none
Exchange 2003 to Exchange 2010 Migration - Question about default RECEIVE connector

    Question

  • Hi,

    We are migrating from Exchange 2003 to 2010.

    I am summarizing the steps in order to get there. For the time being I have the following question.

    We will have 2 servers with CAS and HT roles coexisting in the same box. CASHT01 / CASHT02.

    An overview of the migration:

    1.) Front end migration
    2.) Outbound Routing Migration
    3.) Inbound Routing Migration
    3.) Mailbox migration

    For step #2 I will be modifying the Default Receive connector for each of my HT servers in order to allow "Anonymous users"

    By doing this the connector will accept email from external servers on non-Exchange servers. (Server Configuration / Hub Transport)

    The Exchange 2003 SMTP servers is opened for everyone in the LAN that needs to relay email through it. We have applications, devices etc that have SMTP clients and send email notifications.

    I know I can create a 2nd Receive connector and include the IP of those devices which will allow them to relay through the new connector, the problem is that nobody has a list of them we would like to allow everyone in the LAN to be able to send through the DEFAULT receive connector.

    Are there any specific setting that I have to modify in the DEFAULT receive connector in order to allow this? I have been told the Exchange server has to be enabled (permission group) which is already by default and Authentication TAB "Externally Secured"
    Wednesday, February 29, 2012 2:47 AM

Answers

  • As stated above, you need to create a new receive connector.  CASHT01 and CASHT02 need to use "exchange auth" to eachother and open relay needs "externally secured", which cannot be on the same connector.

    Create a new connector called "unauthenticated relay" or something to this effect and adjust the network IP range.  You can then list client subnets.  Just be sure not to include the Exchange server's range here, or you'll send them to the wrong connector.  Once you're good on the network list, tick the "externally secured" and "anonymous" checkboxes.



    Mike Crowley | MVP
    My Blog-- Planet Technologies




    Wednesday, February 29, 2012 7:45 AM
    Moderator

All replies

  • Although not recommended due to potentially security risks with email being forwarded through Exchange by an infected workstation, this can be done easily.  Just create a new Recieve Connector, name it App relay.  Leave 'Local Network Settings' at the defaults and the 'Remote Network Settings' just add the subnets that you are using internally (ie 192.168.1.0/24) and than make sure you allow anonymous connections.  That should do it.

    JAUCG

    Wednesday, February 29, 2012 4:50 AM
  • As stated above, you need to create a new receive connector.  CASHT01 and CASHT02 need to use "exchange auth" to eachother and open relay needs "externally secured", which cannot be on the same connector.

    Create a new connector called "unauthenticated relay" or something to this effect and adjust the network IP range.  You can then list client subnets.  Just be sure not to include the Exchange server's range here, or you'll send them to the wrong connector.  Once you're good on the network list, tick the "externally secured" and "anonymous" checkboxes.



    Mike Crowley | MVP
    My Blog-- Planet Technologies




    Wednesday, February 29, 2012 7:45 AM
    Moderator
  • All right. So this what I am planning to do:

    1.) Create a new receive connector called "Unauthenticated Relay"

    2.) Use this local IP addresses to receive mail - "All available IPv4" port 25

    3.) Receive mail from remote servers that have these IPs - I will list the workstations subnets.

    4.) Permissions group - Enable Only Exchange Servers

    5.) Authentication - Enable Externally Secured (TLS is enabled by default)

    The DEFAULT connector is configured as follows:

    1.) Use this local IP addresses to receive mail - "All available IPv4"/"All available IPv6" port 25

    2.) Receive mail from remote servers that have these IPs - I will list the workstations subnets.

    3.) Permissions group - Enabled Anonymous, Exchange users, Exchange servers, Legacy Exchange servers

    4.) Authentication - Enabled -> TLS, Basic Authentication (after TLS), Exchange Server Authent, Integrated Windows Auth.

    At this point I will be able to receive external email traffic and my  apps/devices sitting at the LAN will be able to relay emails inside and outside of the ORG.

    I just need to create a SEND connector in order for everyone to be able to SEND email outside of the ORG to external domains.

    Send Connector:

    1.) Name: Internet Email (Exchange 2010)
    2.) Intended use: Internet
    3.) SMTP select Address space "*" then Include all subdomains
    4.) Network Settings: Use domain name DNS MX records
    5.) Source Server - I have 2 CASHT01/CASHT02 - Would I be able to select both servers?

    Is that correct?

    Wednesday, February 29, 2012 2:26 PM
  • One more thing, you need Anonymous on the Permissions Group on the receive connector and you need to remove any subnets where your Exchange servers live.  Just add the IPs for those devices in the same subnet.  If the machines are outside the Exchange server subnet, then you can add the subnet as Ed said.

    For the Send Connector, yes you can source both servers for redundancy.

    Here is a good writeup on connectors - http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html


    JAUCG

    Friday, March 02, 2012 9:59 PM