Re: [exim] verify = recipient/callout --> Exchange2013

Author: Patrick von der Hagen
Date:  
To: exim-users
New-Topics: Re: [exim] verify = recipient/callout --> Exchange2013
Subject: Re: [exim] verify = recipient/callout --> Exchange2013
On 17.11.2014 10:08, Heiko Schlittermann wrote:
> Heiko Schlittermann <hs@???> (Mo 17 Nov 2014 10:06:44 CET):
>> Patrick von der Hagen <patrick.hagen@???> (Mo 17 Nov 2014 10:03:22 CET):
>>> On 17.11.2014 02:05, Viktor Dukhovni wrote:
>>> [...]
>>>>>     - Understanding the AD structure of the Exchange (Forwardings,
>>>>>       Aliases, Groups, ?) is probably not straightforward ?

>>>>
>>>> Actually it is rather simple, I've used this for a decade:
>>>>
>>>>     query_filter = proxyAddresses=smtp:%s
>>>>     result_attribute = mail
>>> I'm not sure this will work easily in all situations, e.g. following
>>> referrals. Still, why not just fix the exchange configuration?
>>> https://support.prolateral.com/index.php?/Knowledgebase/Article/View/204/35/how-do-i-reject-incoming-email-for-unknown-users-in-ms-exchange-2013

>>
>> Statement of the Exchange-Admin: this link describes settings you've to
>> do anyway. It does not solve our problem.
>
> I do not read it that way, since the "screenshot" on the above page
> indicates "success"

I just had a chat with my exchange-admins and they confirmed that
exchange 2013 is capable of rejecting unknown recipients like we are
used to. When we go in production with exchange 2013, exim will not
detect any differences.

Some background (which might be wrong in details):
Exchange is running several "roles"
(http://exchangeserverpro.com/exchange-2013-server-roles/) which you can
distribute over several servers or combine on a single one. All of them
seem to open port 25 for communication and you do run into issues when
you combine them on a single server, with different roles competing for
port 25. You have (!) to talk to the Edge Transport Server, which might
not be listening on port 25 if it shares a server with the other roles.
It seems to be optional
(http://blog.enowsoftware.com/solutions-engine/bid/182845/Does-your-environment-need-an-Exchange-2013-Edge-Transport-server),
but I would consider setups without an Edge-Transport-server to be
incomplete due to the recipient-verification issues.

The other roles can't verify recipients in an exim-callout.

So I guess, whenever there are issues with Exchange 2013 and callout,
either the exchange-staff decided not to install an
edge-transport-server, since some anti-spam-appliance is considered to
perform that task, or they run some other role on port 25 and the
edge-transport-server on some non-standard-port, without realizing that
this might be an issue....



--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Building 20.21, Room 005.1
76131 Karlsruhe
Phone: +49 721 608-46433
E-Mail: hagen@???
Web: http://www.scc.kit.edu

KIT - University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association
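
An added example, not part of the original message: a small check a mail admin can run against their own Exchange host to see which listening port actually rejects unknown recipients at RCPT time, the way a recipient callout with a null sender would see it. The function names are hypothetical, and the host, ports and known mailbox are supplied by the operator.

```python
import secrets
import smtplib
import sys

def random_rcpt(known_rcpt):
    """Unguessable local part at the same domain as known_rcpt."""
    domain = known_rcpt.rsplit("@", 1)[1]
    return "callout-%s@%s" % (secrets.token_hex(8), domain)

def rcpt_code(host, port, rcpt, timeout=10):
    """SMTP reply code for RCPT TO:<rcpt>, sent with a null sender; no DATA is sent."""
    with smtplib.SMTP(host, port, local_hostname="callout-check.invalid",
                      timeout=timeout) as smtp:
        smtp.helo()
        smtp.mail("")  # MAIL FROM:<>
        code, _ = smtp.rcpt(rcpt)
        return code

def classify(known_code, random_code):
    """Say whether a callout to this listener can tell real recipients from unknown ones."""
    if 400 <= known_code < 500 or 400 <= random_code < 500:
        return "tempfail"          # a callout would defer
    if known_code >= 500:
        return "rejects-known"     # wrong test address, or relaying denied for this client
    if random_code < 400:
        return "accepts-all"       # unknown users look valid to a callout
    return "verifies"              # known accepted, random rejected

def survey(host, ports, known_rcpt):
    """Classify each port on host; known_rcpt must be a mailbox that really exists."""
    results = {}
    for port in ports:
        try:
            results[port] = classify(rcpt_code(host, port, known_rcpt),
                                     rcpt_code(host, port, random_rcpt(known_rcpt)))
        except (OSError, smtplib.SMTPException) as exc:
            results[port] = "unreachable (%s)" % exc
    return results

if __name__ == "__main__":
    # usage: callout_check.py HOST KNOWN_MAILBOX PORT [PORT ...]
    host, known, ports = sys.argv[1], sys.argv[2], [int(p) for p in sys.argv[3:]]
    for port, verdict in survey(host, ports, known).items():
        print(port, verdict)
```

A port that reports "accepts-all" is one where a callout cannot detect unknown users; the port that reports "verifies" is the one the callout has to reach.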