Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-10-26

Receive connectors represent a logical gateway through which all inbound messages are received. Receive connectors are configured on a per-server basis, and they control how that server receives messages from the Internet, e-mail clients, and other messaging servers.

By default, the Receive connectors required for internal mail flow are automatically created when the Hub Transport server role is installed. Similarly, when you install the Edge Transport server role, the Receive connector capable of receiving mail from the Internet and from Hub Transport servers is automatically created. However, end-to-end mail flow is possible only after the Edge Transport server is subscribed to the Active Directory site by using the Edge Subscription process. Other scenarios, such as an Internet-facing Hub Transport server or an Edge Transport server that doesn't use EdgeSync, require manual connector configuration to establish end-to-end mail flow.

You can use the EMC or the Shell to configure the properties of a Receive connector.

Don't perform this procedure on an Edge Transport server that has been subscribed to the Exchange organization by using EdgeSync. Instead, make the changes on the Hub Transport server. The changes are then replicated to the Edge Transport server next time EdgeSync synchronization occurs.

Looking for other management tasks related to connectors? Check out Managing Connectors.


  • You must have an existing Receive connector. For detailed steps about creating a Receive connector, see Create an SMTP Receive Connector.

  • You should determine the specific usage for this Receive connector so you can correctly configure its properties. To learn more about Receive connectors, see Understanding Receive Connectors.

What Do You Want to Do?

Use the EMC to configure the properties of a Receive connector

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

  1. If you are configuring a Receive connector on a Hub Transport server, expand Server Configuration in the console tree, and select Hub Transport. On an Edge Transport server, select Edge Transport in the console tree.

  2. In the work pane, select the Receive Connectors tab, and then double-click the Receive connector you want to configure.

  3. Use the General tab to modify the general properties of the Receive connector:

    • Connector name   To rename the connector, type a new name in the Connector name field, and then click Apply.

    • Connector status   This field shows whether the connector is enabled. You can't change a connector's status from the properties page. You need to use the Enable or Disable actions in the EMC or the corresponding Shell commands. For detailed steps about enabling or disabling Receive connectors, see Enable or Disable a Receive Connector.

    • Modified   This field shows the last date that the connector settings were modified.

    • Protocol logging level   Use this drop-down list to select the protocol logging level. Select None to turn off protocol logging. Select Verbose to turn on protocol logging.

    • Specify the FQDN this connector will provide in response to HELO or EHLO   This field specifies the fully qualified domain name (FQDN) that the transport server uses to identify itself whenever a destination server name is required during an inbound SMTP connection. To learn more about how the value of this field is used, see Understanding Receive Connectors.

    • Maximum message size (KB)   To set a maximum message size for messages that can pass through this connector, select the check box next to Maximum message size (KB) and enter a value in kilobytes (KB). The valid input range is from 64 through 2097151 KB. To remove any restriction on the maximum message size, clear the check box next to Maximum message size (KB).

  4. Use the Network tab to specify the IP addresses and TCP ports on which this Receive connector receives connections. You can also configure the IP address ranges from which this Receive connector accepts connections. The following options are available:

    • Use these local IP Addresses to receive mail   Use this list to specify the IP addresses and port numbers on which this Receive connector listens for incoming mail. For each entry, you must specify a different set of IP addresses or specify all available IP addresses. The following options are available:

      Add   To add a new IP address or port number, click Add. The following options are available in the window that appears:

      Use all IP addresses available on this server   Select this option to use all IP addresses associated with this computer. This is the recommended option.

      Specify an IP address   Select this option to use a specific IP address associated with this computer.

      You must specify a local IP address that's valid for the Hub Transport server or Edge Transport server on which the Receive connector is located. If you specify an invalid local IP address, the Microsoft Exchange Transport service may fail to start when the service is restarted.
      Port   This field identifies the TCP port number on which this Receive connector listens for incoming mail. TCP port 25 is the default port used for message transmission between SMTP servers.

      Edit   Click Edit to change an existing IP address or port.

      Remove   Click Remove icon to remove an existing IP address.

    • Receive mail from remote servers that have these IP addresses   Use this list to specify the IP address or IP address range from which this Receive connector accepts connections. To add the remote IP address or remote IP address range, use one of the following methods:

      Add - IP Address   To enter an IP address without a subnet mask, or to specify the subnet mask by using Classless Interdomain Routing (CIDR) notation, click Add or the drop-down arrow next to Add and select IP Address. In the Add IP address(es) of Remote Servers dialog box, enter the IP address directly or specify a subnet using the CIDR notation. For example, if you enter, the Receive connector accepts messages from that host only, but if you specify, the Receive connector accepts messages from the entire class C subnet of

      Add - IP and Mask   To enter an IP address or subnet together with a subnet mask in dotted decimal notation, click the drop-down arrow next to Add and select IP and Mask. In the Add Remote Servers - IP and Mask dialog box, specify the IP address and the subnet mask.

      Add - IP Range   To specify an IP address range by using the first IP address and the last IP address in the range, click the drop-down arrow next to Add and select IP Range. In the Add Remote Servers - IP Range dialog box, specify the start and end addresses of the IP range.

