Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
You can use the EMC or the Shell to configure Internet mail flow through Microsoft Exchange Hosted Services or an external SMTP gateway.
Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves
from e-mail-borne malware
- Hosted Archive, which helps them satisfy retention requirements
for compliance
- Hosted Encryption, which helps them encrypt data to preserve
confidentiality
- Hosted Continuity, which helps them preserve access to e-mail
during and after emergency situations
These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
In Exchange Server 2010, to establish Internet mail flow through Exchange Hosted Services or an external SMTP gateway, you create a Send connector and a Receive connector between the Hub Transport servers in the Exchange organization and the external SMTP servers that process and route Internet e-mail.
The following authentication methods can be used in this scenario:
- Basic authentication: The servers running the Exchange 2010 Hub Transport server role and the external SMTP servers authenticate by using Basic authentication. A user name and password are required. This authentication method is unavailable for Exchange Hosted Services.
- Externally Secured: The network connection between the Hub Transport servers and the external SMTP servers is secured by using a method that's external to Exchange 2010, such as IPsec.
Note: Configuring a Receive connector as Externally Secured when the connection isn't actually protected by such an external method is functionally equivalent to configuring the Receive connector as an open relay for the external SMTP server. The messages that originate from the external SMTP server are treated as authenticated messages. The messages bypass anti-spam checks and message size limit checks. The external SMTP server is allowed to submit messages as if they originated from internal senders within your Exchange organization. For more information, see Allow Anonymous Relay on a Receive Connector.
- Anonymous relay: This method should be considered the method of last resort. If you allow an external SMTP server to anonymously relay messages by using the designated Receive connector on the Hub Transport server, you must apply the following restrictions on the Receive connector:
  - Local network settings: If your Hub Transport server has multiple network adapters, restrict the Receive connector to listen only on the appropriate network adapter.
  - Remote network settings: Restrict the Receive connector to accept connections only from the specified server or servers. This restriction is necessary because the Receive connector is configured to accept relay from anonymous users. Restricting the source servers by IP address is the only measure of protection that's allowed on this Receive connector.
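The following script is an added example and not part of this topic: it audits the Receive connectors on one Hub Transport server for the two conditions described above (Externally Secured authentication, or anonymous relay rights) and reports whether the remote and local network restrictions are in place. It assumes the Exchange Management Shell is loaded; the server name HubA, the function name and the risk labels are illustrative.

```powershell
# Added example, not from the original topic: audit one Hub Transport server's
# Receive connectors for the relay exposure this section describes (EMS loaded).

# Default "all networks" remote ranges; a relay connector must never keep these.
$allNetworksRanges = @("0.0.0.0-255.255.255.255", "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")

function Get-ReceiveConnectorRelayRisk {
    param([Parameter(Mandatory = $true)] [string] $Server)   # for example HubA

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $remoteRanges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })

        # Externally Secured: every accepted host is treated as authenticated,
        # so anti-spam and message size checks are bypassed.
        $externallySecured = ("$($rc.AuthMechanism)" -match "ExternalAuthoritative")

        # Anonymous relay: the Anonymous users permission group plus the
        # Ms-Exch-SMTP-Accept-Any-Recipient right granted to ANONYMOUS LOGON.
        $anonymousRelay = $false
        if ("$($rc.PermissionGroups)" -match "AnonymousUsers") {
            $anonymousRelay = [bool] ($rc | Get-ADPermission | Where-Object {
                (-not $_.Deny) -and ("$($_.User)" -like "*ANONYMOUS LOGON") -and
                ("$($_.ExtendedRights)" -match "Ms-Exch-SMTP-Accept-Any-Recipient") })
        }

        # The restrictions the section requires: specific remote sources and,
        # on a multihomed server, a binding to a specific local address.
        $openToAllNetworks = [bool] ($remoteRanges | Where-Object { $allNetworksRanges -contains $_ })
        $boundToAllAddresses = [bool] ($rc.Bindings |
            Where-Object { @("0.0.0.0", "::") -contains $_.Address.ToString() })

        $risk = "None"
        if ($externallySecured -or $anonymousRelay) {
            if ($openToAllNetworks) { $risk = "OpenRelay" } else { $risk = "RelayRestrictedByIP" }
        }

        New-Object PSObject -Property @{
            Connector           = $rc.Name
            ExternallySecured   = $externallySecured
            AnonymousRelay      = $anonymousRelay
            BoundToAllAddresses = $boundToAllAddresses
            RemoteIPRanges      = ($remoteRanges -join ", ")
            Risk                = $risk
        }
    }
}

# Usage: any connector reported as OpenRelay relays for every host that can reach it.
Get-ReceiveConnectorRelayRisk -Server HubA |
    Format-Table Connector, Risk, BoundToAllAddresses, RemoteIPRanges -AutoSize
```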
Looking for other management tasks related to managing message routing? Check out Managing Message Routing.
Prerequisites
- If you're using Basic authentication, a domain account must
exist in the Active Directory forest. For example, create a domain
user account that has the user principal name (UPN)
smtpgateway@fabrikam.com as the credentials that must be used for
authentication by the SMTP gateway when delivering mail to the
Exchange servers in the Fabrikam domain.
- If you're using Basic authentication over Transport Layer
Security (TLS), the target server must be configured to use an
X.509 certificate that contains a fully qualified domain name
(FQDN) that's the same as the FQDN of the Receive connector.
- If you're using external authentication, a trusted network
connection must exist between the Hub Transport server and the SMTP
gateway server. This connection can be an IPsec association or
virtual private network (VPN). Alternatively, the servers may
reside in a trusted physically controlled network.
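As an added example that is not part of this topic, the following script checks the second prerequisite on the receiving server: for each Receive connector it looks for a valid certificate that is enabled for the SMTP service and whose domains cover the connector's FQDN (including one-level wildcard entries). It assumes the Exchange Management Shell is loaded; the server name HubA and the function names are illustrative.

```powershell
# Added example, not from the original topic: confirms that a valid SMTP-enabled
# certificate covers each Receive connector's FQDN, which Basic authentication over
# TLS requires. Assumes the Exchange Management Shell is loaded on the target server.

function Test-FqdnCoveredByCertificate {
    param([string] $Fqdn, [string[]] $CertificateDomains)
    foreach ($domain in $CertificateDomains) {
        if ($domain -eq $Fqdn) { return $true }
        # A wildcard entry such as *.contoso.com covers exactly one extra label.
        if ($domain.StartsWith("*.") -and ($Fqdn -like $domain) -and
            ($Fqdn.Split(".").Count -eq $domain.Split(".").Count)) { return $true }
    }
    return $false
}

function Get-ReceiveConnectorTlsReadiness {
    param([Parameter(Mandatory = $true)] [string] $Server)   # for example HubA

    $now = Get-Date
    # Only certificates assigned to the SMTP service and inside their validity window count.
    $smtpCerts = @(Get-ExchangeCertificate -Server $Server | Where-Object {
        ("$($_.Services)" -match "SMTP") -and ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now) })

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        $fqdn = "$($rc.Fqdn)"
        $cert = $smtpCerts | Where-Object {
            $names = @($_.CertificateDomains | ForEach-Object { "$_" })
            Test-FqdnCoveredByCertificate -Fqdn $fqdn -CertificateDomains $names
        } | Select-Object -First 1

        $thumbprint = ""
        $expires = $null
        if ($cert) { $thumbprint = $cert.Thumbprint; $expires = $cert.NotAfter }

        New-Object PSObject -Property @{
            Connector  = $rc.Name
            Fqdn       = $fqdn
            TlsReady   = [bool] $cert
            Thumbprint = $thumbprint
            ExpiresOn  = $expires
        }
    }
}

# Usage: a connector with TlsReady False needs a certificate for its FQDN before the
# gateway can use Basic authentication over TLS against it.
Get-ReceiveConnectorTlsReadiness -Server HubA | Format-Table Connector, Fqdn, TlsReady, ExpiresOn -AutoSize
```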
Establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" entry in the Transport Permissions topic.
Note: Because the default Receive connector will accept e-mail submissions from the authenticated SMTP gateway, a new Receive connector isn't needed when using Basic authentication.
Use the EMC to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication
- On the Hub Transport server, open the EMC. Expand
Organization Configuration, click Hub Transport, and
then, in the action pane, click New Send connector.
- On the New Send Connector wizard Introduction page, in
the Name field, type a unique name for the connector.
- From the Select the intended use for this Send connector
drop-down list, select Custom, and then click
Next.
- On the Address space page, click Add. In the
SMTP Address Space dialog box, type "*" in the
Address field, and then click OK. Click
Next.
- On the Network settings page, only the Route mail
through the following smart hosts setting can be selected.
Select this setting and click Add.
- In the Add smart host dialog box, in the IP
address or Fully qualified domain name (FQDN) field,
type the IP address or FQDN of the external SMTP gateway server,
and then click OK. To specify more than one SMTP gateway as
a smart host, click Add and enter additional IP addresses or
FQDNs, and then click Next.
- On the Configure smart host authentication settings
page, select Basic Authentication, click Basic
Authentication over TLS, type the user name and password that
will be used to authenticate the connection, and then click
Next.
- On the Source Server page, click Add. In the
Select Hub Transport and subscribed Edge Transport servers
dialog box, select one or more Hub Transport servers in your
organization, click OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
Use the Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication
- Run the following command.
$mycred = Get-Credential
- In the dialog box that appears, enter the credentials for the
user account on the external SMTP gateway server. Enter the user
name and provide the user's password. Click OK.
- This example creates the Send connector ToInternetGateway
that's used by the Hub Transport server HubA that connects to the
external SMTP gateway smtpgateway1.contoso.com by using basic
authentication.
New-SendConnector -Name "ToInternetGateway" -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism BasicAuth,BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers "HubA" -DNSRoutingEnabled $false
For detailed syntax and parameter information, see New-SendConnector.
Establish Internet mail flow between a Hub Transport server and Exchange Hosted Services or an external SMTP gateway by using Externally Secured authentication
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.
Use the EMC to establish Internet mail flow between a Hub Transport server and Exchange Hosted Services or an external SMTP gateway by using Externally Secured authentication
- Create a Send connector on the Hub Transport server to the
external SMTP gateway by following these steps:
- Expand Organization Configuration, click Hub
Transport, and then in the action pane, click New Send
connector.
- On the New Send Connector wizard Introduction page, in
the Name field, type a unique name for the connector. From
the Select the intended use for this connector drop-down
list, select Internal, and then click Next.
- On the Address Space page, click Add. In the
Add Address Space dialog box, type "*" in the
Address field, and then click OK. Click
Next.
- On the Network Settings page, only the Route mail
through the following smart hosts setting can be selected.
Click Add.
- In the Add smart host dialog box, in the IP
address or Fully qualified domain name (FQDN) field,
type the IP address or FQDN of the SMTP gateway server, and then
click OK. To specify more than one SMTP gateway server as a
smart host, click Add and enter additional IP addresses or
FQDNs, and then click Next.
- On the Configure smart host authentication settings
page, select Externally Secured (for example with IPsec),
and then click Next.
- On the Source Server page, click Add. In the
Select Hub Transport and subscribed Edge Transport servers
dialog box, select one or more Hub Transport servers in your
organization, click OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
- Create a Receive connector on the Hub Transport server to
receive mail from the external SMTP gateway by following these
steps:
- Expand Server Configuration, click Hub Transport,
and then in the action pane, click New Receive
Connector.
- On the New Receive Connector wizard Introduction page,
in the Name field, type a unique name for the connector.
- From the Select the intended use for this connector
drop-down list, select Internal, and then click
Next.
- On the Remote Network settings page, remove the all
network ranges entry, and then click Add.
- In the Add IP Address(es) of Remote Servers dialog box,
type the IP address of the external SMTP gateway server, click
OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
- For the Receive connector that you just created, set the
authentication method to Externally Secured by following these
steps:
- In the task pane, select the Receive connector that you created
in step 2, and then in the action pane, click
Properties.
- Click the Authentication tab. Clear the check boxes for
Basic Authentication and Exchange Server, select
Externally Secured (for example with IPsec), and then click
OK.
Use the Shell to establish Internet mail flow between a Hub Transport server and Exchange Hosted Services or an external SMTP gateway by using Externally Secured authentication
- This example creates the Send connector ToInternetGateway used
by the Hub Transport server HubA that's configured to send outgoing
e-mail through the external SMTP gateway smtpgateway1.contoso.com
by using Externally Secured authentication.
New-SendConnector -Name "ToInternetGateway" -Usage Internal -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers "HubA" -DNSRoutingEnabled $false
- This example creates the Receive connector FromInternetGateway
on the Hub Transport server HubA that uses Externally Secured
authentication to receive mail from the external SMTP gateway that
has the IP address 192.168.1.10.
New-ReceiveConnector -Name "FromInternetGateway" -Server HubA -Usage Internal -RemoteIPRanges 192.168.1.10 -AuthMechanism ExternalAuthoritative
For detailed syntax and parameter information, see New-SendConnector and New-ReceiveConnector.
Establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.
Use the EMC and Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay
Note: This procedure uses the EMC for steps 1 through 4. The last step of this procedure, granting relay permission to anonymous access on the Receive connector, can't be performed by using the EMC. You must use the Shell for that step.
- Create a Send connector on the Hub Transport server to the
external SMTP gateway by following these steps:
- Expand Organization Configuration, click Hub
Transport, and then in the action pane, click New Send
connector.
- On the New Send Connector wizard Introduction page, in
the Name field, type a unique name for the connector. From
the Select the intended use for this Send connector
drop-down list, select Internet, and then click
Next.
- On the Address space page, click Add. In the
SMTP Address Space dialog box, type "*" in the
Address field, and then click OK. Click
Next.
- On the Network settings page, only the Route mail
through the following smart hosts setting can be selected.
Click Add.
- In the Add smart host dialog box, in the IP
address or Fully qualified domain name (FQDN) field,
type the IP address or FQDN of the SMTP gateway server, and then
click OK. To specify more than one SMTP gateway server as a
smart host, click Add and enter additional IP addresses or
FQDNs, and then click Next.
- On the Configure smart host authentication settings
page, select None, and then click Next.
- On the Source Server page, click Add. In the
Select Hub Transport and subscribed Edge Transport servers
dialog box, select one or more Hub Transport servers in your
organization, click OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
- Create a Receive connector on the Hub Transport server to
receive mail from the external SMTP gateway by following these
steps:
- Expand Server Configuration, click Hub Transport,
and then in the action pane, click New Receive
Connector.
- On the New Receive Connector wizard Introduction page,
in the Name field, type a unique name for the connector.
- From the Select the intended use for this connector
drop-down list, select Custom, and then click
Next.
- On the Local Network settings page, remove the existing
All Available IPv4 entry, and then click Add.
- In the Add Receive Connector Binding dialog box, select
Specify an IP address. Type an IP address assigned to a
network adapter on the local server that's best able to communicate
with the external SMTP gateway. Make sure that the Port
field has the value 25 and click OK. Leave the
Specify the FQDN this connector will provide in response to HELO
or EHLO field blank, and then click Next.
- On the Remote Network settings page, remove the all
network ranges entry, and then click Add.
- In the Add IP Addresses of Remote Servers dialog box,
type the IP address of the external SMTP gateway server, click
OK, and then click Next.
- On the New Connector page, review the Configuration
Summary. If you're satisfied, click New. If you'd like
to make changes, click Back.
- On the Completion page, review the following, and then
click Finish to close the wizard:
- A status of Completed indicates that the wizard
completed the task successfully.
- A status of Failed indicates that the task wasn't
completed. If the task fails, review the summary for an
explanation, and then click Back to make any configuration
changes.
- For the Receive connector that you just created, add the
Anonymous permission group by following these steps:
- In the task pane, select the Receive connector that you created
in step 2, and then in the action pane, click
Properties.
- Click the Permission Groups tab. Select Anonymous
users, and then click OK. Click OK to save your
changes and exit the Properties page.
- For the Receive connector that you just modified, grant the
relay permission to the Anonymous logon security principal by
following these steps:
- Open the Shell.
- Run the following command using the name of the Receive
connector that you created in step 2 and modified in
step 3.
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
For detailed syntax and parameter information, see the Get-ReceiveConnector and Add-ADPermission topics.
Use the Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay
- This example creates the Send connector ToInternetGateway used
by the Hub Transport server HubA that's configured to send outgoing
e-mail through the external SMTP gateway smtpgateway1.contoso.com
by using anonymous relay.
New-SendConnector -Name "ToInternetGateway" -Usage Internet -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism None -SourceTransportServers "HubA" -DNSRoutingEnabled $false
- This example creates the Receive connector FromInternetGateway
on the Hub Transport server HubA that listens on local IP address
10.2.3.4 on port 25 for anonymous connections from an SMTP gateway
server at the IP address 192.168.5.77.
New-ReceiveConnector -Name "FromInternetGateway" -Server HubA -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
- This example grants the relay permission to the Anonymous logon
security principal on the Receive connector that you created in
step 2.
Get-ReceiveConnector "FromInternetGateway" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
For detailed syntax and parameter information, see New-SendConnector, New-ReceiveConnector, Get-ReceiveConnector, and Add-ADPermission.