What are the differences/risks of receiving internet emails directly on a Hub Transport connector?

  • Question

  • We have a single Exchange 2016 server (no separate server with frontend role).

    If we receive internet emails on the "Default Frontend OURSERVER" connector (Frontend role), we noticed that there is no way to reject emails that are sent to nonexistent internal addresses with a

    550 5.1.10 RESOLVER.ADR.RecipientNotFound

    just after the RCPT TO command. The emails are rejected after receiving the whole body of the email.

    This problem is solved if we receive internet emails on a newly created HubTransport connector with TLS+Basic Auth+Anonymous+Exchange Users enabled.

    But what are the risks (if any) to use a HubTransport connector?

    Are there other differences?

    Again we searched the internet, but only found confusing information.

    Friday, August 4, 2017 12:00 PM

All replies

  • As yours is multirole server, the Default Frontend OURSERVER should have port 25 in scope and Default Server HT should have port 2525.

    Creating a new HT connector will cause conflicts with the default server HT connectors if they are listening on the same default port 25.

    Friday, August 4, 2017 2:48 PM
  • Obviously we used another port.

    What I'm underlining here is that there is no information about what the risks (if any) are of using a HubTransport connector to receive mail from the Internet on a single Exchange server.

    Friday, August 4, 2017 2:51 PM
  • Hi.

    Microsoft recommends using Edge services to protect Exchange services.

    Edge Transport servers

    SMTP relay is very easy, but slow.

    Setup and Configure SMTP Server on Windows Server 2012

    You can use any other SMTP front end for protection and email filtering. It may be an Internet or on-premises service/server.

    Best practices for configuring EOP

    This is an old service, but a good example: Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server

    MCITP, MCSE. Regards, Oleg

    Friday, August 4, 2017 3:11 PM
  • Hi,

    Per my experience, it’s the same on receiving emails. From another point of view, it will increase the exposure of your internal Exchange to threats on the Internet without an Edge Transport server or EOP.

    Hope it helps.


    Jason Chao


    • Proposed as answer by Jason.Chao Saturday, August 12, 2017 8:05 AM
    Monday, August 7, 2017 6:19 AM
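
An audit for the setup discussed in this thread, added here as an example and not posted by any participant: it lists every enabled receive connector that accepts anonymous sessions, with its transport role and bindings, and flags Basic authentication offered without a TLS requirement and anonymous relay rights. It assumes the Exchange Management Shell on the Exchange 2016 server; the output column names are chosen for this example.

```powershell
# Added example: review anonymous-capable receive connectors before exposing
# one (Frontend or HubTransport) to the Internet.
$anon = 'NT AUTHORITY\ANONYMOUS LOGON'

Get-ReceiveConnector |
    Where-Object { $_.Enabled -and ($_.PermissionGroups -match 'AnonymousUsers') } |
    ForEach-Object {
        $rc = $_

        # Allow ACEs held by anonymous senders on this connector object
        $perms = $rc | Get-ADPermission -User $anon |
            Where-Object { -not $_.Deny }

        # Anonymous + Accept-Any-Recipient means the connector relays for anyone
        $canRelay = [bool]($perms | Where-Object {
            $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
        })

        # BasicAuth present without BasicAuthRequireTLS lets credentials
        # cross the wire in clear text if the client skips STARTTLS
        $auth = [string]$rc.AuthMechanism
        $basicNoTls = ($auth -match 'BasicAuth\b') -and
                      ($auth -notmatch 'BasicAuthRequireTLS')

        [pscustomobject]@{
            Connector           = $rc.Identity
            Role                = $rc.TransportRole
            Bindings            = $rc.Bindings -join ', '
            RemoteIPRanges      = $rc.RemoteIPRanges -join ', '
            PermissionGroups    = $rc.PermissionGroups
            AuthMechanism       = $auth
            BasicAuthWithoutTls = $basicNoTls
            AnonymousCanRelay   = $canRelay
        }
    } | Format-List
```

A connector that shows `AnonymousCanRelay : True` with an unrestricted `RemoteIPRanges`, or `BasicAuthWithoutTls : True` on an Internet-facing binding, is the exposure worth fixing first.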