Configure Internet Mail Flow Through Exchange Hosted Services or an External SMTP Gateway: Exchange 2010 Help

Configure Internet Mail Flow Throug...

Collapse All

Language Filter

More Resources

Related Blog Articles

Visit the Exchange Team Blog

more...

Related Forum Discussions

Ask a question

Visit the forums

Configure Internet Mail Flow Through Exchange Hosted Services or an External SMTP Gateway

Applies to: Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

You can use the EMC or the Shell to configure Internet mail flow through Microsoft Exchange Hosted Services or an external SMTP gateway.

Exchange Hosted Services is a set of four distinct hosted services:

Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
Hosted Archive, which helps them satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations

These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.

In Exchange Server 2010, to establish Internet mail flow through Exchange Hosted Services or an external SMTP gateway, you create a Send connector and a Receive connector between the Hub Transport servers in the Exchange organization and the external SMTP servers that process and route Internet e-mail.

The following authentication methods can be used in this scenario:

Basic authentication The servers running the Exchange 2010 Hub Transport server role and the external SMTP servers authenticate by using Basic authentication. A user name and password is required. This authentication method is unavailable for Exchange Hosted Services.

Externally Secured The network connection between the Hub Transport servers and the external SMTP servers is secured by using a method that's external to Exchange 2010.

Note:
Configuring a Receive connector as externally secured without using an Externally Secured authentication method is functionally equivalent to configuring the Receive connector as an open relay for the external SMTP server. The messages that originate from the external SMTP server are treated as authenticated messages. The messages bypass anti-spam checks and message size limit checks. The external SMTP server is allowed to submit messages as if they originated from internal senders within your Exchange organization. For more information, see Allow Anonymous Relay on a Receive Connector.

Note:

Configuring a Receive connector as externally secured without using an Externally Secured authentication method is functionally equivalent to configuring the Receive connector as an open relay for the external SMTP server. The messages that originate from the external SMTP server are treated as authenticated messages. The messages bypass anti-spam checks and message size limit checks. The external SMTP server is allowed to submit messages as if they originated from internal senders within your Exchange organization. For more information, see Allow Anonymous Relay on a Receive Connector.

Anonymous relay This method should be considered the method of last resort. If you allow an external SMTP server to anonymously relay messages by using the designated Receive connector on the Hub Transport server, you must apply the following restrictions on the Receive connector:
- Local network settings If your Hub Transport server has multiple network adapters, restrict the Receive connector to listen only on the appropriate network adapter.
- Remote network settings Restrict the Receive connector to accept connections only from the specified server or servers. This restriction is necessary because the Receive connector is configured to accept relay from anonymous users. Restricting the source servers by IP address is the only measure of protection that's allowed on this Receive connector.
For more information, see Allow Anonymous Relay on a Receive Connector.

Looking for other management tasks related to managing message routing? Check out Managing Message Routing.

Prerequisites

If you're using Basic authentication, a domain account must exist in the Active Directory forest. For example, create a domain user account that has the user principal name (UPN) smtpgateway@fabrikam.com as the credentials that must be used for authentication by the SMTP gateway when delivering mail to the Exchange servers in the Fabrikam domain.
If you're using Basic authentication over Transport Layer Security (TLS), the target server must be configured to use an X.509 certificate that contains a fully qualified domain name (FQDN) that's the same as the FQDN of the Receive connector.
If you're using external authentication, a trusted network connection must exist between the Hub Transport server and the SMTP gateway server. This connection can be an IPsec association or virtual private network (VPN). Alternatively, the servers may reside in a trusted physically controlled network.

Establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" entry in the Transport Permissions topic.

Note:
Because the default Receive connector will accept e-mail submissions from the authenticated SMTP gateway, a new Receive connector isn't needed when using Basic Authentication.

