Exchange 2013 transport role won’t start unless custom receive connector is disabled

exchange-2013windows-server-2012-r2

We have one Exchange 2013 server (EX13 – Exchange 2013 SP1 on Win2012R2). CAS and MBX roles installed. When I start the server up, the Microsoft Exchange Transport service does not start. I figured out that if I disable my custom “Receive Connector” that allows internal devices to relay mail off the server, then the service will start. The receive connector shows up in EAC with Role as HubTransport. If you look at the properties of the receive connector, on the security section the only box in the Authentication area that is checked is TLS. In Permission Groups only Anonymous users is checked. If you go to the scoping section, in the first box are all of the IP Addresses of the devices that relay off the server, and the bottom box (Network adapter bindings) is one default entry of “(All available IPv4) Port 25”).

Also in “Receive Connectors” there are 5 other default connectors that I did not add. They are:

Client Frontend EX13 (FrontendTransport) – bound to port 587

Client Proxy EX13 (HubTransport) – bound to port 465

Default Frontend EX13 (FrontendTransport) – bound to port 25

Default EX13 (HubTransport) – bound to port 2525

Outbound Proxy Frontend EX13 (Frontend Transport) – bound to port 717

My suspicion is the “Default Frontend EX13” receive connector is causing the problem because it is also bound to port 25. This is further supported by the fact that I can also start the Microsoft Exchange Transport service if I first stop the Microsoft Exchange Frontend Transport service, as if they are arguing over who gets port 25! Do I even need the Default Frontend EX13 receive connector? Why is it there? I am doing my best to try and wrap my head around all of this, so if someone could explain the differences between all of these connectors I would greatly appreciate it!

Best Answer

Exchange needs to be able to select ONE receive connector for every incoming connection.

It checks two parameters for the incoming connection:

The IP port number the connection is trying to reach. And
The IP address the connection is coming from.

In order for the transport to run correctly you need to ensure that no two connectors conflict on those two parameters.

So in your case the "Default Frontend" connector is already bound to (port 25 AND any address) and now you add another custom receive connector bound to (port 25 and some specific addresses). These two conflict because for the specific addresses they would both want to be responsible and that causes your problem with the transport service.

Solution: Please exclude the specific addresses that you configured in your custom receive connector from the Default Frontend connector scoping.

Related Solutions

Exchange 2013 Client Frontend connector will not accept TLS

First check whether the Tls AuthMechanism is enabled on the connector:

Get-ReceiveConnector -Identity "SERVER\Default Frontend SERVER" | Format-List

If this is not the case, enable it:

Set-ReceiveConnector -Identity "SERVER\Default Frontend SERVER" -AuthMechanism "None,Tls"

Then also make sure that you have a certificate for the Smtp service registered:

Get-ExchangeCertificate | Format-List

Finally verify everything: http://www.checktls.com/index.html

Exchange server 2013 receive connector confusion

Not completely sure what you mean by:

I want only authenticated users from my domains to be able to send emails.

I think your requirement is to only allow authenticated users to relay mail through your mail server.

Based on that assumption here is my answer:

Your Exchange server is already configured to your requirements by default.

Here is how:

Exchange 2013 receives email through "Receive Connectors".

During the installation of Exchange a number of receive connectors are automatically setup for you. Read this for more info: TechNet - Receive Connectors. The one we care about in this discussion is the Default FrontEnd receive connector.

This connector is primarily responsible for receiving email from outside your organization on port 25 (SMTP). You must leave anonymous access allowed on this connector if you want to allow incoming email from the internet. This is the typical configuration unless your exchange server is behind another device such as a spam filter.

By allowing "Anonymous" users on this connector you are telling exchange to accept incoming mail from anonymous senders. But you are not allowing anonymous users to send mail through your server. Meaning, email received on this connector by an anonymous client must be destined for a mailbox inside your Exchange organization or it will be rejected.

The reason for this is a little more complex, but it comes down to the fact that checking that box for "Anonymous" only grants a certain set of permissions to anonymous user. Relaying email is not one of those granted permissions.

To summarize, you do not need to anything. Exchange, by default will not all unauthenticated users to relay mail through your server. You can test this by manually initiating a telnet session to your exchange server and trying to relay mail from an outside email address to another outside email address. You should receive an error. Details on how to do this here: TechNet - Telnet to test SMTP

Best Answer

Related Solutions

Exchange 2013 Client Frontend connector will not accept TLS

Exchange server 2013 receive connector confusion

Related Topic