I can has clevernessesses
Aug. 16th, 2007 03:41 pm
[Warning: please ignore unless you feel like indulging in Middle Techiespk]
I'm trying to rationalise the setup I have with the gateway mail servers at present, so that they don't rewrite the addresses that they are delivering to. We have a .com (the primary address) and a secondary .gov.au address for each mailbox. At present the default address is used for everything - if someone sends to the .gov.au address, it gets rewritten to the .com address. This seems to be slightly inefficient to me, and I was trying to rejig things so that all the address alternatives are treated in the same way, with no rewriting.
I got everything sorted out on the gateway side (yay Perl), but I could not make the Exchange servers accept a direct delivery to the secondary address - it refused connections, saying "invalid user". Exchange has a mechanism that automatically generates addresses for every account in the domain - when the user mailbox gets created, we certainly don't sit there typing each and every address in by hand. Our address generator looks like this:
@windows.domain.gov.au
**%g.%s@extdomain.com**
%g.%s@domain.gov.au
What that does is create addresses of "username@windows.domain.gov.au" and the primary and secondary addresses of firstname.secondname at our .com and .gov.au domains. The bolded address is the primary one. In theory, the Exchange server should accept mail for each of these addresses - if they're listed in the address generator, and some mailboxes have these addresses, mail should get delivered.
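To make the generator rules concrete, here is a small expander for that template syntax. This is an added example, not code from the post or from Exchange: it implements the two rule shapes shown above (a bare `@domain` rule that uses the mailbox alias as the local part, and `%g`/`%s` substitution), plus two assumptions beyond the post, namely a `%m` alias variable and a numeric prefix such as `%1g` meaning "first N letters of the field", and it strips characters that are not safe in a local part (spaces, apostrophes) so that names like "O'Brien" still yield a deliverable address. The account values are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass
class Account:
    alias: str     # Windows logon name / mailbox alias
    given: str     # first name, substituted for %g
    surname: str   # last name, substituted for %s


# The generator rules quoted in the post; the .com rule is the primary address.
TEMPLATES = [
    "@windows.domain.gov.au",
    "%g.%s@extdomain.com",
    "%g.%s@domain.gov.au",
]
PRIMARY_TEMPLATE = "%g.%s@extdomain.com"

# Variable -> Account field. %m (alias) is an assumption beyond the post.
FIELDS = {"g": "given", "s": "surname", "m": "alias"}
VAR = re.compile(r"%(\d*)([gsm])")   # optional count, then the variable letter


def expand(template, account):
    """Expand one generator rule into a single address for `account`."""
    local, sep, domain = template.partition("@")
    if not sep or not domain:
        raise ValueError(f"rule has no domain: {template!r}")
    if local == "":
        # A bare "@domain" rule: the mailbox alias becomes the local part
        return f"{account.alias}@{domain}"

    def substitute(match):
        count, code = match.groups()
        value = getattr(account, FIELDS[code])
        return value[: int(count)] if count else value   # %1g -> first letter

    local = VAR.sub(substitute, local)
    # Assumption: keep only characters that are safe in an unquoted local part
    local = re.sub(r"[^A-Za-z0-9._-]", "", local)
    return f"{local}@{domain}"


def generate_addresses(account, templates=TEMPLATES, primary=PRIMARY_TEMPLATE):
    """All proxy addresses for the account, with the primary called out."""
    return {
        "primary": expand(primary, account),
        "all": [expand(rule, account) for rule in templates],
    }


if __name__ == "__main__":
    joe = Account(alias="jbloggs", given="Joe", surname="Bloggs")   # constructed sample
    for addr in generate_addresses(joe)["all"]:
        print(addr)
```

The point of keeping the primary as a separate field is the one the post makes: every address in `all` is one the server should accept for delivery, but only `primary` is what the mailbox's outbound mail is stamped with, and (as the next sections show) being able to generate an address is not the same as being authoritative for its domain.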
However, that delivery to the secondary address wasn't happening. ARGH. The domains were in the address generator, the addresses were being generated, and I was trying to send to an address I had checked actually existed. Bouncy bouncy bouncy.
Then I bethought myself of the concept of "authoritative destinations". If a message can't be delivered, sooner or later it needs to be bounced. A mail server needs to be told it's authoritative for a certain domain - otherwise, it's merely relaying to a given domain, even if the message can be delivered locally. The bounces I was getting were telling me that relay permission had been denied - it took me a little while to unravel, since that's a usual error if a certain address can't be found.
The Exchange servers are authoritative for the .com and the windows.domain addresses. They are not authoritative for the .gov.au addresses - those "belong" to the gateway servers. So, if Joe Bloggs has a mail account, but perhaps it's over quota, anyone who tries to send to the .com address will get the message bounced by the Exchange servers. If someone tries to send to his .gov.au address, it'll get bounced by the gateway servers. This is true even if the sender is also on the same internal Exchange server - Exchange forwards the message to the server that is authoritative for that mail domain (there's actually a bit more going on under the hood, but that's what it boils down to). If Joe cleans up his mailbox and there are no more bounces, messages will get accepted by the Exchange server, no matter what address was used to send to it.
That was fine, but why wasn't the mail being delivered even between the Exchange servers to .gov.au addresses if I did it manually? Then I thought of something else. The message transport protocol is SMTP. Exchange has quite a nice feature where you can secure SMTP traffic and only accept it from nominated servers. This is one mechanism to stop Exchange becoming an "open relay" (where any Tom, Dick and Harry in the world can connect to a mail server and send mail to anyone else in the world - there are still open relays lying around). By default, Exchange is configured to only accept mail from authenticated senders (such as anyone on the domain and other Exchange servers)... except for domains where it is authoritative - it has to accept mail to those .com primary addresses, or bounce it. Mail for other domains is being "relayed", even though the destination is actually the same mailboxes.
So the fix was exceedingly simple - add my gateway servers to the list of machines that are permitted to relay "via" the Exchange servers. Ba-ding! Message delivery to the .gov.au addresses is now working perfectly.
Now I just have to test whether a bounce gets processed correctly - if the gateway servers don't think they're authoritative for the .gov.au domain either (although I have configured them to think so), they'll try to send it back to the Exchange servers or out to the Internet... where it will come back, and go around and around and around. This is called a "message loop" and it is a Very Bad Thing.
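The interplay of "authoritative destination", "permitted to relay" and "message loop" described in the last few paragraphs is easier to see in a model than in bounce messages, so here is one as an added example (my code, not anything from the post, from Exchange or from the Perl gateway). Each server is reduced to the three settings the post talks about: the domains it is authoritative for, the peers allowed to relay through it, and where it hands mail on. The `rcpt_decision` function answers RCPT TO the way the post describes (authoritative domain: accept and deliver or bounce; otherwise accept only from a permitted relay client; otherwise relay denied), and `route` follows a message from server to server with a hop limit standing in for the loop-detection a real MTA does on Received headers. Server names, addresses and the hop limit are constructed sample data; the rule that an authoritative server bounces a message its delivery peer has handed back, rather than forwarding it again, is my assumption about how a sane gateway behaves.

```python
from dataclasses import dataclass, field

MAX_HOPS = 10   # constructed hop limit; real MTAs reject "too many hops" similarly


@dataclass
class MailServer:
    name: str
    authoritative: set                                       # domains this server accepts (and bounces) itself
    local_mailboxes: set                                     # addresses actually stored here
    relay_allowed_from: set = field(default_factory=set)     # peers permitted to relay through us
    next_hop: dict = field(default_factory=dict)             # domain -> peer that mail is handed to


def rcpt_decision(server, recipient, client):
    """What `server` answers to RCPT TO:<recipient> from `client`."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in server.authoritative:
        return "250 accepted (authoritative: will deliver or bounce)"
    if client in server.relay_allowed_from:
        return "250 accepted (relay permitted)"
    return "550 relay denied"


def route(servers, recipient, first_hop, client="internet", max_hops=MAX_HOPS):
    """Follow a message server to server; returns (outcome, path of (server, reply))."""
    path = []
    current = first_hop
    domain = recipient.rsplit("@", 1)[1].lower()
    while len(path) < max_hops:
        server = servers[current]
        reply = rcpt_decision(server, recipient, client)
        path.append((current, reply))
        if reply.startswith("550"):
            return "rejected", path
        if recipient.lower() in server.local_mailboxes:
            return "delivered", path
        peer = server.next_hop.get(domain)
        # Nowhere further to send it, or the delivery peer has just handed it back
        # to the authoritative server: the buck stops here and a bounce is generated.
        if peer is None or (domain in server.authoritative and client == peer):
            return "bounced", path
        client, current = current, peer
    return "loop detected", path


def build_site(gateway_in_exchange_relay_list, gateway_authoritative_for_gov=True):
    """Two-server site from the post, with the two settings under discussion as knobs."""
    exchange = MailServer(
        name="exchange",
        authoritative={"extdomain.com", "windows.domain.gov.au"},
        local_mailboxes={"joe.bloggs@extdomain.com", "joe.bloggs@domain.gov.au",
                         "jbloggs@windows.domain.gov.au"},
        relay_allowed_from={"gateway"} if gateway_in_exchange_relay_list else set(),
        next_hop={"domain.gov.au": "gateway"},
    )
    gateway = MailServer(
        name="gateway",
        authoritative={"domain.gov.au"} if gateway_authoritative_for_gov else set(),
        local_mailboxes=set(),                     # the gateway holds no mailboxes
        relay_allowed_from={"exchange"},
        next_hop={"domain.gov.au": "exchange", "extdomain.com": "exchange"},
    )
    return {"exchange": exchange, "gateway": gateway}


def scenarios():
    """The cases discussed in the post, as outcomes of the model."""
    before = build_site(gateway_in_exchange_relay_list=False)
    after = build_site(gateway_in_exchange_relay_list=True)
    gw_not_auth = build_site(gateway_in_exchange_relay_list=True, gateway_authoritative_for_gov=False)
    return {
        "before_fix": route(before, "joe.bloggs@domain.gov.au", "exchange", client="gateway")[0],
        "after_fix": route(after, "joe.bloggs@domain.gov.au", "exchange", client="gateway")[0],
        "unknown_user_bounce": route(after, "nobody@domain.gov.au", "exchange", client="gateway")[0],
        "unknown_user_loop": route(gw_not_auth, "nobody@domain.gov.au", "exchange", client="gateway")[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22s} {outcome}")
```

Two things worth noticing when you run it. First, adding the gateway to the Exchange relay list changes the .gov.au delivery from "550 relay denied" to delivered without Exchange becoming any more open to the Internet, because the decision is keyed on which client is connecting, not on the recipient. Second, the loop case only appears when the gateway is not authoritative for its own domain: with authority set, the gateway bounces the unknown-user message the first time Exchange hands it back, which is exactly the test the last paragraph is about.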