Netcompany

Receive connector for external SmartHost usage

Setup:
One internal MS Exchange 2010 Edge Transport server named EDGESRV01
Two internal MS Exchange 2010 Hub Transport servers named HUBSRV01 and HUBSRV02
One external mail server named EXTMAILSRV01 with the IP address 10.0.0.10.

All internal servers are in the "mycompany.com" domain that I'm managing.

What I want:
Make it possible for EXTMAILSRV01 to relay through EDGESRV01 with the from-address no-reply@mycompany.com and send to an external address or an @mycompany.com address.

The connection from EXTMAILSRV01 to EDGESRV01 has to be secured with a password and encryption in some way, and EXTMAILSRV01 should only be able to send as no-reply@mycompany.com.

It's kind of a SmartHost I want to create.

What I know:
Restrict connections to 10.0.0.10 only in a new receive connector. The authentication is set to MTLS and Basic Authentication after starting TLS. The permission group is set to Anonymous users.

The receive connector will be linked to two send connectors dedicated to this setup: one send connector for recipients within the organization, which will use the internal Hub Transport servers as smart hosts, and one send connector for other (external) recipients, which will use DNS to find the recipient mail server.

Where I'm stuck:
I don't know how to secure the receive connector with a password (or username and password). What do I do?

How do I restrict what address EXTMAILSRV01 can send from?

Also, I'm not sure whether it's wise to use MTLS between my Edge Transport and external servers.

Please help :)
Exchange


8/22/2022 - Mon
Antonio Vargas

Well, you don't restrict a receive connector to accept only from one user. What you can do is:

1- Create a receive connector and bind it only to the IP address of extmailsrv01.
2- Use either anonymous or authenticated users. Then it's up to your extmailsrv01 config to configure a user to authenticate against the receive connector, or to not fill in a username and password and therefore try to send e-mail unauthenticated.

Also be aware that if extmailsrv01 is sending mail unauthenticated, and you want it to also send e-mail outside the organization, the receive connector needs the "externally secured" option ticked on.

I was a little confused about you having send connectors to send e-mail internally and with hub servers as smart hosts. That doesn't make any sense. Internally you don't use the send connectors. The send connectors of one organization are used only to send e-mail outside that org.

But anyway, the relevant information that you need to know is above.

Hope it helps.
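The two connector variants discussed above, as an added Exchange Management Shell example that is not part of this thread. It assumes the names from the question (EDGESRV01, 10.0.0.10), an account whose primary SMTP address is no-reply@mycompany.com that EXTMAILSRV01 authenticates as, and that the ExchangeUsers permission group is offered on the role where the connector is created (it is on Hub Transport; verify on the Edge role).

```powershell
# Added example (Exchange 2010 EMS), not from the thread. Assumed names:
# server EDGESRV01, relaying host 10.0.0.10, account no-reply@mycompany.com.

# 1. Dedicated connector: only 10.0.0.10 can use it (a more specific
#    RemoteIPRanges wins over the default connector on the same binding),
#    and Basic Auth is offered only after STARTTLS, so the password is
#    never sent in clear.
New-ReceiveConnector -Name "Relay-EXTMAILSRV01" -Server EDGESRV01 -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "10.0.0.10" `
    -AuthMechanism "Tls, BasicAuth, BasicAuthRequireTLS" `
    -PermissionGroups ExchangeUsers -RequireTLS $true

# ExchangeUsers grants ms-Exch-SMTP-Accept-Any-Recipient (relay to any
# recipient once authenticated) but not ms-Exch-SMTP-Accept-Any-Sender, so
# MAIL FROM is checked against the authenticated account's own addresses.
# That check is what limits EXTMAILSRV01 to no-reply@mycompany.com.

# 2. The alternative named in the answer above: anonymous + "externally
#    secured". ExternalAuthoritative treats 10.0.0.10 as a fully trusted
#    source: no password, any sender, any recipient. Only the IP filter
#    then separates that host from an open relay, so prefer variant 1
#    unless the remote system cannot authenticate at all.
# Set-ReceiveConnector -Identity "EDGESRV01\Relay-EXTMAILSRV01" `
#     -AuthMechanism "Tls, ExternalAuthoritative" -PermissionGroups ExchangeServers

# 3. Audit: every connector that accepts 10.0.0.10 and what it grants.
Get-ReceiveConnector -Server EDGESRV01 |
    Where-Object { $_.RemoteIPRanges -match "10\.0\.0\.10" } |
    Format-Table Name, AuthMechanism, PermissionGroups, RequireTLS -AutoSize
```

Run the audit step after any change so an unintended second connector with a wider RemoteIPRanges and ExternalAuthoritative does not quietly override the restricted one.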
Netcompany

ASKER
#GreatVargas
Where do I set up the user and password for authenticating with the receive connector? And can I bind the authentication to Domain Users?

About the inbound send connector: it's necessary to have an inbound send connector, or else inbound mails won't get to the Hub Transport servers.
ASKER CERTIFIED SOLUTION
Antonio Vargas

Netcompany

ASKER
Then how does extmailsrv01 specify the domain credentials when sending to this receive connector?

About the send connector: an inbound send connector will be created when running New-EdgeSubscription: http://technet.microsoft.com/en-us/library/aa997438. Take a look under "Automatically Create an Inbound Send Connector".
Antonio Vargas

Well, that's up to the configuration on extmailsrv01. Probably in the same section where you choose the IP address of the server to relay mail to, you should have a place to put in the user credentials and therefore authenticate. There should be an option to use credentials, whether this is in the code of an application sending e-mails, on an appliance, or in any other software that does the same function.

And yes, you are talking about the specific Edge-to-Hub communication send connectors.