Note It is not recommended that you allow your mail gateway to relay mail from one external host to another external host on the Internet.
The illustration (not reproduced here) shows mail flow through an Exchange SMTP mail gateway. This deployment is only an example, but it demonstrates fundamental guidelines for protecting your intranet mail system.
In the illustrated example, a company called Winery Inc. has connected its Exchange intranet to the Internet. Their mail gateway has been configured with two network interfaces. One is connected to the corporate network (whose domain is winery-co.co) and the other network interface is connected to the Internet. The external network interface is bound to the external IP address, while the internal network interface is bound to an internal IP address.
Two SMTP virtual servers are set up on this mail gateway such that both have a local domain of winery-co.co, and all messages are delivered to the mailbox store. This way, messages addressed to a winery-co.co user will be correctly directed to the internal Exchange server containing the user's mailbox.
Virtual Server 1 is bound to the external IP address and is configured not to relay mail. Virtual Server 2 is bound to the internal IP address and can relay mail. Finally, the external network interface is not configured with any DNS servers, while the internal network interface is configured only with DNS servers on the intranet of winery-co.co. Winery Inc. has now set up their mail system so that the following rules apply:
The following chart demonstrates what will happen with different kinds of mail in Winery Inc.'s mail gateway configuration:
| Mail From | Addressed To | Result |
| --- | --- | --- |
| Internet users | Internet users (not @winery-co.co) | Mail will be received at Virtual Server 1, which is configured to not relay mail. |
| Internet users | EricM@winery-co.co | Mail will be received at Virtual Server 1. Exchange will look up the server that contains EricM's mailbox and the message will be delivered. |
| EricM@winery-co.co | KimY@winery-co.co | All internal mail is handled by Virtual Server 2. The message is categorized and the internal destination server that contains KimY's mailbox is determined. This server should have a name like server.winery-co.co, so Exchange will know it is a local domain and won't try to resolve the host name. |
| KimY@winery-co.co | Internet users | The message will be received by Virtual Server 2. If the message is addressed to a domain other than winery-co.co, the server will know it isn't a local domain and will then call on a pre-determined list of external DNS servers to look up MX records for that domain. If successful, those DNS servers will send back a list of IP addresses that can receive mail for that domain. Virtual Server 2 will then try to initiate an SMTP session with each IP address on the list until the message is sent. |
| Spammers, unauthorized sender | winery-co.co | Message filtering configured on Virtual Server 1 will block these messages. |
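As an added example (not part of the Exchange documentation), the following Python model captures the policy the chart describes, so each outcome can be checked side by side: local delivery on either virtual server, relay denied on Virtual Server 1, sender filtering on Virtual Server 1, and MX-by-MX relay attempts on Virtual Server 2. The IP addresses, the blocked sender domain and the DNS/delivery stubs are constructed assumptions.

```python
from dataclasses import dataclass

LOCAL_DOMAIN = "winery-co.co"  # local domain shared by both virtual servers


@dataclass
class VirtualServer:
    name: str
    bound_ip: str          # constructed address the virtual server is bound to
    relay_allowed: bool    # Virtual Server 1: False, Virtual Server 2: True
    blocked_senders: frozenset = frozenset()  # sender filtering (VS1 only)


VS1 = VirtualServer("Virtual Server 1", "203.0.113.25", False,
                    frozenset({"spam.example"}))  # constructed filter entry
VS2 = VirtualServer("Virtual Server 2", "10.0.0.25", True)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def is_local(domain: str) -> bool:
    # server.winery-co.co counts as local, just like winery-co.co itself
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def route(server, mail_from, rcpt_to, mx_lookup, deliver):
    """Outcome for one message arriving on `server`.

    mx_lookup(domain) -> IPs from the external DNS list (stubbed below)
    deliver(ip)       -> True when the SMTP session to that host succeeds
    """
    if domain_of(mail_from) in server.blocked_senders:
        return "blocked by sender filter"
    if is_local(domain_of(rcpt_to)):
        return f"delivered to mailbox store for {rcpt_to}"
    if not server.relay_allowed:
        return "relay denied"  # Virtual Server 1 never forwards externally
    for ip in mx_lookup(domain_of(rcpt_to)):  # try each MX host in turn
        if deliver(ip):
            return f"relayed via {ip}"
    return "no MX host accepted the message"


# Constructed stubs: one external domain with two MX hosts, the first down
def fake_mx(domain):
    return {"example.net": ["192.0.2.1", "192.0.2.2"]}.get(domain, [])


def fake_deliver(ip):
    return ip != "192.0.2.1"
```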
Note For this deployment to work as described here, you have to configure an SMTP connector on the mail gateway. Set up a smart host for the SMTP address space * to the internal IP address used by Virtual Server 2.
Keep in mind that in this setup the mail gateway can only be configured with internal DNS servers. This may affect other applications in your organization that use DNS and need to use DNS servers other than your internal ones.
Related Topics: Configure an SMTP Virtual Server; Create an External DNS List