azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e34f51fe5d430e3207e32c219b7b72987fb29124
claudetools/.claude/memory/project_neptune_sbr_email_routing.md
Mike Swanson ad88fc31f0 sync: Auto-sync from acg-guru-5070 at 2026-03-22 22:31:46 
Synced files:
- Session logs updated
- Latest context and credentials
- Command/directive updates

Machine: acg-guru-5070
Timestamp: 2026-03-22 22:31:46

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-22 22:31:46 -07:00

2.8 KiB
Raw Blame History

name, description, type
name description type
Neptune SBR Email Routing Setup How outbound email routing works on Neptune Exchange - SBR agent, MailProtector smarthost, send connectors, and common fix for new clients project

Neptune Outbound Email Routing Chain

  1. User sends mail from Exchange mailbox on Neptune (172.16.3.11)
  2. Microsoft.Exchange.SBR transport agent (Priority 12) fires on OnResolved event
  3. SBR reads config files at C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Custom\:
    • Microsoft.Exchange.SBR.InternalDomains.config — list of domains SBR handles
    • Microsoft.Exchange.SBR.OverrideSettings.config — maps domain.com;domain.sbr for routing
    • Microsoft.Exchange.SBR.IgnoreAuthAs.config — exclusions
  4. SBR rewrites recipient routing to .sbr domain (e.g., rieussetcorp.sbr)
  5. Exchange matches .sbr address space to the corresponding Send Connector (e.g., Outbound.Sorensen)
  6. Send connector smarthosts through MailProtector: domain-com.outbound.emailservice.io
  7. MailProtector relays to final destination

There is also a messageconcept ExSBR agent at Priority 11 (C:\Program Files\messageconcept\ExSBR\).

Common Issue: New client or server move

When Neptune's IP changes or a new domain is added, MailProtector must have the sending server IP authorized. Without this, MailProtector accepts the relay but drops/rejects the message.

Fix (2026-03-22 for rieussetcorp.com): Added 67.206.163.124 and 67.206.163.122 to MailProtector's authorized sender IPs.

Neptune Location

Neptune physically moved from ACG office (72.194.62.7) to Dataforth (67.206.163.124 inbound, 67.206.163.122 outbound). SNAT rule on Dataforth UDM (/data/on_boot.d/10-neptune-snat.sh) should force outbound to use .124.

Access

  • WinRM: 172.16.3.11, ACG\administrator, via pywinrm with NTLM
  • Exchange PS: Connect via New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://neptune.acg.local/PowerShell/ -Authentication Kerberos
  • Requires Tailscale route through D2TESTNAS (192.168.0.9) for 172.16.0.0/22

Known Issues (as of 2026-03-22)

  • 67.206.163.122 has no PTR record and is blacklisted by some providers
  • SNAT rule may not be active — outbound was going as .122 not .124 on 3/16. Need to check UDM (192.168.0.254) — couldn't auth via SSH tonight, check in morning
  • MAIL transport server still exists in Exchange config but server is decommissioned
  • Spam queues with junk domains (wwwyamaha666.ru, bestspatulas.com, etc.)
  • Tailscale 172.16.0.0/22 route moved from ACG pfSense to D2TESTNAS — may need permanent solution
  • UDM SSH password (Paper123!@#-unifi) was rejected — may have changed

Resolved (2026-03-22)

  • rieussetcorp.com outbound: Added 67.206.163.124 and .122 to MailProtector authorized IPs — mail now flowing
Reference in New Issue View Git Blame Copy Permalink