Exchange 2010 Receive Connector configuration

exchange-2010

I am having a very hard time getting clear about receive connectors in Exchange 2010, which I have unhappily inherited.

I have read a lot of articles and books, but nothing presents the information I need in a clear way, and some of the articles are conflicting, which is expected but doesn't make this any easier.

The reason for asking these questions together is that some of them impact others, and if asked separately they would probably not make clear what I need to accomplish.

My Exchange server is Hub role internet-facing. There is no edge or filter between it and the outside.

I recently implemented split DNS, and I want to know if the "Server" and "Fqdn" attributes should be changed to the public DNS name for my mail server, as in "mail.domain.com".

The "Name" attribute is only a label for the connector which shows in the Exchange Management Console.

The "Identity" attribute is related to the GUID. Again, it currently shows as \<"Name" attribute>. The question is whether I can change that to the public DNS name for my mail server, "mail.domain.com".

I need to know if the DistinguishedName attribute can or should also be changed.

Some of my existing connectors have a value for the "DistinguishedName" attribute which reads "CN=,CN=SMTP Receive Connectors,CN=Protocols,CN=,CN=Servers,CN=Exchange Administrative Group,(…),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=,DC=". I know that at one point a migration was done from Exchange 2003, and that it was not cleaned up, so to speak. I need to know if I can simply remove connectors with that value, or whether they need to be replaced with other ones.

The "Default" connector, as I understand it, receives email from the internet on port 25 from any IP (0.0.0.0-255.255.255.255).

I need to understand how AuthMechanism, RequireTLS and PermissionGroups relate to each other, and where RequireTLS is appropriate, as in I don't want to lose email by forcing TLS.

I want to configure TLS. I need to understand where "opportunistic" vs "mutual" applies, as in do I use it for both internet and internal, or only internet.

I want to understand which values should be set for the "AuthMechanism" attribute, and why, given that I want to configure TLS.

I have internal applications which I think need separate connectors, from what I have read. I need to know if that is true, and how to configure that.

I have multifunction printers which send scans via email, which I think also need separate connectors, and I need to know how to configure that.

I have a third party who needs to send email using my DNS name and IP, which I think is called "relay". I need to know if that is correct, and how to configure it.

Links to articles which don't present specific instructions on how to accomplish what I listed above are not helpful.

Explanations of how these connectors are used for my specific needs are very helpful, and I appreciate the help.

Best Answer

I recently implemented split DNS, and I want to know if the "Server" and "Fqdn" attributes should be changed to the public DNS name for my mail server, as in "mail.domain.com".

What you'll most likely want to do is start with several connectors. Classify your clients like the following, for example:

  • Internal MAPI Clients ( Outlook )
  • External SMTP Clients ( Other MTAs/Mail Servers )
  • Internal Devices ( printers? that may/may not use authentication )

Which should give you 3 receive connectors. Outlook clients should be limited to port(s) 585 and 587. You can use the (All Available IPv4) option to filter them, assuming you do not expose your client submission port to the public internet. You can also limit it to the internal IP address of your Exchange server if you wish.

Some of my existing connectors have a value for the "DistinguishedName" attribute which reads "CN=,CN=SMTP Receive Connectors,CN=Protocols,CN=,CN=Servers,CN=Exchange Administrative Group,(...),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=,DC=". I know that at one point a migration was done from Exchange 2003, and that it was not cleaned up, so to speak. I need to know if I can simply remove connectors with that value, or whether they need to be replaced with other ones.

The "Default" connector, as I understand it, receives email from the internet on port 25 from any IP (0.0.0.0-255.255.255.255).

Correct. You can leave that range "as-is."

I need to understand how AuthMechanism, RequireTLS and PermissionGroups relate to each other, and where RequireTLS is appropriate, as in I don't want to lose email by forcing TLS.

AuthMechanism configures the methods available for authentication. Exchange Server authentication is between two Exchange Servers. Basic Authentication is more or less standard, but for an External source, you'll want to ONLY Offer Basic Authentication after starting TLS. Otherwise, you're sending your usernames and passwords over the internet using plaintext if you have clients using SMTP to send email from outside your network.

Integrated Windows Authentication uses built-in ( surprise! ) Windows Authentication - for example, are you logged into the Active Directory domain on a workstation? Then Integrated Windows Authentication will use those credentials without having to include a password in your Outlook setup. Best used for Internal Clients, not including devices.

I want to configure TLS. I need to understand where "opportunistic" vs "mutual" applies, as in do I use it for both internet and internal, or only internet.

Opportunistic means that you'll use TLS if it's available or if it's requested. Mutual means that you need to have a trusted ( issued by a trusted root CA ) certificate installed on both servers. Probably not what you want. A lot of email servers use self-signed certificates and simply request TLS but do not request Client certificates.

I want to understand which values should be set for the "AuthMechanism" attribute, and why, given that I want to configure TLS.
  • Internal Connector for Outlook clients: TLS Opportunistic, Basic Auth, Only Offer Basic Auth with TLS, Integrated Windows Authentication ( use Integrated Windows Authentication only if you're in a Windows environment ), Permission Groups ( Exchange Users - require authentication to send )
  • Internal Connector for devices: I typically allow SMTP ( bind to port 25 ) ( internal IP address ), limit "remote servers" to internal subnets, offer basic authentication ( no TLS ), offer TLS in opportunistic, Permission Groups ( anonymous ) to allow devices to send without an account.

I have internal applications which I think need separate connectors, from what I have read. I need to know if that is true, and how to configure that.

Well, it depends on how you're going to separate them out. If you need a specific connector for an application, you need to be able to identify it by IP address, authentication type, and encryption requirement.

I have a third party who needs to send email using my DNS name and IP, which I think is called "relay". I need to know if that is correct, and how to configure it.

Controlling relay security is an entirely different question... Get the above working as you want first, then follow up on that. If you want to understand what this stuff means, you're going to need to read a book on Exchange, rather than just a simple tutorial. You're going to have to read some RFCs as well.
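The three-connector layout the answer describes, written out here as an added example for this page (it is not the answerer's code) in Exchange Management Shell commands for an Exchange 2010 Hub Transport server. It assumes a server named EX01, an internal subnet of 10.0.0.0/8, and the question's public name mail.domain.com.

```powershell
# Added example, not from the original answer: the three-connector layout the
# answer describes, as Exchange Management Shell commands on an Exchange 2010
# Hub Transport server. Assumed values: server name EX01, internal subnet
# 10.0.0.0/8, and mail.domain.com as the public name from the question.
$Server   = 'EX01'            # assumed Hub Transport server name
$Internal = '10.0.0.0/8'      # assumed internal client/device subnet
$Fqdn     = 'mail.domain.com' # must match a name on the server's TLS certificate

# 1. Internal Outlook/SMTP clients: submission port 587 only, TLS offered,
#    Basic Auth advertised only after STARTTLS (so passwords never cross the
#    wire in clear), Integrated Windows Auth for domain-joined workstations,
#    and only authenticated Exchange users may submit.
New-ReceiveConnector -Name 'Client Submission' -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:587' -RemoteIPRanges $Internal `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS,Integrated `
    -PermissionGroups ExchangeUsers -Fqdn $Fqdn

# 2. Internal devices and applications (printers, scanners): port 25, remote
#    hosts limited to the internal subnet, anonymous submission allowed so a
#    device without a mailbox can still send. Exchange hands an inbound
#    session to the connector whose RemoteIPRanges matches most specifically,
#    so internal hosts land here and not on the internet-facing Default connector.
New-ReceiveConnector -Name 'Internal Devices' -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $Internal `
    -AuthMechanism Tls,BasicAuth -PermissionGroups AnonymousUsers -Fqdn $Fqdn

# 3. The internet-facing "Default <Server>" connector stays on 0.0.0.0:25 for
#    all remote IPs. Opportunistic TLS means RequireTLS must stay $false;
#    forcing it refuses every sender that cannot do STARTTLS and loses mail.
Set-ReceiveConnector -Identity "$Server\Default $Server" -RequireTLS $false

# Check the result: Identity is Server\Name, and AuthMechanism/PermissionGroups
# show what each connector actually advertises to remote hosts.
Get-ReceiveConnector -Server $Server |
    Format-List Name,Identity,Bindings,RemoteIPRanges,AuthMechanism,PermissionGroups,RequireTLS,Fqdn
```

Leave the Fqdn of the Default connector itself unchanged: with ExchangeServer authentication enabled, other Hub Transport servers in the organization rely on it for internal mail flow.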