      Edit   To edit an existing IP address range, select the IP address range, and then click Edit.

      Remove   To remove an existing IP address range, select the IP address range, and then click Remove icon.

  5. Use the Authentication tab to configure security options for incoming SMTP connections:

    • Transport Layer Security (TLS)   Select this option to offer Transport Layer Security (TLS) transmission for all messages received by this connector. When you select this option, the STARTTLS keyword is advertised in the EHLO response to connecting SMTP servers, and TLS authentication is accepted.

      Enable Domain Security (Mutual Auth TLS)   To instruct this Receive connector to accept a mutual TLS connection from a remote server, select this check box. There are additional configuration steps required before you can enable mutual TLS. For more information about configuring mutual TLS, see Using Domain Security: Configuring Mutual TLS.

    • Basic Authentication   Select this option to offer Basic authentication for all mail received by this connector. When you select Basic Authentication, the AUTH keyword is advertised in the EHLO response to connecting SMTP servers, and Basic authentication is accepted. Because the user name and password are sent in plaintext when Basic authentication is used, Basic authentication without encryption isn't recommended.

      Offer Basic Authentication only after starting TLS   When you select this option, the connector starts TLS first, and then after TLS encryption is complete, the connector offers Basic authentication.

    • Exchange Server authentication   Select this option to authenticate by using an Exchange authentication mechanism, such as TLS direct trust or Kerberos through TLS.

    • Integrated Windows authentication   Select this option to use Integrated Windows authentication, which represents NTLM, Kerberos, and Negotiate authentication mechanisms.

    • Externally Secured (for example, with IPsec)   Use this option if the incoming connections to this Receive connector are secured by external means. For example, use this option if the connection is physically secured over a private network or by using Internet Protocol security (IPsec). When you select this option, you make an assertion of external security that can't be programmatically verified by Exchange. Before you select this authentication method, you must first select the Exchange servers permissions group on the Permission Groups tab.

  6. Use the Permission Groups tab to select the permission groups assigned to this Receive connector. A permission group is a predefined set of permissions granted to well-known groups of users, computers, or security groups. Members of the selected permission groups on this tab are allowed to submit messages to this Receive connector.

    When selected on this tab, each permission group is granted a different set of permissions. For example, members of the Exchange users permission group are granted the ms-Exch-Bypass-Anti-Spam extended right whereas anonymous users aren't. To see a complete list of extended rights granted to each permission group, see "Permission Groups" in Understanding Receive Connectors.
    The following options are available:

    • Anonymous users   Non-authenticated users

    • Exchange users   Authenticated user accounts

    • Exchange servers   Members of the Exchange Servers universal security group

    • Legacy Exchange servers   Members of the ExchangeLegacyInterop universal security group

    • Partners   Partner service accounts

Use the Shell to configure the properties of a Receive connector

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

You can use the Set-ReceiveConnector cmdlet to modify all available settings for an existing Receive connector. In this example, the following changes are made to the configuration of the Receive connector Connection from

  • Change the maximum message size allowed on the connector to 50 megabytes (MB).

  • Enable protocol logging on the Receive connector.

  • Set the tarpitting interval.

Copy Code
Set-ReceiveConnector "Connection from" -MaxMessageSize 50MB -ProtocolLoggingLevel Verbose

The values that you specify by using the Set-ReceiveConnector cmdlet parameters replace the existing values configured on the Receive connector. This isn't an issue for single value attributes such as maximum message size, but it can be a problem for multivalued attributes such as remote IP address ranges. To preserve any existing values in a multivalued attribute, you must specify the existing value and any new values that you want to add when you run the Set-ReceiveConnector cmdlet.

For example, assume that you want to add the subnet to the IP addresses from which the Connection from Receive connector accepts messages. Currently, this Receive connector is configured to accept messages only from the IP range of to This example does this by specifying the existing value along with the new value being added.

Copy Code
Set-ReceiveConnector "Connection from" -RemoteIPRanges "",""

If you have numerous values for a multivalued property, you may not want to retype all of the values just to add another value. Instead, you can use temporary Shell variables. This example also adds the subnet to the remote IP ranges of the Connection from connector using the temporary variable $ConnectorConfiguration.

Copy Code
$ConnectorConfiguration = Get-ReceiveConnector "Connection from"
$ConnectorConfiguration.RemoteIPRanges += ""
Set-ReceiveConnector "Connection from" -RemoteIPRanges $ConnectorConfiguration.RemoteIPRanges

When you specify a tarpitting interval time on a Receive connector, tarpitting is enabled. The default value is 5 seconds, and we recommend that you start at this value. Use caution if you decide to change this value. An overly long interval could disrupt ordinary mail flow, whereas an overly brief interval may not be as effective in thwarting a directory harvest attack. If you change the tarpitting interval value, do it in small increments.

The following example changes the tarpitting interval of the “Connection from” connector by increasing it to 6 seconds.

Copy Code
Set-ReceiveConnector "Connection from" -TarpitInterval 00:00:06

For detailed syntax and configuration information, see Set-ReceiveConnector.