sending from. Best practice is generally to send via a mail server (like Zen's for example).

My issue is I'm trying to send email from our Exchange 2016 environment via Zen's mail server but from a non Zen internet connection, in this example a BT internet connection but it could be any provider, just not Zen. Unfortunately it's just not working, but does work if I use a simple mail client over the same internet circuit.

I'm 99.9% sure it's a config in Exchange that needs tweaking, just got to find it.

Cheers

Andy
Standard User 10forcash
(regular) Sun 30-Jul-17 20:55:32
[re: andyhud]
 
Are both the endpoint and mail server using the same TLS version? You should have SSL 3.0 & TLS 1.0 disabled on Exchange - also confused that you mentioned Unix and IIS as mail servers...

Edited by 10forcash (Sun 30-Jul-17 20:56:55)

Standard User fredfox
(experienced) Sun 30-Jul-17 21:50:15
[re: andyhud]
 
Thank you :) and good luck! Can you update this thread when you find a solution, never looked at smarthost (seen when setting up Exchange) so I'd be interested in knowing how you fixed it :)

Standard User andyhud
(newbie) Sun 30-Jul-17 22:17:52
[re: fredfox]
 
Ok, update.. problem fixed after I decided to have a look this evening remotely... all working now via Exchange 2016 sending to Zen's mail servers on a non-Zen Internet circuit via Authentication with TLS.

Problem was we had a setting enabled on our Exchange Send connector to "Proxy" outbound messages via the Client Access Role on Exchange (this feature was introduced in Exchange 2013). It allows organisations to simplify (as one example) how outbound mail flow is sent out to the internet and force it through a single/group of Client Access servers. This only applies to Exchange 2013/2016.

Problem seemed to be that Zen's mail server didn't introduce back the AUTH command (telling Exchange to send the zen username/password to authenticate with) during the telnet negotiation after the STARTTLS command was issued (for reasons I'm not yet clear on). Instead I changed this specific Send Connector in Exchange to not proxy outbound email via our Client Access Servers and instead just send it straight out via the Transport "Service" on the mailbox server directly to Zen's 'mailhost.zen.co.uk' and hey presto, it worked. Looking at the protocol logs that I set to verbose to troubleshoot you can then see the session getting stood up, TLS negotiating, authentication credentials getting sent, email being sent and then the session stood down.

This kind of 'proxy' setup would only apply to people using Exchange 2013 onwards and I suspect that other mail server platforms probably don't have the ability to "proxy" outbound email via different parts of their platform.

Fred - Hope this helps, but it's not really related to smarthost(s)... they are just a mail server you assign in your send connectors to send mail via... in this case, I am using Zen's "mailhost.zen.co.uk". If you don't populate anything (which is the default) then Exchange will just send via DNS as explained earlier.

10forcash - Yep, SSL 3 and TLS 1.0 disabled as part of our standard server build. As for UNIX and IIS, what I am referring to is the ability to have a mail server running on UNIX (like Exim or Postfix) or say using the SMTP service built into IIS to send mail.

Hope some, no matter how little of this has been useful.. as suspected it turns out it was a setting/config change on Exchange and nothing to do with BT and/or Zen from a network connection/mail relay perspective.

Cheers

Andy

p.s Here is a snippet from the Exchange logs showing the transaction. I've edited a few names and removed all the certificate CN names etc (too much to word wrap)

The 81.x.x.x is my BT Business FTTP Static IP range.

220 smarthost01b.mail.zen.net.uk ESMTP Exim 4.80 Sun, 30 Jul 2017 20:56:11 +0000",
EHLO mx.mydomain.com,
250 smarthost01b.mail.zen.net.uk Hello mx.mydomain.com [81.x.x.x] SIZE 36700160 8BITMIME ETRN PIPELINING STARTTLS HELP,
STARTTLS,
220 TLS go ahead,

CN=*.mydomain.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA,
CN=*.zen.co.uk, OU=COMODO SSL Wildcard, OU=Hosted by Zen Internet LTD, OU=Domain Control Validated
TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits,
Valid,Chain validation status
CN=*.zen.co.uk, OU=COMODO SSL Wildcard, OU=Hosted by Zen Internet LTD, OU=Domain Control Validated
EHLO mx.mydomain.com,
250 smarthost01b.mail.zen.net.uk Hello mx.mydomain.com [81.x.x.x] SIZE 36700160 8BITMIME ETRN PIPELINING AUTH PLAIN LOGIN HELP,
AUTH LOGIN,
334 <authentication information>,
<Binary Data>,
<,334 <authentication information>,
<Binary Data>,
<,235 Authentication succeeded,
,,sending message with RecordId 43142946488393 and InternetMessageId <be4ce1c2db5846b99e6bd3b7152a761e@mydomain.co.uk>
MAIL FROM:<andy@mydomain.co.uk> SIZE=4739,
RCPT TO:<andy@myotherdomain.com>,
250 OK,
250 Accepted,
DATA,
354 Enter message, ending with ""."" on a line by itself",
250 OK id=1dbvFz-0000Ih-HH,
QUIT,
221 smarthost01b.mail.zen.net.uk closing connection,

Edited by andyhud (Sun 30-Jul-17 22:31:26)
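
The difference between the failing and the working session described in the post above can be read straight out of a protocol log by checking whether AUTH appears in the EHLO reply that follows STARTTLS. The Python below is an added example, not code from the thread or from Exchange: `analyse`, `diagnose` and both transcripts are constructed for illustration (the working one is trimmed from the log snippet above; the failing one is assembled from the bounce text in the first post and the description of AUTH not being re-advertised).

```python
import re
from itertools import takewhile

REPLY = re.compile(r"^(\d{3})[ -](.*)$")
VERBS = {"EHLO", "HELO", "STARTTLS", "AUTH", "MAIL", "RCPT", "DATA", "QUIT"}
SASL = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "NTLM", "GSSAPI", "XOAUTH2"}

# Constructed sample, trimmed from the Exchange log snippet in the post above.
WORKING = """\
220 smarthost01b.mail.zen.net.uk ESMTP Exim 4.80,
EHLO mx.mydomain.com,
250 smarthost01b.mail.zen.net.uk Hello mx.mydomain.com [81.x.x.x] SIZE 36700160 8BITMIME ETRN PIPELINING STARTTLS HELP,
STARTTLS,
220 TLS go ahead,
EHLO mx.mydomain.com,
250 smarthost01b.mail.zen.net.uk Hello mx.mydomain.com [81.x.x.x] SIZE 36700160 8BITMIME ETRN PIPELINING AUTH PLAIN LOGIN HELP,
AUTH LOGIN,
<,235 Authentication succeeded,
MAIL FROM:<andy@mydomain.co.uk> SIZE=4739,
250 OK,
"""

# Constructed failing case in raw SMTP form: no AUTH in the second EHLO reply.
FAILING = """\
220 smarthost01d.mail.zen.net.uk ESMTP
EHLO mx1.mydomain.com
250-smarthost01d.mail.zen.net.uk Hello mx1.mydomain.com [81.x.x.x]
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
EHLO mx1.mydomain.com
250-smarthost01d.mail.zen.net.uk Hello mx1.mydomain.com [81.x.x.x]
250 HELP
MAIL FROM:<andy@mydomain.co.uk>
RCPT TO:<andy@myotherdomain.com>
550-This is not an open relay. To send through this server you must either be
550 on a Zen Internet IP address or be authenticated over TLS.
"""


def analyse(transcript):
    """Track TLS state and record where the server advertised AUTH."""
    r = {"starttls_offered": False, "tls": False, "auth_before_tls": [],
         "auth_after_tls": [], "authenticated": False, "rejected": None}
    last_cmd = None
    for raw in transcript.splitlines():
        line = raw.strip().lstrip('<,"').rstrip(',"')  # drop log field noise
        m = REPLY.match(line)
        if not m:  # client side: remember the SMTP verb, ignore anything else
            verb = line.split(" ")[0].upper()
            last_cmd = verb if verb in VERBS else last_cmd
            continue
        code, text = m.groups()
        tokens = text.upper().split()
        if code == "250" and last_cmd in ("EHLO", "HELO"):
            r["starttls_offered"] |= "STARTTLS" in tokens
            if "AUTH" in tokens:  # mechanisms follow the AUTH keyword
                mechs = list(takewhile(SASL.__contains__,
                                       tokens[tokens.index("AUTH") + 1:]))
                r["auth_after_tls" if r["tls"] else "auth_before_tls"] = mechs
        elif code == "220" and last_cmd == "STARTTLS":
            r["tls"] = True
        elif code == "235":
            r["authenticated"] = True
        elif code[0] == "5" and r["rejected"] is None:
            r["rejected"] = f"{code} after {last_cmd}"
    return r


def diagnose(r):
    if not r["tls"]:
        return "tls-not-started"
    if not r["auth_after_tls"]:
        return "auth-not-advertised-after-starttls"
    return "authenticated-over-tls" if r["authenticated"] else "auth-not-completed"
```

A non-empty `auth_before_tls` in the result is worth flagging on its own, since it means the server offers AUTH on the cleartext channel before STARTTLS.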

Standard User fredfox
(experienced) Sun 30-Jul-17 22:37:56
[re: andyhud]
 
Glad it's sorted and thanks for the explanation :) Time to play and learn some more!
