basic receive connectors query

Hi. The current Exchange 2013 I am now managing was handed over to me years ago. The receive connectors have been the same through all upgrades ever since Exchange 2000.

The receive connectors (there are 4 of them, all having the role "FrontendTransport"): in the security tab, almost all the authentication boxes are ticked (normal?). In the scoping tab, only one of the four connectors has my servers' VLAN in there. The rest have 0.0.0.0 - 255.255.255.255, which I think should not be.

Now, to test for relaying, internally I used telnet and MAIL FROM using the domain xxx.com, which it accepted. So I guess there is no authentication going on before sending an email.

The question is, what really should be configured in the security and scoping tabs of these receive connectors so that my servers/applications can send emails, and Outlook users can send/receive internally and from outside?

July 26th, 2015 9:48am

Hi Reno, 

By default, receive connectors are scoped to 0.0.0.0-255.255.255.255. This doesn't mean that relay is enabled. You can restrict this scope to include only the IP addresses or subnets of the other devices that connect to the server with SMTP.

To know if you have anonymous relay enabled you can try this:

 Telnet servername 25
 helo test
 mail from: user@domain.com
 rcpt to: user@externaldomain.com

After the "rcpt to" you should receive an error about being unable to relay; if it returns an "ok", this could be wrong, because an anonymous user can relay to an external domain. The relay configuration doesn't impact Exchange users because they don't use direct SMTP (unless your clients use IMAP or POP; in this case there is a specific connector that listens by default on port 587).

Regarding authentication it would depend on your mail flow scenarios.

Internal applications or devices can send internal emails with the default configuration; you can configure them to use the default client receive connector (port 587) with basic authentication if the device or application allows it (this connector would allow external email too).

One great resource about this topic would be this:

http://exchangeserverpro.com/exchange-2013-configure-smtp-relay-connector

regards,
July 26th, 2015 10:17am
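The telnet test in the answer above, as a scripted version (an added example, not code from the thread or from Exchange). It drives the same EHLO / MAIL FROM / RCPT TO / QUIT dialogue, records what the EHLO reply advertises (STARTTLS and the AUTH mechanisms, which is what the "ticked boxes" in the security tab actually expose to a client), and reports whether an unauthenticated RCPT TO for an external domain gets a 250. The server name, the addresses and the two transcripts are constructed for the example; the `SocketConn` class is there for running it against a real connector.

```python
"""Added example: scripted open-relay / EHLO probe for an SMTP receive connector."""
import socket
from typing import List, Tuple


class SocketConn:
    """Line-oriented SMTP transport over TCP, for use against a live server."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self._sock = socket.create_connection((host, port), timeout=timeout)
        self._rfile = self._sock.makefile("rb")

    def readline(self) -> str:
        return self._rfile.readline().decode("ascii", "replace").rstrip("\r\n")

    def write(self, line: str) -> None:
        self._sock.sendall((line + "\r\n").encode("ascii"))

    def close(self) -> None:
        self._sock.close()


class ScriptedConn:
    """Constructed server transcript standing in for a live connector; records what was sent."""

    def __init__(self, replies: List[str]):
        self._replies = list(replies)
        self.sent: List[str] = []

    def readline(self) -> str:
        return self._replies.pop(0)

    def write(self, line: str) -> None:
        self.sent.append(line)

    def close(self) -> None:
        pass


def read_reply(conn) -> Tuple[int, List[str]]:
    """Read one SMTP reply, following '250-' continuation lines up to the final '250 ' line."""
    lines: List[str] = []
    while True:
        line = conn.readline()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def probe_relay(conn, helo_name: str, mail_from: str, rcpt_to: str) -> dict:
    """Run the relay test; rcpt_to should be in a domain the server is not authoritative for."""
    result = {"starttls": False, "auth": [], "mail_code": None,
              "rcpt_code": None, "rcpt_text": "", "open_relay": False}
    code, banner = read_reply(conn)
    if code != 220:
        raise RuntimeError(f"unexpected banner {code}: {banner}")
    conn.write(f"EHLO {helo_name}")
    code, ext = read_reply(conn)
    if code != 250:
        raise RuntimeError(f"EHLO rejected with {code}: {ext}")
    for keyword in ext[1:]:  # ext[0] is the server's greeting line, not an extension
        words = keyword.split()
        if words and words[0].upper() == "STARTTLS":
            result["starttls"] = True
        elif words and words[0].upper() == "AUTH":
            result["auth"] = [w.upper() for w in words[1:]]
    conn.write(f"MAIL FROM:<{mail_from}>")
    code, _ = read_reply(conn)
    result["mail_code"] = code
    if code == 250:
        conn.write(f"RCPT TO:<{rcpt_to}>")
        code, text = read_reply(conn)
        result["rcpt_code"] = code
        result["rcpt_text"] = " ".join(text)
        # A 250 for an external recipient with no AUTH is the anonymous-relay signature.
        result["open_relay"] = code == 250
    conn.write("QUIT")
    conn.close()
    return result


# Constructed transcripts of the two outcomes the answer describes.
RELAY_DENIED = [
    "220 ex2013.example.local Microsoft ESMTP MAIL Service ready",
    "250-ex2013.example.local Hello [10.0.0.50]",
    "250-SIZE 37748736",
    "250-STARTTLS",
    "250-AUTH GSSAPI NTLM",
    "250 OK",
    "250 2.1.0 Sender OK",
    "550 5.7.1 Unable to relay",
]
RELAY_ALLOWED = RELAY_DENIED[:-1] + ["250 2.1.5 Recipient OK"]

if __name__ == "__main__":
    # Live use would be probe_relay(SocketConn("mail.xxx.com", 25), ...); the transcripts run here instead.
    for label, script in (("denied", RELAY_DENIED), ("allowed", RELAY_ALLOWED)):
        print(label, probe_relay(ScriptedConn(script), "test",
                                 "user@domain.com", "user@externaldomain.com"))
```

Because connector selection is by remote IP range, the answer you get depends on where you run the probe from: run it once from an ordinary workstation and once from the address of each server that is allowed to relay, and compare the RCPT TO codes. A connector only relays for anonymous senders when its Anonymous permission group is combined with the ms-Exch-SMTP-Accept-Any-Recipient right, which is the setting the linked article explains how to grant to a scoped relay connector.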

Hi, thanks for the link.

In that article, where it discusses "how Exchange 2013 knows which receive connector to use", it says selection is on a most-specific-match-wins basis.

I have two receive connectors that seem to be redundant. The first one has a list of IP addresses of my servers in its scoping, as well as Anonymous ticked in the security tab. The second receive connector has 0.0.0.0 to 255.255.255.255 in its scoping, as well as Anonymous ticked in the security tab.

If the selection is on a most-specific-match-wins basis, the second receive connector always gets the connection from my app server (tested by removing the tick mark on Anonymous and sending a test email; then the app server will complain of not being able to send).

So how does Exchange 2013 decide which receive connector to use?

July 26th, 2015 11:13am

Can you please post the output for the 2 receive connectors by running the command below:

Get-ReceiveConnector | fl

July 26th, 2015 2:00pm

Hi Reno, regarding "most specific match wins", let's see an example:

 "Connector A"
   Listens on all IP addresses on port 25
   Remote IP range 0.0.0.0-255.255.255.255

 "Connector B"
   Listens on all IP addresses on port 25
   Remote IP 192.168.1.20

In this scenario, if server "appsrv01" with IP address "192.168.1.20" tries to send mail, it is always going to use connector B.

To understand what is happening in your case it would be helpful to have the output of the Get-ReceiveConnector cmdlet, as Sathish requested, and the IP address of the "app server" you mention in your last post.

July 26th, 2015 2:56pm
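The selection rule from the post above, as a small model you can feed your own RemoteIPRanges into (an added example, not Exchange's code and not from the thread). Each connector is given its RemoteIPRanges entries in the forms Get-ReceiveConnector prints them (single address, CIDR, or start-end range); for a remote IP, the connector whose narrowest matching entry covers the fewest addresses wins. Bindings are simplified to a port number. "Connector A" and "Connector B" are the two from the post; the third connector and the test addresses are assumptions for illustration. Pasting the list from the first connector and the app server's address in place of them shows directly whether that address is covered; if it is not, the catch-all range is the only match and therefore the "most specific" one.

```python
"""Added example: model of the receive-connector "most specific match wins" rule."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_range(spec: str) -> Tuple[int, int, int]:
    """Return (ip_version, first, last) as integers for one RemoteIPRanges entry."""
    spec = spec.strip()
    if "-" in spec:  # start-end form, e.g. 0.0.0.0-255.255.255.255
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range: {spec}")
        return lo.version, int(lo), int(hi)
    if "/" in spec:  # CIDR form, e.g. 10.0.0.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    ip = ipaddress.ip_address(spec)  # single address
    return ip.version, int(ip), int(ip)


@dataclass
class Connector:
    name: str
    remote_ip_ranges: List[str]
    port: int = 25  # simplification: bindings compared by port only


def narrowest_match(conn: Connector, remote_ip: str) -> Optional[int]:
    """Number of addresses in the smallest entry of conn that contains remote_ip, or None."""
    ip = ipaddress.ip_address(remote_ip)
    best = None
    for spec in conn.remote_ip_ranges:
        version, lo, hi = parse_range(spec)
        if version == ip.version and lo <= int(ip) <= hi:
            size = hi - lo + 1
            best = size if best is None else min(best, size)
    return best


def select_connector(connectors: List[Connector], remote_ip: str, port: int = 25) -> Optional[Connector]:
    """Most specific match wins; None when no connector on that port covers the address."""
    matches = []
    for conn in connectors:
        if conn.port != port:
            continue
        size = narrowest_match(conn, remote_ip)
        if size is not None:
            matches.append((size, conn))
    if not matches:
        return None
    return min(matches, key=lambda m: m[0])[1]


# Connectors A and B from the post; the third one and the addresses below are assumed.
CONNECTORS = [
    Connector("Connector A", ["::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "0.0.0.0-255.255.255.255"]),
    Connector("Connector B", ["192.168.1.20"]),
    Connector("Relay (server list)", ["192.168.1.30", "192.168.1.31", "10.0.0.0/24"]),
]

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.21", "10.0.0.15", "2001:db8::1"):
        chosen = select_connector(CONNECTORS, ip)
        print(ip, "->", chosen.name if chosen else "no connector")
```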

Hi,

I tried twice to paste the output here but I keep getting "unexpected error" every time. How else can I send you the output?

July 27th, 2015 1:28am

Hi,

By default, there are three receive connectors with the FrontendTransport role:

Name             : Default Frontend EX2013
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers

Name             : Outbound Proxy Frontend EX2013
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : AnonymousUsers, ExchangeServers

Name             : Client Frontend EX2013
AuthMechanism    : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
RemoteIPRanges   : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
TransportRole    : FrontendTransport
PermissionGroups : ExchangeUsers

And danielnb has explained your question about how Exchange 2013 decides which receive connector to use.

To share the output, you can save the output to txt file, then upload to cloud drive and post the shared link of that file.

Best Regards.

July 27th, 2015 5:29am

Hi,

Yes, I would think so on a fresh install, but my connectors are an amalgamation of previous connectors since Exchange 2000 :)

I have uploaded the output to OneDrive: http://1drv.ms/1MRnsXc

July 27th, 2015 5:37am

Hi Reno, I think the relay connectors are misconfigured; among other things, I see you are using AuthMechanism "TLS, ExternalAuthoritative" but in PermissionGroups all the options are selected.

In general, when you configure external relay with TLS, ExternalAuthoritative, the only option you should select in PermissionGroups is ExchangeServers, scoping only to trusted IP addresses.

I think the best you can do is to gather more information about connector usage (maybe by enabling protocol logging). This way you can be sure about which connectors are being used and from which servers.
July 27th, 2015 10:58am

Hi, that's my feeling, just by the looks of it.

I am enabling protocol logging; hopefully I will find out which are the redundant connectors.

By the way, if I select ExchangeServers in PermissionGroups, plus scoping only to trusted IP addresses, will that not prevent my Oracle servers from relaying to my Exchange server, since they are not Exchange servers?
August 3rd, 2015 4:30am

Hi,

I enabled protocol logging for a couple of hours. No logs were created. I enabled it for all receive connectors.

The location of the log is D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive

It has remained empty up to this time.

August 3rd, 2015 7:15am

You are checking the logs in the right path; not sure why it's not recording the logs.

Can you restart the transport service and see the results?

August 3rd, 2015 8:41am
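One caveat on the empty folder: the ...\Logs\Hub\ProtocolLog\SmtpReceive path is where the Transport service (HubTransport role connectors) writes; in Exchange 2013 the connectors with the FrontendTransport role, which is what all four here are, are logged by the Front End Transport service under ...\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive (Get-FrontendTransportService and Get-TransportService each show their own ReceiveProtocolLogPath). Once log files do appear, this added example (not from the thread or from Exchange) summarises them per connector, which is the question protocol logging was enabled to answer: how many sessions each connector received, from which remote IPs, and whether those sessions authenticated before MAIL FROM. The format is the standard one: '#'-prefixed header lines, column names on the '#Fields:' line, then one CSV record per protocol event ('+' connect, '<' command received, '>' reply sent, '-' disconnect). The log below, with its server, connector names, session IDs and addresses, is constructed for the example.

```python
"""Added example: per-connector summary of an Exchange SmtpReceive protocol log."""
import csv
from collections import defaultdict
from typing import Dict, Iterable, Iterator

# Constructed sample in the SmtpReceive log format; two sessions on two connectors.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2015-08-03T08:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-08-03T08:00:01.100Z,EX2013\Default Frontend EX2013,08D2A1B2C3D4E5F6,0,10.0.0.10:25,10.0.0.50:49152,+,,
2015-08-03T08:00:01.110Z,EX2013\Default Frontend EX2013,08D2A1B2C3D4E5F6,1,10.0.0.10:25,10.0.0.50:49152,>,"220 EX2013.example.local Microsoft ESMTP MAIL Service ready at Mon, 3 Aug 2015 08:00:01 +0000",
2015-08-03T08:00:01.120Z,EX2013\Default Frontend EX2013,08D2A1B2C3D4E5F6,2,10.0.0.10:25,10.0.0.50:49152,<,EHLO oraapp01,
2015-08-03T08:00:01.140Z,EX2013\Default Frontend EX2013,08D2A1B2C3D4E5F6,3,10.0.0.10:25,10.0.0.50:49152,<,MAIL FROM:<alerts@xxx.com>,
2015-08-03T08:00:01.150Z,EX2013\Default Frontend EX2013,08D2A1B2C3D4E5F6,4,10.0.0.10:25,10.0.0.50:49152,<,RCPT TO:<ops@xxx.com>,
2015-08-03T08:00:01.300Z,EX2013\Default Frontend EX2013,08D2A1B2C3D4E5F6,5,10.0.0.10:25,10.0.0.50:49152,-,,Local
2015-08-03T08:02:10.100Z,EX2013\Client Frontend EX2013,08D2A1B2C3D4E600,0,10.0.0.10:587,10.0.0.77:51000,+,,
2015-08-03T08:02:10.130Z,EX2013\Client Frontend EX2013,08D2A1B2C3D4E600,1,10.0.0.10:587,10.0.0.77:51000,<,AUTH LOGIN,
2015-08-03T08:02:10.160Z,EX2013\Client Frontend EX2013,08D2A1B2C3D4E600,2,10.0.0.10:587,10.0.0.77:51000,<,MAIL FROM:<jdoe@xxx.com>,
2015-08-03T08:02:10.400Z,EX2013\Client Frontend EX2013,08D2A1B2C3D4E600,3,10.0.0.10:587,10.0.0.77:51000,-,,Local
"""

FIELDS_PREFIX = "#Fields: "


def parse_protocol_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split(",")
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before #Fields: header")
        values = next(csv.reader([line]))  # csv handles the quoted, comma-containing data column
        yield dict(zip(fields, values))


def report(records: Iterable[Dict[str, str]]) -> Dict[str, dict]:
    """Per connector: session count, remote IPs split by whether the session sent AUTH, and senders."""
    sessions: Dict[str, Dict[str, dict]] = defaultdict(dict)  # connector-id -> session-id -> info
    for r in records:
        by_sid = sessions[r["connector-id"]]
        info = by_sid.setdefault(r["session-id"], {
            "ip": r["remote-endpoint"].rsplit(":", 1)[0], "auth": False, "mail_from": []})
        if r["event"] == "<":  # commands the client sent
            cmd = r["data"].strip()
            if cmd.upper().startswith("AUTH"):
                info["auth"] = True
            elif cmd.upper().startswith("MAIL FROM:"):
                info["mail_from"].append(cmd[len("MAIL FROM:"):].strip("<> "))
    out = {}
    for connector, by_sid in sessions.items():
        out[connector] = {
            "sessions": len(by_sid),
            "authenticated_ips": sorted({s["ip"] for s in by_sid.values() if s["auth"]}),
            "anonymous_ips": sorted({s["ip"] for s in by_sid.values() if not s["auth"]}),
            "senders": sorted({m for s in by_sid.values() for m in s["mail_from"]}),
        }
    return out


if __name__ == "__main__":
    # Real use: read every *.LOG file in the SmtpReceive folder and concatenate the text.
    for connector, summary in report(parse_protocol_log(SAMPLE_LOG)).items():
        print(connector, summary)
```

Connectors that never appear in the output over a representative window are the redundancy candidates; the anonymous_ips list for each connector is the set of addresses a tightened RemoteIPRanges scope has to keep, and the authenticated_ips list shows which clients would survive dropping Anonymous from the permission groups.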
