Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-28
This topic explains how to use the Exchange Management Console or the Exchange Management Shell to configure Internet mail flow through Microsoft Exchange Hosted Services or an external Simple Mail Transfer Protocol (SMTP) gateway.
Exchange Hosted Services is a set of four distinct hosted services:
- Hosted Filtering, which helps organizations protect themselves
from e-mail-borne malware
- Hosted Archive, which helps organizations satisfy retention
requirements for compliance
- Hosted Encryption, which helps organizations encrypt data to
preserve confidentiality
- Hosted Continuity, which helps organizations preserve access to
e-mail during and after emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
In Microsoft Exchange Server 2007, to establish Internet mail flow through Exchange Hosted Services or an external SMTP gateway, you create a Send connector and a Receive connector between the Hub Transport servers in the Exchange organization and the external SMTP servers that process and route Internet e-mail.
The following authentication methods can be used in this scenario:
- Basic authentication The
Exchange 2007 Hub Transport servers and the external SMTP
servers authenticate by using Basic authentication. A user name and
password are required, and because Basic authentication sends them
in clear text, it should be combined with TLS. This authentication
method is unavailable for Exchange Hosted Services.
- Externally secured The network
connection between the Hub Transport servers and the external SMTP
servers is secured by using a method that is external to
Exchange 2007, such as IPsec or a VPN.
Note: Configuring a Receive connector as externally secured when no such external protection actually covers the connection is functionally equivalent to configuring the Receive connector as an open relay for the external SMTP server. The messages that originate from the external SMTP server are treated as authenticated messages. The messages bypass anti-spam checks and message size limit checks. The external SMTP server is allowed to submit messages as if they originated from internal senders within your Exchange organization. For more information, see How to Allow Anonymous Relay on a Receive Connector.
- Anonymous relay This method should be
considered the method of last resort. If you allow an external SMTP
server to anonymously relay messages by using the designated
Receive connector on the Hub Transport server, you must apply the
following restrictions on the Receive connector:
- Local network settings If your Hub
Transport server has multiple network adapters, restrict the
Receive connector to listen only on the network adapter that faces
the external SMTP gateway.
- Remote network settings Restrict the
Receive connector to accept connections only from the specified
server or servers. This restriction is necessary because the
Receive connector is configured to accept relay from anonymous
users. Restricting the source servers by IP address is the only
protection that this Receive connector has; any host that can reach
it from a listed address can relay through your organization.
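The following Exchange Management Shell script is an added example, not part of the original topic, that audits the restrictions above across every Receive connector in the organization. It flags connectors that trust a remote host to relay (Externally Secured, or Anonymous users plus the Ms-Exch-SMTP-Accept-Any-Recipient right) and whose remote network settings admit the whole Internet or whose local bindings listen on every address. Only Get-ReceiveConnector and Get-ADPermission are used; the IPBinding Address property and the threshold for what counts as a "broad" range are assumptions.

```powershell
# Added audit example (not from the original topic). Run in the Exchange
# Management Shell on an Exchange 2007 server. Connector names, ranges and
# bindings are read from your own organization.

$RelayRight = "Ms-Exch-SMTP-Accept-Any-Recipient"

function Test-RelayExposure {
    param($Connector)   # one object from Get-ReceiveConnector

    # Trust model: Externally Secured treats every message from a listed host as
    # authenticated; AnonymousUsers + Accept-Any-Recipient is anonymous relay.
    $externallySecured = [string]$Connector.AuthMechanism -match "ExternalAuthoritative"
    $anonRelay = $false
    if ([string]$Connector.PermissionGroups -match "AnonymousUsers") {
        $anonRelay = [bool]($Connector | Get-ADPermission |
            Where-Object { $_.User -like "*ANONYMOUS LOGON" -and -not $_.Deny -and
                           ($_.ExtendedRights -match $RelayRight) })
    }
    if (-not ($externallySecured -or $anonRelay)) { return }   # ordinary connector, nothing to check

    $issues = @()

    # Remote network settings: the only protection a relaying connector has.
    # The all-ranges entry, /0, or any block wider than /16 is treated as
    # "effectively any source" (assumption: adjust the cut-off to your network).
    foreach ($range in $Connector.RemoteIPRanges) {
        $r = $range.ToString()
        if ($r -eq "0.0.0.0-255.255.255.255" -or $r -eq "0.0.0.0/0" -or
            $r -match "/([0-9]|1[0-5])$") {
            $issues += "RemoteIPRanges admits '$r'"
        }
    }

    # Local network settings: on a multi-homed server the connector should be
    # bound to the adapter facing the gateway, not to every address.
    # Assumption: IPBinding exposes an Address property of type IPAddress.
    foreach ($binding in $Connector.Bindings) {
        if ($binding.Address.Equals([System.Net.IPAddress]::Any) -or
            $binding.Address.Equals([System.Net.IPAddress]::IPv6Any)) {
            $issues += "Listens on all addresses ($binding)"
        }
    }

    $mode = "AnonymousRelay"
    if ($externallySecured) { $mode = "ExternallySecured" }
    $summary = "none"
    if ($issues.Count -gt 0) { $summary = $issues -join "; " }

    New-Object PSObject -Property @{
        Connector = $Connector.Identity.ToString()
        TrustMode = $mode
        Issues    = $summary
    }
}

# Organization-wide report. Any row whose Issues column is not "none" is a
# Receive connector that behaves as an open relay for a wide range of sources.
Get-ReceiveConnector | ForEach-Object { Test-RelayExposure $_ } |
    Format-Table Connector, TrustMode, Issues -AutoSize
```

The script cannot tell whether an IPsec association or VPN really protects an Externally Secured connector; it only shows which connectors would be open relays if that protection were missing, which is the case the Note above warns about.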
Before You Begin
To perform the following procedures, the account you use must be delegated the Exchange Organization Administrator role.
To perform the following procedure on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
Before you start this procedure, verify that the following prerequisites are met:
- If you are using Basic authentication, a domain account must
exist in the Active Directory forest to use for Basic
authentication. For example, create a domain user account that has
the user principal name (UPN)
smtpgateway@fabrikam.com
as the credentials that the SMTP gateway must use to authenticate when it delivers mail to the Exchange servers in the Fabrikam domain. Give this account no mailbox and no rights beyond what the gateway needs.
- If you are using Basic authentication over Transport Layer
Security (TLS), the target server must be configured to use an
X.509 certificate that contains a fully qualified domain name
(FQDN) that is the same as the FQDN of the Receive connector.
- If you are using external authentication, a trusted network
connection must exist between the Hub Transport server and the SMTP
gateway server. This connection can be an IPsec association or
virtual private network (VPN). Alternatively, the servers may
reside in a trusted physically controlled network.
Procedure
To establish mail flow to and from the Internet through Exchange Hosted Services or an external SMTP gateway, follow these steps:
- Create a Send connector on the Hub Transport server to send
e-mail to Exchange Hosted Services or the external SMTP
gateway.
- Create a Receive connector on the Hub Transport server to
receive e-mail from Exchange Hosted Services or the external SMTP
gateway. An additional Receive connector is only required if you
are using external authentication or anonymous relay. If Basic
authentication is used, the default Receive connector will accept
e-mail submissions from the authenticated SMTP gateway.
- Configure the external SMTP gateway server to route and process
e-mail to and from your Hub Transport servers.
Note: For more information about how to configure the external SMTP gateway to route and process e-mail to and from your Hub Transport servers, see Microsoft Exchange Hosted Services or the documentation for the external SMTP gateway as appropriate. Documentation of these procedures is outside the scope of this topic.
Establishing Internet Mail Flow Between a Hub Transport Server and an External SMTP Gateway by Using Basic Authentication
The following procedures establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication. These procedures do not apply to Exchange Hosted Services.
To use the Exchange Management Console to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication
-
On the Hub Transport server, open the Exchange Management Console. Expand Organization Configuration, click Hub Transport, and then, in the action pane, click New Send connector.
-
On the New SMTP Send Connector wizard Introduction page, in the Name field, type a unique name for the connector.
-
From the Select the intended use for this connector drop-down list, select Custom, and then click Next.
-
On the Address Space page, click Add. In the Add Address Space dialog box, type "*" for the name of the remote SMTP domain, and then click Next.
-
On the Network Settings page, only the Route all mail through the following smart hosts: setting can be selected. Click Add.
-
In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of the external SMTP gateway server, and then click OK. To specify more than one SMTP gateway as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.
-
On the Smart host security settings page, select Basic Authentication or Basic Authentication over TLS, type the user name and password that will be used to authenticate the connection, and then click Next.
-
On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.
-
On the New Connector page, click New, and then on the Completion page, click Finish.
To use the Exchange Management Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication
-
Run the following command:
$mycred = Get-Credential
-
In the dialog box that appears, enter the credentials for the user account on the external SMTP gateway server. Enter the user name and provide the user's password. Click OK.
-
To create a new Send connector named "ToInternetGateway" that is used by the Hub Transport server named "HubA" and that connects to the external SMTP gateway named "smtpgateway1.contoso.com" by using Basic authentication over TLS, run the following command:
New-SendConnector -Name "ToInternetGateway" -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers "HubA" -DNSRoutingEnabled $false
The values for the SmartHostAuthMechanism parameter are mutually exclusive. Specify BasicAuth instead of BasicAuthRequireTLS only if the gateway cannot offer TLS; in that case the user name and password cross the network in clear text on every connection.
Establishing Internet Mail Flow Between a Hub Transport Server and Exchange Hosted Services or an External SMTP Gateway by Using Externally Secured Authentication
The following procedures establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Externally Secured authentication. These procedures are functionally equivalent to the procedures for establishing Internet mail flow between a Hub Transport server and Exchange Hosted Services.
To use the Exchange Management Console to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using external authentication
-
Create a new Send connector on the Hub Transport server to the external SMTP gateway by following these steps:
- Open the Exchange Management Console. Expand Organization
Configuration, click Hub Transport, and then in the
action pane, click New Send connector.
- On the New SMTP Send connector wizard
Introduction page, in the Name field, type a unique
name for the connector. From the Select the intended use for
this connector drop-down list, select Internal, and then
click Next.
- On the Address Space page, click Add. In the
Add Address Space dialog box, type "*", and then click
Next.
- On the Network Settings page, only the Route all mail
through the following smart hosts: setting can be selected.
Click Add.
- In the Add Smart Host dialog box, in the IP
address or Fully qualified domain name (FQDN) field, type the
IP address or FQDN of the SMTP gateway server, and then click
OK. To specify more than one SMTP gateway server as a smart
host, click Add and enter additional IP addresses or FQDNs,
and then click Next.
- On the Smart host security settings page, select
Externally Secured (for example with IPsec), and then click
Next.
- On the Source Server page, click Add. In the
Select Hub Transport and subscribed Edge Transport servers
dialog box, select one or more Hub Transport servers in your
organization, click OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
-
Create a new Receive connector on the Hub Transport server to receive mail from the external SMTP gateway by following these steps:
- Open the Exchange Management Console. Expand Server
Configuration, click Hub Transport, and then in the
action pane, click New Receive Connector.
- On the New SMTP Receive Connector wizard
Introduction page, in the Name field, type a unique
name for the connector.
- From the Select the intended use for this connector
drop-down list, select Internal, and then click
Next.
- On the Remote Network settings page, delete the existing
entry that covers all network ranges, and then click Add.
- In the Add IP Address(es) of Remote Servers dialog box,
type the IP address of the external SMTP gateway server, click
OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
-
For the Receive connector that you just created, set the authentication method to Externally Secured by following these steps:
- In the task pane, select the Receive connector that you created
in step 2, and then in the action pane, click
Properties.
- Click the Authentication tab. Clear the check boxes for
Basic Authentication and Exchange Server, select
Externally Secured (for example with IPsec), and then click
OK.
To use the Exchange Management Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using external authentication
-
To create a new Send connector named "ToInternetGateway" that is used by the Hub Transport server named "HubA" and that is configured to send outgoing e-mail through the external SMTP gateway named "smtpgateway1.contoso.com" by using Externally Secured authentication, run the following command:
New-SendConnector -Name "ToInternetGateway" -Usage Internal -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers "HubA" -DNSRoutingEnabled $false
-
To create a new Receive connector on the Hub Transport server named "HubA" that uses Externally Secured authentication to receive mail from the external SMTP gateway that has the IP address 192.168.1.10, run the following command:
New-ReceiveConnector -Name "FromInternetGateway" -Server HubA -Usage Internal -RemoteIPRanges 192.168.1.10 -AuthMechanism ExternalAuthoritative
The Internal usage type adds the Exchange servers permission group, which the ExternalAuthoritative authentication mechanism requires. If you create the connector with the Custom usage type instead, also specify -PermissionGroups ExchangeServers.
Establishing Internet Mail Flow Between a Hub Transport Server and an External SMTP Gateway by Using Anonymous Relay
The following procedures establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay.
To use the Exchange Management Console to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay
-
Create a new Send connector on the Hub Transport server to the external SMTP gateway by following these steps:
- Open the Exchange Management Console. Expand Organization
Configuration, click Hub Transport, and then in the
action pane, click New Send connector.
- On the New SMTP Send connector wizard
Introduction page, in the Name field, type a unique
name for the connector. From the Select the intended use for
this connector drop-down list, select Internet, and then
click Next.
- On the Address Space page, click Add. In the
Add Address Space dialog box, type "*", and then click
Next.
- On the Network Settings page, only the Route all mail
through the following smart hosts: setting can be selected.
Click Add.
- In the Add Smart Host dialog box, in the IP
address or Fully qualified domain name (FQDN) field, type the
IP address or FQDN of the SMTP gateway server, and then click
OK. To specify more than one SMTP gateway server as a smart
host, click Add and enter additional IP addresses or FQDNs,
and then click Next.
- On the Smart host security settings page, select
None, and then click Next.
- On the Source Server page, click Add. In the
Select Hub Transport and subscribed Edge Transport servers
dialog box, select one or more Hub Transport servers in your
organization, click OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
-
Create a new Receive connector on the Hub Transport server to receive mail from the external SMTP gateway by following these steps:
- Open the Exchange Management Console. Expand Server
Configuration, click Hub Transport, and then in the
action pane, click New Receive Connector.
- On the New SMTP Receive Connector wizard
Introduction page, in the Name field, type a unique
name for the connector.
- From the Select the intended use for this connector
drop-down list, select Custom, and then click
Next.
- On the Local network settings page, delete the existing
All Available entry, and then click Add.
- In the Add Receive Connector Binding dialog box, select
Specify an IP address. Type an IP address that is assigned
to a network adapter on the local server that is best able to
communicate with the external SMTP gateway. Make sure that the
Port field has the value 25, click OK, and
then click Next.
- On the Remote Network settings page, delete the existing
entry that covers all network ranges, and then click Add.
- In the Add IP Address(es) of Remote Servers dialog box,
type the IP address of the external SMTP gateway server, click
OK, and then click Next.
- On the New Connector page, click New, and then on
the Completion page, click Finish.
-
For the Receive connector that you just created, add the Anonymous permission group by following these steps:
- In the task pane, select the Receive connector that you created
in step 2, and then in the action pane, click
Properties.
- Click the Permission Groups tab, select Anonymous
users, and then click OK to save your changes and close the
Properties page.
-
For the Receive connector that you just modified, grant the relay permission to the Anonymous logon security principal by following these steps:
- Open the Exchange Management Shell.
- Run the following command, using the name of the Receive
connector that you created in step 2 and modified in
step 3:
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
To use the Exchange Management Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay
-
To create a new Send connector named "ToInternetGateway" that is used by the Hub Transport server named "HubA" that is configured to send outgoing e-mail through the external SMTP gateway named "smtpgateway1.contoso.com" by using anonymous relay, run the following command:
New-SendConnector -Name "ToInternetGateway" -Usage Internet -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism None -SourceTransportServers "HubA" -DNSRoutingEnabled $false
-
To create a new Receive connector named "FromInternetGateway" on the Hub Transport server named "HubA" that listens on local IP address 10.2.3.4 on port 25 for anonymous connections from an SMTP gateway server at the IP address 192.168.5.77, run the following command:
New-ReceiveConnector -Name "FromInternetGateway" -Server HubA -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIPRanges 192.168.5.77
-
To grant the relay permission to the Anonymous logon security principal on the Receive connector that you created in step 2, run the following command:
Get-ReceiveConnector "FromInternetGateway" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
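After either the Basic authentication or the anonymous relay procedure, a practitioner wants two things confirmed on the wire: that the gateway advertises STARTTLS and AUTH before Basic authentication over TLS is selected, and that the anonymous relay connector refuses relay from any host that is not in its remote IP ranges. The following PowerShell probe is an added example, not part of the original topic or of Exchange; it speaks plain SMTP with .NET sockets and reports what the server answered. Host names, addresses and mailboxes in it are placeholders (assumptions).

```powershell
# Added example (not from the original topic): a minimal SMTP probe that reads
# the EHLO capability list and then tries an unauthenticated relay so you can
# verify a Receive connector's remote network restriction from the outside.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies can span lines: "250-..." continues, "250 ..." terminates.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { throw "Connection closed by peer" }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    New-Object PSObject -Property @{ Code = [int]$line.Substring(0, 3); Lines = $lines }
}

function Send-SmtpCommand {
    param($Writer, $Reader, [string]$Command)
    $Writer.WriteLine($Command)          # CRLF because NewLine is set in Test-SmtpRelay
    Read-SmtpReply $Reader
}

function Test-SmtpRelay {
    param(
        [string]$Server,
        [int]$Port = 25,
        [string]$From = "probe@example.net",    # assumed external sender
        [string]$To   = "someone@example.org"   # assumed external recipient: a relay attempt
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        $ehlo   = Send-SmtpCommand $writer $reader "EHLO probe.example.net"
        # Strip the "250-" / "250 " prefix to get the bare capability keywords.
        $caps   = $ehlo.Lines | ForEach-Object { if ($_.Length -gt 4) { $_.Substring(4) } }
        $mail   = Send-SmtpCommand $writer $reader "MAIL FROM:<$From>"
        $rcpt   = Send-SmtpCommand $writer $reader "RCPT TO:<$To>"
        Send-SmtpCommand $writer $reader "QUIT" | Out-Null

        New-Object PSObject -Property @{
            Server         = "${Server}:$Port"
            Banner         = $banner.Lines[0]
            OffersStartTls = [bool]($caps -contains "STARTTLS")
            OffersAuth     = [bool]($caps | Where-Object { $_ -like "AUTH *" })
            # Relay is accepted only if both envelope commands got 250.
            RelayAccepted  = ($mail.Code -eq 250 -and $rcpt.Code -eq 250)
            LastReply      = $rcpt.Lines[-1]
        }
    } finally {
        $client.Close()
    }
}

# 1. Before choosing "Basic Authentication over TLS": the gateway must show
#    OffersStartTls and OffersAuth as True.
Test-SmtpRelay -Server "smtpgateway1.contoso.com" | Format-List

# 2. After creating the anonymous relay connector: run this from a host that is
#    NOT in RemoteIPRanges. RelayAccepted must be False; Exchange 2007 answers
#    "550 5.7.1 Unable to relay" (or refuses MAIL FROM with 530 if no connector
#    grants anonymous access). From the listed gateway address it should be True.
Test-SmtpRelay -Server "hub-a.fabrikam.com" | Format-List
```

Run the second probe from several vantage points: the gateway itself, another internal subnet, and, if you can, an Internet-facing host. Only the gateway should see RelayAccepted set to True; anything else means the remote network restriction on the connector is broader than intended.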
For More Information
For more information, see the following topics: