www.syngress.com • Chapter 6: Managing the Hub Transport Server Role (429_HTC_EXCC_06.qxd, 2/8/07, page 288)

■ Custom Select Custom in order to create a customized connector used to connect with other systems that are not Exchange servers.
■ Internal Internal Send connectors are used to send e-mail to servers in your Exchange organization. When selected, the connector will be configured to route e-mail to your internal Exchange servers as smart hosts.
■ Internet Internet Send connectors are used to send e-mail to the Internet. When selected, the connector will be configured to use Domain Name System (DNS) MX records to route e-mail.
■ Partner Partner Send connectors are used to send e-mail to partner domains. When selected, this connector will be configured to only allow connections to servers that authenticate with Transport Layer Security (TLS) certificates for Simple Mail Transfer Protocol (SMTP) domains that are included in the list of domain-secured domains. You can add domains to this list by using the -TLSSendDomainSecureList parameter in the Set-TransportConfig command.

Figure 6.21 Selecting the Required Send Connector Type

4. On the Address space page shown in Figure 6.22, enter the domain or domains to which the Send connector should route mail. If the connector should be used to route outbound mail to the Internet, simply add an asterisk (*). When ready, click Next.

Figure 6.22 Specifying the Address Space

5. On the Network Settings page shown in Figure 6.23, specify how you want to send mail with the connector. Here, you can choose to use Domain Name System (DNS) “MX” records to route the mail automatically, or you can choose to have all mail routed to a specified smart host.
Figure 6.23 Configuring Network Settings

IMPORTANT
If you’re a small shop using a cheap ISP that doesn’t allow outbound traffic on port 25 from your DSL, you typically need to route outbound mail through a smart host located at your ISP.

6. If you elected to use a smart host in the previous step, you now need to configure the authentication method used to properly authenticate with the specified smart host. If this is a smart host located at your ISP, you typically don’t need to authenticate, and can safely select None, as shown in Figure 6.24. Click Next.

Figure 6.24 Configuring the Smart Host Authentication Settings

7. Now it’s time to associate the connector with a Hub Transport server in the organization (Figure 6.25). The wizard will try to do this for you, but you can change the selection if required. Click Next.

Figure 6.25 Specifying the Source Server

8. On the Configuration Summary page, make sure you configured the connector as required, and then click Next.

9. On the Completion page, click Finish.

TIP
To create a Send connector via the Exchange Management Shell, you must use the New-SendConnector cmdlet. For example, to create a Send connector similar to the one we generated in the previous steps, run the following command:

New-SendConnector -Name 'To ISP (Smart host)' -Usage 'Internet' -AddressSpaces 'smtp:*.exchangehosting.dk;1' -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'EDFS03'

When you have created a Send connector, you can disable, enable, modify, and remove it by selecting the respective Send connector, and then choosing the required tasks in the Action pane.
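The Partner connector type from step 3 is the one with a security property worth scripting explicitly, since it only delivers to hosts that present a valid TLS certificate for a domain on the domain-secured list. The following is an added example, not the book's own commands: it assumes the Exchange Management Shell, uses 'partner.example' as a placeholder partner domain, and reuses 'EDFS03' from the Tip as the source Hub Transport server.

```powershell
# Added example (not from the chapter): create a Partner Send connector for one
# partner domain and put that domain on the domain-secured list it depends on.
# Assumes the Exchange Management Shell. 'partner.example' is a placeholder partner
# domain; 'EDFS03' is the Hub Transport server name used in the chapter's Tip.

# 1. Add the partner domain to the outbound domain-secured list. The property is
#    multi-valued, so existing entries are carried over instead of being replaced.
$current = @((Get-TransportConfig).TLSSendDomainSecureList | ForEach-Object { $_.ToString() })
Set-TransportConfig -TLSSendDomainSecureList ($current + 'partner.example')

# 2. Create the connector. -Usage 'Partner' restricts delivery to servers that
#    authenticate with a TLS certificate for a listed domain; the single address
#    space keeps the connector from being selected for any other destination.
New-SendConnector -Name 'To partner.example (domain secured)' -Usage 'Partner' `
    -AddressSpaces 'smtp:partner.example;1' -DNSRoutingEnabled $true `
    -SourceTransportServers 'EDFS03'

# 3. State the two requirements explicitly so a later edit cannot loosen them
#    unnoticed: mutual TLS is enforced and STARTTLS is never skipped.
Set-SendConnector -Identity 'To partner.example (domain secured)' `
    -DomainSecureEnabled $true -IgnoreSTARTTLS $false

# 4. Verify the connector and the list it relies on.
Get-SendConnector -Identity 'To partner.example (domain secured)' |
    Format-List Name, AddressSpaces, DomainSecureEnabled, IgnoreSTARTTLS, DNSRoutingEnabled, SmartHosts
Get-TransportConfig | Format-List TLSSendDomainSecureList
```

The inbound direction is configured separately, with the partner domain on -TLSReceiveDomainSecureList and a Partner Receive connector as described in the Receive Connectors section.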
Configuring DNS Lookups

You can configure a Hub Transport server to use different settings for external and internal DNS lookups. Click the Properties of your Hub Transport server under the Server Configuration | Hub Transport work center node. On the External DNS Lookups tab shown in Figure 6.26, specify the DNS server(s) that should be used to resolve IP addresses of servers outside your organization. As you can see, you have the option of using the DNS settings configured for one of the network cards in the server, or of specifying the IP address of the DNS server(s) directly. You have the exact same options available under the Internal DNS Lookups tab. The only difference is that under this tab you specify the DNS server(s) that should be used to resolve IP addresses of servers inside your organization.

Figure 6.26 Configuring External DNS Lookups

Configuring Outbound Message Limits

You can configure how the Hub Transport server should process outbound messages. This is done by opening the Property page of the respective Hub Transport server object in the Result pane. Here, you click the Limits tab. As you can see in Figure 6.27, you have the option of setting the retry interval—in other words, how often the Hub Transport server should try to resend an outbound message to a destination server, since some SMTP servers don’t accept the message the first time it’s sent. Under Message expiration, we can specify the number of days after which a message held locally in a message queue as undeliverable should expire. As you can see, the default setting is 2 days, after which the message will be removed from the message queue and a non-delivery report (NDR) will be sent to the sender of the message.
Figure 6.27 Configuring Outbound Message Limits

In addition, we can specify after how many hours a non-delivery report (NDR) should be generated and delivered to the sender of the message. By default, the sender will be notified every fourth hour. Finally, we can configure connection restrictions for concurrent outbound connections and concurrent outbound connections per domain. Unless you’re dealing with a very large organization, you should leave the connection restrictions at their defaults. Typically, the default settings should be sufficient for most organizations, but if you’re in a situation where you need to adjust them a little, this is the place to do it.

Receive Connectors

A Receive connector represents an inbound connection point for SMTP, and controls how a Hub Transport server receives messages over SMTP. No Receive connector, no inbound mail. This means that in order for a Hub Transport server to receive messages from the Internet (from e-mail clients as well as other e-mail servers), at least one Receive connector is required. When you install the Hub Transport server role on a server, two Receive connectors are created by default: a Client <servername> and a Default <servername> Receive connector, as shown in Figure 6.28. These two connectors are required in order for internal mail flow to work.

Figure 6.28 Default Receive Connectors

NOTE
By default, a Hub Transport server only accepts inbound messages from other Transport servers (that is, Hub Transport and Edge Transport servers) that are part of the Exchange organization, authenticated Exchange users, and internal legacy Exchange servers (Exchange 2000 and 2003).
This means that e-mail servers that are external to the organization by default cannot deliver messages to a Hub Transport server. The reason behind this decision is to make Hub Transport servers secure out of the box by default. “But isn’t it a little too aggressive to not allow inbound messages from the Internet?” I hear some of you grumble. Well, perhaps it is, but since the Exchange Product Group is convinced that all organizations around the globe will deploy an Edge Transport server in their perimeter networks, the Exchange Product Group doesn’t see this as an issue at all. Luckily, it’s a rather painless process to allow untrusted e-mail servers (that is, e-mail servers not part of the Exchange organization, except the Edge Transport server) to deliver messages directly to a Hub Transport server. I’ll show you how in the section titled “Configuring the Hub Transport Server as an Internet-Facing SMTP Server” later in this chapter.

A Receive connector only listens for connections that match the settings configured on the respective connector. That is, connections that are received through a specific local IP address and port, and from a particular IP address range. Receive connectors are local to the Hub Transport server on which they’re created. This means that a Receive connector created on one Hub Transport server cannot be used by another Hub Transport server in the organization. So, by creating Receive connectors, you can control which server should receive messages from a particular IP address or IP address range. In addition, you can create custom connector properties for messages arriving from a particular IP address or IP address range. You could, for example, allow larger message sizes, more recipients per message (both of these will be covered later in this chapter), or perhaps more inbound connections.
Creating a Receive Connector

To create a Receive connector, you must perform the following steps:

1. Open the Exchange Management Console and select Hub Transport under the Server Configuration work center node (shown back in Figure 6.28).
2. In the Result pane, select the Hub Transport server on which you want to create the Receive connector.
3. Now click New Receive Connector in the Action pane.
4. The New SMTP Receive Connector wizard will appear. Type a descriptive name for the connector, and select the type of connector you want to create. As can be seen in Figure 6.29, you can select between five different Receive connector types:
■ Custom This option is used to create customized Receive connectors, which are used to connect with systems that are not Exchange servers.
■ Internet This option is used to create a Receive connector that will receive e-mail from servers on the Internet. This connector will be configured to accept connections from anonymous users.
■ Internal Internal Receive connectors are used to receive e-mail from servers within your Exchange organization. Note that this connector type will be configured to only accept connections from internal Exchange servers.
■ Client Client Receive connectors are used to receive e-mail from authenticated Exchange users. This means that this connector will be configured to only accept client submissions from authenticated Exchange users.
■ Partner Partner Receive connectors are used to receive e-mail from partner domains. This connector will be configured to only accept connections from servers that authenticate with Transport Layer Security (TLS) certificates for SMTP domains included in the list of domain-secured domains. You can add domains to this list by using the -TLSReceiveDomainSecureList parameter in the Set-TransportConfig command.

Figure 6.29 Selecting the Receive Connector Type

5. When you have selected the type of connector you want to create, click Next.
6. As shown in Figure 6.30, you now have the option of modifying the IP address and port that should be used to receive mail. With Custom, Internet, and Partner Receive connectors, you also have the option of entering an FQDN that should be provided in response to HELO and EHLO commands. When ready, click Next.

Figure 6.30 Entering the Local IP Addresses that Should Be Used to Receive Mail

7. On the Configuration Summary page, click New. On the Completion page, click Finish.

TIP
To create a Receive connector via the Exchange Management Shell, you must use the New-ReceiveConnector cmdlet. For example, to create a Receive connector similar to the one we generated in the previous steps, run the following command:

New-ReceiveConnector -Name 'Special Receive Connector' -Usage 'Custom' -Bindings '0.0.0.0:25' -Fqdn 'mail.exchangedogfood.dk' -RemoteIPRanges '0.0.0.0-255.255.255.255' -Server 'EDFS03'

At any time, you can modify an existing Receive connector as required. You do this by selecting the respective Receive connector and clicking Properties in the Action pane. In addition, any existing Receive connectors can be disabled, enabled, and removed as necessary. You do this by selecting the particular Receive connector and clicking the required task in the Action pane.

Managing Message Size and Recipient Limits

Like previous versions of Exchange, Exchange 2007 allows you to restrict the size of messages users can send and receive. The message size limits can be set globally in the organization, on a per-server or per-connector level, and/or on a per-user basis. Message size and recipient limits can only be configured using the Exchange Management Shell. In the following, I’ll show you how to configure these limits.
Configuring Global Limits

By default, the global limits are set to unlimited, as can be seen in Figure 6.31.

Figure 6.31 Listing Global Limits

[...] server uses Active Directory Application Mode (ADAM) to store the required Active Directory data, which is data such as accepted domains, recipients, safe senders, send connectors, and a Hub Transport server list (used to generate dynamic connectors so that you don’t need to create them manually). It’s important to understand that the EdgeSync replication is encrypted by default and that the replication [...]

[...] longer based on separate Exchange routing groups. Instead, Exchange 2007 takes advantage of the existing site topology in Active Directory. Because Exchange 2007 is now dependent on Active Directory sites—that is, Hub Transport servers use Active Directory sites as well as the cost assigned to the Active Directory IP site link to determine the least-cost routing path to other Hub Transport servers within the [...]

[...] experiencing. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs, and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, and then aggregates the information to provide root [...]

[...] process from Active Directory to ADAM. This means that no data is replicated from ADAM to AD. The first time that EdgeSync replication occurs, the ADAM store is populated, and after that, data from Active Directory is replicated at fixed intervals. You can specify the intervals or use the default settings, which, for configuration data, is every hour and every fourth hour for recipient data.

SOME INDEPENDENT [...]
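Picking up the Managing Message Size and Recipient Limits section: the global values that Figure 6.31 lists as unlimited, the per-connector values, and the per-user values are all set from the shell. The following is an added example, not the book's own commands; it assumes the Exchange Management Shell, reuses 'EDFS03' and the 'To ISP (Smart host)' connector from the chapter's Tips, and uses 'jdoe' as a placeholder mailbox.

```powershell
# Added example (not from the chapter): set and then verify message size and recipient
# limits at the three levels the section names. Assumes the Exchange Management Shell.
# 'EDFS03', 'To ISP (Smart host)' (from the chapter's Tips) and 'jdoe' are placeholders.

# Organization-wide limits: the values Figure 6.31 shows as unlimited by default.
Set-TransportConfig -MaxSendSize 10MB -MaxReceiveSize 10MB -MaxRecipientEnvelopeLimit 500
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize, MaxRecipientEnvelopeLimit

# Per-connector limits. The Receive connector that faces untrusted senders should carry
# the tightest values, because no per-user limit applies to an anonymous sender.
Set-ReceiveConnector -Identity 'EDFS03\Default EDFS03' -MaxMessageSize 10MB -MaxRecipientsPerMessage 200
Set-SendConnector -Identity 'To ISP (Smart host)' -MaxMessageSize 10MB

# Per-user limits override the organization-wide values for that mailbox only;
# connector limits still apply to every message that crosses the connector.
Set-Mailbox -Identity 'jdoe' -MaxSendSize 25MB -MaxReceiveSize 25MB -RecipientLimits 100

# Review the resulting settings at each level.
Get-ReceiveConnector -Server 'EDFS03' | Format-Table Name, MaxMessageSize, MaxRecipientsPerMessage -AutoSize
Get-SendConnector | Format-Table Name, MaxMessageSize -AutoSize
Get-Mailbox -Identity 'jdoe' | Format-List MaxSendSize, MaxReceiveSize, RecipientLimits
```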
Figure 6.35 The Exchange Mail Flow Troubleshooter Tool

Configuring the Hub Transport Server as an Internet-Facing Transport Server

One of the design goals for Exchange 2007 was to be as secure as possible, by default, in the same way that the Hub Transport server is configured to only accept messages from internal Exchange [...]

[...] well as know how to configure most of the features available with this server role.

NOTE
Exchange 2007 also includes a new feature called Domain Security, which provides a set of functionality that offers a low-cost alternative to S/MIME or other message-level security solutions. The purpose of the Domain Security feature set is to provide administrators a way to manage secured message paths over the [...]

[...] and designate acceptable character sets for messages that are sent to, and received from, the remote domain. Under the Accepted Domains tab, we specify the SMTP domains for which our Exchange 2007 organization should either be authoritative, relay to an e-mail server in another Active Directory forest within the organization, or relay to an e-mail server outside the respective Exchange organization. E-mail [...]

[...] that can be configured to match the specific needs of an organization. Premium journaling lets you create journal rules for single mailbox recipients or for entire groups within the organization. Send connectors are used to control how Hub Transport servers send messages using SMTP, and how connections are handled with other e-mail servers. This means that a Hub Transport server requires a Send connector [...]

3. Highlight the respective Hub Transport server in the Result pane, as shown in Figure 6.36.

Figure 6.36 The Default Receive Connector in the Exchange Management Console

4. Open the Properties page of the Default Receive Connector in the Work pane.

5. Click the Permissions Groups tab, check Anonymous users, and click OK, as shown in Figure 6.37.

Figure 6.37 The [...]

[...] SMTP-receive, the Pickup directory, or the store driver. The categorizer retrieves messages from this queue and, among other things, determines the location of the recipient and the route to that location. After categorization, the message is moved to a delivery queue or to the unreachable queue. Each Exchange 2007 transport server has only one Submission queue. Messages that are in the Submission queue [...]

[...] queue used to isolate messages that are detected to be potentially harmful to the Exchange 2007 system after a server failure. Messages that contain errors potentially fatal to the Exchange Server [...]
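Once Anonymous users has been checked on the Default Receive connector (step 5 above), the settings from the Creating a Receive Connector section are what decide who can deliver what to this server, so they are worth reviewing together from the shell. The following is an added example, not the book's own commands; it assumes the Exchange Management Shell and reuses 'EDFS03' from the chapter's Tips as the server name.

```powershell
# Added example (not from the chapter): review every Receive connector on one Hub
# Transport server. Assumes the Exchange Management Shell; 'EDFS03' is the server
# name the chapter's Tips use and is only a placeholder here.
$server = 'EDFS03'

foreach ($rc in Get-ReceiveConnector -Server $server) {
    # Who may connect (RemoteIPRanges), where (Bindings), how they authenticate, what
    # they are allowed to do (PermissionGroups), and the per-connector limits the
    # chapter says can be raised for trusted ranges.
    $rc | Format-List Name, Bindings, RemoteIPRanges, Fqdn, AuthMechanism, PermissionGroups,
                      MaxMessageSize, MaxRecipientsPerMessage

    # 'AnonymousUsers' is what the Internet connector type and the Permissions Groups
    # tab enable: unauthenticated hosts may deliver mail addressed to local recipients.
    $anonymous = $rc.PermissionGroups.ToString() -match 'AnonymousUsers'

    # Accepting mail for local recipients is not relaying. Relaying requires the extended
    # right ms-Exch-SMTP-Accept-Any-Recipient; granted to ANONYMOUS LOGON, it makes the
    # connector an open relay for every address in RemoteIPRanges.
    $relay = $rc | Get-ADPermission |
        Where-Object {
            $_.User -like 'NT AUTHORITY\ANONYMOUS LOGON' -and
            $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' -and
            -not $_.Deny
        }

    if ($anonymous -and $relay) {
        Write-Warning ("{0}: anonymous relay is permitted; narrow RemoteIPRanges or remove the right" -f $rc.Name)
    }
    elseif ($anonymous) {
        Write-Host ("{0}: accepts anonymous mail for local recipients only (expected for an Internet-facing connector)" -f $rc.Name)
    }
}
```

A connector bound to 0.0.0.0:25 with RemoteIPRanges of 0.0.0.0-255.255.255.255, as in the chapter's Tip, is the one to check most carefully, since every setting it carries applies to the whole Internet.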