date: Tue, 13 Nov 2007 16:19:46 -0800,
group: microsoft.public.exchange.design
Basic Design Question on Windows Domain Vs Internet Domain Names
Hi All,
I have had a longstanding question on the proper implementation of Exchange
and how to reconcile the internal Windows Domain name versus the publicly
registered web domain name.
It was my impression that Microsoft recommended using an internal Windows
domain name different from your web domain name. In this case, you end up
with 2 sets of email addresses: AD-based addresses, which should not be
used for external communication, and another set of publicly addressable,
normally POP3, email accounts.
We like Exchange because of the conveniences that it would offer, such as
calendar sharing, mailbox management, possible central spam management,
etc...
Given the above situation, is it possible to use 1 set of exchange hosted
email addresses for both external and internal use?
I'm sure it's an issue many of you have had to deal with before. Is there a
correct way of addressing the situation?
Thanks for your help.
date: Tue, 13 Nov 2007 16:19:46 -0800
author: Tom Bombadill
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
You simply modify the Recipient Policy (in Exchange Server 2003/2000) or
Accepted Domain and EmailAddressPolicy (Exchange Server 2007) to reflect the
external/registered domain.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------
date: Tue, 13 Nov 2007 19:03:12 -0800
author: Bharat Suneja [MVP]
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Hi Bharat,
Forgive my ignorance, but could you please elaborate on the idea a little
further? We have an Exchange 2003. What modification do you need to make to
the Recipient Policy, and how does it help address the problem? The way I
see it, your AD based email addresses still remain unresolvable through
Public DNS. So I still do not understand how you can use your AD based
accounts for external communication.
If you know of any links that may shed light on this issue for me, I would
greatly appreciate it.
Thanks,
date: Wed, 14 Nov 2007 09:51:18 -0800
author: Tom Bombadill
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
- Your AD namespace can be the same as your registered external domain(s) or
it can be a different namespace, perhaps unregistered or even invalid (using
a suffix like .local for instance... ).
- In the former case, no issues.
- In the latter case, the default Recipient Policy picks up your AD domain
and uses it to create email addresses.
- You can modify it to use the external/registered domain.
- Regardless of email addresses, it's not like you're using one set of
addresses to communicate internally, and another set to communicate with
internet senders/recipients. Internally, Exchange looks up AD to resolve
recipients. If recipients have email addresses using the registered domain
(set as default), regardless of all other email addresses they may have (or
not), it works for both internal and internet mail.
- As a side note, the only use for the registered domain (and email addresses
using those) is for inbound mail sent by internet senders - the domain part
is used to perform DNS lookups to route messages to your designated
server(s). Outbound internet mail works regardless of email address used,
but you won't be able to get replies if the address is invalid.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------
date: Wed, 14 Nov 2007 11:37:35 -0800
author: Bharat Suneja [MVP]
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Thanks for following up with me, Bharat!
So let's see if I got this straight.
Our internal domain name: abc.local
Our Internet domain name: xyz.com
I went to Exchange System Manager | Recipients > Recipient Policies >
Default Policy > Properties > E-mail Addresses (Policy) tab and here's what
I see:
SMTP @abc.local
X400 c=us;a= ;p=abc;o=Exchange;
Both entries are checked.
Are you saying I need to make a change here to somehow replace the AD domain
name with the xyz.com domain name? If so, what changes do I need to make?
Thanks again.
date: Wed, 14 Nov 2007 12:40:34 -0800
author: Tom Bombadill
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Go to the recipient policy. On the e-mail address tab, click new. Select
SMTP. In the address field, type in @xyz.com, select 'This Exchange
organization is responsible...'. Click OK.
Select the new address, click on 'Set as Primary'.
You're done. Whenever you create a new user, he will get a @abc.local,
@xyz.com and a X.400 address with the @xyz.com as primary.
date: Wed, 14 Nov 2007 13:24:55 -0800
author: Asher_N
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Wow, that sounds really simple, Asher. Thanks!
I have a follow-on question, though it may go a little beyond the realm of
the original issue.
As you might have guessed by now, our Exchange is sitting inside our
network, behind the firewall, using a private static IP address. I've
already configured it as our SMTP server. So all POP3 accounts in Outlook
clients point to it for outgoing server.
Now what steps do I need to take in order to have our outside mail directly
come to the Exchange and simply bypass the POP3 boxes, currently hosted by
our Domain Name registrar (AIT)?
Regards,
date: Wed, 14 Nov 2007 14:22:32 -0800
author: Tom Bombadill
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Firewall:
1) NAT: Most commercial firewalls allow you to set up a NAT (Network Address
Translation) rule to map a server's internal IP address to an external IP
address provided by your ISP.
2) Access Rule: Allow inbound SMTP (tcp port 25) to the server.
Test: From a computer outside the firewall, telnet to the SMTP port (telnet
x.x.x.x 25), where x.x.x.x is the external IP address.
External DNS:
1) A Record: In the external DNS (which may be hosted by your ISP/Domain
Registrar) create an A record mapping the server's FQDN to the external
address (from the NAT rule you created above).
Test from outside: nslookup server.domain.com
2) MX Record: Create/modify MX record to point to the A record.
Test from outside: nslookup -type=MX domain.com
Now it's time to send a test message using telnet or from any external email
systems.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------
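As an added example (not code from the thread or from any of its posters): an offline consistency check of the chain the steps above build, NAT rule to A record to MX record, run against constructed sample records. The hostnames, the internal address 192.168.1.10 and the documentation address 203.0.113.25 standing in for the ISP-provided external IP are assumptions; the "bad" variant shows two mistakes the check flags, an MX pointing at a CNAME and an external A record copied from internal DNS with the private address.

```python
import ipaddress

# Constructed sample data (assumed values, not from the thread). 203.0.113.25
# is a documentation address standing in for the ISP-provided external IP.
NAT_RULES = {"192.168.1.10": "203.0.113.25"}          # internal IP -> external IP

# Correct external DNS: the server's FQDN has an A record for the NAT external
# address, and the domain's MX record points at that A record.
A_RECORDS_OK = {"mail.xyz.com": "203.0.113.25"}
CNAME_RECORDS_OK = {}
MX_RECORDS_OK = {"xyz.com": [(10, "mail.xyz.com")]}

# Broken variant: the A record was copied from internal DNS (private address)
# and the preferred MX points at a CNAME instead of the A record.
A_RECORDS_BAD = {"mail.xyz.com": "192.168.1.10"}
CNAME_RECORDS_BAD = {"smtp.xyz.com": "mail.xyz.com"}
MX_RECORDS_BAD = {"xyz.com": [(10, "smtp.xyz.com"), (20, "mail.xyz.com")]}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in a private (RFC 1918) range, i.e. internet senders cannot reach it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_ip_literal(name: str) -> bool:
    """True if an MX target was written as an IP address instead of a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_inbound_mail_path(domain, internal_ip, nat, a_records, cname_records, mx_records):
    """Walk the chain NAT rule -> A record -> MX record for inbound SMTP.

    Returns a list of (code, message) findings; an empty list means the chain
    is consistent and internet senders will be routed to the NAT external IP.
    """
    findings = []

    # Step 1 (firewall): the server must have a NAT mapping to a public address.
    external_ip = nat.get(internal_ip)
    if external_ip is None:
        findings.append(("NO_NAT", f"no NAT rule maps {internal_ip} to an external address"))
    elif is_rfc1918(external_ip):
        findings.append(("NAT_PRIVATE", f"NAT target {external_ip} is itself a private address"))

    # Step 2 (external DNS): every MX target must be a hostname with an A record
    # (RFC 2181 forbids MX targets that are CNAMEs) resolving to the NAT external IP.
    mx_targets = mx_records.get(domain, [])
    if not mx_targets:
        findings.append(("NO_MX", f"no MX record for {domain}; internet senders cannot route to it"))

    for _preference, target in sorted(mx_targets):
        if is_ip_literal(target):
            findings.append(("MX_IS_LITERAL", f"MX target {target} is an IP address, not a hostname"))
            continue
        if target in cname_records:
            findings.append(("MX_TO_CNAME", f"MX target {target} is a CNAME; point it at the A record"))
            continue
        addr = a_records.get(target)
        if addr is None:
            findings.append(("MX_NO_A", f"MX target {target} has no A record"))
        elif is_rfc1918(addr):
            findings.append(("A_PRIVATE",
                             f"A record {target} -> {addr} is private; it should be the NAT external IP"))
        elif external_ip is not None and addr != external_ip:
            findings.append(("A_MISMATCH",
                             f"A record {target} -> {addr} does not match NAT external IP {external_ip}"))
    return findings


if __name__ == "__main__":
    for label, a, c, m in (("ok", A_RECORDS_OK, CNAME_RECORDS_OK, MX_RECORDS_OK),
                           ("bad", A_RECORDS_BAD, CNAME_RECORDS_BAD, MX_RECORDS_BAD)):
        result = check_inbound_mail_path("xyz.com", "192.168.1.10", NAT_RULES, a, c, m)
        print(label, result or "consistent")
```

The same findings are what the nslookup and telnet tests in the steps above would surface one at a time; here they are checked together before the MX change is published.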
date: Wed, 14 Nov 2007 14:50:27 -0800
author: Bharat Suneja [MVP]
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Hi Bharat,
I totally understand the "External DNS" changes. On the firewall changes
though, isn't what you are describing different aspects of port forwarding?
In other words, I can allow inbound access at port 25, and forward those
packets to the Exchange server.
I have generally had bad experiences with port forwarding. I've done that
for FTP and VPN connections on different servers, and in both cases I
eventually had rootkits and hacks dropped in to our network. And that was
without advertising our external IP address through the public DNS. I'd be
very reluctant to take that kind of risk with the Exchange, since it's also
a DC. And the firewall device we're running is a Watchguard Firebox, so I
believe it's a good quality commercial product.
On the other hand, we do have a DMZ network on the Watchguard. What are your
thoughts on utilizing that feature to secure the server?
Thanks for your input,
"Bharat Suneja [MVP]" wrote in message
news:uuKKBDxJIHA.3400@TK2MSFTNGP03.phx.gbl...
> Firewall:
> 1) NAT: Most commercial firewalls allow you to set up a NAT (Network
> Address Translation) rule to map a server's internal IP address to an
> external IP address provided by your ISP.
> 2) Access Rule: Allow inbound SMTP (tcp port 25) to the server.
> Test: From a computer outside the firewall, telnet to smtp port (telnet
> x.x.x.x 25) where x.x.x.x is the external IP address.
>
> External DNS:
> 1) A Record: In the external DNS (may be hosted by your ISP/Domain
> Registrar) create an A record to map server's fqdn to the external address
> (from the NAT rule you created above).
> Test from outside: nslookup server.domain.com
> 2) MX Record: Create/modify MX record to point to the A record.
> Test from outside: nslookup -type=MX domain.com
>
> Now it's time to send a test message using telnet or from any external
> email systems.
>
> --
> Bharat Suneja
> MVP - Exchange
> www.zenprise.com
> NEW blog location:
> exchangepedia.com/blog
> ----------------------------------------------
>
>
> "Tom Bombadill" wrote in message
> news:Oi2ZrwwJIHA.1208@TK2MSFTNGP05.phx.gbl...
>> Wow, that sounds really simple, Asher. Thanks!
>>
>> I have a follow on question, though it may go a little beyond the realm
>> of the original issue.
>>
>> As you might have guessed by now, our Exchange is sitting inside our
>> network, behind the firewall, using a private static IP address. I've
>> already configured it as our SMTP server. So all POP3 accounts in Outlook
>> clients point to it for outgoing server.
>>
>> Now what steps do I need to take in order to have our outside mail
>> directly come to the Exchange and simply bypass the POP3 boxes, currently
>> hosted by our Domain Name registrar (AIT)?
>>
>> Regards,
>>
>>
>>
>> "Asher_N" wrote in message
>> news:Xns99E8A6CA44CD61203214562@207.46.248.16...
>>> Go to the recipient policy. On the e-mail address tab, click new. Select
>>> SMTP. In the address field, type in @xyz.com, select 'This Exchange
>>> organization is responsible...'. Click OK.
>>>
>>> Select the new address, click on 'Set as Primary'.
>>>
>>> You're done. Whenever you create a new user, he will get a @abc.local,
>>> @xyz.com and a X.400 address with the @xyz.com as primary.
>>>
>>> "Tom Bombadill" wrote in
>>> news:OFkRl3vJIHA.3356@TK2MSFTNGP02.phx.gbl:
>>>
>>>> Thanks for following up with me, Bharat!
>>>>
>>>> So let's see if I got this straight.
>>>>
>>>> Our internal domain name: abc.local
>>>> Our Internet domain name: xyz.com
>>>>
>>>> I went to Exchange System Manager | Recipients > Recipient Policies >
>>>> Default Policy > Properties > E-mail Addresses (Policy) tab and here's
>>>> what I see:
>>>>
>>>> SMTP @abc.local
>>>> X400 c=us;a= ;p=abc;o=Exchange;
>>>>
>>>> Both entries are checked.
>>>>
>>>> Are you saying I need to make a change here to somehow replace the AD
>>>> domain name with the xyz.com domain name? If so, what changes do I
>>>> need to make?
>>>>
>>>> Thanks again.
>>>>
>>>>
>>>> "Bharat Suneja [MVP]" wrote in message
>>>> news:eCjxOXvJIHA.1208@TK2MSFTNGP05.phx.gbl...
>>>>> - Your AD namespace can be the same as your registered external
>>>>> domain(s) or it can be a different namespace, perhaps unregistered or
>>>>> even invalid (using a suffix like .local for instance... ).
>>>>> - In the former case, no issues.
>>>>> - In the latter case, the default Recipient Policy picks up your AD
>>>>> domain and uses it to create email addresses.
>>>>> - You can modify it to use the external/registered domain.
>>>>> - Regardless of email addresses, it's not like you're using one set
>>>>> of addresses to communicate internally, and another set to
>>>>> communicate with internet senders/recipients. Internally, Exchange
>>>>> looks up AD to resolve recipients. If recipients have email addresses
>>>>> using the registered domain (set as default), regardless of all other
>>>>> email addresses they may have (or not), it works for both internal
>>>>> and internet mail. - As a sidenote, the only use for the registered
>>>>> domain (and email addresses using those) is for inbound mail sent by
>>>>> internet senders - the domain part is used to perform DNS lookups to
>>>>> route messages to your designated server(s). Outbound internet mail
>>>>> works regardless of email address used, but you won't be able to get
>>>>> replies if the address is invalid.
>>>>> --
>>>>> Bharat Suneja
>>>>> MVP - Exchange
>>>>> www.zenprise.com
>>>>> NEW blog location:
>>>>> exchangepedia.com/blog
>>>>> ----------------------------------------------
>>>>>
>>>>>
>>>>> "Tom Bombadill" wrote in message
>>>>> news:eaKcAZuJIHA.3916@TK2MSFTNGP02.phx.gbl...
>>>>>> Hi Bharat,
>>>>>>
>>>>>> Forgive my ignorance, but could you please elaborate on the idea a
>>>>>> little further? We have an Exchange 2003. What modification do you
>>>>>> need to make to the Recipient Policy, and how does it help address
>>>>>> the problem? The way I see it, your AD based email addresses still
>>>>>> remain unresolvable through Public DNS. So I still do not understand
>>>>>> how you can use your AD based accounts for external communication.
>>>>>>
>>>>>> If you know of any links that may shed light on this issue for me, I
>>>>>> would greatly appreciate it.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> "Bharat Suneja [MVP]" wrote in message
>>>>>> news:O4s%23lrmJIHA.3400@TK2MSFTNGP03.phx.gbl...
>>>>>>> You simply modify the Recipient Policy (in Exchange Server
>>>>>>> 2003/2000) or Accepted Domain and EmailAddressPolicy (Exchange
>>>>>>> Server 2007) to reflect the external/registered domain.
>>>>>>> --
>>>>>>> Bharat Suneja
>>>>>>> MVP - Exchange
>>>>>>> www.zenprise.com
>>>>>>> NEW blog location:
>>>>>>> exchangepedia.com/blog
>>>>>>> ----------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> "Tom Bombadill" wrote in message
>>>>>>> news:urxMXNlJIHA.3636@TK2MSFTNGP03.phx.gbl...
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I have had a longstanding question on the proper implementation of
>>>>>>>> Exchange and how to reconcile the internal Windows Domain name
>>>>>>>> versus the publicly registered web domain name.
>>>>>>>>
>>>>>>>> It was my impression that Microsoft recommended using a different
>>>>>>>> internal windows domain name, than your web domain name. In this
>>>>>>>> case, you end up with 2 sets of email addresses; one AD based
>>>>>>>> addresses which should not be used for external communication, and
>>>>>>>> another set of publicly addressable, normally POP3, email
>>>>>>>> accounts.
>>>>>>>>
>>>>>>>> We like Exchange because of the conveniences that it would offer,
>>>>>>>> such as calendar sharing, mailbox management, possible central
>>>>>>>> spam management, etc...
>>>>>>>>
>>>>>>>> Given the above situation, is it possible to use 1 set of exchange
>>>>>>>> hosted email addresses for both external and internal use?
>>>>>>>>
>>>>>>>> I'm sure it's an issue many of you have had to deal with before.
>>>>>>>> Is there a correct way of addressing the situation?
>>>>>>>>
>>>>>>>> Thanks for your help.
>>>>>>>>
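The recipient-policy change quoted above (add an @xyz.com SMTP address, set it as primary, keep @abc.local and the X.400 entry) is easy to get subtly wrong, and Bharat's closing point is the failure mode to watch for: outbound mail works with any address, but a primary address in a non-routable domain means nobody on the internet can reply. The following is an added example, not code from the thread or from Exchange: it models what a policy stamps on a new mailbox, then audits the result. abc.local and xyz.com are the thread's placeholders; the policy dicts, the user list and the s=/g= X.400 fields are constructed assumptions.

```python
# Model of what a Recipient Policy stamps on a new mailbox, plus an audit
# for primary addresses the public DNS can never resolve. Added example;
# not the thread's or Exchange's code. abc.local / xyz.com are the thread's
# placeholders; policies, users and the s=/g= X.400 fields are constructed.
# In AD the result lives in the multi-valued proxyAddresses attribute:
# upper-case "SMTP:" marks the primary (reply) address, lower-case "smtp:"
# a secondary, and "X400:" the X.400 address.

UNROUTABLE_SUFFIXES = (".local", ".lan", ".internal", ".localdomain")


def stamp_addresses(policy, alias, surname, given_name):
    """Return the proxyAddresses a new user gets under `policy`
    (assumed shape: {"smtp_domains": [...], "primary": str, "x400": str})."""
    addresses = []
    for domain in policy["smtp_domains"]:
        prefix = "SMTP:" if domain == policy["primary"] else "smtp:"
        addresses.append("%s%s@%s" % (prefix, alias, domain))
    # s=/g= fields approximate what Exchange adds to the policy's X.400 stem
    addresses.append("X400:%ss=%s;g=%s;" % (policy["x400"], surname, given_name))
    return addresses


def primary_smtp(addresses):
    """The single upper-case SMTP: address, without prefix; None if there
    is not exactly one (Exchange allows only one primary per address type)."""
    primaries = [a[5:] for a in addresses if a.startswith("SMTP:")]
    return primaries[0] if len(primaries) == 1 else None


def audit_user(addresses):
    """Findings for one mailbox: wrong number of primaries, no address in a
    public domain, or a primary in a domain the internet cannot route
    (replies to that user's outbound mail would bounce)."""
    findings = []
    primaries = [a for a in addresses if a.startswith("SMTP:")]
    if len(primaries) != 1:
        findings.append("expected exactly one SMTP: primary, found %d" % len(primaries))
    smtp_domains = [a.split("@", 1)[1].lower() for a in addresses
                    if a[:5].lower() == "smtp:"]
    if not any(not d.endswith(UNROUTABLE_SUFFIXES) for d in smtp_domains):
        findings.append("no SMTP address in a public domain")
    for a in primaries:
        if a.split("@", 1)[1].lower().endswith(UNROUTABLE_SUFFIXES):
            findings.append("primary %s is in a non-routable domain" % a[5:])
    return findings


def audit_policy(policy, users):
    """Stamp every (alias, surname, given) user and return {alias: findings}
    for the users that have any."""
    report = {}
    for alias, surname, given_name in users:
        findings = audit_user(stamp_addresses(policy, alias, surname, given_name))
        if findings:
            report[alias] = findings
    return report


# Constructed sample data: the default policy as the original poster saw it,
# and the policy after the @xyz.com address is added and set as primary.
X400_STEM = "c=us;a= ;p=abc;o=Exchange;"
DEFAULT_POLICY = {"smtp_domains": ["abc.local"], "primary": "abc.local",
                  "x400": X400_STEM}
FIXED_POLICY = {"smtp_domains": ["abc.local", "xyz.com"], "primary": "xyz.com",
                "x400": X400_STEM}
SAMPLE_USERS = [("jdoe", "Doe", "Jane"), ("bsmith", "Smith", "Bob")]

if __name__ == "__main__":
    for alias, surname, given_name in SAMPLE_USERS:
        print(stamp_addresses(FIXED_POLICY, alias, surname, given_name))
    print("default policy:", audit_policy(DEFAULT_POLICY, SAMPLE_USERS))
    print("fixed policy:  ", audit_policy(FIXED_POLICY, SAMPLE_USERS) or "clean")
```

Run against the default policy every user is flagged twice (no public address, primary in abc.local); after the policy change the report is empty. The same audit can be pointed at real proxyAddresses values exported from AD, since the prefix convention is the one the directory actually uses.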
date: Thu, 15 Nov 2007 10:14:04 -0800
author: Tom Bombadill
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
- It's not recommended to install Exchange on a DC, but unavoidable in many
cases including when using Microsoft's own Small Business Server (or in most
other single-server environments).
- Yes, in that case it's not advisable to expose your Exchange/DC directly
to the internet for SMTP - though again many small environments end up doing
just that because of lack of resources or lax security requirements (or
absence thereof).
- Options are:
1) Add an SMTP server - you can use the IIS SMTP server or an anti-spam/security
appliance like Barracuda, IronPort, etc. - to the DMZ. Point MX to it for
inbound, configure it to forward to Exchange, open SMTP to Exchange from
that box. For outbound, add the box as a smarthost on the SMTP Connector for *.
2) Use a service provider like Postini as your MX target, allow Postini's
servers to connect to your Exchange on SMTP.
3) A mix of both of the above.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
----------------------------------------------
"Tom Bombadill" wrote in message
news:On7pZK7JIHA.2480@TK2MSFTNGP05.phx.gbl...
> Hi Bharat,
>
> I totally understand the "External DNS" changes. On the firewall changes
> though, isn't what you are describing different aspects of port
> forwarding? In other words, I can allow inbound access at port 25, and
> forward those packets to the Exchange server.
>
> I have generally had bad experiences with port forwarding. I've done that
> for FTP and VPN connections on different servers, and in both cases I
> eventually had rootkits and hacks dropped into our network. And that was
> without advertising our external IP address through the public DNS. I'd be
> very reluctant to take that kind of risk with the Exchange, since it's
> also a DC. And the firewall device we're running is a Watchguard Firebox,
> so I believe it's a good quality commercial product.
>
> On the other hand, we do have a DMZ network on the Watchguard. What are
> your thoughts on utilizing that feature to secure the server?
>
> Thanks for your input,
>
>
> "Bharat Suneja [MVP]" wrote in message
> news:uuKKBDxJIHA.3400@TK2MSFTNGP03.phx.gbl...
>> Firewall:
>> 1) NAT: Most commercial firewalls allow you to set up a NAT (Network
>> Address Translation) rule to map a server's internal IP address to an
>> external IP address provided by your ISP.
>> 2) Access Rule: Allow inbound SMTP (tcp port 25) to the server.
>> Test: From a computer outside the firewall, telnet to smtp port (telnet
>> x.x.x.x 25) where x.x.x.x is the external IP address.
>>
>> External DNS:
>> 1) A Record: In the external DNS (may be hosted by your ISP/Domain
>> Registrar) create an A record to map server's fqdn to the external
>> address (from the NAT rule you created above).
>> Test from outside: nslookup server.domain.com
>> 2) MX Record: Create/modify MX record to point to the A record.
>> Test from outside: nslookup -type=MX domain.com
>>
>> Now it's time to send a test message using telnet or from any external
>> email systems.
>>
>> --
>> Bharat Suneja
>> MVP - Exchange
>> www.zenprise.com
>> NEW blog location:
>> exchangepedia.com/blog
>> ----------------------------------------------
>>
>>
>> "Tom Bombadill" wrote in message
>> news:Oi2ZrwwJIHA.1208@TK2MSFTNGP05.phx.gbl...
>>> Wow, that sounds really simple, Asher. Thanks!
>>>
>>> I have a follow on question, though it may go a little beyond the realm
>>> of the original issue.
>>>
>>> As you might have guessed by now, our Exchange is sitting inside our
>>> network, behind the firewall, using a private static IP address. I've
>>> already configured it as our SMTP server. So all POP3 accounts in
>>> Outlook clients point to it for outgoing server.
>>>
>>> Now what steps do I need to take in order to have our outside mail
>>> directly come to the Exchange and simply bypass the POP3 boxes,
>>> currently hosted by our Domain Name registrar (AIT)?
>>>
>>> Regards,
>>>
>>>
>>>
>>> "Asher_N" wrote in message
>>> news:Xns99E8A6CA44CD61203214562@207.46.248.16...
>>>> Go to the recipient policy. On the e-mail address tab, click new.
>>>> Select
>>>> SMTP. In the address field, type in @xyz.com, select 'This Exchange
>>>> organization is responsible...'. Click OK.
>>>>
>>>> Select the new address, click on 'Set as Primary'.
>>>>
>>>> You're done. Whenever you create a new user, he will get a @abc.local,
>>>> @xyz.com and a X.400 address with the @xyz.com as primary.
>>>>
>>>> "Tom Bombadill" wrote in
>>>> news:OFkRl3vJIHA.3356@TK2MSFTNGP02.phx.gbl:
>>>>
>>>>> Thanks for following up with me, Bharat!
>>>>>
>>>>> So let's see if I got this straight.
>>>>>
>>>>> Our internal domain name: abc.local
>>>>> Our Internet domain name: xyz.com
>>>>>
>>>>> I went to Exchange System Manager | Recipients > Recipient Policies >
>>>>> Default Policy > Properties > E-mail Addresses (Policy) tab and here's
>>>>> what I see:
>>>>>
>>>>> SMTP @abc.local
>>>>> X400 c=us;a= ;p=abc;o=Exchange;
>>>>>
>>>>> Both entries are checked.
>>>>>
>>>>> Are you saying I need to make a change here to somehow replace the AD
>>>>> domain name with the xyz.com domain name? If so, what changes do I
>>>>> need to make?
>>>>>
>>>>> Thanks again.
>>>>>
>>>>>
>>>>> "Bharat Suneja [MVP]" wrote in message
>>>>> news:eCjxOXvJIHA.1208@TK2MSFTNGP05.phx.gbl...
>>>>>> - Your AD namespace can be the same as your registered external
>>>>>> domain(s) or it can be a different namespace, perhaps unregistered or
>>>>>> even invalid (using a suffix like .local for instance... ).
>>>>>> - In the former case, no issues.
>>>>>> - In the latter case, the default Recipient Policy picks up your AD
>>>>>> domain and uses it to create email addresses.
>>>>>> - You can modify it to use the external/registered domain.
>>>>>> - Regardless of email addresses, it's not like you're using one set
>>>>>> of addresses to communicate internally, and another set to
>>>>>> communicate with internet senders/recipients. Internally, Exchange
>>>>>> looks up AD to resolve recipients. If recipients have email addresses
>>>>>> using the registered domain (set as default), regardless of all other
>>>>>> email addresses they may have (or not), it works for both internal
>>>>>> and internet mail. - As a sidenote, the only use for the registered
>>>>>> domain (and email addresses using those) is for inbound mail sent by
>>>>>> internet senders - the domain part is used to perform DNS lookups to
>>>>>> route messages to your designated server(s). Outbound internet mail
>>>>>> works regardless of email address used, but you won't be able to get
>>>>>> replies if the address is invalid.
>>>>>> --
>>>>>> Bharat Suneja
>>>>>> MVP - Exchange
>>>>>> www.zenprise.com
>>>>>> NEW blog location:
>>>>>> exchangepedia.com/blog
>>>>>> ----------------------------------------------
>>>>>>
>>>>>>
>>>>>> "Tom Bombadill" wrote in message
>>>>>> news:eaKcAZuJIHA.3916@TK2MSFTNGP02.phx.gbl...
>>>>>>> Hi Bharat,
>>>>>>>
>>>>>>> Forgive my ignorance, but could you please elaborate on the idea a
>>>>>>> little further? We have an Exchange 2003. What modification do you
>>>>>>> need to make to the Recipient Policy, and how does it help address
>>>>>>> the problem? The way I see it, your AD based email addresses still
>>>>>>> remain unresolvable through Public DNS. So I still do not understand
>>>>>>> how you can use your AD based accounts for external communication.
>>>>>>>
>>>>>>> If you know of any links that may shed light on this issue for me, I
>>>>>>> would greatly appreciate it.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> "Bharat Suneja [MVP]" wrote in message
>>>>>>> news:O4s%23lrmJIHA.3400@TK2MSFTNGP03.phx.gbl...
>>>>>>>> You simply modify the Recipient Policy (in Exchange Server
>>>>>>>> 2003/2000) or Accepted Domain and EmailAddressPolicy (Exchange
>>>>>>>> Server 2007) to reflect the external/registered domain.
>>>>>>>> --
>>>>>>>> Bharat Suneja
>>>>>>>> MVP - Exchange
>>>>>>>> www.zenprise.com
>>>>>>>> NEW blog location:
>>>>>>>> exchangepedia.com/blog
>>>>>>>> ----------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> "Tom Bombadill" wrote in message
>>>>>>>> news:urxMXNlJIHA.3636@TK2MSFTNGP03.phx.gbl...
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I have had a longstanding question on the proper implementation of
>>>>>>>>> Exchange and how to reconcile the internal Windows Domain name
>>>>>>>>> versus the publicly registered web domain name.
>>>>>>>>>
>>>>>>>>> It was my impression that Microsoft recommended using a different
>>>>>>>>> internal windows domain name, than your web domain name. In this
>>>>>>>>> case, you end up with 2 sets of email addresses; one AD based
>>>>>>>>> addresses which should not be used for external communication, and
>>>>>>>>> another set of publicly addressable, normally POP3, email
>>>>>>>>> accounts.
>>>>>>>>>
>>>>>>>>> We like Exchange because of the conveniences that it would offer,
>>>>>>>>> such as calendar sharing, mailbox management, possible central
>>>>>>>>> spam management, etc...
>>>>>>>>>
>>>>>>>>> Given the above situation, is it possible to use 1 set of exchange
>>>>>>>>> hosted email addresses for both external and internal use?
>>>>>>>>>
>>>>>>>>> I'm sure it's an issue many of you have had to deal with before.
>>>>>>>>> Is there a correct way of addressing the situation?
>>>>>>>>>
>>>>>>>>> Thanks for your help.
>>>>>>>>>
date: Thu, 15 Nov 2007 14:53:16 -0800
author: Bharat Suneja [MVP]
Re: Basic Design Question on Windows Domain Vs Internet Domain Names
Worst thing you can do is put Exchange in a DMZ.
First, unless the DMZ has no path to the LAN at all, they are there to
merely slow down a hacker. If I can get thru the firewall to get to the
DMZ, how long do you think it'll take me to go all the way?
Most important, Exchange needs to talk to AD. An Exchange server in the
DMZ means you have to open all the protocols required to speak to AD.
"Tom Bombadill" wrote in
news:On7pZK7JIHA.2480@TK2MSFTNGP05.phx.gbl:
> Hi Bharat,
>
> I totally understand the "External DNS" changes. On the firewall
> changes though, isn't what you are describing different aspects of
> port forwarding? In other words, I can allow inbound access at port
> 25, and forward those packets to the Exchange server.
>
> I have generally had bad experiences with port forwarding. I've done
> that for FTP and VPN connections on different servers, and in both
> cases I eventually had rootkits and hacks dropped into our network.
> And that was without advertising our external IP address through the
> public DNS. I'd be very reluctant to take that kind of risk with the
> Exchange, since it's also a DC. And the firewall device we're running
> is a Watchguard Firebox, so I believe it's a good quality commercial
> product.
>
> On the other hand, we do have a DMZ network on the Watchguard. What
> are your thoughts on utilizing that feature to secure the server?
>
> Thanks for your input,
>
>
> "Bharat Suneja [MVP]" wrote in message
> news:uuKKBDxJIHA.3400@TK2MSFTNGP03.phx.gbl...
>> Firewall:
>> 1) NAT: Most commercial firewalls allow you to set up a NAT (Network
>> Address Translation) rule to map a server's internal IP address to an
>> external IP address provided by your ISP.
>> 2) Access Rule: Allow inbound SMTP (tcp port 25) to the server.
>> Test: From a computer outside the firewall, telnet to smtp port
>> (telnet x.x.x.x 25) where x.x.x.x is the external IP address.
>>
>> External DNS:
>> 1) A Record: In the external DNS (may be hosted by your ISP/Domain
>> Registrar) create an A record to map server's fqdn to the external
>> address (from the NAT rule you created above).
>> Test from outside: nslookup server.domain.com
>> 2) MX Record: Create/modify MX record to point to the A record.
>> Test from outside: nslookup -type=MX domain.com
>>
>> Now it's time to send a test message using telnet or from any
>> external email systems.
>>
>> --
>> Bharat Suneja
>> MVP - Exchange
>> www.zenprise.com
>> NEW blog location:
>> exchangepedia.com/blog
>> ----------------------------------------------
>>
>>
>> "Tom Bombadill" wrote in message
>> news:Oi2ZrwwJIHA.1208@TK2MSFTNGP05.phx.gbl...
>>> Wow, that sounds really simple, Asher. Thanks!
>>>
>>> I have a follow on question, though it may go a little beyond the
>>> realm of the original issue.
>>>
>>> As you might have guessed by now, our Exchange is sitting inside our
>>> network, behind the firewall, using a private static IP address.
>>> I've already configured it as our SMTP server. So all POP3 accounts
>>> in Outlook clients point to it for outgoing server.
>>>
>>> Now what steps do I need to take in order to have our outside mail
>>> directly come to the Exchange and simply bypass the POP3 boxes,
>>> currently hosted by our Domain Name registrar (AIT)?
>>>
>>> Regards,
>>>
>>>
>>>
>>> "Asher_N" wrote in message
>>> news:Xns99E8A6CA44CD61203214562@207.46.248.16...
>>>> Go to the recipient policy. On the e-mail address tab, click new.
>>>> Select SMTP. In the address field, type in @xyz.com, select 'This
>>>> Exchange organization is responsible...'. Click OK.
>>>>
>>>> Select the new address, click on 'Set as Primary'.
>>>>
>>>> You're done. Whenever you create a new user, he will get a
>>>> @abc.local, @xyz.com and a X.400 address with the @xyz.com as
>>>> primary.
>>>>
>>>> "Tom Bombadill" wrote in
>>>> news:OFkRl3vJIHA.3356@TK2MSFTNGP02.phx.gbl:
>>>>
>>>>> Thanks for following up with me, Bharat!
>>>>>
>>>>> So let's see if I got this straight.
>>>>>
>>>>> Our internal domain name: abc.local
>>>>> Our Internet domain name: xyz.com
>>>>>
>>>>> I went to Exchange System Manager | Recipients > Recipient
>>>>> Policies > Default Policy > Properties > E-mail Addresses (Policy)
>>>>> tab and here's what I see:
>>>>>
>>>>> SMTP @abc.local
>>>>> X400 c=us;a= ;p=abc;o=Exchange;
>>>>>
>>>>> Both entries are checked.
>>>>>
>>>>> Are you saying I need to make a change here to somehow replace the
>>>>> AD domain name with the xyz.com domain name? If so, what changes
>>>>> do I need to make?
>>>>>
>>>>> Thanks again.
>>>>>
>>>>>
>>>>> "Bharat Suneja [MVP]" wrote in message
>>>>> news:eCjxOXvJIHA.1208@TK2MSFTNGP05.phx.gbl...
>>>>>> - Your AD namespace can be the same as your registered external
>>>>>> domain(s) or it can be a different namespace, perhaps unregistered
>>>>>> or even invalid (using a suffix like .local for instance... ).
>>>>>> - In the former case, no issues.
>>>>>> - In the latter case, the default Recipient Policy picks up your
>>>>>> AD domain and uses it to create email addresses.
>>>>>> - You can modify it to use the external/registered domain.
>>>>>> - Regardless of email addresses, it's not like you're using one
>>>>>> set of addresses to communicate internally, and another set to
>>>>>> communicate with internet senders/recipients. Internally,
>>>>>> Exchange looks up AD to resolve recipients. If recipients have
>>>>>> email addresses using the registered domain (set as default),
>>>>>> regardless of all other email addresses they may have (or not),
>>>>>> it works for both internal and internet mail. - As a sidenote,
>>>>>> the only use for the registered domain (and email addresses using
>>>>>> those) is for inbound mail sent by internet senders - the domain
>>>>>> part is used to perform DNS lookups to route messages to your
>>>>>> designated server(s). Outbound internet mail works regardless of
>>>>>> email address used, but you won't be able to get replies if the
>>>>>> address is invalid.
>>>>>> --
>>>>>> Bharat Suneja
>>>>>> MVP - Exchange
>>>>>> www.zenprise.com
>>>>>> NEW blog location:
>>>>>> exchangepedia.com/blog
>>>>>> ----------------------------------------------
>>>>>>
>>>>>>
>>>>>> "Tom Bombadill" wrote in message
>>>>>> news:eaKcAZuJIHA.3916@TK2MSFTNGP02.phx.gbl...
>>>>>>> Hi Bharat,
>>>>>>>
>>>>>>> Forgive my ignorance, but could you please elaborate on the
>>>>>>> idea a little further? We have an Exchange 2003. What
>>>>>>> modification do you need to make to the Recipient Policy, and
>>>>>>> how does it help address the problem? The way I see it, your AD
>>>>>>> based email addresses still remain unresolvable through Public
>>>>>>> DNS. So I still do not understand how you can use your AD based
>>>>>>> accounts for external communication.
>>>>>>>
>>>>>>> If you know of any links that may shed light on this issue for
>>>>>>> me, I would greatly appreciate it.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> "Bharat Suneja [MVP]" wrote in message
>>>>>>> news:O4s%23lrmJIHA.3400@TK2MSFTNGP03.phx.gbl...
>>>>>>>> You simply modify the Recipient Policy (in Exchange Server
>>>>>>>> 2003/2000) or Accepted Domain and EmailAddressPolicy (Exchange
>>>>>>>> Server 2007) to reflect the external/registered domain.
>>>>>>>> --
>>>>>>>> Bharat Suneja
>>>>>>>> MVP - Exchange
>>>>>>>> www.zenprise.com
>>>>>>>> NEW blog location:
>>>>>>>> exchangepedia.com/blog
>>>>>>>> ----------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> "Tom Bombadill" wrote in message
>>>>>>>> news:urxMXNlJIHA.3636@TK2MSFTNGP03.phx.gbl...
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I have had a longstanding question on the proper
>>>>>>>>> implementation of Exchange and how to reconcile the internal
>>>>>>>>> Windows Domain name versus the publicly registered web domain
>>>>>>>>> name.
>>>>>>>>>
>>>>>>>>> It was my impression that Microsoft recommended using a
>>>>>>>>> different internal windows domain name, than your web domain
>>>>>>>>> name. In this case, you end up with 2 sets of email addresses;
>>>>>>>>> one AD based addresses which should not be used for external
>>>>>>>>> communication, and another set of publicly addressable,
>>>>>>>>> normally POP3, email accounts.
>>>>>>>>>
>>>>>>>>> We like Exchange because of the conveniences that it would
>>>>>>>>> offer, such as calendar sharing, mailbox management, possible
>>>>>>>>> central spam management, etc...
>>>>>>>>>
>>>>>>>>> Given the above situation, is it possible to use 1 set of
>>>>>>>>> exchange hosted email addresses for both external and internal
>>>>>>>>> use?
>>>>>>>>>
>>>>>>>>> I'm sure it's an issue many of you have had to deal with
>>>>>>>>> before. Is there a correct way of addressing the situation?
>>>>>>>>>
>>>>>>>>> Thanks for your help.
>>>>>>>>>
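Bharat's option 1 (an SMTP relay in the DMZ, MX pointing at it, SMTP into Exchange only from that box, outbound via the relay as smarthost) and Asher_N's objection to putting Exchange itself in the DMZ can both be checked mechanically against the public zone and the firewall rule set, which is how a defender would verify the design rather than trust the diagram. The following is an added example, not the thread's code or any vendor's: the zone data, the addresses (documentation ranges) and the rules are constructed, the Rule tuple is a simplification of a real firewall policy, and AD_PORTS is the standard set of ports a domain-joined server needs to reach a domain controller.

```python
from collections import namedtuple

# One firewall rule. Zones: "internet", "dmz", "lan"; src/dst: IP or "any".
# Constructed model, not Watchguard or any vendor's policy syntax.
Rule = namedtuple("Rule", "src_zone src dst_zone dst proto port")

# Ports a domain-joined server must reach on a domain controller.
AD_PORTS = {("tcp", 88): "kerberos", ("udp", 88): "kerberos",
            ("tcp", 135): "rpc endpoint mapper", ("tcp", 445): "smb",
            ("tcp", 389): "ldap", ("udp", 389): "ldap", ("tcp", 636): "ldaps",
            ("tcp", 3268): "global catalog", ("tcp", 3269): "global catalog ssl"}


def resolve_mx(zone, domain):
    """Follow each MX target to its A record(s) in the same zone dict;
    returns [(preference, target, [ips])] ordered by preference."""
    return [(pref, target, zone.get((target, "A"), []))
            for pref, target in sorted(zone.get((domain, "MX"), []))]


def check_mx(zone, domain, expected_mx_ips, exchange_public_ips):
    """The MX must land on the relay/provider, never on the Exchange/DC."""
    mx = resolve_mx(zone, domain)
    if not mx:
        return ["no MX record for %s" % domain]
    findings = []
    for _pref, target, ips in mx:
        if not ips:
            findings.append("MX target %s has no A record" % target)
        for ip in ips:
            if ip in exchange_public_ips:
                findings.append("MX %s -> %s is the Exchange/DC itself" % (target, ip))
            elif ip not in expected_mx_ips:
                findings.append("MX %s -> %s is not an approved relay" % (target, ip))
    return findings


def check_smtp_ingress(rules, exchange_ip, allowed_smtp_sources):
    """tcp/25 into the LAN may reach only Exchange, and only from the
    approved relay or provider addresses, never from the internet."""
    findings = []
    for r in rules:
        if r.dst_zone != "lan" or (r.proto, r.port) != ("tcp", 25):
            continue
        if r.dst != exchange_ip:
            findings.append("tcp/25 into LAN host %s, which is not Exchange" % r.dst)
        if r.src_zone == "internet" or r.src not in allowed_smtp_sources:
            findings.append("tcp/25 to %s open from %s:%s instead of an approved relay"
                            % (r.dst, r.src_zone, r.src))
    return findings


def check_dmz_ad_holes(rules):
    """AD/RPC ports opened from the DMZ into the LAN mean a DMZ host is
    domain-joined: the Exchange-in-DMZ design the thread warns against."""
    return ["DMZ host %s reaches LAN %s on %s/%d (%s): DMZ server is domain-joined"
            % (r.src, r.dst, r.proto, r.port, AD_PORTS[(r.proto, r.port)])
            for r in rules if r.src_zone == "dmz" and r.dst_zone == "lan"
            and (r.proto, r.port) in AD_PORTS]


def audit(design):
    """Run all three checks on a design dict; an empty list means clean."""
    return (check_mx(design["zone"], design["domain"], design["expected_mx_ips"],
                     design["exchange_public_ips"])
            + check_smtp_ingress(design["rules"], design["exchange_ip"],
                                 design["allowed_smtp_sources"])
            + check_dmz_ad_holes(design["rules"]))


# Option 1 from the thread: MX -> relay in the DMZ -> Exchange on the LAN,
# outbound going back out through the relay as smarthost (constructed data).
RELAY_DESIGN = {
    "domain": "xyz.com",
    "zone": {("xyz.com", "MX"): [(10, "relay.xyz.com")],
             ("relay.xyz.com", "A"): ["203.0.113.25"]},
    "expected_mx_ips": {"203.0.113.25"},      # relay's NAT'd public address
    "exchange_public_ips": set(),             # Exchange has no public mapping
    "exchange_ip": "10.0.0.5",
    "allowed_smtp_sources": {"172.16.0.25"},  # relay's DMZ address
    "rules": [Rule("internet", "any", "dmz", "172.16.0.25", "tcp", 25),
              Rule("dmz", "172.16.0.25", "lan", "10.0.0.5", "tcp", 25),
              Rule("lan", "10.0.0.5", "dmz", "172.16.0.25", "tcp", 25)],
}

# The two designs the thread warns against, combined for the demo: the
# Exchange/DC NAT'd straight to the internet, and a domain-joined DMZ host.
EXPOSED_DESIGN = {
    "domain": "xyz.com",
    "zone": {("xyz.com", "MX"): [(10, "mail.xyz.com")],
             ("mail.xyz.com", "A"): ["203.0.113.10"]},
    "expected_mx_ips": set(),
    "exchange_public_ips": {"203.0.113.10"},
    "exchange_ip": "10.0.0.5",
    "allowed_smtp_sources": set(),
    "rules": [Rule("internet", "any", "lan", "10.0.0.5", "tcp", 25),
              Rule("dmz", "172.16.0.5", "lan", "10.0.0.5", "tcp", 389),
              Rule("dmz", "172.16.0.5", "lan", "10.0.0.5", "tcp", 88)],
}

if __name__ == "__main__":
    for name, design in (("relay", RELAY_DESIGN), ("exposed", EXPOSED_DESIGN)):
        print(name, audit(design) or ["clean"])
```

Option 2 (a provider such as Postini as MX target) fits the same checks: put the provider's MX hosts in expected_mx_ips and its delivery addresses in allowed_smtp_sources. The live equivalents of the zone lookups are the nslookup tests quoted earlier in the thread; the rule checks are what to run against the firewall's exported policy before the NAT and access rules go in.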
date: Fri, 16 Nov 2007 06:27:56 -0800
author: Asher_N