Use the EMC to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication

On the Hub Transport server, open the EMC. Expand Organization Configuration, click Hub Transport, and then, in the action pane, click New Send connector.
On the New Send Connector wizard Introduction page, in the Name field, type a unique name for the connector.
From the Select the intended use for this Send connector drop-down list, select Custom, and then click Next.
On the Address space page, click Add. In the SMTP Address Space dialog box, type "*" in the Address field, and then click OK. Click Next.
On the Network settings page, only the Route mail through the following smart hosts setting can be selected. Select this setting and click Add.
In the Add smart host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of the external SMTP gateway server, and then click OK. To specify more than one SMTP gateway as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.
On the Configure smart host authentication settings page, select Basic Authentication, click Basic Authentication over TLS, type the user name and password that will be used to authenticate the connection, and then click Next.
On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.
On the New Connector page, click New, and then on the Completion page, click Finish.

Use the Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using Basic authentication

Run the following command.
```
$mycred = Get-Credential
```
In the dialog box that appears, enter the credentials for the user account on the external SMTP gateway server. Enter the user name and provide the user's password. Click OK.

This example creates the Send connector ToInternetGateway that's used by the Hub Transport server HubA that connects to the external SMTP gateway smtpgateway1.contoso.com by using basic authentication.

New-SendConnector -Name "ToInternetGateway" -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism BasicAuth,BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers "HubA" -DNSRoutingEnabled $false

For detailed syntax and parameter information, see New-SendConnector.

Establish Internet mail flow between a Hub Transport server and Exchange Hosted Services or an external SMTP gateway by using Externally Secured authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

Use the EMC to establish Internet mail flow between a Hub Transport server and Exchange Hosted Services or an external SMTP gateway by using Externally Secured authentication

Create a Send connector on the Hub Transport server to the external SMTP gateway by following these steps:
1. Expand Organization Configuration, click Hub Transport, and then in the action pane, click New Send connector.
2. On the New Send Connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.
3. On the Address Space page, click Add. In the Add Address Space dialog box, type "*" in the Address field, and then click OK. Click Next.
4. On the Network Settings page, only the Route mail through the following smart hosts setting can be selected. Click Add.
5. In the Add smart host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of the SMTP gateway server, and then click OK. To specify more than SMTP gateway server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.
6. On the Configure smart host authentication settings page, select Externally Secured (for example with IPsec), and then click Next.
7. On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.
8. On the New Connector page, click New, and then on the Completion page, click Finish.
Create a Receive connector on the Hub Transport server to receive mail from the external SMTP gateway by following these steps:
1. Expand Server Configuration, click Hub Transport, and then in the action pane, click New Receive Connector.
2. On the New Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.
3. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.
4. On the Remote Network settings page, remove the all network ranges entry, and then click Add.
5. In the Add IP Address(es) of Remote Servers dialog box, type the IP address of the external SMTP gateway server, click OK, and then click Next.
6. On the New Connector page, click New, and then on the Completion page, click Finish.
For the Receive connector that you just created, set the authentication method to Externally Secured by following these steps:
1. In the task pane, select the Receive connector that you created in step 2, and then in the action pane, click Properties.
2. Click the Authentication tab. Clear the check boxes for Basic Authentication and Exchange Server, select Externally Secured (for example with IPsec), and then click OK.

Use the Shell to establish Internet mail flow between a Hub Transport server and Exchange Hosted Services or an external SMTP gateway by using Externally Secured authentication

This example creates the Send connector ToInternetGateway used by the Hub Transport server HubA that's configured to send outgoing e-mail through the external SMTP gateway smtpgateway1.contoso.com by using Externally Secured authentication.
```
New-SendConnector -Name "ToInternetGateway" -Usage Internal -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers "HubA" -DNSRoutingEnabled $false
```
This example creates the Receive connector FromInternetGateway on the Hub Transport server HubA that uses Externally Secured authentication to receive mail from the external SMTP gateway that has the IP address 192.168.1.10.
```
New-ReceiveConnector -Name "FromInternetGateway" -Server HubA -Usage Internal -RemoteIPRanges 192.168.1.10 -AuthMechanism ExternalAuthoritative
```

For detailed syntax and parameter information, see New-SendConnector and New-ReceiveConnector.

Establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay

Use the EMC and Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay

Note:
This procedure uses the EMC for steps 1 through 4. The last step of this procedure, granting relay permission to anonymous access on the Receive connector, can't be performed by using the EMC. You must use the Shell for that step.

Create a Send connector on the Hub Transport server to the external SMTP gateway by following these steps:
1. Expand Organization Configuration, click Hub Transport, and then in the action pane, click New Send connector.
2. On the New Send Connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this Send connector drop-down list, select Internet, and then click Next.
3. On the Address space page, click Add. In the SMTP Address Space dialog box, type "*" in the Address field, and then click OK. Click Next.
4. On the Network settings page, only the Route mail through the following smart hosts setting can be selected. Click Add.
5. In the Add smart host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of the SMTP gateway server, and then click OK. To specify more than SMTP gateway server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.
6. On the Configure smart host authentication settings page, select None, and then click Next.
7. On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.
8. On the New Connector page, click New, and then on the Completion page, click Finish.
Create a Receive connector on the Hub Transport server to receive mail from the external SMTP gateway by following these steps:
1. Expand Server Configuration, click Hub Transport, and then in the action pane, click New Receive Connector.
2. On the New Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.
3. From the Select the intended use for this connector drop-down list, select Custom, and then click Next.
4. On the Local Network settings page, remove the existing All Available IPv4 entry, and then click Add.
5. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address assigned to a network adapter on the local server that's best able to communicate with the external SMTP gateway. Make sure that the Port field has the value 25 and click OK. Leave the Specify the FQDN this connector will provide in response to HELO or EHLO field blank, and then click Next.
6. On the Remote Network settings page, remove the all network ranges entry, and then click Add.
7. In the Add IP Addresses of Remote Servers dialog box, type the IP address of the external SMTP gateway server, click OK, and then click Next.
8. On the New Connector page, review the Configuration Summary. If you're satisfied, click New. If you'd like to make changes, click Back.
9. On the Completion page, review the following, and then click Finish to close the wizard:
  - A status of Completed indicates that the wizard completed the task successfully.
  - A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
For the Receive connector that you just created, add the Anonymous permission group by following these steps:
1. In the task pane, select the Receive connector that you created in step 2, and then in the action pane, click Properties.
2. Click the Permission Groups tab. Select Anonymous users, and then click OK. Click OK to save your changes and exit the Properties page.
For the Receive connector that you just modified, grant the relay permission to the Anonymous logon security principal by following these steps:
1. Open the Shell.
2. Run the following command using the name of the Receive connector that you created in step 2 and modified in step 3.
  Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For detailed syntax and parameter information, see Get-ReceiveConnector and Add-ADPermission topics.

Use the Shell to establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay

This example creates the Send connector ToInternetGateway used by the Hub Transport server HubA that's configured to send outgoing e-mail through the external SMTP gateway smtpgateway1.contoso.com by using anonymous relay.
```
New-SendConnector -Name "ToInternetGateway" -Usage Internet -AddressSpaces "*" -SmartHosts "smtpgateway1.contoso.com" -SmartHostAuthMechanism None -SourceTransportServers "HubA" -DNSRoutingEnabled $false
```
This example creates the Receive connector FromInternetGateway on the Hub Transport server HubA that listens on local IP address 10.2.3.4 on port 25 for anonymous connections from an SMTP gateway server at the IP address 192.168.5.77.
```
New-ReceiveConnector -Name "FromInternetGateway" -Server HubA -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
```

This example grants the relay permission to the Anonymous logon security principal on the Receive connector that you created in step 2.

Get-ReceiveConnector "FromInternetGateway" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For detailed syntax and parameter information, see New-SendConnector, New-ReceiveConnector, Get-ReceiveConnector, and Add-ADPermission.