Working with SMTP Connectors, Sites, and Links


SMTP connectors, Active Directory sites, and Active Directory links all have important roles to play in determining how Exchange routes and delivers messages in your organization. You can work with connectors, sites, and links in a variety of ways, but first you need a strong understanding of how connectors are used.

Connecting Source and Destination Servers

Exchange Server 2007 uses SMTP connectors to represent logically the connection between a source server and a destination server. How you configure an SMTP connector determines how Exchange Server transports messages using that connection. Because each SMTP connector represents a one-way connection, Exchange Server uses both Send and Receive connectors.

A Send connector is a logical gateway through which transport servers send all outgoing messages. When you create a Send connector, it is stored in Active Directory or Active Directory Application Mode (ADAM) as a connector object. Send connectors are not scoped to a single server. Multiple servers can use a single Send connector for sending messages. Send connectors deliver mail either by looking up a mail exchanger (MX) record on a Domain Name System (DNS) server or by using a smart host as a destination. By default with DNS MX records, the DNS server settings you configure on the Transport server are used for name resolution. You can configure different settings for internal and external DNS lookups, if necessary. See the "Configuring Send Connector DNS Lookups" section of this chapter.

A Receive connector is a logical gateway through which all incoming messages are received. When you create a Receive connector, it is stored in Active Directory or ADAM as a connector object. Unlike Send connectors, Receive connectors are scoped to a single server and determine how that server listens for connections. The permissions on a Receive connector determine from whom the connector will accept connections. The authentication mechanisms you configure for a Receive connector determine whether anonymous connections are allowed and the types of authentication that are permitted.

Exchange Server creates the Send and Receive connectors required for mail flow when you install your Hub Transport servers. If your organization also uses Edge Transport servers, Exchange creates the additional Send and Receive connectors required during the Edge Subscription process. You can also explicitly create Send and Receive connectors or automatically compute them from the organization topology using Active Directory sites and site-link information.

Viewing and Managing Active Directory Site Details

Hub Transport servers use Active Directory sites and the costs that are assigned to the Active Directory Internet Protocol (IP) site links to determine the least-cost routing path to other Hub Transport servers in the organization. After a Hub Transport server determines the least-cost routing path, the server routes messages over the link or links in this path, and in this way, a source Hub Transport server relays messages to target Hub Transport servers. By default, when there are multiple Active Directory sites between the source and destination server, the Hub Transport servers that are located in Active Directory sites along the path between the source server and the target server don't process or relay the messages in any way. However, there are several exceptions:

  • If you want messages to be processed en route, you can configure an Active Directory site as a hub site so that Exchange routes messages to the hub site to be processed by the site's Hub Transport servers before being relayed to a target server. The hub site must exist along the least-cost routing path between source and destination Hub Transport servers.

  • If a message cannot be delivered to the target site, the Hub Transport server in the closest reachable site along the least-cost routing path of the target site queues the message for relay. The message is then relayed when the destination Hub Transport server becomes available.

You can use the Get-AdSite cmdlet to display the configuration details of an Active Directory site. If you do not provide an identity with this cmdlet, configuration information for all Active Directory sites is displayed.

Sample 15-1 provides the syntax and usage, as well as sample output, for the Get-AdSite cmdlet. Note that the output specifies whether the site is enabled as a hub site.

Sample 15-1: Get-AdSite cmdlet syntax and usage

Syntax

    Get-AdSite [-Identity 'SiteIdentity']

Usage

    Get-AdSite -Identity 'First-Seattle-Site'

Output

    Schema               : Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSiteSchema
    HubSiteEnabled       : False
    AdminDisplayName     :
    ObjectCategoryName   : site
    ExchangeVersion      : 0.0 (6.5.6500.0)
    CurrentObjectVersion : 0.1 (8.0.535.0)
    Name                 : First-Seattle-Site
    DistinguishedName    : CN=First-Seattle-Site, CN=Sites, CN=Configuration, DC=cpandl, DC=com
    Identity             : cpandl.com/Configuration/Sites/First-Seattle-Site
    Guid                 :
    ObjectCategory       : cpandl.com/Configuration/Schema/Site
    ObjectClass          : {top, site}
    OriginalId           : cpandl.com/Configuration/Sites/First-Seattle-Site
    WhenChanged          : 6/28/2006 2:33:19 PM
    WhenCreated          : 6/28/2006 2:33:19 PM
    ObjectState          : Unchanged
    OriginatingServer    : corpsvr127.cpandl.com
    IsReadOnly           : False
    Id                   : cpandl.com/Configuration/Sites/First-Seattle-Site
    IsValid              : True

You can use the Set-AdSite cmdlet to configure an Active Directory site as a hub site to override the default message routing behavior. When a hub site exists along the least-cost routing path between source and destination Hub Transport servers, messages are routed to the hub site for processing before they are relayed to the destination server.

Sample 15-2 provides the syntax and usage, as well as sample output, for the Set-AdSite cmdlet. To enable a site as a hub site, set the -HubSiteEnabled parameter to $true. To disable a site as a hub site, set the -HubSiteEnabled parameter to $false.

Sample 15-2: Set-AdSite cmdlet syntax and usage

Syntax

    Set-AdSite -Identity 'SiteIdentity'
     [-HubSiteEnabled <$true | $false>]

Usage

    Set-AdSite -Identity 'First-Seattle-Site' -HubSiteEnabled $true

Viewing and Managing Active Directory Site Link Details

You can use the Get-AdSiteLink cmdlet to view the configuration information about an Active Directory IP site link. This configuration information includes the value of the Exchange-specific cost, the cost assigned to the Active Directory IP site link, and a list of the sites in the IP site link.

Note 

A good resource to learn more about Active Directory sites and site links is Windows Server 2003 Inside Out (Microsoft, 2004). See Chapter 35, "Configuring Active Directory Sites and Replication" and Chapter 39, "Active Directory Site Administration."

Sample 15-3 provides the syntax and usage, as well as sample output, for the Get-AdSiteLink cmdlet. Use the Identity parameter to retrieve the configuration information about a specific IP site link. If you do not provide an identity, the configuration information about all IP site links is returned.

Sample 15-3: Get-AdSiteLink cmdlet syntax and usage

Syntax

    Get-AdSiteLink [-Identity 'SiteIdentity']

Usage

    Get-AdSiteLink -Identity 'PORTLANDSEATTLELINK'

Output

    Schema               : Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSiteLinkSchema
    Cost                 : 100
    ADCost               : 100
    ExchangeCost         :
    Sites                : {Default-First-Site-Name}
    AdminDisplayName     :
    ObjectCategoryName   : siteLink
    ExchangeVersion      : 0.0 (6.5.6500.0)
    CurrentObjectVersion : 0.1 (8.0.535.0)
    Name                 : PORTLANDSEATTLELINK
    DistinguishedName    : CN=PORTLANDSEATTLELINK, CN=IP, CN=Inter-Site Transports, CN=Sites, CN=Configuration, DC=cpandl, DC=com
    Identity             : cpandl.com/Configuration/Sites/Inter-Site Transports/IP/PORTLANDSEATTLELINK
    Guid                 :
    ObjectCategory       : cpandl.com/Configuration/Schema/Site-Link
    ObjectClass          : {top, siteLink}
    OriginalId           : cpandl.com/Configuration/Sites/Inter-Site Transports/IP/PORTLANDSEATTLELINK
    WhenChanged          : 6/28/2006 2:33:19 PM
    WhenCreated          : 6/28/2006 2:33:19 PM
    ObjectState          : Unchanged
    OriginatingServer    : corpsvr127.cpandl.com
    IsReadOnly           : False
    Id                   : cpandl.com/Configuration/Sites/Inter-Site Transports/IP/PORTLANDSEATTLELINK
    IsValid              : True

By default, Exchange Server 2007 determines the least-cost routing path by using the cost that is assigned to the Active Directory IP site links. You can change this behavior by using the Set-AdSiteLink cmdlet to configure an Exchange-specific cost for Active Directory IP site links. After you configure it, the Exchange-specific cost is used instead of the Active Directory-assigned cost to determine the Exchange routing path.

Sample 15-4 provides the syntax and usage, as well as sample output, for the Set-AdSiteLink cmdlet. When there are multiple wide area network (WAN) paths between sites, you can set a higher site-link cost if you want to reduce the likelihood that a link will be used. You can set a lower site-link cost if you want to increase the likelihood that a link will be used.

Sample 15-4: Set-AdSiteLink cmdlet syntax and usage

Syntax

    Set-AdSiteLink -Identity 'SiteIdentity'
     -ExchangeCost Cost

Usage

    Set-AdSiteLink -Identity 'PORTLANDSEATTLELINK' -ExchangeCost 20
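The cost override and the hub-site condition described above can be traced on a small topology. This is an added example, not taken from the book: a least-cost path search in which ExchangeCost, when set, replaces ADCost, and a hub site counts only if it lies on the chosen path. The site names, link names, costs and function names are constructed, and the script assumes Windows PowerShell 3.0 or later; it does not need Exchange installed.

```powershell
# Constructed sample topology, shaped like Get-AdSiteLink output
# (Name, ADCost, ExchangeCost, Sites). Site and link names are hypothetical.
$links = @(
    [pscustomobject]@{ Name = 'SEA-PDX'; ADCost = 100; ExchangeCost = $null; Sites = @('Seattle', 'Portland') }
    [pscustomobject]@{ Name = 'PDX-CHI'; ADCost = 100; ExchangeCost = $null; Sites = @('Portland', 'Chicago') }
    [pscustomobject]@{ Name = 'SEA-DEN'; ADCost = 150; ExchangeCost = $null; Sites = @('Seattle', 'Denver') }
    [pscustomobject]@{ Name = 'DEN-CHI'; ADCost = 150; ExchangeCost = $null; Sites = @('Denver', 'Chicago') }
)
$hubSites = @('Denver')   # sites where HubSiteEnabled is $true (constructed)

function Get-EffectiveCost {
    param($Link)
    # An Exchange-specific cost, once set, is used instead of the AD cost.
    if ($null -ne $Link.ExchangeCost) { return [int]$Link.ExchangeCost }
    return [int]$Link.ADCost
}

function Get-LeastCostPath {
    param([object[]]$Links, [string]$Source, [string]$Target)
    $dist = @{}; $dist[$Source] = 0      # best known cost per site
    $prev = @{}                          # predecessor on the best path
    $done = @{}                          # sites already settled
    while ($true) {
        # Dijkstra step: settle the cheapest site not yet processed.
        $current = @($dist.Keys) | Where-Object { -not $done.ContainsKey($_) } |
            Sort-Object { $dist[$_] } | Select-Object -First 1
        if ($null -eq $current -or $current -eq $Target) { break }
        $done[$current] = $true
        foreach ($link in $Links | Where-Object { $_.Sites -contains $current }) {
            foreach ($next in $link.Sites | Where-Object { $_ -ne $current }) {
                $cost = $dist[$current] + (Get-EffectiveCost $link)
                if (-not $dist.ContainsKey($next) -or $cost -lt $dist[$next]) {
                    $dist[$next] = $cost
                    $prev[$next] = $current
                }
            }
        }
    }
    if (-not $dist.ContainsKey($Target)) { return $null }   # no chain of links reaches the target
    $path = @($Target)
    while ($path[0] -ne $Source) { $path = @($prev[$path[0]]) + $path }
    [pscustomobject]@{ Path = $path; Cost = $dist[$Target] }
}

function Get-FirstProcessingSite {
    param([string[]]$Path, [string[]]$HubSites)
    # Intermediate sites do not process the message unless one of them is a
    # hub site that lies on the least-cost path.
    for ($i = 1; $i -lt $Path.Count - 1; $i++) {
        if ($HubSites -contains $Path[$i]) { return $Path[$i] }
    }
    return $Path[-1]
}

function Show-Route {
    param([object[]]$Links, [string[]]$HubSites)
    $r = Get-LeastCostPath -Links $Links -Source 'Seattle' -Target 'Chicago'
    '{0} (cost {1}); first processing site: {2}' -f ($r.Path -join ' -> '), $r.Cost,
        (Get-FirstProcessingSite -Path $r.Path -HubSites $HubSites)
}

# Route computed from the AD-assigned costs only.
Show-Route -Links $links -HubSites $hubSites

# Equivalent of running Set-AdSiteLink -ExchangeCost 20 on both Denver links.
$links | Where-Object { $_.Sites -contains 'Denver' } | ForEach-Object { $_.ExchangeCost = 20 }
Show-Route -Links $links -HubSites $hubSites
```

With the constructed costs, the first call routes through Portland and never reaches the Denver hub site, so nothing configured there processes the message. After the override the route crosses Denver, which becomes the first processing site.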

Creating Send Connectors

Send connectors are the gateways through which Transport servers send messages. Exchange automatically creates the Send connectors required for mail flow. As an administrator, you can explicitly create Send connectors and then manage the configuration of these explicitly created Send connectors as necessary. You cannot, however, manage the configuration of Send connectors created implicitly by Exchange to enable mail flow. The key reasons for creating Send connectors are when you want to:

  • Control explicitly how message routing works within domains or between domains.

  • Control explicitly the hosts used as destinations or the way messages are routed over the Internet.

  • Connect to an Exchange Server 2003 or Exchange 2000 Server routing group.

When you create Send connectors, you can encrypt message traffic sent over the link and require strict authentication. You can transmit messages to a designated server, called a smart host, or you can use DNS MX records to route messages. If you use a smart host, Exchange Server 2007 transfers messages directly to the smart host, which then sends out messages over an established link. The smart host allows you to route messages on a per-domain basis. If you use DNS MX records, Exchange Server 2007 performs a DNS lookup for each address to which the connector sends mail.

When you create a Send connector, you must either define the address space for the connector or link it to a specific Receive connector. The address space determines when the Send connector is used and the domain names to which the connector sends messages. For example, if you want to connect two domains in the same Exchange organization, dev.microsoft.com and corp.microsoft.com, you can create a Send connector in dev.microsoft.com, and then add an SMTP address type for the e-mail domain corp.microsoft.com.

Send connectors can be used by multiple Transport servers. When you create a Send connector within an Exchange 2007 organization, you can select the Hub Transport servers that are permitted to use the Send connector. When you create a Send connector on an Edge Transport server, the Send connector is configured for only that server.

To create a Send connector, complete the following steps:

  1. Start Exchange Management Console. On an Edge Transport server, select Edge Transport. On a Hub Transport server, expand the Organization Configuration node, and then select Hub Transport.

  2. On the Send Connectors tab in the details pane, right-click an open area, and then select New Send Connector. This starts the New SMTP Send Connector wizard, shown in Figure 15-1.

    Figure 15-1: Create a new SMTP Send connector.

  3. In the Name text box, type a descriptive name for the connector, and then set the connector type. The available options are:

    • Custom: Creates a Send connector that sends mail to the address spaces you specify. No default group permissions are set.

    • Internal: Creates a Send connector for sending mail to another transport server in the organization, and sets the default permissions so that the connector can be used by the Exchange Servers group.

    • Internet: Creates a Send connector that sends mail to external users over the Internet. Used with Edge Transport servers only with default permissions for the Anonymous and Partners groups.

    • Legacy: Creates a Send connector that sends mail to an Exchange 2003 or Exchange 2000 routing group, and sets the default permissions so that the connector can be used by the Legacy Servers groups. Legacy connectors can only use smart hosts.

    • Partner: Creates a Send connector that sends mail to partner domains. Partner domains cannot be configured as smart hosts. Only connections that authenticate with Transport Layer Security (TLS) are allowed by default. Partner domains must also be listed on the TLS Send Domain Secure list.

  4. Click Next, and on the Address Space page, click Add. In the Add Address Space dialog box, enter the domain name to which this connector will send mail. To use this connector to send e-mail to all subdomains of the address space, select the Include All Subdomains check box. Click OK to close the Add Address Space dialog box. Repeat as necessary to add more address spaces to this connector. If you make a mistake, select the address space, and then click Remove. When you are finished, click Next to continue.

  5. On the Network Settings page, select how you want to send e-mail with the Send connector. If you select Use Domain Name System (DNS) "MX" Records To Route Mail Automatically, the Send connector uses the DNS client service on the Transport server to query a DNS server and resolve the destination address. Skip steps 6–10.

  6. If you select Route Mail Through The Following Smart Hosts, you have to specify the smart hosts to which mail should be forwarded for processing. Click Add.

  7. In the Add Smart Host dialog box, select either IP Address or Fully Qualified Domain Name (FQDN) to specify how to locate the smart host. If you select IP Address, enter the IP address of the smart host. If you select Fully Qualified Domain Name (FQDN), enter the full domain name of the smart host. The Transport server must be able to resolve the FQDN.

  8. Click OK to close the Add Smart Host dialog box. Repeat steps 6–8 as necessary to add more smart hosts to this connector. If you make a mistake, select the smart host, and then click Edit or Remove as appropriate. When you are finished, click Next to continue.

  9. After you've configured smart hosts, you'll see the Configure Smart Host Authentication Settings page next. On this page, select the method that you want to use to authenticate your servers to the smart host. Choose one of the following options, and then click Next:

    • Basic Authentication: Standard authentication with wide compatibility. With basic authentication, the user name and password specified are passed as cleartext to the remote domain.

    • Basic Authentication Over TLS: Transport Layer Security (TLS) authentication is combined with basic authentication to allow encrypted authentication for servers with smart cards or X.509 certificates.

    • Exchange Server Authentication: Secure authentication for Exchange servers. With Exchange Server authentication, credentials are passed securely.

    • Externally Secured: Secure authentication for Exchange servers. With externally secured authentication, credentials are passed securely using an external security protocol for which the server has been separately configured, such as Internet Protocol Security (IPSec).

    Note 

    With Basic Authentication or Basic Authentication Over TLS, you must provide the name and password for the account authorized to establish connectors to the designated smart hosts. All smart hosts must use the same user name and password.

  10. When you are working with a Hub Transport server, you'll see the Source Server page next. If you are logged on to a Hub Transport server, this server is added as the source server automatically. Click Add to associate the connector with Hub Transport servers and Edge Subscriptions. In the Select Hub Transport And Subscribed Edge Transport Servers dialog box, select the Hub Transport server or the Edge subscription that will be used as the source server for sending messages to the address space that you previously specified, and then click OK. Repeat as necessary to add additional Transport servers. If you make a mistake, select the server, and then click Remove. When you are finished, click Next to continue.

  11. On the New Connector page, review the configuration summary for the connector. To modify the settings, click Back. To create the Send connector, click New.

  12. On the Completion page, click Finish.

In Exchange Management Shell, you can create Send connectors using the New-SendConnector cmdlet. The Usage parameter sets the Send connector type as Custom, Internal, Internet, or Legacy. The AddressSpaces parameter sets the address spaces for the Send connector by FQDN or IP address. The DNSRoutingEnabled parameter determines whether DNS MX records are used for lookups or smart hosts are used. To use DNS MX records, set DNSRoutingEnabled to $true. To use smart hosts, set DNSRoutingEnabled to $false, and then use the SmartHosts parameter to designate the smart hosts.

Sample 15-5 provides the syntax and usage for the New-SendConnector cmdlet. With Basic Authentication or Basic Authentication Over TLS, you will be prompted to provide credentials.

Sample 15-5: New-SendConnector cmdlet syntax and usage

Syntax

    New-SendConnector -Name 'Name'
     [-AuthenticationCredential 'Credentials']
     [-AuthMechanism <'None'|'BasicAuth'|'BasicAuthPlusTls'|'ExchangeServer'|'ExternalAuthoritative'>]
     [-DNSRoutingEnabled <$true | $false>]
     [-Enabled <$true | $false>]
     [-ExternallySecuredAsPartnerDomain 'SmtpDomain']
     [-LinkedReceiveConnector 'ReceiveConnectorIdentity']
     [-RequireTLS <$true | $false>]
     [-SmartHosts 'SmartHosts']
     [-SourceTransportServers 'TransportServers']
     [-Usage <'Custom'|'Internal'|'Internet'|'Legacy'>]
     [-UseExternalDNSServersEnabled <$true | $false>]

Usage for DNS MX records

    New-SendConnector -Name 'Adatum.com Send Connector' `
     -Usage 'Custom' `
     -AddressSpaces 'smtp:*.adatum.com;1' `
     -DNSRoutingEnabled $true `
     -AuthMechanism 'None' `
     -SourceTransportServers 'CORPSVR127'

Usage for smart hosts

    New-SendConnector -Name 'Cohovineyards.com' `
     -Usage 'Custom' `
     -AddressSpaces 'smtp:*.cohovineyards.com;1' `
     -DNSRoutingEnabled $false `
     -SmartHosts '[192.168.10.52]' `
     -AuthMechanism 'BasicAuth' `
     -SourceTransportServers 'CORPSVR127'
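The smart host authentication choices in step 9 differ in what they expose on the wire, so a configuration review should list which connectors use which method. This is an added example, not taken from the book: a check that flags cleartext Basic Authentication, externally secured connectors that depend on separate protection, and one account shared across several smart hosts. The connector objects are constructed samples whose property names mirror the New-SendConnector parameters in Sample 15-5; that object shape and the function name are assumptions, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Constructed sample connectors. Property names mirror the New-SendConnector
# parameters shown in Sample 15-5; the object shape is an assumption.
$connectors = @(
    [pscustomobject]@{ Name = 'Adatum.com Send Connector'; DNSRoutingEnabled = $true
                       SmartHosts = @(); AuthMechanism = 'None'; RequireTLS = $false }
    [pscustomobject]@{ Name = 'Cohovineyards.com'; DNSRoutingEnabled = $false
                       SmartHosts = @('[192.168.10.52]'); AuthMechanism = 'BasicAuth'; RequireTLS = $false }
    [pscustomobject]@{ Name = 'Relay pair (constructed)'; DNSRoutingEnabled = $false
                       SmartHosts = @('[192.168.10.52]', '[192.168.10.53]')
                       AuthMechanism = 'BasicAuthPlusTls'; RequireTLS = $true }
    [pscustomobject]@{ Name = 'Branch link (constructed)'; DNSRoutingEnabled = $false
                       SmartHosts = @('[192.168.20.7]'); AuthMechanism = 'ExternalAuthoritative'; RequireTLS = $false }
)

function Test-SendConnectorAuth {
    param([Parameter(ValueFromPipeline = $true)]$Connector)
    process {
        $findings = @()
        $smartHosts = @($Connector.SmartHosts)

        switch ($Connector.AuthMechanism) {
            'BasicAuth' {
                # Basic Authentication passes the user name and password as cleartext.
                $findings += 'HIGH: smart host credentials are sent as cleartext'
            }
            'ExternalAuthoritative' {
                # Externally Secured trusts protection configured elsewhere, such as IPSec.
                $findings += 'REVIEW: depends on separately configured protection; confirm it is in place'
            }
            'None' {
                if (-not $Connector.DNSRoutingEnabled) {
                    $findings += 'REVIEW: no authentication is configured toward the smart host'
                }
            }
        }

        # All smart hosts on a connector receive the same user name and password.
        if ($Connector.AuthMechanism -like 'BasicAuth*' -and $smartHosts.Count -gt 1) {
            $findings += "REVIEW: one account is shared by $($smartHosts.Count) smart hosts"
        }

        # Without RequireTLS the connector does not insist on an encrypted session.
        if (-not $Connector.RequireTLS -and $Connector.AuthMechanism -ne 'ExternalAuthoritative') {
            $findings += 'INFO: TLS is not required on this connector'
        }

        foreach ($finding in $findings) {
            [pscustomobject]@{ Connector = $Connector.Name; Finding = $finding }
        }
    }
}

$connectors | Test-SendConnectorAuth | Format-Table -AutoSize -Wrap
```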

Viewing and Managing Send Connectors

The Exchange Management tools only provide access to the Send connectors you've explicitly created. On Hub Transport servers, Send connectors created by Exchange Server are not displayed or configurable. On Edge Transport servers, you can view and manage the internal Send connector used to connect to the Hub Transport servers in your Exchange organization.

To view the Send connectors and manage their configuration, start Exchange Management Console. On an Edge Transport server, select Edge Transport, and then click the Send Connectors tab in the details pane. On a Hub Transport server, expand the Organization Configuration node, select Hub Transport, and then click the Send Connectors tab in the details pane. Send connectors you've created are listed by name and status. You can now:

  • Change a connector's properties: To change a connector's properties, right-click the connector, and then select Properties. Use the Properties dialog box to manage the connector's properties.

  • Enable a connector: To enable a connector, right-click it, and then select Enable.

  • Disable a connector: To disable a connector, right-click it, and then select Disable.

  • Remove a connector: To remove a connector, right-click it, and then select Remove.

In Exchange Management Shell, you can view, update, or remove Send connectors using the Get-SendConnector, Set-SendConnector, or Remove-SendConnector cmdlets, respectively. Samples 15-6 through 15-8 provide the syntax and usage. With Get-SendConnector, if you don't specify an identity, the cmdlet returns a list of all administrator-configured Send connectors.

Sample 15-6: Get-SendConnector cmdlet syntax and usage

Syntax

    Get-SendConnector
    Get-SendConnector -Identity 'ConnectorIdentity'

Usage

    Get-SendConnector -Identity 'Adatum.com Send Connector'

Sample 15-7: Set-SendConnector cmdlet syntax and usage

Syntax

    Set-SendConnector -Identity 'ConnectorIdentity'
     [-Name 'NewName']
     [-AuthenticationCredential 'Credentials']
     [-AuthMechanism <'None'|'BasicAuth'|'BasicAuthPlusTls'|'ExchangeServer'|'ExternalAuthoritative'>]
     [-DNSRoutingEnabled <$true | $false>]
     [-Enabled <$true | $false>]
     [-ExternallySecuredAsPartnerDomain 'SmtpDomain']
     [-LinkedReceiveConnector 'ReceiveConnectorIdentity']
     [-RequireTLS <$true | $false>]
     [-SmartHosts 'SmartHosts']
     [-SourceTransportServers 'TransportServers']
     [-Usage <'Custom'|'Internal'|'Internet'|'Legacy'>]
     [-UseExternalDNSServersEnabled <$true | $false>]

Usage

    Set-SendConnector -Identity 'Adatum.com Send Connector' `
     -Usage 'Custom' `
     -AddressSpaces 'smtp:*.adatum.com;1' `
     -DNSRoutingEnabled $true -SmartHosts: `
     -AuthMechanism 'None' `
     -SourceTransportServers 'CORPSVR127'

Sample 15-8: Remove-SendConnector cmdlet syntax and usage

Syntax

    Remove-SendConnector -Identity 'ConnectorIdentity'

Usage

    Remove-SendConnector -Identity 'Adatum.com Send Connector'

Configuring Send Connector DNS Lookups

You can configure different settings for internal and external DNS lookups by configuring a Transport server's External DNS Lookups and Internal DNS Lookups properties. External DNS Lookup servers are used to resolve the IP addresses of servers outside your organization. Internal DNS Lookup servers are used to resolve IP addresses of servers inside the organization.

To configure DNS Lookup servers, complete these steps:

  1. Start Exchange Management Console. On an Edge Transport server, select Edge Transport. On a Hub Transport server, expand the Server Configuration node, and then select the Hub Transport node.

  2. In the details pane, right-click the server, and then select Properties.

  3. On the External DNS Lookups tab, specify how external lookups should be performed:

    • To use DNS settings from the server's network card or cards for external lookups, select Use Network Card DNS settings, and then either choose All Available to use all configured settings or a specific network card to use the configured settings of that card.

    • To use a specific DNS server for external lookups, click Use These DNS Servers. Then type the IP address of a DNS server to use for external lookups, and then click Add. Repeat this process to specify multiple servers.

  4. On the Internal DNS Lookups tab, specify how internal lookups should be performed:

    • To use DNS settings from the server's network card or cards for internal lookups, select Use Network Card DNS settings, and then either choose All Available to use all configured settings or a specific network card to use the configured settings of that card.

    • To use a specific DNS server for internal lookups, click Use These DNS Servers. Then type the IP address of a DNS server to use for internal lookups, and then click Add. Repeat this process to specify multiple servers.

  5. Click OK to save your settings.

Setting Send Connector Limits

Send connector limits determine how mail is delivered once a connection has been established and the receiving computer has acknowledged that it's ready to receive the data transfer. At that point, Exchange Server attempts to deliver messages queued for delivery to the computer. If a message can't be delivered on the first attempt, Exchange Server tries to send the message again after a specified time. Exchange Server keeps trying to send the message at the intervals you've specified until the expiration time-out is reached. When the time limit is reached, the message is returned to the sender with a nondelivery report (NDR). The default expiration time-out is two days.

After multiple failed attempts to deliver a message, Exchange Server generates a delay notification and queues it for delivery to the user who sent the message. Notification doesn't occur immediately after failure. Instead, Exchange Server sends the delay notification message only after the notification delay interval and then only if the message hasn't already been delivered. The default delay notification is four hours.

With SMTP, you have much more control over outgoing connections than you do over incoming connections. You can limit the number of simultaneous connections and the number of connections per domain. These limits set the maximum number of simultaneous outbound connections. By default, the maximum number of connections is 1000, and the maximum number of connections by domain is 20.

You can view or change the Send connector limits by completing the following steps:

  1. Start Exchange Management Console. On an Edge Transport server, select Edge Transport. On a Hub Transport server, expand the Server Configuration node, and then select the Hub Transport node.

  2. In the details pane, right-click the server, and then select Properties.

  3. On the Limits tab, use the following options for retrying unsuccessful outbound connections:

    • Outbound Connection Failure Retry Interval (Minutes): Sets the retry interval for subsequent connection attempts to a remote server where previous connections have failed. The default is 60 minutes.

    • Transient Failure Retry Interval (Seconds): Sets the interval at which the server immediately retries when it encounters a connection failure with a remote server. The default is 300 seconds.

    • Transient Failure Retry Attempts: Sets the maximum number of times that the server immediately retries when it encounters a connection failure with a remote server. The default is six. If you enter 0 as the number of retry attempts or the maximum number of attempts has been reached, the server no longer immediately retries a connection and instead waits according to the outbound connection failure retry interval.

    • Subsequent Retry Interval (Minutes): Sets the amount of time to wait after the fourth and subsequent delivery attempts. The default is 15 minutes.

  4. When messages that cannot be delivered reach the Maximum Time Since Submission value, they expire and Exchange Server generates a nondelivery report (NDR). To set the expiration time-out for messages, enter the desired message expiration value in the Maximum Time Since Submission (Days) text box. The default expiration time-out for messages is two days.

  5. When messages are delayed longer than the allowed delay interval, Exchange Server sends a delay notification to the sender. To set the amount of time to wait before notifying senders of a delay, enter the desired wait time in the Delay Notification text box. The default wait time is four hours.

  6. To remove outgoing connection limits, clear the Maximum Concurrent Outbound Connections check box. To set an outgoing connection limit, select the Maximum Concurrent Outbound Connections check box, and then type the limit value. The default limit is 1,000 outbound connections.

  7. To remove outgoing connection limits per domain, clear the Maximum Concurrent Outbound Connections Per Domain check box. To set an outgoing connection limit per domain, select the Maximum Concurrent Outbound Connections Per Domain check box, and then type the limit value. The default limit is 20 outbound connections per domain.

  8. Click OK to save your settings.

Creating Receive Connectors

Receive connectors are the gateways through which Transport servers receive messages. Exchange creates the Receive connectors required for mail flow automatically. The receive permissions on a Receive connector determine who is allowed to send mail through the connector.

As an administrator, you can explicitly create Receive connectors and then manage the configuration of those explicitly created Receive connectors as necessary. You cannot, however, manage the configuration of connectors created implicitly by Exchange to enable mail flow. The key reasons for creating SMTP connectors are when you want to:

  • Control explicitly how messages are received within domains or between domains.

  • Control explicitly the permitted incoming connections.

  • Receive mail from an Exchange 2003 or Exchange 2000 routing group.

Unlike Send connectors, Receive connectors are used by only a single, designated Transport server. When you create a Receive connector within an Exchange 2007 organization, you can select the Hub Transport or Edge Transport server with which the connector should be associated and configure the specific binding for that connector. A binding is a combination of IP addresses and ports on which the Receive connector listens. You cannot create a Receive connector that duplicates the bindings of existing Receive connectors. Each Receive connector must have a unique binding.

Note 

Exchange Server 2007 uses standard SMTP or Extended SMTP (ESMTP) to deliver mail. As the ESMTP standard is more efficient and secure than SMTP, SMTP connectors always try to initiate ESMTP sessions before trying to initiate standard SMTP sessions. SMTP connectors initiate ESMTP sessions with other mail servers by issuing an EHLO start command. SMTP connectors initiate SMTP sessions with other mail servers by issuing the HELO start command.

To create a Receive connector, complete the following steps:

  1. Start Exchange Management Console. On an Edge Transport server, select Edge Transport. On a Hub Transport server, expand the Server Configuration node, and then select the Hub Transport node. On the Receive Connectors tab in the details pane, select the server on which you want to create the receive connection, and then click the server's Receive Connectors tab.

  2. In the details pane, below Receive Connectors, right-click an open area, and then select New Receive Connector. This starts the New SMTP Receive Connector wizard, shown in Figure 15-2.

    Figure 15-2: Create a new SMTP Receive connector.

  3. In the Name text box, type a descriptive name for the connector, and then set the connector type. The available options are:

    • Custom: Creates a Receive connector bound to a specific port or IP address on a server with multiple receive ports or IP addresses. Can also be used to specify a remote IP address from which the connector receives messages. No default group permissions are set.

    • Internal: Creates a Receive connector to receive messages from another Transport server in the organization. For Edge Transport servers, it sets the default permissions so that the connector can be used by the Exchange Servers group. For Hub Transport servers, it sets the default permissions so that the connector can be used by the Exchange Servers and Exchange Users groups.

    • Internet: Creates a Receive connector that accepts incoming connections from the Internet. Sets default permissions for the Anonymous group.

    • Client: Creates a Receive connector used to receive mail from users of Microsoft Exchange. Only connections from authenticated Microsoft Exchange users are accepted by default.

    • Partner: Creates a Receive connector used to receive mail from partner domains. Partner domains cannot be configured as smart hosts. Only connections that authenticate with Transport Layer Security (TLS) are allowed by default. Partner domains must also be listed on the TLS Receive Domain Secure list.

    • Legacy: Creates a Receive connector that accepts incoming connections from an Exchange 2003 or Exchange 2000 routing group, and sets the default permissions so that the connector can be used by the Legacy Servers groups.

  4. Click Next. For Custom, Partner, and Internet Receive connectors, you can specify the local IP addresses and the port on which mail can be received. By default, Custom and Internet Receive connectors are configured to receive mail over port 25 on all available IP addresses for which the server is configured. Port 25 is the default TCP port for SMTP. To use a different configuration, select the default entry on the Local Network Settings page, and then click Remove. You can now create new entries by clicking Add. In the Add Receive Connector Binding dialog box, select Use All Available IP Addresses to have the connector listen for connections on all the IP addresses that are assigned to the network adapters on the local server. Select Specify An IP Address if you want to type an IP address that is assigned to a network adapter on the local server, and have the connector listen for connections only on this IP address. As necessary, modify the listen port value. Click OK.

  5. For Custom, Partner, and Internet Receive connectors, you can use the Local Network Settings page to specify the FQDN that the Transport server provides in response to HELO or EHLO messages. In the Specify The FQDN This Connector Will Provide In Response To HELO or EHLO text box, type the name that the server advertises, such as mailserver83.cpandl.com. Click Next.

  6. On the Remote Network Settings page, you can specify the remote IP addresses from which the server can receive mail. By default, Receive connectors are configured to accept mail from all remote IP addresses, which is why the IP address range 0.0.0.0 – 255.255.255.255 is set as the default entry. You'll only want to change this behavior if you want to limit the servers that are permitted to send mail to the Transport server. To use a different configuration, select the default entry on the Remote Network Settings page, and then click Remove. To specify the remote servers by a range of IP addresses, click the small arrow next to Add, and then select IP Range. In the Add Remote Servers – IP Address Range dialog box, enter a start IP address and an end IP address for the first acceptable range of IP addresses, and then click OK. Repeat this process as necessary to configure other acceptable IP address ranges. Click Next.

  7. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.

  8. On the Completion page, click Finish.

In Exchange Management Shell, you can create Receive connectors using the New-ReceiveConnector cmdlet. The Usage parameter sets the Receive connector type as Custom, Internal, Internet, or Legacy. The Bindings parameter sets the internal IP addresses and ports on which to listen. The FQDN parameter sets the FQDN to advertise in response to HELO or EHLO messages. The RemoteIPRanges parameter provides a comma-separated list of acceptable IP address ranges. The Server parameter specifies the server on which to create the Receive connector.

Sample 15-9 provides the syntax and usage for the New-ReceiveConnector cmdlet. With Basic Authentication or Basic Authentication Over TLS, you will be prompted to provide credentials.

Sample 15-9: New-ReceiveConnector cmdlet syntax and usage

Syntax

    New-ReceiveConnector -Name 'Name'
      [-Usage <'Custom'|'Internal'|'Internet'|'Legacy'>]
      [-Bindings 'Bindings']
      [-Fqdn 'FQDN']
      [-RemoteIPRanges 'IPRange1','IPRange2',…]
      [-Server 'Server']

Usage

    New-ReceiveConnector -Name 'Custom Receive Connector' `
      -Usage 'Custom' `
      -Bindings '0.0.0.0:425' `
      -Fqdn 'mailserver85.cpandl.com' `
      -RemoteIPRanges '0.0.0.0-255.255.255.255' `
      -Server 'CORPSVR127'

Viewing and Managing Receive Connectors

To view all available Receive connectors, start Exchange Management Console, and expand the Server Configuration node. On an Edge Transport server, select Edge Transport. On a Hub Transport server, select Hub Transport. On the Receive Connectors tab in the details pane, select the server on which you want to create the Receive connector, and then click the server's Receive Connectors tab. Receive connectors are listed by name and status. You can now:

  • Change a connector's properties: To change a connector's properties, right-click the connector, and then select Properties. Use the Properties dialog box to manage the connector's properties.

  • Enable a connector: To enable a connector, right-click it, and then select Enable.

  • Disable a connector: To disable a connector, right-click it, and then select Disable.

  • Remove a connector: To remove a connector, right-click it, and then select Remove.

When configuring Receive connector properties, you can specify the security mechanisms that can be used for incoming connections on the Authentication tab. Use any combination of the following:

  • Transport Layer Security: Allows encrypted authentications with TLS for servers with smart cards or X.509 certificates.

  • Enable Domain Security (Mutual Auth TLS): When TLS is enabled, you can also enable domain security to require mutual authentication.

  • Basic Authentication: Allows basic authentication. With basic authentication, the user name and password specified are passed as cleartext to the remote domain.

  • Offer Basic Authentication Only After Starting TLS: Allows basic authentication only within an encrypted TLS session.

  • Exchange Server Authentication: Allows secure authentication for Exchange servers. With Exchange Server authentication, credentials are passed securely.

  • Integrated Windows Authentication: Allows secure authentication using NT LAN Manager (NTLM) or Kerberos.

  • Externally Secured: Allows secure external authentication. With externally secured authentication, credentials are passed securely using an external security protocol for which the server has been separately configured, such as IPSec.

Also, when configuring Receive connector properties, you can specify who is allowed to connect on the Permission Groups tab. Use any combination of the following:

  • Anonymous Users: Allows unauthenticated, anonymous users to connect to the Receive connector.

  • Exchange Users: Allows connections by authenticated users who are valid recipients in the organization.

  • Exchange Servers: Allows connections by authenticated servers that are members of the Exchange Server Administrator group.

  • Legacy Exchange Servers: Allows connections by authenticated servers that are members of the ExchangeLegacyInterop group.

  • Partners: Allows connections by authenticated servers that are members of partner domains, as listed on the TLS Receive Domain Secure list.
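
The following is an added example, not code from the book: a read-only audit that applies the Authentication and Permission Groups settings described above to Receive connector objects and reports risky combinations, such as Basic authentication outside TLS. It assumes PowerShell 2.0 or later and the AuthMechanism, PermissionGroups, RemoteIPRanges, Enabled, and Identity properties of Get-ReceiveConnector output; the function name Test-ReceiveConnectorExposure and the sample objects are constructed for illustration.

```powershell
# Added example; assumes PowerShell 2.0 or later. Sample objects are constructed.
# On a transport server: Get-ReceiveConnector | Test-ReceiveConnectorExposure
function Test-ReceiveConnectorExposure {
    param([Parameter(ValueFromPipeline = $true)] $Connector)
    process {
        if (-not $Connector.Enabled) { return }   # a disabled connector is not listening
        # AuthMechanism and PermissionGroups are flag sets; split their string form.
        $auth   = "$($Connector.AuthMechanism)" -split '\s*,\s*'
        $groups = "$($Connector.PermissionGroups)" -split '\s*,\s*'
        $ranges = @($Connector.RemoteIPRanges | ForEach-Object { "$_" })
        $anyIp  = $ranges -contains '0.0.0.0-255.255.255.255'
        # The page's syntax calls the TLS-gated Basic option BasicAuthPlusTls;
        # BasicAuthRequireTLS is also accepted here (assumed name in released builds).
        $gated  = ($auth -contains 'BasicAuthPlusTls') -or ($auth -contains 'BasicAuthRequireTLS')
        $findings = @()
        if (($auth -contains 'BasicAuth') -and -not $gated) {
            $findings += 'Basic authentication allowed outside TLS (cleartext credentials)'
        }
        if (($auth -contains 'ExternalAuthoritative') -and $anyIp) {
            $findings += 'Externally Secured while accepting every remote IP address'
        }
        if (($groups -contains 'AnonymousUsers') -and $anyIp) {
            $findings += 'Anonymous senders accepted from any address (confirm Internet-facing)'
        }
        if (($groups -contains 'Partners') -and -not ($auth -contains 'Tls')) {
            $findings += 'Partners permission group without TLS enabled'
        }
        foreach ($f in $findings) {
            New-Object PSObject -Property @{ Connector = "$($Connector.Identity)"; Finding = $f }
        }
    }
}

# Constructed objects shaped like Get-ReceiveConnector output (not from a real server).
$sample = @(
    (New-Object PSObject -Property @{ Identity = 'CORPSVR127\Custom Receive Connector'
        Enabled = $true; AuthMechanism = 'Tls, BasicAuth'; PermissionGroups = 'ExchangeUsers'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255') }),
    (New-Object PSObject -Property @{ Identity = 'CORPSVR127\Sample Internet Connector'
        Enabled = $true; AuthMechanism = 'Tls'; PermissionGroups = 'AnonymousUsers'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255') }),
    (New-Object PSObject -Property @{ Identity = 'CORPSVR127\Sample Client Connector'
        Enabled = $true; AuthMechanism = 'Tls, BasicAuth, BasicAuthPlusTls'
        PermissionGroups = 'ExchangeUsers'; RemoteIPRanges = @('192.0.2.10-192.0.2.20') })
)
$sample | Test-ReceiveConnectorExposure | Format-Table Connector, Finding -AutoSize
```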

In Exchange Management Shell, you can view, update, or remove Receive connectors using the Get-ReceiveConnector, Set-ReceiveConnector, or Remove-ReceiveConnector cmdlets, respectively. Samples 15-10 through 15-12 provide the syntax and usage. With Get-ReceiveConnector, you can return a list of all available Receive connectors if you don't specify an identity or server. If you want to see only the Receive connectors configured on a particular server, use the Server parameter.

Sample 15-10: Get-ReceiveConnector cmdlet syntax and usage

Syntax

    Get-ReceiveConnector [-Identity 'Server\ConnectorIdentity']
      [-Server 'Server']

Usage

    Get-ReceiveConnector

    Get-ReceiveConnector -Identity 'Corpsvr127\Adatum.com Receive Connector'

    Get-ReceiveConnector -Server 'Corpsvr127'

Sample 15-11: Set-ReceiveConnector cmdlet syntax and usage

Syntax

    Set-ReceiveConnector -Identity 'Identity'
      [-AuthMechanism <'None'|'Tls'|'Integrated'|'BasicAuth'|'BasicAuthPlusTls'
                       |'ExchangeServer'|'ExternalAuthoritative'>]
      [-BinaryMimeEnabled <$true | $false>]
      [-Bindings 'Binding']
      [-ChunkingEnabled <$true | $false>]
      [-ConnectionInactivityTimeout 'TimeSpan']
      [-ConnectionTimeout 'TimeSpan']
      [-DefaultDomain 'AcceptedDomain']
      [-DeliveryStatusNotificationEnabled <$true | $false>]
      [-EightBitMimeEnabled <$true | $false>]
      [-Enabled <$true | $false>]
      [-EnhancedStatusCodesEnabled <$true | $false>]
      [-ExternallySecuredAsPartnerDomain 'SmtpDomain']
      [-Fqdn 'FQDN']
      [-MaxHeaderSize 'Size']
      [-MaxHopCount NumHops]
      [-MaxInboundConnection 'Limit']
      [-MaxInboundConnectionPercentagePerSource 'Percent']
      [-MaxInboundConnectionPerSource 'Limit']
      [-MaxLocalHopCount NumHops]
      [-MaxLogonFailures NumFailures]
      [-MaxMessageSize 'Size']
      [-MaxProtocolErrors 'Limit']
      [-MaxRecipientsPerMessage NumRecipients]
      [-MessageRateLimit 'Limit']
      [-Name 'Name']
      [-PermissionGroups <'None'|'AnonymousUsers'|'ExchangeUsers'
                          |'ExchangeServers'|'ExchangeLegacyServers'|'Partners'|'Custom'>]
      [-PipeliningEnabled <$true | $false>]
      [-ProtocolLoggingLevel <None | Basic>]
      [-RemoteIPRanges 'IPRange1','IPRange2',…]
      [-RequireEHLODomain <$true | $false>]
      [-RequireTLS <$true | $false>]
      [-SizeEnabled <$true | $false>]
      [-TarpitInterval 'TimeSpan']

Usage

    Set-ReceiveConnector -Identity 'Corpsvr127\Custom Receive Connector' `
      -Bindings '0.0.0.0:425' `
      -Fqdn 'mailserver85.cpandl.com' `
      -RemoteIPRanges '0.0.0.0-255.255.255.255'

Sample 15-12: Remove-ReceiveConnector cmdlet syntax and usage

Syntax

    Remove-ReceiveConnector -Identity 'ConnectorIdentity'

Usage

    Remove-ReceiveConnector -Identity 'CorpSvr127\Adatum.com Receive Connector'

Connecting to Exchange 2003 or Exchange 2000 Routing Groups

Although Exchange 2007 doesn't use routing groups, you must create routing group connectors to route messages between Exchange Server 2007 Hub Transport servers and Exchange Server 2003 or Exchange 2000 Server routing groups. You can manage routing group connectors only by using Exchange Management Shell.

You can view, create, update, or remove routing group connectors using the Get-RoutingGroupConnector, New-RoutingGroupConnector, Set-RoutingGroupConnector, or Remove-RoutingGroupConnector cmdlet, respectively. With Get-RoutingGroupConnector, you can return a list of all available Receive connectors if you don't specify an identity or server. If you want to see only the Receive connectors configured on a particular server, use the Server parameter.

When you are creating or updating a routing group connector using New-RoutingGroupConnector or Set-RoutingGroupConnector, you specify source and target servers. The source and target servers must be Exchange 2007 Hub Transport servers or Exchange Server 2003 or Exchange 2000 Server bridgehead servers. By using the Bidirectional parameter, you can specify whether the connector is used for one-way or two-way mail flow. If you specify a two-way connector, a reciprocal connector is created in the target routing group.

Samples 15-13 through 15-16 provide the syntax and usage for the Get-RoutingGroupConnector, New-RoutingGroupConnector, Set-RoutingGroupConnector, and Remove-RoutingGroupConnector cmdlets.

Sample 15-13: Get-RoutingGroupConnector cmdlet syntax and usage

Syntax

    Get-RoutingGroupConnector [-Identity 'RoutingGroup\ConnectorIdentity']
      [-Server 'Server']

Usage

    Get-RoutingGroupConnector -Server 'Corpsvr127'

Sample 15-14: New-RoutingGroupConnector cmdlet syntax and usage

Syntax

    New-RoutingGroupConnector -Name 'Name'
      -SourceTransportServers 'SourceServer1', 'SourceServer2',…
      -TargetTransportServers 'TransportServer1', 'TransportServer2',…
      [-BiDirectional <$true | $false>]
      [-Cost ConnectorCost]
      [-PublicFolderReferralsEnabled <$true | $false>]

Usage

    New-RoutingGroupConnector -Name 'Exchange 2003 Interop' `
      -SourceTransportServers 'Exchange2007Server12.cpandl.com' `
      -TargetTransportServers 'Exchange2003Server08.cpandl.com' `
      -Cost 100 `
      -BiDirectional $true

Sample 15-15: Set-RoutingGroupConnector cmdlet syntax and usage

Syntax

    Set-RoutingGroupConnector -Identity 'Group\Connector Identity'
      [-Name 'Name']
      [-SourceTransportServers 'SourceServer1', 'SourceServer2',…]
      [-TargetTransportServers 'TransportServer1', 'TransportServer2',…]
      [-BiDirectional <$true | $false>]
      [-Cost ConnectorCost]
      [-PublicFolderReferralsEnabled <$true | $false>]

Usage

    Set-RoutingGroupConnector -Identity 'Exchange Administrator Group\Exchange 2003 Interop' `
      -Name 'Exchange 2003 Interop' `
      -SourceTransportServers 'Exchange2007Server12.cpandl.com' `
      -TargetTransportServers 'Exchange2003Server08.cpandl.com' `
      -Cost 100 `
      -BiDirectional $true

Sample 15-16: Remove-RoutingGroupConnector cmdlet syntax and usage

Syntax

    Remove-RoutingGroupConnector [-Identity 'RoutingGroup\ConnectorIdentity']

Usage

    Remove-RoutingGroupConnector -Identity 'Exchange Administrator Group\Exchange 2003 Interop'




Microsoft Exchange Server 2007 Administrator's Pocket Consultant, Second Edition
ISBN: 0735625867
EAN: 2147483647
Year: 2007
Pages: 119
