---
name: Neptune SBR Email Routing Setup
description: How outbound email routing works on Neptune Exchange - SBR agent, MailProtector smarthost, send connectors, and common fix for new clients
type: project
---

## Neptune Outbound Email Routing Chain

1. User sends mail from an Exchange mailbox on Neptune (172.16.3.11)
2. **Microsoft.Exchange.SBR** transport agent (Priority 12) fires on the OnResolved event
3. SBR reads its config files at `C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Custom\`:
   - `Microsoft.Exchange.SBR.InternalDomains.config` — list of domains SBR handles
   - `Microsoft.Exchange.SBR.OverrideSettings.config` — maps `domain.com;domain.sbr` for routing
   - `Microsoft.Exchange.SBR.IgnoreAuthAs.config` — exclusions
4. SBR rewrites the recipient routing to the `.sbr` domain (e.g., `rieussetcorp.sbr`)
5. Exchange matches the `.sbr` address space to the corresponding Send Connector (e.g., `Outbound.Sorensen`)
6. The send connector smarthosts through MailProtector: `domain-com.outbound.emailservice.io`
7. MailProtector relays to the final destination

There is also a **messageconcept ExSBR** agent at Priority 11 (`C:\Program Files\messageconcept\ExSBR\`).

## Common Issue: New client or server move

When Neptune's IP changes or a new domain is added, MailProtector must have the sending server's IP authorized. Without this, MailProtector accepts the relay but drops/rejects the message.

**Fix (2026-03-22 for rieussetcorp.com):** Added 67.206.163.124 and 67.206.163.122 to MailProtector's authorized sender IPs.

## Neptune Location

Neptune physically moved from the ACG office (72.194.62.7) to Dataforth (67.206.163.124 inbound, 67.206.163.122 outbound). The SNAT rule on the Dataforth UDM (`/data/on_boot.d/10-neptune-snat.sh`) should force outbound traffic to use .124.
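Steps 3 to 6 of the routing chain above, modelled offline so a new client's configuration can be sanity-checked before mail is sent. This is an added example, not the SBR agent's or Exchange's own code: the three file names and the `domain.com;domain.sbr` line format come from the notes, while the file contents, the send-connector table and the assumption that SBR keys its rewrite on the sender's domain are constructed here. It flags the two gaps a new client typically hits: a domain listed in InternalDomains with no OverrideSettings entry, and a `.sbr` routing domain with no dedicated send connector (which silently falls through to the catch-all connector and its smarthost).

```python
"""Offline model of steps 3-6 of the Neptune outbound routing chain.
Added example, not the SBR agent's or Exchange's own code. The three file
names and the `domain.com;domain.sbr` line format are taken from the notes;
the file contents, the connector table and the assumption that SBR keys its
rewrite on the sender's domain are constructed for this example."""
from dataclasses import dataclass

# Constructed sample contents of the three files under ...\TransportRoles\agents\Custom\
INTERNAL_DOMAINS_CFG = """\
# sender domains SBR handles, one per line
rieussetcorp.com
sorensen.example
newclient.example
orphan.example
"""
OVERRIDE_SETTINGS_CFG = """\
rieussetcorp.com;rieussetcorp.sbr
sorensen.example;sorensen.sbr
newclient.example;newclient.sbr
this line is malformed and is skipped
"""
IGNORE_AUTH_AS_CFG = """\
# senders SBR leaves untouched
scanner@sorensen.example
"""


@dataclass(frozen=True)
class SendConnector:
    name: str
    address_spaces: tuple  # Exchange address spaces; "*" is the catch-all
    smart_host: str


# Constructed connector table following the Outbound.<Client> and
# <domain-tld>.outbound.emailservice.io naming seen in the notes.
# newclient.sbr deliberately has no connector, to show the fall-through case.
CONNECTORS = (
    SendConnector("Outbound.Rieussetcorp", ("rieussetcorp.sbr",),
                  "rieussetcorp-com.outbound.emailservice.io"),
    SendConnector("Outbound.Sorensen", ("sorensen.sbr",),
                  "sorensen-example.outbound.emailservice.io"),
    SendConnector("Outbound.Default", ("*",),
                  "acg-local.outbound.emailservice.io"),
)


def parse_lines(text):
    """Non-empty, non-comment lines, stripped and lowercased."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_overrides(text):
    """`domain.com;domain.sbr` lines -> {sender_domain: routing_domain}; malformed lines are skipped."""
    overrides = {}
    for ln in parse_lines(text):
        if ";" not in ln:
            continue
        src, dst = (part.strip() for part in ln.split(";", 1))
        if src and dst:
            overrides[src] = dst
    return overrides


def match_connector(domain, connectors):
    """Exchange prefers the most specific address space; "*" only when nothing else matches."""
    for conn in connectors:
        if domain in conn.address_spaces:
            return conn
    for conn in connectors:
        if "*" in conn.address_spaces:
            return conn
    return None


def route(sender, recipient):
    """Report where one message would leave Neptune and flag the misconfigurations the chain can hide."""
    internal = set(parse_lines(INTERNAL_DOMAINS_CFG))
    overrides = parse_overrides(OVERRIDE_SETTINGS_CFG)
    ignore = set(parse_lines(IGNORE_AUTH_AS_CFG))

    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    handled = sender not in ignore and sender_domain in internal
    routing_domain = overrides.get(sender_domain) if handled else None

    # Without a rewrite, Exchange matches the real recipient domain instead.
    lookup = routing_domain or recipient.lower().rsplit("@", 1)[-1]
    conn = match_connector(lookup, CONNECTORS)

    warning = None
    if handled and routing_domain is None:
        warning = f"{sender_domain} is in InternalDomains but has no OverrideSettings entry"
    elif routing_domain and conn and routing_domain not in conn.address_spaces:
        warning = f"{routing_domain} has no dedicated send connector; fell through to {conn.name}"

    return {
        "routing_domain": routing_domain,
        "connector": conn.name if conn else None,
        "smart_host": conn.smart_host if conn else None,
        "warning": warning,
    }


if __name__ == "__main__":
    for sender in ("ceo@rieussetcorp.com", "scanner@sorensen.example",
                   "ops@newclient.example", "hr@orphan.example", "bob@acg.local"):
        print(f"{sender:26} -> {route(sender, 'someone@example.net')}")
```

To use it against the live server, replace the three constructed `*_CFG` strings with the contents of the real files from the `agents\Custom\` folder and the `CONNECTORS` tuple with the address spaces and smarthosts reported by `Get-SendConnector`; any `warning` returned for a client's sender address points at the missing piece before the MailProtector authorization is even considered.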
## Access

- WinRM: `172.16.3.11`, ACG\administrator, via pywinrm with NTLM
- Exchange PS: connect via `New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://neptune.acg.local/PowerShell/ -Authentication Kerberos`
- Requires the Tailscale route through D2TESTNAS (192.168.0.9) for 172.16.0.0/22

## Known Issues (as of 2026-03-22)

- 67.206.163.122 has no PTR record and is blacklisted by some providers
- SNAT rule may not be active — outbound was going out as .122, not .124, on 3/16. Need to check the UDM (192.168.0.254) — couldn't auth via SSH tonight, check in the morning
- MAIL transport server still exists in the Exchange config but the server is decommissioned
- Spam queues with junk domains (wwwyamaha666.ru, bestspatulas.com, etc.)
- Tailscale 172.16.0.0/22 route moved from ACG pfSense to D2TESTNAS — may need a permanent solution
- UDM SSH password (Paper123!@#-unifi) was rejected — may have changed

## Resolved (2026-03-22)

- rieussetcorp.com outbound: Added 67.206.163.124 and .122 to MailProtector authorized IPs — mail now flowing
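The "outbound was going out as .122, not .124" finding can be confirmed from any message that reached an external mailbox: the Received header MailProtector stamps records the IP it saw Neptune connect from. The following is an added example, not part of these notes or of any MailProtector tooling. The expected SNAT egress IP, the authorized-IP list and the no-PTR issue are taken from the notes; the sample headers are constructed, and the assumption that MailProtector's receiving host names end in `.outbound.emailservice.io` is taken from the smarthost naming pattern above.

```python
"""Read back which public IP Neptune actually used to reach MailProtector,
from a delivered message's Received headers. Added example, not part of the
notes or of any MailProtector tooling. EXPECTED_EGRESS, AUTHORIZED and
NO_PTR come from the notes; SAMPLE_HEADERS and RELAY_SUFFIX are constructed
assumptions for this example."""
import re

EXPECTED_EGRESS = "67.206.163.124"                  # the SNAT rule should force this
AUTHORIZED = {"67.206.163.124", "67.206.163.122"}   # added to MailProtector on 2026-03-22
NO_PTR = {"67.206.163.122"}                         # known issue: no PTR, blacklisted by some providers
RELAY_SUFFIX = ".outbound.emailservice.io"          # assumption, from the smarthost naming pattern

# Constructed sample headers, newest hop first as in a real message.
# The MailProtector hop records the IP it saw Neptune connect from.
SAMPLE_HEADERS = """\
Received: from rieussetcorp-com.outbound.emailservice.io (relay.example [203.0.113.10])
\tby mx.example.net with ESMTPS; Mon, 16 Mar 2026 09:12:01 -0700
Received: from neptune.acg.local (unknown [67.206.163.122])
\tby rieussetcorp-com.outbound.emailservice.io (MailProtector) with ESMTPS;
\tMon, 16 Mar 2026 09:11:58 -0700
Received: from neptune.acg.local ([172.16.3.11]) by neptune.acg.local
\twith Microsoft SMTP Server; Mon, 16 Mar 2026 09:11:57 -0700
"""

HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for ln in raw.splitlines():
        if ln[:1] in (" ", "\t") and lines:
            lines[-1] += " " + ln.strip()
        else:
            lines.append(ln)
    return lines


def egress_ip(raw_headers):
    """IP MailProtector recorded for Neptune's connection, or None if no such hop is present."""
    for header in unfold(raw_headers):
        hop = HOP_RE.match(header)
        if not hop or not hop.group("by").lower().endswith(RELAY_SUFFIX):
            continue
        ip = IP_RE.search(hop.group("paren") or "")
        return ip.group(1) if ip else None
    return None


def assess_egress(ip):
    """Findings for an observed egress IP; an empty list means SNAT and authorization are as intended."""
    if ip is None:
        return ["no MailProtector hop found in headers"]
    findings = []
    if ip not in AUTHORIZED:
        findings.append(f"{ip} is not authorized at MailProtector: relay accepts, then drops/rejects")
    if ip != EXPECTED_EGRESS:
        findings.append(f"SNAT not applied: left as {ip}, expected {EXPECTED_EGRESS}")
    if ip in NO_PTR:
        findings.append(f"{ip} has no PTR record and is blacklisted by some providers")
    return findings


if __name__ == "__main__":
    seen = egress_ip(SAMPLE_HEADERS)
    print("egress IP:", seen)
    for finding in assess_egress(seen) or ["OK"]:
        print(" -", finding)
```

Paste the raw headers of a real test message in place of `SAMPLE_HEADERS` after the UDM check: an empty findings list means the SNAT rule is doing its job, while a "SNAT not applied" finding with .122 reproduces the 3/16 observation without needing SSH access to the UDM.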