Pros and Cons – Configuring Exchange Internet Receive connector (Exchange 2010, 2007)
The scenario when there is no Edge server (Internet-facing Hub Transport server) requires one of the following actions:
1. Modify the default Receive connector to allow anonymous connections
http://technet.microsoft.com/en-us/library/bb738138.aspx
2. Configure Receive connector (to receive messages from all remote IP addresses through port 25)
http://technet.microsoft.com/en-us/library/bb125159.aspx
Modifying the Default Receive connector to allow anonymous access (item 1, above) seems to be the recommended approach.
The downsides of this approach are:
1. The usage of the default Receive connector is internal - this connector only accepts mail from other Exchange servers that are part of the same Exchange organization. By default, this connector doesn't accept anonymous submissions. Mixing internal traffic with external traffic doesn’t seem like a good idea.
2. You cannot modify the FQDN (it is using by default the internal Exchange server name) of the Default Exchange Receive connector.
3. The external DNS records (forward and reverse) are using the Exchange Server public name – ex. “mail.yourexternaldomain.com”. External mail servers are establishing a session to “mail.yourexternaldomain.com”, and are getting a response from “exchange.internalADdomain.com”?!?
4. Finally, it is not a good idea to expose your AD and Exchange internal name to the Internet.
This leads us to the second approach – Configuring a default Internet Receive connector. This seems like a better option, from a design and security point of view. However, there are a couple of considerations, which I would like to put up for discussion here:
1. You have to first modify the Default Receive connector and change its remote IP address ranges. Otherwise, when creating the Default Internet Receive connector, you will get the error “A receive connector must have a unique combination of a local IP address, port bindings, and remote IP address ranges”. The easy way to do this is to change the scope to the local subnet(s), and set the default connector to all IPs. The more difficult approach is the way this is done in SBS 2008, which in my opinion is a weird approach. I would be happy to hear your opinion here.
2. Should we keep the local IP address of the connector set to:
· All Available IPv4 (which again seems the recommended approach):
http://technet.microsoft.com/en-us/library/bb125159.aspx
· or specify a single IP
March 27th, 2010 8:16pm
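The "second approach" from the post, as Exchange Management Shell steps. This is an added example, not code from the thread or from Microsoft's documentation; the server name, internal subnet and public FQDN are placeholders you must replace.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell.
$Server     = "EXCH01"                      # assumption: internal Hub Transport server name
$Internal   = "10.0.0.0/24"                 # assumption: subnet(s) holding the other Exchange servers
$PublicFqdn = "mail.yourexternaldomain.com" # the name published in the external MX/PTR records

# 1. Narrow the Default connector FIRST. Until its remote IP range no longer
#    overlaps with the new connector, New-ReceiveConnector fails with
#    "A receive connector must have a unique combination of a local IP address,
#    port bindings, and remote IP address ranges".
#    -RemoteIPRanges REPLACES the existing list: every Exchange server and
#    internal relay must still fall inside it, or internal mail flow stops.
Set-ReceiveConnector -Identity "$Server\Default $Server" -RemoteIPRanges $Internal

# 2. Create the Internet-facing connector. -Usage Internet grants the
#    AnonymousUsers permission group; -Fqdn is the name external servers see in
#    the SMTP banner/EHLO, so the internal AD name is not exposed.
#    "0.0.0.0:25" is "All Available IPv4"; use e.g. "203.0.113.10:25" (a
#    placeholder address) to bind a single IP instead.
New-ReceiveConnector -Name "Internet Receive Connector" `
    -Server $Server `
    -Usage Internet `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -Fqdn $PublicFqdn

# 3. Verify the split: the Default connector must not carry AnonymousUsers and
#    must be scoped to the internal range; the Internet connector must present
#    the public FQDN.
Get-ReceiveConnector -Server $Server |
    Format-Table Name, Bindings, RemoteIPRanges, Fqdn, PermissionGroups -AutoSize

Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Name -like "Default*" -and "$($_.PermissionGroups)" -match "AnonymousUsers" } |
    ForEach-Object { Write-Warning "$($_.Name) still accepts anonymous submissions" }
```

Run the three steps in this order on each Internet-facing Hub Transport server; the final check flags a Default connector that was left open to anonymous senders.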
I believe that you are overthinking this.
If you want to create a new connector (and I wouldn't call it "Default" anything since it's not a default) you can simply give it a different IP address.
-- Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
"3demo" wrote in message news:75c9f5f8-46d3-4bed-bdf2-79c0c6bcf0d1...
March 29th, 2010 12:43am
Hi
My opinion is to keep the local IP address of the connector to all available.
Thanks Amit Haridas
August 12th, 2010 3:42pm