Thursday, September 15, 2011

Hardware Load Balancing a Relay Connector

This is not a re-post of Pmeijden's blog, but you should read his blog first in order to understand what I am trying to show here.

One of the solutions mentioned in his article is to:

1. Add the HLB (hardware load balancer) IP to the Anonymous Relay connector on each HT (Hub Transport) server.
2. Create IP Allow rules, with a default Block rule, on the HLB to control who can relay.

This has been proven to work. But if email from outside also comes in through the HLB, inbound email will hit the Anonymous Relay connector instead of the Default Receive Connector. Every connection through the HLB arrives at Exchange from the HLB's own address, and Exchange hands a connection to the connector whose remote IP range matches the source most specifically; since the Anonymous Relay connector has the HLB IP defined explicitly, it wins. This still works if you have a hosted service (Postini, FOPE, etc.) or another on-premises email gateway in front: add the Postini/FOPE/gateway IP to the HLB allow rule and your server still cannot be used as an open relay. Keep in mind, though, that in this setup the HLB rule is the only thing standing between that relay connector and the internet.

But what if you don't have either of those, or you just don't want any other traffic to hit the Anonymous Relay connector (for logging and troubleshooting purposes)? The solution is to do the following:

  • Add an additional NIC to each HT server with an additional IP.
Note: do not add the additional IP to the existing NIC, as that will also register the additional IP on the DNS server. With a separate NIC you can disable DNS registration on that NIC. You also do not need to define a default gateway for the additional NIC, since it only needs to talk to the load balancer, which is on the same subnet.
  • Change the Default Receive Connector to listen on the original IP/NIC only and the Anonymous Relay connector to listen on the additional IP/NIC only.
  • Create a second VIP on the HLB that balances across the additional IPs on TCP 25.
  • Add the HLB IP to the Anonymous Relay connector's remote IP ranges.
  • On the HLB, create an IP allow/block rule so that only specific IPs can reach the second VIP.

Now inbound mail hits the Default Receive Connector while relay mail hits the Anonymous Relay connector. Two things are worth checking once it is in place: that no connector on the server is still bound to 0.0.0.0:25 (otherwise traffic can fall through to the wrong connector), and that the allow/block rule on the second VIP is as tight as you think, because Exchange only ever sees the HLB's address on that connector and cannot tell an allowed sender from anyone else.
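The same steps in the Exchange 2010 Management Shell for one Hub Transport server, followed by a small relay check, as an added example that is not code from the original post or from Pmeijden's. The server name HT01, the connector names, the addresses and the NIC name "Relay" are assumptions; the HLB address used in RemoteIPRanges is whatever Exchange sees as the source of connections arriving through the second VIP, which depends on whether your load balancer source-NATs.

```powershell
# Added example (not from the original post). Assumed names and addresses, replace with your own:
#   HT server:                                  HT01
#   Original NIC IP (MX / inbound mail):        10.0.0.11
#   Relay NIC IP (second NIC, no gateway):      10.0.0.211   (same subnet as the HLB)
#   Source address Exchange sees from the HLB:  10.0.0.5
#   Second VIP on the HLB for relay traffic:    10.0.0.200

# 1. Stop the second NIC from registering in DNS (Windows Server 2008 R2 era netsh syntax;
#    the NIC is assumed to have been renamed "Relay" in Network Connections).
netsh interface ipv4 set dnsservers name="Relay" source=static address=none register=none

# 2. Bind the Default connector to the original address only and the relay connector to the
#    relay address only; restrict the relay connector to the address the HLB connects from.
Set-ReceiveConnector -Identity "HT01\Default HT01" -Bindings "10.0.0.11:25"
Set-ReceiveConnector -Identity "HT01\Anonymous Relay" -Bindings "10.0.0.211:25" -RemoteIPRanges "10.0.0.5"

# 3. Confirm nothing on the server still listens on 0.0.0.0:25.
Get-ReceiveConnector -Server HT01 | Format-Table Name, Bindings, RemoteIPRanges -AutoSize

# 4. End-to-end relay check. Speaks just enough SMTP to see how the server answers RCPT TO
#    for an external domain and returns that reply line.
function Test-SmtpRelay {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [string]$From = "probe@example.com",
        [string]$To = "someone@external-domain.example"
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        # No TCP connection at all: typically the HLB block rule for this source address.
        return "no connection: $($_.Exception.Message)"
    }
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply, skipping the "250-..." continuation lines of a multi-line reply.
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        return $line
    }

    [void](Read-Reply)                               # banner
    $writer.WriteLine("EHLO probe.local");  [void](Read-Reply)
    $writer.WriteLine("MAIL FROM:<$From>"); [void](Read-Reply)
    $writer.WriteLine("RCPT TO:<$To>");     $rcpt = Read-Reply
    $writer.WriteLine("QUIT");              [void](Read-Reply)
    $client.Close()
    return $rcpt     # e.g. "250 2.1.5 Recipient OK" or "550 5.7.1 Unable to relay"
}

Test-SmtpRelay -Server 10.0.0.200   # relay VIP
Test-SmtpRelay -Server 10.0.0.11    # Default connector directly
```

Run Test-SmtpRelay against the relay VIP twice, once from a host the HLB rule allows and once from one it should block. The allowed host should get a 250 on RCPT TO; the blocked host should get no connection. If a blocked host also gets 250, the problem is the HLB rule, not Exchange: with the HLB in front, Exchange sees only the HLB's address and has no way to distinguish the two sources. The Default connector, tested directly on 10.0.0.11, should answer RCPT TO for an external domain with a 5.7.1 "Unable to relay" reply.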
