After the installation of the Microsoft Exchange Server 2010 Edge Transport server role, you must configure the appropriate Send and Receive Connectors. Until this has been accomplished, the server will be unable to send SMTP messages to, or receive them from, the Internet and your internal Hub Transport servers.
As discussed in the previous section, to complete the configuration of the Send Connector on an Edge Transport server, you subscribe the server to the organization using EdgeSync, which then replicates the appropriate connectors to the Edge Transport server. If you do not use EdgeSync, you must manually create and configure the connector.
This section covers additional information about Edge Transport server connectors that was not touched on in the previous section.
An Edge Transport server requires at least four connectors to function properly. The first two, both Send Connectors, are created and configured for you automatically during the EdgeSync process:
A Send Connector must exist that is configured to send messages to the Internet. Typically, the address space for this connector is set to * (all Internet domains). DNS routing is used to resolve destinations. The usage type for this connector is set to “Internet.” This connector is created automatically when you use EdgeSync to subscribe the server to an Active Directory site.
A Send Connector must exist that is configured to send messages to the Hub Transport servers in the Exchange Server organization. The address space for this connector can either be *, or you can manually list each of the domains for which you are processing mail. The smart hosts for the connector should be configured as your Hub Transport servers, and the usage type set to “Internal.” This connector is also created automatically during the subscription process.
The next two required connectors are Receive Connectors:
A Receive Connector must exist that is configured to accept messages from the Internet. Usually, this connector is configured to accept connections from any IP address range. Furthermore, it is normally configured to allow anonymous access. The local network bindings for this connector should be set to the external-facing IP address of the Edge Transport server, and the usage type should be set to “Internet.”
A second Receive Connector must exist that is configured to accept messages from Hub Transport servers in your organization. For security purposes, you can configure this connector to accept connections only from your Hub Transport servers by listing their IP address ranges. The local network bindings for this connector should be configured as the internal-facing IP address of the Edge Transport server, and the usage type should be set to “Internal.”
Configuring Receive Connectors on the Edge Transport Server
When you install the Edge Transport server, one Receive Connector is automatically created. This connector is configured by default to accept SMTP traffic from all IP address ranges, and it is bound to all IP addresses associated with the local server. The usage type is set to “Internet,” and the connector accepts anonymous connections. It is recommended that you modify the settings of this Receive Connector and create a second one for internal usage. To perform this procedure, follow these steps:
1. Start the Exchange Management Console on the Edge Transport server.
2. In the console tree, select Edge Transport.
3. In the results pane, select the appropriate Edge Transport server and then, on the bottom half of the pane, click the Receive Connectors tab.
4. Select the default connector and, in the action pane, click Properties.
5. Click the Network tab, and edit the existing Local IP Addresses (by default, set to All Available). Configure this address to be the IP address of the Internet-facing network adapter of the Edge Transport server. Save your changes and exit, as no other changes are needed on this connector.
6. Next, in the action pane, click New Receive Connector. On the Introduction page, enter a name for this connector, and select a usage type of Internal. Click Next to continue.
7. On the Remote Network Settings page, modify the Remote IP Addresses and configure them to accept mail from the IP addresses assigned to your Hub Transport servers. Save the settings and click New to create the connector.
8. After the connector has been created, you must make one more modification. Select the connector in the results pane and select Properties in the action pane. Click the Network tab, and double-click the Local IP Address(es) entry, currently set to (All Available). Click the Specify an IP Address option button, and enter the IP address of the internal-facing network adapter of the Edge Transport server. Save all settings and exit, as no other changes are needed on this connector.
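The same Receive Connector changes as steps 1 through 8 above, performed in the Exchange Management Shell on the Edge Transport server. This is an added example, not code from the book. The connector name “Default VMW-EXCHANGE1” is the one the book uses later in this section; the external and internal IP addresses and the Hub Transport server addresses are constructed placeholders to replace with your own.

```powershell
# Added example (not from the book): restrict the default Internet Receive
# Connector to the external adapter and create a second, Internal connector
# that only the Hub Transport servers may reach on the internal adapter.
# All three address values below are constructed placeholders.

$externalIp = "203.0.113.10"            # Internet-facing adapter (placeholder)
$internalIp = "10.0.0.10"               # internal-facing adapter (placeholder)
$hubServers = "10.0.1.20", "10.0.1.21"  # Hub Transport server addresses (placeholders)

# Steps 4-5: bind the default connector to the external address only, instead of
# "All Available", so anonymous SMTP is offered on one interface rather than all.
Set-ReceiveConnector -Identity "Default VMW-EXCHANGE1" -Bindings "$($externalIp):25"

# Steps 6-8: create the Internal connector. RemoteIPRanges limits which sources may
# connect; Bindings pins it to the internal adapter. The Internal usage type expects
# Exchange Server authentication rather than anonymous submission.
New-ReceiveConnector -Name "From Hub Transport" -Usage Internal `
    -Bindings "$($internalIp):25" -RemoteIPRanges $hubServers

# Verify: each connector should now show a single binding and the expected
# remote ranges and permission groups.
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

The verification line is worth keeping in a change record: the default connector should list only the external binding and the Internal connector only the Hub Transport addresses, so an accidental “All Available” binding or a 0.0.0.0-0 remote range on the Internal connector stands out immediately.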
Configuring Send Connectors on the Edge Transport Server
As discussed in the section on Hub Transport servers, the Send Connectors needed on your Edge Transport server are automatically generated by the EdgeSync service. If you elect not to create an Edge subscription, you must manually configure the Send Connectors.
Automatic Creation of Send Connectors
To automatically create the Send Connector on the Edge Transport server, follow the instructions in the previous section titled “Automatic Creation of Send Connectors” in the “Hub Transport Server Connectors” section.
Manual Completion of Send Connectors
To manually complete the configuration of the first Send Connector, do the following:
1. Start the Exchange Management Console on the Edge Transport server.
2. In the console tree, select Edge Transport.
3. In the results pane, select the appropriate Edge Transport server and then, on the bottom half of the pane, click the Send Connectors tab.
4. In the action pane, click New Send Connector.
5. On the Introduction page, type a name for the connector, and set the usage to Internet. Click Next to continue.
6. On the Address Space page, click Add. Set the Domain to * and ensure the Include All Subdomains option is selected. Click Next to continue.
7. On the Network Settings page, select Use Domain Name System (DNS) “MX” Records to Route Mail Automatically. Click Next to continue. Save all settings and exit, as no further configuration is needed on this connector.
To manually complete the configuration of the second Send Connector, do the following:
1. Start the Exchange Management Console on the Edge Transport server.
2. In the console tree, select Edge Transport.
3. In the results pane, select the appropriate Edge Transport server and then, on the bottom half of the pane, click the Send Connectors tab.
4. In the action pane, click New Send Connector.
5. On the Introduction page, type a name for the connector, and set the usage to Internal. Click Next to continue.
6. On the Address Space page, click Add. Set the domain to the domain(s) for which you accept mail. If you have more than one accepted domain, configure additional entries. Ensure the Include All Subdomains option is selected. Click Next to continue.
7. On the Network Settings page, select Route All Mail Through the Following Smart Hosts, and click Add.
8. Enter the IP address or FQDN of one of your Hub Transport servers as the smart host. Click OK to continue. To add additional Hub Transport servers, click Add again. When you are ready, click Next to continue.
9. On the Smart Host Security Settings page, ensure the None option button is selected, and click Next.
10. Review all entries and, after all entries are correct, click New to create the connector.
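Both manual Send Connector procedures above, expressed as Exchange Management Shell commands run on an Edge Transport server that is not EdgeSync-subscribed. This is an added example, not code from the book. The connector names and the Hub Transport host names are constructed placeholders; companyabc.com is the accepted domain the book uses later in this section; the “*.companyabc.com” form for “Include All Subdomains” is my understanding of how the console expresses that check box, so verify it against your own console output.

```powershell
# Added example (not from the book): the two manual Send Connectors.
# Names, host names and the domain are placeholders taken from or modelled
# on the book's examples; replace them with your own values.

# First connector (steps 1-7 of the first procedure): every Internet domain,
# routed by DNS MX lookup. The "*" address space already covers all remote
# domains, so no separate subdomain setting is needed here.
New-SendConnector -Name "To Internet" -Usage Internet `
    -AddressSpaces "*" -DNSRoutingEnabled $true

# Second connector (steps 1-10 of the second procedure): mail for the domains
# you accept, relayed to the Hub Transport servers as smart hosts.
# "*.companyabc.com" is assumed to be the shell form of the "Include All
# Subdomains" check box. DNS routing must be disabled when smart hosts are
# supplied, and the book's procedure leaves smart-host security at None.
# Add one address space per accepted domain if you have several.
New-SendConnector -Name "To Hub Transport" -Usage Internal `
    -AddressSpaces "*.companyabc.com" `
    -DNSRoutingEnabled $false `
    -SmartHosts "hub1.companyabc.local", "hub2.companyabc.local" `
    -SmartHostAuthMechanism None

# Verify the routing choices on both connectors before sending test mail.
Get-SendConnector | Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled, SmartHosts, SmartHostAuthMechanism
```

The `Format-List` at the end is the check that matters: the Internet connector must show `DNSRoutingEnabled : True` with no smart hosts, and the Internal connector must show only your own domains as address spaces. An Internal connector whose address space is “*” would route every outbound message through the Hub Transport servers instead of to the Internet.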
Setting Message Delivery Limits
One of the most important security measures you can implement on your SMTP connectors is setting message delivery limits. Message delivery limits prevent users from sending large messages through Exchange Server that can tie up Exchange Server resources (processing time, queue availability, disk storage, and more). When this occurs, the results can be just as bad as experiencing a DoS attack. Implementing these limits also encourages users to use alternative delivery methods, such as file shares, compression of attachments, and even document management portals.
In Exchange Server 2010, message delivery limits are set on specific Send and Receive Connectors using the Exchange Management Shell.
To determine the current maximum message size on a particular connector, perform the following procedure. For this example, you will work with a Receive Connector. To perform the same tasks on a Send Connector, replace receiveconnector with sendconnector in each cmdlet name (for example, get-sendconnector instead of get-receiveconnector).
1. Start the Exchange Management Shell.
2. Get a list of the existing connectors by using the following command:
   get-receiveconnector
   A list of existing Receive Connectors is returned. For this example, use a connector named “Default VMW-EXCHANGE1.”
3. To view the configuration of a specific connector, use the following command:
   get-receiveconnector "default vmw-exchange1" | format-list
   A detailed configuration of the connector is returned.
By default, the maximum message size is set to 10MB. To change this maximum message size, perform the following procedure:
1. In the Exchange Management Shell, type the following command:
   set-receiveconnector "default vmw-exchange1" -MaxMessageSize 20MB
2. If you now view the configuration of the connector (as shown previously), you will see that the new MaxMessageSize limit has been applied.
Note
Configuring different sending and receiving message size limits can cause problems. For example, if you configured a 5MB limit on sent messages, but a 10MB limit on received messages, a user might receive an email from an external source with a 9MB attachment. They would be able to receive the message, but any attempts to forward it to a co-worker would fail because of the sending restriction. A good practice is to set these limits to the same size.
Another important message delivery limit that can be used to secure Exchange Server 2010 involves the number of recipients that a message can be sent to at any one time. Limiting the maximum number of recipients limits internal users’ ability to essentially spam the enterprise with large numbers of emails.
Configuring the maximum number of recipients per message is done similarly to setting the maximum message size previously. The default setting is 200, but you can configure it to whatever number you desire. For this example, you will change this setting to 500 recipients. To do so, type the following command in the Exchange Management Shell:
set-receiveconnector "default vmw-exchange1" -MaxRecipientsPerMessage 500
The majority of the configuration settings for the Send and Receive Connectors must be configured through the Exchange Management Shell.
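An audit script that ties the two limits above together: it lists the message size and recipient limits on every Send and Receive Connector on the server and warns when a Receive Connector accepts messages larger than any Send Connector will deliver, which is exactly the forwarding failure the note describes. This is an added example, not code from the book. It assumes an Exchange Management Shell session on the server being checked; the 500-recipient threshold mirrors the book's example value; the handling of the Send Connector limit type (an “unlimited” wrapper around the byte size) is my understanding of the object model.

```powershell
# Added example (not from the book): report and cross-check connector delivery
# limits. Run in the Exchange Management Shell on the Edge Transport server.

function Get-LimitBytes($limit) {
    # Receive Connector MaxMessageSize is a plain byte size; Send Connector
    # MaxMessageSize is an "unlimited-or-value" wrapper (assumption about the
    # object model). Normalise both to a byte count for comparison.
    if ($limit.PSObject.Properties['IsUnlimited']) {
        if ($limit.IsUnlimited) { return [double]::PositiveInfinity }
        return $limit.Value.ToBytes()
    }
    return $limit.ToBytes()
}

$receive = Get-ReceiveConnector
$send    = Get-SendConnector

"Receive Connectors:"
$receive | Format-Table Name, MaxMessageSize, MaxRecipientsPerMessage -AutoSize
"Send Connectors:"
$send | Format-Table Name, MaxMessageSize -AutoSize

# The risky combination is the largest inbound limit against the smallest
# outbound limit: anything accepted above the outbound limit cannot be forwarded.
$maxIn  = ($receive | ForEach-Object { Get-LimitBytes $_.MaxMessageSize } | Measure-Object -Maximum).Maximum
$minOut = ($send    | ForEach-Object { Get-LimitBytes $_.MaxMessageSize } | Measure-Object -Minimum).Minimum

if ($maxIn -gt $minOut) {
    $msg = "A Receive Connector accepts up to {0:N0} bytes but a Send Connector allows only {1:N0} bytes; " +
           "forwards of the larger messages will fail. Align them with -MaxMessageSize on both connector types."
    Write-Warning ($msg -f $maxIn, $minOut)
}

# Recipient cap: flag any Receive Connector above the value the book settles on (500).
$receive | Where-Object { $_.MaxRecipientsPerMessage -gt 500 } |
    ForEach-Object { Write-Warning "$($_.Name) allows $($_.MaxRecipientsPerMessage) recipients per message" }
```

Run it after every limit change and keep the output with the change record; the two warnings are the conditions that later show up as user complaints (“I can receive it but not forward it”) or as a single mailbox fanning out mail to the whole organization.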
Configuring Authoritative Domains
When an Exchange Server organization is responsible for handling message delivery to recipients in a particular domain, the organization is called authoritative for that domain. Configuring an authoritative domain in Exchange Server 2010 is a two-step process: First, you create an accepted domain, and second, you set the domain type as authoritative.
An accepted domain is any SMTP namespace that the Edge Transport server(s) in your organization sends messages to or receives messages from. Your organization might have one or more domains, so you might have more than one authoritative domain.
Note
If you have subscribed your Edge Transport server to the Exchange Server organization using the EdgeSync process, do not perform these procedures directly on the Edge Transport server. Instead, perform the steps on a Hub Transport server and allow it to replicate to the Edge Transport server during the next synchronization.
To create an authoritative domain, run the following command in the Exchange Management Shell on your Hub Transport server:
New-AcceptedDomain -Name "CompanyABC" -DomainName companyabc.com -DomainType Authoritative
Note
You must be logged on as an account that is a member of the Organization Management group and that is a member of the local Administrators group on the server. Also, replace companyabc.com in the example with your own domain name.
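The authoritative-domain procedure above in both of its forms, run on a Hub Transport server: the single New-AcceptedDomain command when the domain is new, or the second step alone (setting the type) when an accepted domain already exists, followed by an immediate EdgeSync push so you do not have to wait for the next scheduled synchronization. This is an added example, not code from the book. The name “CompanyABC” and companyabc.com are the book's values; Start-EdgeSynchronization and Test-EdgeSynchronization are standard Exchange Management Shell cmdlets that the book does not itself mention.

```powershell
# Added example (not from the book): create or promote the accepted domain on a
# Hub Transport server, then push and check EdgeSync replication.
# "CompanyABC" / companyabc.com are the book's example values.

$domain = "companyabc.com"
$existing = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $domain }

if ($existing) {
    # Step two only: the accepted domain already exists, so just set its type.
    $existing | Set-AcceptedDomain -DomainType Authoritative
} else {
    # Both steps at once: create the accepted domain as authoritative.
    New-AcceptedDomain -Name "CompanyABC" -DomainName $domain -DomainType Authoritative
}

# Confirm the organization-side entry before replicating it.
Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $domain } |
    Format-Table Name, DomainName, DomainType -AutoSize

# Replicate now rather than at the next scheduled run, then report the
# synchronization state of each subscribed Edge Transport server.
Start-EdgeSynchronization
Test-EdgeSynchronization

# On the Edge Transport server itself, the replicated entry should then appear:
#   Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
```

The final check on the Edge Transport server is the one that confirms the note's guidance was followed correctly: the domain should appear there as a replicated object, not as one created locally, so that later changes made on the Hub Transport server continue to flow to the edge.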