"Deep Exchange 2013" 14: Receive connectors


Receive connectors are conceptually simpler than Send connectors: each Receive connector listens only for connections from the IP addresses and ports you assign to it, and accepts SMTP sessions from them. A Receive connector uses permission groups to decide which senders may use it. A permission group is a predefined set of security principals that hold permissions on an object (here, the Receive connector), for example "Exchange users" (any user with a mailbox) or "Exchange servers" (any Exchange server in the organization). The model resembles NTFS permissions: users are placed in groups, and permissions are granted to the group on the object. I will not reproduce the full table of permission groups here; see TechNet: http://technet.microsoft.com/en-us/library/jj673053(v=exchg.150).aspx.

When the CAS role is installed, three Receive connectors are created by default. The first, "Default Frontend <CAS server name>", receives SMTP traffic on the Internet-standard TCP port 25. Unlike Exchange 2007 and 2010, this connector in Exchange 2013 accepts anonymous inbound messages by default, so you do not have to enable anonymous access to receive external mail after the installation completes. The second, "Client Frontend <CAS server name>", is mainly for client connections; it listens on TCP 587 and accepts only TLS-encrypted connections. The third, "Outbound Proxy Frontend <CAS server name>", listens for outbound mail traffic proxied from the Send connector on the Mailbox server.

When the MBX role is installed, two Receive connectors are created by default:

The first is "Default <MBX server name>", which accepts SMTP traffic between servers within the organization. It listens on TCP 2525 on a full-role server and on TCP 25 on a server that has only the MBX role.

The second is "Client Proxy <MBX server name>", which listens on TCP 465 and receives only client mail proxied from the "Client Frontend <CAS server name>" connector on the CAS.

The connectors on the MBX role do not all use the standard ports, and their authentication settings allow them to accept messages only from Exchange servers or from authenticated users in the local AD forest. By default they also have no IP address restrictions. Clients should not connect to them directly; they should connect to the connector on the CAS that listens on port 587, which proxies the request to the MBX.

In summary, on a full-role Exchange 2013 server, running Get-ReceiveConnector returns the five default connectors described above.


Each Receive connector has a property called TransportRole (the Chinese version of Exchange translates it as "role"). It takes one of two values, HubTransport or FrontendTransport, and indicates where the connector runs (on the MBX or on the CAS). Note that this value cannot be changed after the connector has been created.

The default configuration above also explains why Microsoft talks about the "typical installation" everywhere: a typical installation does not need any additional Receive connectors, because the default connectors already listen for all TCP 25 traffic on IPv4 and IPv6.

OK, when you do consider creating a new Receive connector, here are a few points to note:

1. Which server needs this Receive connector?

2. Which TransportRole the connector should have. If the environment has a full-role server, there is already a HubTransport connector listening on TCP 2525 and a FrontendTransport connector listening on TCP 25. If you now create a HubTransport connector bound to TCP 25, connectors of two different roles will be listening on the same port, and one of them will not work: whichever service starts listening on the port first keeps it. Note that the two roles correspond to two different services, whereas you can create several connectors of the same role on the same port, because they belong to the same service. So be especially careful when creating connectors on a full-role server.

3. What the new connector is for: connecting two internal Exchange organizations, handling additional external SMTP traffic, or connecting Exchange 2013 to Exchange 2003. All of this must be planned in advance.

4. Does the maximum inbound message size on the Receive connector need to be adjusted?

5. Which permissions the clients using the Receive connector should have.
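Before creating a connector on a full-role server, it helps to see what is already bound to each port. The following EMS snippet is an added example, not code from the original post: it lists every binding on one server and warns when connectors of two different TransportRoles share a port, the situation point 2 describes. The server name EX01 is assumed, as is the Address/Port shape of the Bindings entries.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell; the server name is a placeholder.
$server = 'EX01'

# Flatten every connector's Bindings into one row per (connector, port).
$bindings = Get-ReceiveConnector -Server $server | ForEach-Object {
    $conn = $_
    foreach ($b in $conn.Bindings) {
        [pscustomobject]@{
            Connector = $conn.Name
            Role      = $conn.TransportRole
            Address   = $b.Address
            Port      = $b.Port
        }
    }
}

# Same role on the same port is fine (one service). Different roles on the
# same port means two services compete for it and one connector will not
# be able to listen, which is exactly the case the article warns about.
$bindings | Group-Object Port | ForEach-Object {
    $roles = $_.Group | Select-Object -ExpandProperty Role -Unique
    if (@($roles).Count -gt 1) {
        Write-Warning ("Port {0} is bound by connectors of different roles: {1}" -f `
            $_.Name, (($_.Group | ForEach-Object { $_.Connector }) -join ', '))
    }
}

# Show the full picture so the new connector's port can be chosen safely.
$bindings | Sort-Object Port | Format-Table -AutoSize
```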

Once this is planned, you can create the new Receive connector with the EAC or the EMS. The EAC is the more intuitive route: open the new Receive connector page, give it a name, then set the role it belongs to, and finally the type:


Custom: the most flexible setting, usable for many purposes, including cross-forest connections or accepting messages from other SMTP messaging systems.

Internal: mainly for connections between Exchange organizations. When you create this kind of Receive connector with the EAC you cannot specify its listening port, so check the firewall settings.

Internet: accepts mail traffic from external SMTP servers.

Partner: receives or relays mail from a specified partner domain using TLS security.

Client: for POP3 and IMAP4 client connections, or for devices such as scanners and copiers that use the SMTP service to send mail.

The type represents a set of default permission groups and authentication methods applied to the Receive connector. A Receive connector supports seven authentication methods. The five default connectors support TLS, Integrated Windows authentication, Basic authentication and Basic authentication over TLS, and all of them except the Client Frontend connector also support Exchange Server authentication. The seven methods are:

Authentication method / Description

None: no authentication.

Transport Layer Security (TLS): the Receive connector advertises TLS support and accepts a TLS request; requires a certificate.

Integrated Windows authentication (Integrated): NTLM and Kerberos, used within the same forest.

Basic authentication (BasicAuth): as the name implies.

Basic authentication only after TLS is enabled (BasicAuthRequireTLS): Basic authentication over a TLS-encrypted channel; requires a certificate.

Exchange Server authentication (ExchangeServer): Generic Security Service Application Programming Interface (GSSAPI) and Mutual GSSAPI (who knows what that means!).

Externally secured (ExternalAuthoritative): traffic from the external server is protected by IPsec.


Suppose you now need to create a Receive connector to receive mail from a Linux qmail host in your environment. You can run the following command in the EMS:

New-ReceiveConnector -Name "Receive from Qmail" -Usage Custom -Bindings '0.0.0.0:9925' -RemoteIPRanges '192.168.70.1' -Server Ex01.itcharger.com


OK, once the connector has been created, we can look at its properties.


Note that if you do not specify the role with the -TransportRole parameter when creating a new Receive connector, Exchange sets it to the Hub Transport role by default, and a Hub Transport Receive connector does not receive external inbound messages directly. Inbound messages should first be received by the Receive connector on the Front End Transport (FET) role and then routed to the corresponding delivery group. So pay close attention to this.

After a new Receive connector is created, Exchange applies some default settings, and the administrator should consider changing them, including:

1. Adding a permission group to the connector. As mentioned earlier, Exchange applies default permissions based on the type of Receive connector you chose; it does not know your real needs. So in the example above, to receive traffic from your qmail system, you have to enable the Anonymous users permission group.

2. Changing the connector's authentication methods. To prevent traffic from being intercepted, enable TLS wherever possible.

3. Changing the banner of the default SMTP service response, that is, the first line you see after you telnet to port 25 of the Exchange server. If it is not set, the default banner tells you that the Exchange ESMTP Mail Service is ready and then gives the current time. Some administrators consider this information a security risk that could be exploited by some 0-day vulnerability. You can replace the default banner with 7-bit ASCII characters; in Exchange 2013 this can only be changed through the EMS.


4. Changing other settings, such as the maximum size of a single message, the maximum header size, and so on. These changes can only be made through the EMS. For example, the following sets the newly created Receive connector to allow the TLS and Basic authentication methods, shows a custom banner, reduces the maximum message size to 3 MB, and adds a comment (up to 256 characters):

Set-ReceiveConnector -Identity 'ex01\Receive from Qmail' -AuthMechanism 'TLS, BasicAuth' -Banner 'hehe' -MaxMessageSize 3MB -Comment 'configured for TLS'

One of the most common configurations we deal with is turning anonymous relay on and off. This amounts to adding a permission to a permission group: in the anonymous relay scenario, the ms-Exch-SMTP-Accept-Any-Recipient extended right is granted to the Anonymous Logon principal, as follows:

Get-ReceiveConnector -Identity 'ex01\Receive from Qmail' | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

Anonymous relay lets Exchange act as a mail relay server, and enabling relay forces all messages passing through the connector to go through the anti-spam components on Exchange. On the other hand, it is also a relatively easy target for abuse, so an anonymous relay should generally be given a well-defined remote IP address range, to avoid being used by malicious clients to relay large volumes of spam.
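Putting points 1 to 4 and the relay permission together, the following EMS script is an added example, not code from the original post: it restricts the "Receive from Qmail" connector from the article to the qmail host, grants the relay right, and then verifies which connectors in the organization hold that right and with what remote range, since the risky combination is the relay right plus a broad RemoteIPRanges. The server name EX01 and the address 192.168.70.1 are the post's values; the banner text and the verbose protocol logging are this example's assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell. Identity and the qmail address come from the article; the banner text
# and logging level are assumptions of this example.
$id = 'EX01\Receive from Qmail'

# 1. Only the qmail host may talk to this connector; keep the greeting a valid
#    220 reply, cap message size, and log verbosely so relay use can be reviewed.
Set-ReceiveConnector -Identity $id `
    -RemoteIPRanges '192.168.70.1' `
    -AuthMechanism 'Tls, BasicAuth, BasicAuthRequireTLS' `
    -PermissionGroups 'AnonymousUsers' `
    -Banner '220 SMTP service ready' `
    -MaxMessageSize 3MB `
    -ProtocolLoggingLevel Verbose `
    -Comment 'Relay for qmail host only; verbose protocol logging'

# 2. Grant the relay right to ANONYMOUS LOGON (the same right the article adds).
Get-ReceiveConnector -Identity $id |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null

# 3. Verify the result on this connector.
Get-ReceiveConnector -Identity $id |
    Select-Object Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 4. Audit the whole organization: every connector where ANONYMOUS LOGON holds
#    an allow entry for the relay right, with its remote range. A range of
#    0.0.0.0-255.255.255.255 here means an open relay.
Get-ReceiveConnector | ForEach-Object {
    $conn = $_
    $relay = Get-ADPermission -Identity $conn.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                 -ErrorAction SilentlyContinue |
             Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Accept-Any-Recipient*') }
    if ($relay) {
        [pscustomobject]@{
            Connector      = $conn.Identity
            RemoteIPRanges = ($conn.RemoteIPRanges -join ', ')
        }
    }
} | Format-Table -AutoSize
```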

Delivery agents and Foreign connectors

Sometimes an administrator encounters a non-SMTP messaging system that must exchange mail with the local Exchange. For this purpose, earlier Exchange versions offered a feature called a Foreign connector; in Exchange 2013 it has been updated and is called a Delivery Agent, with a corresponding delivery agent connector. A Foreign connector uses a local or shared drop directory to send outbound messages to the external system by file transfer. A delivery agent is written by a third party to its own requirements; the only delivery agent included with Exchange 2013 by default is a text messaging agent. Since we are unlikely to use either of these, I only mention them briefly here. The TechNet links are attached in case you meet them in your environment:

1. Foreign connector: https://technet.microsoft.com/zh-cn/library/aa996779(v=exchg.150).aspx

2. Delivery agent: https://technet.microsoft.com/zh-cn/library/dd638118(v=exchg.150).aspx

That is it for Receive connectors. The next chapter explains what TLS actually is and why it is so important.

This article is from the "Castamere Rainy Season" blog; please keep this source: http://sodaxu.blog.51cto.com/8850288/1675947
