Every now and then I get a question relating to running an Exchange server on an internet connection that only has a dynamic public IP address available. This is most common when people are running an Exchange Server test environment at home with a residential, consumer-grade internet connection. But it also comes up occasionally for businesses running on those types of internet connections.
There are three challenges that present themselves here:
- Inbound connections to the server such as OWA (HTTPS) or incoming email (SMTP) will stop working if the dynamic IP changes and the DNS records for your external URLs (such as the OWA URL) and MX records aren’t updated to the new IP address
- Outbound mail flow from a dynamic IP will often be blocked due to IP reputation issues or spam block lists
- Outbound mail flow will often be blocked by the ISP not allowing outbound SMTP connections from dynamic IP ranges
Each of those has a solution, and depending on your circumstances you may be able to solve them all, but I know that in some cases the problems cannot be overcome. Let’s take a look at the solutions anyway.
Inbound Connections to a Dynamic Public IP Address
First, the inbound connections. If you’re trying to learn about Exchange Server then having inbound connectivity to services such as Outlook Anywhere, OWA, and ActiveSync is helpful, and so is being able to establish inbound mail flow or to set up a Hybrid configuration with Office 365.
The solution I use for dynamic IP addresses is to sign up with a dynamic DNS provider. There are a variety of providers out there, some are free and some are paid. You can shop around and choose one you’re comfortable with. Most recently I used No-IP who have a free option.
I set up a free hostname similar to “mytestlab.no-ip.org”. My DSL router includes a feature that will automatically update No-IP with my new public IP address each time it changes (as an alternative, they provide a client that you can install to handle this). If my IP doesn’t change for 30 days then I simply click a link in an email that No-IP sends me to re-confirm that I am using the hostname. If you want to avoid that 30-day confirmation process, their paid plans are very inexpensive, and you can even use them to host your own domain name.
However, I don’t use that free hostname for my Exchange namespaces. Instead, I set up my Exchange namespaces (such as “mail.exchange2013demo.com”) as CNAME records in DNS that alias to the “mytestlab.no-ip.org” hostname. This allows me to still acquire SSL certificates for my Exchange server because I am the owner of exchange2013demo.com, whereas I am not the owner of no-ip.org and therefore can’t buy SSL certificates for hostnames in that domain.
The same applies to my MX records. I configure normal MX records, for example mail.exchange2013demo.com, and alias that to the no-ip.org hostname.
So inbound connections to an Exchange Server on a dynamic public IP can work by using:
- A dynamic DNS provider
- A DSL router that supports the dynamic DNS provider, or the provider’s downloadable client software
- CNAME records in DNS for my namespaces and MX records that alias to the dynamic hostname
I have not encountered any issues with the above solution so it should work for test environments or real production environments, though I generally wouldn’t recommend it for production environments.
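A quick way to confirm the arrangement summarised above after an address change, as an added example rather than a script from the original article: it uses the article's sample names, and the 300-second TTL threshold is an assumption. It also reports whether an MX target is itself an alias, since RFC 2181 section 10.3 says an MX target must not be one.

```powershell
# Added example. Hostnames are the article's sample names; replace with your own.
$DynamicHost = 'mytestlab.no-ip.org'
$MailDomain  = 'exchange2013demo.com'
$Namespaces  = @('mail.exchange2013demo.com')
$MaxTtl      = 300   # assumed threshold in seconds, not a value from the article

function Get-AnswerChain {
    param([Parameter(Mandatory)][string]$Name)
    # Asking for type A on an alias returns the CNAME record(s) plus the final A record(s).
    Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
}

# Address currently published for the dynamic DNS hostname
$dynamicIp = @(Get-AnswerChain $DynamicHost | Where-Object Type -eq 'A' |
    ForEach-Object IPAddress)

# Hostnames that sending servers will look up from the domain's MX records
$mxTargets = @(Resolve-DnsName -Name $MailDomain -Type MX -DnsOnly -ErrorAction Stop |
    Where-Object Type -eq 'MX' | ForEach-Object NameExchange)

$names = @($Namespaces + $mxTargets | Where-Object { $_ } | Select-Object -Unique)

$report = foreach ($name in $names) {
    $chain   = Get-AnswerChain $name
    $aliases = @($chain | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
    $addrs   = @($chain | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $minTtl  = ($chain | Measure-Object -Property TTL -Minimum).Minimum
    [pscustomobject]@{
        Name            = $name
        AliasChain      = $aliases -join ' -> '
        Addresses       = $addrs -join ', '
        # True when the name aliases to the dynamic hostname and shares its address
        FollowsDynamic  = ($aliases -contains $DynamicHost) -and
                          [bool]($addrs | Where-Object { $dynamicIp -contains $_ })
        MxTargetIsAlias = ($mxTargets -contains $name) -and ($aliases.Count -gt 0)
        Ttl             = $minTtl   # remaining TTL if a caching resolver answered
        TtlOk           = $minTtl -le $MaxTtl
    }
}
$report | Format-Table -AutoSize
```

Run it from a machine outside your network (or add `-Server` with a public resolver) so that internal split-DNS zones do not mask what external senders and clients see.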
Outbound Connections from a Dynamic Public IP Address
Outbound connections tend to be more troublesome because there are two common issues. But the solution for both is the same; it just depends on whether your ISP supports it.
At the heart of the issue is how untrustworthy the dynamic IP address ranges for residential/consumer ISPs are, given their history of residential computers being compromised and used in botnets to send spam, spread malware, or launch DDoS attacks. Any email sent from such an IP address is likely to be junked or blocked entirely during the initialization of the SMTP connection.
Another factor is that many ISPs block outbound SMTP connections from their customers to the internet at large, only allowing them to specific hosts such as the ISP’s own SMTP servers.
While this isn’t a big deal for a test lab that just wants to send some test messages, it is nice to see that your outbound email actually works, so if you can get around it with minimal effort then it’s worth it.
The basic solution is to configure your outgoing email to use the ISP server as a smart host.
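One way to set that up in the Exchange Management Shell, as an added example that is not from the original article: the smart host name smtp.isp.example, port 587, the connector name and the use of authenticated submission are all assumptions, so use whatever your ISP documents.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
$SmartHost = 'smtp.isp.example'   # hypothetical; use your ISP's relay hostname
$Port      = 587                  # assumed submission port; many ISPs use 25 instead

# Confirm the ISP lets you reach its relay before changing mail routing
if (-not (Test-NetConnection -ComputerName $SmartHost -Port $Port).TcpTestSucceeded) {
    throw "Cannot reach ${SmartHost}:${Port} from this server"
}

# Account the ISP gave you for relaying; skip the two auth parameters below
# if the ISP relays by source IP address instead of by login.
$cred = Get-Credential

# Route all external mail through the smart host instead of direct MX delivery.
# BasicAuthRequireTLS refuses to send the password unless STARTTLS succeeds,
# whereas plain BasicAuth would send it in the clear.
New-SendConnector -Name 'Internet via ISP smart host' `
    -Usage Custom `
    -AddressSpaces '*' `
    -DNSRoutingEnabled $false `
    -SmartHosts $SmartHost `
    -Port $Port `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential $cred `
    -SourceTransportServers $env:COMPUTERNAME `
    -ProtocolLoggingLevel Verbose

# Review the result; disable or remove any older connector that still
# delivers '*' directly via DNS, otherwise mail may bypass the smart host.
Get-SendConnector |
    Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled, SmartHosts,
                Port, SmartHostAuthMechanism, ProtocolLoggingLevel
```

With protocol logging set to Verbose, the send protocol log shows whether STARTTLS and authentication succeeded for each outbound session, which is the first place to look when test messages queue up.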
If your ISP does not provide a smart host, and offers no way to request an exception to the rules, then you may be out of luck. I have seen some people get around this using a VPN tunnel and a smart host service, so all is not lost, but it makes things more complex overall.
If you’re trying to set up a Hybrid with Office 365 things become a bit harder. Although the Hybrid configuration itself can be set up, you’re likely to have your Hybrid mail flow from on-prem to the cloud rejected due to your dynamic IP address. You can request that the IP address be unblocked by Microsoft, which they’ll generally do without any problems, but the next time your dynamic IP address changes you could be blocked again. Still, for the sake of learning how Hybrid configurations are set up you may only need it working for a few days while you do your testing.
Those are my tips for running an Exchange Server on a dynamic IP address. They mostly apply to test environments. If you’re trying to run a production system on a dynamic IP you can expect some other concerns to arise, particularly around mail flow and things like managing SPF records, as well as optimizing your DNS record TTLs so that there is no lengthy disruption every time your IP address changes. So for production your mileage may vary, but for testing it is perfectly fine.
If you’ve got any additional tips you want to share with people from your own experience running Exchange on a dynamic IP address please leave a comment below.