The Receive Connector controls how Exchange receives email.
Exchange receives three kinds of emails - Internet, Inter-Server and Client traffic. You can have all three types of traffic using the same connectors.
During installation, Exchange creates two connectors, "Default" and "Client". Default is designed for Internet and Inter-Server traffic; Client is designed for a POP3/IMAP client to use to send email via Exchange to external recipients.
If you are using Exchange without an Edge server, then to receive email from the internet you simply need to enable Anonymous on the Permissions Group tab of the Default Receive Connector. No other changes to the Receive Connector are required.
Receive Connector Properties
The GUI covers the most commonly used Receive Connector Properties and this is what is covered on this page.
The Name can be pretty much anything, and is usually chosen to identify what the connector is used for.
The FQDN value on the Receive Connector is what appears in the banner when an inbound SMTP connection is made. From an end user point of view it is not a setting that has any effect on their email traffic flow.
Do not change the FQDN value on the default receive connector, particularly if you are in a multiple server environment. Doing so will cause problems with inter-server traffic. This will not cause a problem with receiving email from the internet, although any automated tests will fail because the FQDN doesn't resolve.
The Protocol Logging level is set to None by default. If enabled, it will log to the location of the Receive Protocol Log Path, which is set on the Properties of the Server, on the Log Settings tab.
The Maximum Message size (kb) setting is the largest email the Connector will accept. Remember that there is some overhead in attachments, so if you want to accept 10 MB messages you should probably change this setting to 13520 or higher. Remember that if you change it here you also need to change the Maximum Receive Size setting in Global Settings on the Hub Transport role under Organisation Configuration.
The network tab controls how the Connector is used by the network card.
The first box at the top controls the IP address the Connector is bound to (if multiple) and the port it listens on to accept email.
If the IP address is invalid then it can stop Transport from starting. Remember that both sides of the communication must be using the same port, so you cannot simply pick a random port on which to receive email from the internet.
The second box controls what IP addresses the connector will accept email from.
When Exchange is accepting email from the internet for direct delivery, the default settings of 0.0.0.0-255.255.255.255 should be used. However if you are using a third party service to screen your email then you could place restrictions in this section. Remember to include any internal servers that are sending email through or to the server if you change the list.
This setting is also used if you are allowing internal servers to relay through the server, so that it cannot be abused by external senders.
In Exchange 2010, IPv6 addresses can also be listed here. If you are using IPv6 addresses externally (directly or via a tunnel) then you may have to review those settings as well. However, like the IPv4 settings, the default allows any address to send to your server.
The Authentication Tab covers how clients are authenticated to the Receive Connector, and also includes the use of TLS (aka SMTP over SSL) for secure email transfer. In most cases the default options are left alone. The last box (Externally Secured) should not be enabled, as this means something else is controlling access, and if you have the server exposed to the internet it can mean the server is an open relay.
Transport Layer Security means that the server will offer TLS and a server sending you email will use it if possible. This is known as Opportunistic TLS.
The sub option of "Enable Domain Security (Mutual Auth TLS)" should only be enabled if the other settings for the domains that are using it are also configured - see this article for more information.
Basic Authentication is plain text, used by POP3/SMTP/IMAP clients to send email and therefore you can secure it by setting the sub option "Offer Basic authentication only after starting TLS". Clients will need to be configured to use TLS, so this is a setting that should either be configured before you start using the server, or only after an implementation plan has been agreed and possibly on a new connector to ease deployment.
Exchange Server authentication and Integrated Windows Authentication are usually used together and allow other Exchange servers, particularly Exchange 2003 servers to send email. If you are in a migration and replication traffic is not working, that can often be caused by these two options not being enabled.
The final option, Externally Secured, is designed for receiving email that is coming over a secure connection like a VPN. It is basically trusting something else to verify the connection and turns the server into an open relay. Do not enable this option if the server is exposed to the internet. Exchange Servers must be enabled on the Permissions Groups tab to use this option.
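The checks below turn the Network and Authentication tab advice into a small audit, as an added example that is not part of the original page. Property names are those returned by Get-ReceiveConnector; the function name, connector names and sample values are constructed for illustration.

```powershell
# Added example. The sample connectors are constructed so the script runs
# without an Exchange server; syntax is kept compatible with PowerShell 2.0.
$AnyAddress = '0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'

function Test-ReceiveConnector {
    param([Parameter(ValueFromPipeline = $true)] $Connector)
    process {
        $auth   = [string]$Connector.AuthMechanism      # flags, e.g. "Tls, BasicAuth"
        $ranges = @($Connector.RemoteIPRanges | ForEach-Object { [string]$_ })
        $open   = @($ranges | Where-Object { $AnyAddress -contains $_ }).Count -gt 0
        $findings = @()

        # Externally Secured trusts the network path; with an unrestricted
        # source range, any host that can reach the port can relay.
        if ($auth -match '\bExternalAuthoritative\b' -and $open) {
            $findings += 'Externally Secured with unrestricted Remote IP ranges'
        }
        # Basic authentication is plain text unless it is only offered after STARTTLS.
        if ($auth -match '\bBasicAuth\b' -and $auth -notmatch '\bBasicAuthRequireTLS\b') {
            $findings += 'Basic authentication offered without requiring TLS'
        }
        # With logging at None there is no SMTP session record to review.
        if ($open -and [string]$Connector.ProtocolLoggingLevel -eq 'None') {
            $findings += 'Protocol logging disabled on a connector open to any address'
        }
        New-Object PSObject -Property @{
            Name     = $Connector.Name
            Findings = $findings
        }
    }
}

# Constructed sample input. On an Exchange server, replace $sample with
# Get-ReceiveConnector in the pipeline below.
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'Default EX01'; AuthMechanism = 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255'); ProtocolLoggingLevel = 'Verbose' }),
    (New-Object PSObject -Property @{
        Name = 'Relay EX01'; AuthMechanism = 'Tls, ExternalAuthoritative'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255'); ProtocolLoggingLevel = 'None' })
)
$sample | Test-ReceiveConnector | ForEach-Object {
    '{0}: {1}' -f $_.Name, $(if ($_.Findings) { $_.Findings -join '; ' } else { 'no findings' })
}
```

A relay connector that lists only the internal servers in Remote IP ranges produces no Externally Secured finding, which matches the restriction described for the Network tab.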
Permissions Groups Tab
The final tab allows you to control the type of users who can connect to this Receive Connector.
Anonymous Users are other servers on the internet sending email to your server using MX record lookup. This is usually enabled on the "Default" Receive Connector. Enabling this option does not turn your server into an open relay, unless other settings are applied with it.
Exchange Users, Exchange Servers and Legacy Exchange Servers are predefined sets of users.
Exchange users are simply authenticated users who are mail enabled. This group also bypasses the Antispam options if set.
Exchange servers are members of the Exchange Servers group.
Legacy Exchange servers are members of the ExchangeLegacyInterop group.
The full list of the various permissions and what they are allowed to do can be found in the Receive Connectors reference at the end of this page.
Understanding Receive Connectors: http://technet.microsoft.com/en-us/library/aa996395.aspx