IM Convergence - Alias domain

Hi guys,
Do you know how we can make IM Convergence work using an "alias domain"?
If I use the main domain, it works fine, but if I use one of the alias domains of the main domain, IM Convergence keeps saying "connecting".
I already changed the iim.conf and the httpbind.conf files to include the main and alias domains...
Any ideas?
thanks a lot
have a good day

KenGra wrote:
> Do you know how we can make work IM Convergence using "alias domain"
How did you define the "alias domain"?
> if I use the main domain, it works fine but if I use one of the alias domain of the main domain IM Convergence keep saying "connecting"
What do you mean by "use one of the alias domain"? Does this mean you logged in with <uid>@<alias_domain> vs. <uid>@<primary_domain>?
Regards,
Shane.

Similar Messages

  • SharePoint 2013 - Incoming email with smtp alias domain

    Hi All
    I have configured the following for SharePoint 2013 Incoming email.
    CA - Incoming email - enabled
    Automatic and received mail from all servers
    email server display address: 
    [email protected]
    SMTP installed on one SharePoint server and configured with
    default domain:  spservername.domain.net and alias domain: 
    spmail.domainname.net
    Emails received in SharePoint lists / libraries are working when the incoming email settings use the default local SMTP domain (spservername.domainname.net) but not working when using the alias domain (spmail.domainname.net).
    Can anyone advise what I have done wrong or am missing in my configuration?
    Thanks in advance for your comments or advices
    Swanl

    trevor
    I tried that but that did not work.  I got this error below.  Does that mean I need to create a DNS MX record for spmail.domainname.net to point it to the smtp server
    spservername.domain.net
    Thanks
    Xuan
    Swanl
    It looks like you have a DNS mis-configuration in this case with regards to how your MX record is configured (if it exists at all).
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Postfix Equivalent to qmail Alias Domains

    Hey all,
    I've been Googling, but can't find an answer to this one. Does postfix have the functionality equivalent to qmail's Alias Domains feature?
    I want to have one mail server to handle mail for all my servers, but without ditching the hostname part of my servers when sending mail. That was confusing.
    Example:
    I have 3 servers:
    earth.mydomain.com
    venus.mydomain.com
    mars.mydomain.com
    I want mail sent from each of those servers to be sent as '[email protected]' and '[email protected]' or whatever user on whichever server it's being sent from.
    I want to point the MX records for the above 3 servers, to the one server that handles mail for 'mydomain.com' and then have that server alias 'earth.mydomain.com' to 'mydomain.com'.
    [email protected] - delivered to [email protected]
    [email protected] - delivered to [email protected]
    [email protected] - delivered to [email protected]
    This way I don't have to maintain user tables on the mail server for every user on each server.
    This is subtly different to a catch-all virtual mailbox alias in that:
    1) I still only want to accept mail if the '[email protected]' exists (not catch all!).
    2) The forward should keep the user the same, but 'catchall' the host part of the domain.
    Last edited by fukawi2 (2009-08-15 22:58:35)

    No, unfortunately not.

  • Question about Convergence per-domain customized login pages

    hi,
    Recently I installed JES 7 with Convergence 1u3 and have two domains:
    The default is defaultdomain.com
    test.com is my second hosted domain
    I would like to have a different login page per domain. So far I did this:
    iwcadmin -w test123 -o client.{test.com}.loginpage -v "/iwc_static/layout/login-test.html"
    And copy login.html to login-test.html and modify it.
    Also did an appserver restart.
    If I try this URL:
    http://mail.test.com/iwc_static/layout/login-test.html
    I can view the html page and enter to the convergence without problem.
    But my question is the following:
    If I try this URL:
    http://mail.test.com/iwc
    I get a redirect to:
    http://mail.defaultdomain.com/iwc_static/layout/login.html?lang=en&10.01_182620&svcs=abs,im,mail,calendar,c11n
    Is that behavior correct? Or am I missing something in my appserver/Convergence configuration?
    Thanks in advance

    ofonseca wrote:
    > Thank you Shane but still doesn't work.
    I tried your exact steps and still couldn't reproduce the problem you reported:
    ./iwcadmin -w password -o client.{test.com}.loginpage -v /iwc_static/layout/login-test.html
    cd /opt/sun/appserver/domains/domain1/docroot/
    cp iwc_static/layout/login.html iwc_static/layout/login-test.html
    Restart App-Server.
    Edited "hosts" file on client browser system to point mail.test.com at Convergence server IP address.
    Accessed: "http://mail.test.com/iwc"
    Redirected to: "http://mail.test.com/iwc_static/layout/login-test.html?lang=en-us&10.01_183235&svcs=abs,im,mail,calendar,c11n"
    When I enable AUTH debug logging (log.AUTH.loglevel = DEBUG), I also see a redirect message in the logs:
    iwc.log:AUTH: DEBUG from com.sun.comms.client.web.auth.IwcAuthController  Thread httpSSLWorkerThread-443-0 at 2009-10-20 23:28:24,468 - Redirecting to: http://mail.test.com/iwc_static/layout/login-test.html?lang=en-us&10.01_183235&svcs=abs,im,mail,calendar,c11n
    If you still have no luck after reviewing this, I suggest you log a Sun support request.
    Regards,
    Shane.

  • Convergence per domain customization problem

    I have enabled customizations in the convergence installation and added the configuration objectclass/attribute to the domain. I copied the configuration sample to my c11n directory. My config.js looks like this:
    c11n.config = {
        // allDomain configuration
        allDomain: {
            module: "allDomain", // module name
            themeEnabled: true, // true if theme is customized
            i18nEnabled: true, // true if i18n is customized
            jsEnabled: true // true if js is customized
            // the last entry must not end with comma
        },
        // replace sample.com for each domain configuration, change
        // domain name uwo_ca to example_com for javascript syntax and url syntax
        jestest_uwo_ca: {
            module: "jestest_uwo_ca", // module name
            themeEnabled: true, // true if theme is customized
            i18nEnabled: true, // true if i18n is customized
            jsEnabled: true // true if js is customized
            // the last entry must not end with comma
        }, // I have tried it without the , and with it
    };
    I then copied the default allDomain files into the jestest_uwo_ca directories and modified all the paths to reflect the directory structure. When I startup convergence I get to "20% User Theme" and it hangs. Enabling debug logs, the last message is:
    PROTOCOL: DEBUG from com.sun.comms.client.protocol.delegate.agent.ClientOptionsAgent Thread httpSSLWorkerThread-80-0 at 2010-05-13 12:16:21,731 - Found domain specific client preferences, merging with default client prefs
    The theme worked when I used it in the allDomain but I would rather use the per domain features for all the customizations. There is nothing weird in the ldap directory logs or in the log messages before the "merging with default" messages. Any advice on how to debug?
    thanks
    steve

    I started using the IE and got a javascript error outlined below. I rooted the problem down to using a symbolic link for jestest_uwo_ca. I guess it gets confused with all of the ../../../.. s.
    steve
    Webpage error details
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; (R1 1.6); InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Timestamp: Thu, 13 May 2010 18:08:46 UTC
    Message: Could not load 'c11n.jestest_uwo_ca.js.customize'; last tried '../../../c11n/jestest_uwo_ca/js/customize.js'
    Line: 20
    Char: 5357
    Code: 0
    URI: http://jestest.uwo.ca/iwc_static/js/dojotoolkit/dojo/dojo.js?12.01_213859

  • Do i need alias domain

    Hi,
    I'm new to Solaris and Sun Messaging Server.
    I have some questions about my work.
    Now I have aaa.com and my boss needs to add a new domain like bbb.com (he wants to use bbb.com as the default for outgoing mail (keep aaa.com too)),
    and he wants all mail to bbb.com and aaa.com to point to the same mailbox.
    I use Messaging Server ver. 6.2.
    I found someone talking about domain aliases; do I need it??
    And how should I do it?
    Please explain with a command or an example, 'cause I'm a baby with this system. Please help.
    Thank you very much for all replies
    ~>_<~

    shane_hjorth wrote:
    > _naiton_ wrote:
    > > i'm new on solaris and Sun Messaging Server
    > Please in future always provide the exact version of messaging server (./imsimta version). This may not be essential for this question but it is a good habit to get into.
    Sun Java(tm) System Messaging Server 6.2-3.04 (built Jul 15 2005)
    libimta.so 6.2-3.04 (built 01:43:03, Jul 15 2005)
    SunOS mail1 5.9 Generic_118558-34 sun4u sparc SUNW,Sun-Fire-V210
    > > now i have aaa.com and my boss need add new domain like bbb.com ( he want to use bbb.com is default for out going mail ( keep aaa.com too ))
    > A straight-forward enough request.
    > > and he want all mail to bbb.com and aaa.com point to the same mailbox
    > No problem.
    > > i found someone talk about domain alias do i need it??
    > This is where it gets tricky. There are two types of directory schema (specifications) which translate emails domains e.g. @domain.com to a location in the directory where users with @domain.com addresses exist e.g. o=myorg,o=isp. Schema 1 is the old layout, schema 2 is the new layout -- do you know which one you are using?
    i don't know how i can check it??
    > What tools are you using to provision (create/modify/edit) user accounts for Messaging Server?
    > Are you using Delegated Administrator (e.g. the web GUI -> http://hostname/da or the CLI -> ./commadmin <blah>) or do you edit the directory manually to allow new users to login?
    > Regards,
    > Shane.
    I dont have web GUI and i dont' know how to use ./commadmin command ~>_<~
    there is script for adding new user
    some of the script code
    ./ldapmodify -D cn="directory manager" -w xxxxxxx -a << EOF
    dn: uid=$name,ou=people,o=xxx.co.th,dc=xxx,dc=co,dc=th
    psIncludeInGAB: true
    iplanet-am-modifiable-by: cn=Top-level Admin Role,dc=eta,dc=co,dc=th
    inetCOS: platinum
    objectClass: top
    objectClass: iplanet-am-managed-person
    objectClass: iplanet-am-user-service
    objectClass: inetadmin
    objectClass: iplanetpreferences
    objectClass: inetsubscriber
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: inetuser
    objectClass: ipuser
    objectClass: nsmanagedperson
    objectClass: userpresenceprofile
    objectClass: inetmailuser
    objectClass: inetlocalmailrecipient
    objectClass: dspswuser
    mailHost: mail.xxx.co.th
    mail: [email protected]
    givenName: $name

  • Postfix "virtual alias domain" / "mydestination"

    In /var/log/mail.log I often find the following line:
    do not list domain starenterprise.com in BOTH mydestination and virtual_mailbox_domains
    I reviewed the document http://www.postfix.org/VIRTUAL_README.html where it is stated not to do this, but without stating a reason why.
    All I found during a search engine research was that in some cases a loop can occur, but it was mentioned in connection with a different Postfix topic, not the virtual aliases one. And I also think that this doesn't play a role. If a loop occurred, I should notice that a mail account grows largely, shouldn't I?
    My mail service works fine and before making a change here, I would like to know where the problem is when leaving it as it is currently. Unfortunately I did not find any information about this topic.
    In /etc/postfix/main.cf I have these lines (if I should post others, please let me know):
    myhostname = starenterprise.com
    mydomain = starenterprise.com
    virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
    mydestination = $myhostname,localhost.$mydomain,localhost
    In /etc/postfix/virtual_domains file I have starenterprise.com; but there is also a comment not to edit this file.
    So if there is a solution required, I would need to remove starenterprise.com from myhostname (since mydestination refers to). Is this correct ? But what to add then ? starenterprise.com is a domain of mine (the main one of the server, by the way) and used for sending/receiving mail and for naming the mail server.
    But first of all, why should I do that? I really read the Postfix virtual readme carefully, but I confess I have no clue what can go wrong. Furthermore I don't want to hurt my running mail service. Hoping for some light.

    The offence is because you cannot list a domain name as local and virtual,
    one or the other but not both.
    Since it's the main domain name that you have listed in the virtual list,
    removing it from the virtual list will correct the faux-pas.
    Okay, okay, I have removed our main domain from the virtual domain list and luckily everything still works.
    What I do not understand, and the only thing I really want to know, is... what is the worst that can happen when keeping the local domain also listed in the virtual domain list... do I then go right straight to **** or need I fear the revenge of the Postfix daemon?
    Confessed I have problems seeing the difference of local and virtual domains, maybe also because the German version of SA headlines the virtual domain list box with "Locally available, virtual domains".
    I'm aware that it seems not to be good practice (otherwise no error/warning would appear, logically). But it is also not good practice to cross a road when the traffic light is red. So I look forward to someone that can tell me more.
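
An added example, not part of the original posts and not Postfix code: a Python check that resolves `mydestination` and the virtual domain classes from main.cf text (using Postfix's parameter spelling `virtual_mailbox_domains`) and reports every domain listed in both, which is the condition the logged warning describes. The sample main.cf, the table contents and all function names are constructed for illustration.

```python
import re

# Constructed sample: the main.cf settings quoted in the post and a stand-in
# for the source file behind hash:/etc/postfix/virtual_domains.
SAMPLE_MAIN_CF = """\
myhostname = starenterprise.com
mydomain = starenterprise.com
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
mydestination = $myhostname, localhost.$mydomain,
    localhost
"""
SAMPLE_TABLES = {
    "/etc/postfix/virtual_domains":
        "# generated file, do not edit\nstarenterprise.com OK\nexample.org OK\n",
}

# Documented default when main.cf does not set mydestination.
DEFAULTS = {"mydestination": "$myhostname, localhost.$mydomain, localhost"}
VIRTUAL_CLASSES = ("virtual_mailbox_domains", "virtual_alias_domains")
_VAR = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")


def parse_main_cf(text):
    """Return {parameter: raw value}; later settings win, indented lines continue."""
    params, current = dict(DEFAULTS), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params


def expand(value, params, depth=0):
    """Expand $name, ${name} and $(name) references recursively."""
    if depth > 10:
        raise ValueError("parameter reference loop")

    def repl(match):
        name = match.group(1) or match.group(2) or match.group(3)
        return expand(params.get(name, ""), params, depth + 1)

    return _VAR.sub(repl, value)


def table_keys(source_text):
    """Left-hand keys of a Postfix lookup-table source file."""
    keys = set()
    for line in source_text.splitlines():
        if line.strip() and not line[0].isspace() and not line.startswith("#"):
            keys.add(line.split()[0].lower())
    return keys


def domain_class(name, params, tables):
    """Resolve one domain-list parameter to a set of lower-case domains.

    Handles literal names and type:/path tables; "!" patterns and
    /file/name includes are skipped in this example.
    """
    domains = set()
    for item in re.split(r"[,\s]+", expand(params.get(name, ""), params)):
        if ":" in item:
            path = item.split(":", 1)[1]
            if path not in tables:
                raise ValueError(f"no source supplied for table {item}")
            domains |= table_keys(tables[path])
        elif item and not item.startswith(("!", "/")):
            domains.add(item.lower())
    return domains


def find_overlaps(main_cf_text, tables):
    """Map each virtual class to the domains it shares with mydestination."""
    params = parse_main_cf(main_cf_text)
    local = domain_class("mydestination", params, tables)
    result = {}
    for cls in VIRTUAL_CLASSES:
        shared = local & domain_class(cls, params, tables)
        if shared:
            result[cls] = sorted(shared)
    return result


if __name__ == "__main__":
    for cls, names in find_overlaps(SAMPLE_MAIN_CF, SAMPLE_TABLES).items():
        for name in names:
            print(f"{name}: listed in both mydestination and {cls}")
```

Removing the domain from the table source, as the poster eventually did, makes `find_overlaps` return an empty result for the same main.cf.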

  • Adding a domain alias

    Dear All,
    Would anyone please point me how can I add a domain alias for my existing domain...
    let's suppose my existing domain has the following dn
    dn: o=company.com,dc=company,dc=com
    my new alias should be in the form
    o=com-pany.net,dc=company,dc=com
    I am using messaging server 6.3 and DSEE 6.3
    Thanks,
    Scotty

    s@mira123 wrote:
    > Would anyone please point me how can I add a domain alias for my existing domain...
    > let's suppose my existing domain has the following dn
    > dn: o=company.com,dc=company,dc=com
    If you are using schema 2 then domain 'aliases' are set with the associatedDomain attribute.
    http://docs.sun.com/app/docs/doc/819-4428/bgahk?a=view
    So to add an "alias" domain you add the appropriate associatedDomain e.g.
    dn: o=company.com,dc=company,dc=com
    associatedDomain: com-pany.net
    Regards,
    Shane.

  • How can I send email from my yahoo alias account in iPhone5 mail?

    How can I send email from my yahoo alias account in iPhone5 mail?
    I have 2 email accounts: [email protected] is an alias of [email protected]
    In my old iPhone3 I had these accounts set up so that I could send and receive email from both accounts. I did this using the following settings:
    ‘Other’ POP account info:
    Name: xyz
    Address: [email protected]
    Description: alias
    Incoming mail server:
    Host name: pop.mail.yahoo.com
    User name: [email protected]
    Password: password for yahoo account
    Server port: 995
    Outgoing mail server:
    SMTP: smtp.o2.co.uk (o2 is the name of my phone network)
    Server port: 25
    ‘Yahoo!’ account info:
    Name: xyz
    Address: [email protected]
    Password: password for yahoo account
    Description: Yahoo!
    Outgoing mail server:
    Primary server: Yahoo! SMTP server
    Server port: 465
    I’ve tried using the same settings in my new iPhone5, but it doesn’t work. I can receive mail to both accounts, and can send from the Yahoo account, but I cannot send mail from the alias account. When I try, it displays the message: “Cannot send mail. A copy has been placed in your Outbox. The recipient ‘[email protected]’ was rejected by the server”.
    I’ve tried to configure the POP alias account using combinations of ‘pop.mail.yahoo.com’, ‘pop.mail.yahoo.co.uk’, ‘apple.pop.mail.yahoo.co.uk’ and ‘apple.pop.mail.yahoo.com’, for the incoming host, and ‘smtp.o2.co.uk’, ‘smtp.mail.yahoo.com’, ‘smtp.mail.yahoo.co.uk’, ‘apple.smtp.mail.yahoo.com’ and ‘apple.smtp.mail.yahoo.co.uk’ for the outgoing mail server. None of these have worked.
    I’ve also tried setting it up using IMAP instead of POP without success. I tried configuring it using combinations of ‘imap.mail.yahoo.com’, ‘apple.imap.mail.yahoo.com’, ‘imap.mail.yahoo.co.uk’ and ‘apple.imap.mail.yahoo.co.uk’ for the incoming mail server and ‘smtp.o2.co.uk’, ‘smtp.mail.yahoo.com’, ‘smtp.mail.yahoo.co.uk’, ‘apple.smtp.mail.yahoo.com’ and ‘apple.smtp.mail.yahoo.co.uk’ for the outgoing mail server.
    Yahoo say that if I can't send Yahoo! Mail from my mail program, I may be accessing the Internet through an ISP that is blocking the SMTP port, and that if this is the case, I should try setting the SMTP port number to 587 when sending email via Yahoo!'s SMTP server. I don't think that this is the problem, but I tried it just to make sure - without success.
    I’ve also heard that the problem might have something to do with the SPF settings of my alias domain provider. I’m not too sure exactly what SPF settings are, or how to change them, but from what I can gather it seems unlikely that this is the problem given that I was able to send mail from my alias account on my old iPhone3.
    Any help much appreciated: how can I get my alias account to send emails in iPhone5 mail?
    Many thanks,
    Patrick

    A new development: I've tried sending emails from the alias several times over the past 24 hours, but in general I've deleted them if they haven't sent within about half an hour.
    However, one of the messages I left sitting in the outbox did send successfully in the end, but this took about an hour.
    So: perhaps my problem is not in fact that I am completely unable to send mail from my alias, but that I can only do so intermittently and extremely slowly, and by ignoring the "cannot send" message.
    Any help appreciated.

  • Aliasing domain names

    I'm trying to create an alias of a domain name. That is <anyname>@a.com is the same mailbox as <anyname>@b.com. I was trying to use Delegated Administrator to set this up. In the DA interface, there is a box under root->a.com (menu)->organizations->Organization Properties->Domain Information there is a field called: "Alias Names for Domain". I set this to "b.com". I'm assuming this is supposed to be a domain alias.
    This seems to map into the ldap schema as: associateddomain: b.com
    However, when I send mail, it doesn't go through. Instead I get:
    05-Feb-2009 13:09:20.52 tcp_intranet JES 0 [email protected] rfc822; [email protected] 550 5.1.1 unknown or illegal alias: [email protected]
    My main question is the "Alias Names for Domain" supposed to work as I expect, or is it there to do something else.
    I am able to make it work if I set up a user alias in DA. That is, in DA, for user [email protected], I set 'Email Aliases:' to [email protected]. Then mail to [email protected] works.
    Thanks!
    bash-3.2# ./imsimta version
    Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)
    libimta.so 7.0-3.01 64bit (built 09:24:13, Dec 9 2008)
    bash-3.2# ./commadmin -vV
    Delegated Administrator 6.4-3.01 (B2008-10-22)

    jandrusiak wrote:
    > I'm trying to create an alias of a domain name. That is <anyname>@a.com is the same mailbox as <anyname>@b.com. I was trying to use Delegated Administrator to set this up. In the DA interface, there is a box under root->a.com (menu)->organizations->Organization Properties->Domain Information there is a field called: "Alias Names for Domain". I set this to "b.com". I'm assuming this is supposed to be a domain alias.
    > This seems to map into the ldap schema as: associateddomain: b.com
    > However, when I send mail, it doesn't go through. Instead I get:
    > 05-Feb-2009 13:09:20.52 tcp_intranet JES 0 [email protected] rfc822; [email protected] 550 5.1.1 unknown or illegal alias: [email protected]
    > My main question is the "Alias Names for Domain" supposed to work as I expect, or is it there to do something else.
    > I am able to make it work if I set up a user alias in DA. That in, in DA, for user [email protected], I set 'Email Aliases:' to [email protected]. Then mail to [email protected] works.
    There are two methods to create a domain alias. The first is an MTA-level domain rewrite rule which rewrites the envelope recipient address from <something>@b.com => <something>@a.com. This approach is much quicker to implement in the short term but has the disadvantage of limited flexibility i.e. users are "forced" to have the email alias.
    To achieve this domain alias you add the following rewrite rule to your imta.cnf file:
    b.com      $E$F$U%a.com@localhost
    The second method is the one that you already started to implement. That method is to assign the alias domain (b.com) to a specific user/group schema 2 branch by adding "associateddomain: b.com". Then for each user who needs to have the alias, add an entry to their Email Aliases (mailalternateaddress:).
    The advantage of the second method is that you only have to assign an email alias to those users who want/need it. Also if the user has [email protected], there is no reason why they have to have [email protected], you could assign them [email protected] instead.
    I recommend you continue with the second method.
    Regards,
    Shane.

  • Domain aliasing with iMS 5.2?

    We're testing iMS 5.2 with direct ldap to ds 5.1 and need to do a domain alias. We have our-name.com and ourname.com. We always use ourname.com but some still use the original our-name.com so we would like it to work as an alias. Vanity domain isn't viable.
    The provisioning guide has the ldif code for creating an aliased domain entry in the directory. This went without a problem. But what do I have to do to get IMS to recognize our-name.com is just an alias for ourname.com?
    THANKS!

    In 5.2 or even 5.1, you can simply create the domain alias in LDAP and let the MTA do the rest.
    dc=sample,dc=com,o=internet
    inetdomainbasedn: o=sample, o=hostings, o=isp.com
    dc=alias,dc=com,o=internet
    aliasedobjectname=dc=sample,dc=com,o=internet
    it used to work fine in 5.1 but I can't make it work in 5.2 (direct ldap) : I looked at the directory server logs and ims indeed follows "aliasedobjectname", then searches in the inetdomainbasedn. BUT it searches for the "alias domain" email address ([email protected]), not for the aliased one ([email protected])
    Adding [email protected] as a mailAlternate or mailSupplement attribute is NOT a workaround :<

  • Nickname or alias - neither

    Soon i will have mx records pointing to my gwia for domain midbook.com. I have some users to create, however, these users are currently in our groupwise system as arvig.com addresses. They will want their midbook.com mail forwarded to their arvig.com address.
    In the past, I have created external users since they do not need novell login, then chose the domain from the drop down on internet addressing, and just did a rule to forward mail to their arvig.com account, setting visibility in address book to none.
    This won't work : We cannot create two objects with same name - for instance, dalem is already novell/groupwise login id on arvig.com.... i cannot create another groupwise object, even with a different domain name called dalem. So I am not sure how to accomplish this.
    The only thing I can possibly do, is to change their initial login to dalemo (add one more letter of last name) so that the object is different in edirectory.
    I have checked into nickname, but it doesn't seem to let me have a different domain name. I have checked into alias, but these users do not want to send as their alias domain name, they want to be known to the world as arvig.com now.
    Thank you in advance.

    StacieWhite wrote:
    > Soon i will have mx records pointing to my gwia for domain midbook.com. I
    > have some users to create, however, these users are currently in our
    > groupwise system as arvig.com addresses. They will want their midbook.com
    > mail forwarded to their arvig.com address.
    well, quite honestly, all of this is unnecessary. I receive mail for
    [email protected], [email protected] [email protected] through the same GWIA to
    the same userid. All you have to do is add the new midbook.com as a valid
    iDomain (in Internet Addressing) and mail will just start delivering to your
    users both at arvig.com and midbook.com. You set which is the "default" for
    outbound, but all inbound addresses are valid UNLESS you choose the option
    of "this user is known only by this address" in the Internet Addressing
    overrides.
    In other words, the same user can happily receive mail for as many domain
    names as you have without any nicknames or aliases involved. Nicknames and
    aliases are only used for the "userid" portion of the name (and aliases are
    deprecated and no longer even necessary now that there is Internet
    Addressing in GW).
    Danita
    Novell Knowledge Partner
    Moving GroupWise to Linux?
    http://www.caledonia.net/gwmove.html

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    1. DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    2. DVD>Install Lion
    3. Reboot, hopefully Lion install kicks in
    4. Update, update, update Lion (NOT Lion Server yet) until no more updates
    5. System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    6. Terminal>$ sudo scutil --set HostName server.domain.com
    7. App Store>Install Lion Server and run through the Setup
    8. Download install Server Admin Tools, then update, update, update until no more updates
    9. Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    10. System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    11. A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Use Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling the Allow remote logins will load this config file; or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
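    Review bot: in the 40a42,44 hunk, HOSTS_DENY = /private/etc/hosts.deny only blocks anything if the sshd on this host consults hosts.deny (TCP wrappers support); without that, DenyHosts records and reports offenders but denies nobody. Add a comment next to the new line stating that dependency, and confirm it once with a throwaway entry.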
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
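    Review bot: in the 186c186 hunk, ServerName is set to domain.com:443, but the post goes on to say that the automatically created SSL certificate only knows about server.domain.com, so the name Apache announces does not match the certificate it serves. Setting ServerName server.domain.com:443 would keep the two consistent until a certificate covering domain.com exists.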
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
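    Review bot: the Include /etc/apache2/mydomain/*.conf line added at 677a678,680 loads every .conf file found in that directory when Apache restarts, and nothing in the added comment says who may write there. Note next to the Include that /etc/apache2/mydomain must be owned by root and not group- or world-writable.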
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch Apache, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # bash is required: the parsing below relies on extglob patterns such as +([0-9]).
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" = "" ]                 # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s\n\tto %s.\n' "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" "$USERNAME@$HOSTNAME:$SSHPORT" \
        || echo "SSH tunnel FAIL."

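The SSH section of the post above turns off root and password logins with three sshd_config lines. As an added example (not part of the original post), this shell function audits a config for those three settings, taking into account that sshd uses the first value it reads for a keyword and that Match blocks can override it. The function and sample names are hypothetical, the sample configs are constructed, and Include files are not followed.

```shell
#!/bin/sh
# Audit an sshd_config for the three settings named in the post.
# Prints one finding per line; exit status 0 = no findings, 1 = findings.
# Usage on a real host: audit_sshd_config /etc/sshd_config
audit_sshd_config() {
    awk '
        BEGIN {
            n = split("permitrootlogin passwordauthentication challengeresponseauthentication", keys, " ")
            for (i = 1; i <= n; i++) want[keys[i]] = 1
            bad = 0; in_match = 0
        }
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept the "Keyword=value" form
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])   # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (!(key in want)) next
            if (in_match) {
                # A Match block overrides the global value for the connections it selects
                if (val != "no") {
                    printf "line %d: %s %s inside a Match block\n", NR, f[1], f[2]
                    bad++
                }
                next
            }
            if (key in seen) next                # sshd keeps the first value it reads
            seen[key] = 1
            if (val != "no") {
                printf "line %d: %s is %s, expected no\n", NR, f[1], f[2]
                bad++
            }
        }
        END {
            # A commented-out or missing keyword leaves the compiled-in default active
            for (i = 1; i <= n; i++)
                if (!(keys[i] in seen)) {
                    printf "%s not set, compiled-in default applies\n", keys[i]
                    bad++
                }
            exit (bad > 0)
        }
    ' "${1:--}"
}

# Constructed sample: the three lines from the post.
sample_hardened() {
cat <<'EOF'
# constructed sample
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Constructed sample: looks hardened at a glance but is not.
sample_weak() {
cat <<'EOF'
# constructed sample
#PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
challengeresponseauthentication=yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on the constructed weak sample
sample_weak | audit_sshd_config || echo "findings listed above"
```
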
  • On Windows 2012 Terminal Server Outlook fails to connect to Exchange 2013

    I have a new install of Windows 2012.  I have two physical servers.  One is a W2012 std Domain Controller ("DC").  The Second is configured as W2012 HyperV  ("HV").  Under HV I have
    two VMs.  One VM is W2012/Exchange 2013 ("ExchVM) and the other is W2012/Terminal Server ("VMTS").  All systems are behind a firewall appliance.  Exchange is working via Outlook and OWA internally and externally.  The self
    created SSL must be installed manually on external machines since it comes up as an untrusted certificate.  Once installed remote outlook works and OWA works.  I have configured the terminal server and I am able
    to login remotely as various users under my "TS group".  The problem is whenever I attempt to open Outlook for the 1st time, it fails to connect to the exchange server.   (Open Outlook 2013, click next
    on the splash screen, "Yes" Add an Email Account splash screen, click next, Auto Account screen populates NAME and Email Address correctly, click next, Searching for mail server settings..., check on establishing network connection, check on searching
    for alias@ domain, then fails the logging on to the mail server)  The error reads:  "Outlook cannot log on.  Verify you are connected to the network and are using the proper server and mailbox name.  The
    connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."   I am connected in RDS from offsite, and from the RD session I can access shared folders on ExchVM and DC.  I have
    verified the Exchange server name is correct via the "Get-ClientAccessServer" command.  I have also tried to use the GUID via "Get-Mailbox
    ALIAS | fl name, exchangeguid".  Keep in mind all desktop users on the network are connecting to Outlook without issue.
    I would appreciate any thoughts on solving this issue.

    Hi,
    According to your workaround, it seems that the Outlook Anywhere configuration in Outlook client is not correct when using the Autodiscover service.
    Once you have connected to the Exchange server with manual settings, please run the Test E-mail AutoConfiguration tool in the external Outlook client to check the autodiscover service:
    open Outlook - press CTRL key - right click on the Outlook icon from right bottom corner taskbar - Test Email AutoConfiguration. Put your email address - uncheck use guessmart and secure guessmart authentication - click Test to check your Autodiscover service.
    Please check the Log tab and confirm whether the Autodiscover service is connected successfully. Also confirm if the connection issue happens to all external users when they open Outlook for the 1st time. In Exchange server, please make sure
    autodiscover.domain.com has been included in your Exchange certificate which is assigned with IIS service.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Unable to send to external email recipients - Multi Tenant Exchange 2013 - MultiRole servers in DAG

    Greetings all, I hope someone can help.
    I have created an Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Send Connectors are the default ones created during install. Receive connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for many hours with no progress.
    I have created new Send Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet, I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    I am at a loss as to why I can't send out with the default configuration. I would assume that email would flow out without any changes, but this does not happen.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

    Greetings all, I hope someone can help.
    I have created an Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine.
    Incoming mail from external senders is also fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Receive Connectors are the default ones created during install. Send connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for several days with no progress.
    I have created new Receive Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet, I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    Even more info - Further troubleshooting -
    I found one of my Exchange servers had an extra NIC. I have since added a second NIC to the other server, so now both Exchange servers have dual NICs. I removed the DAG cleanly and recreated the DAG from scratch, using this link -
    hxxp://careexchange.in/how-to-create-a-database-availability-group-in-exchange-2013/ 
    The issue still exists, even with a newly created DAG. I also found that the Tenant Address Books were not 'applied'. I applied them but still no resolution
    I think the issue is related to multi-tenant configuration even though the error says that it can't relay. The unable to relay message can appear when sending from a domain that the Organization does not support. Like trying to email as [email protected]
    when your domain name is apple.com - But through extensive research I still can't resolve the issue.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry
