Receive Connector (odd question)

CWT 391 Reputation points
2020-08-20T03:20:42.143+00:00

Good evening,

Gone through quite possibly all online documents related to Exchange Receive Connectors, so I feel as though I have a good understanding regarding the default connectors Exchange creates upon installation. Most articles seem to agree that leaving them alone is probably a better option (essentially just create new ones as needed). Based on my limited experience, Exchange seems to do a pretty good job straight out of the box.

That said, here are my question(s).
If the goal of an environment is to completely lock down all mail relay to specific IP addresses based on requirements (internal and external etc.), would the following 4 new Receive Connectors accomplish that goal? I have never heard of this being done before and definitely never seen it. Is it as straightforward as it sounds (examples below)?

1 Connector for inbound mail flow locked down to the appliance IP addresses (essentially replacing the Default Frontend SERVERNAME connector).
1 Connector for internal relay marked for Anonymous (printers/applications/things like that) that require no username/password for authentication (locked down to IPs).
1 Connector for internal relay marked as Authenticated for devices/apps/etc. that do require usernames/passwords for internal/external recipients (also locked to IPs).
1 Connector for Anonymous relay to external recipients only based on the following command (non accepted domains).
Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

Based on articles I have read, outside of adding authentication types (TLS, Integrated Windows authentication, and Basic authentication) accordingly, does this work as expected? Definitely adding connectors that technically do not need to be, since by default internal relay is already covered using the Default Frontend SERVERNAME. However, this would lock down all mail relay attempts if specific IP addresses were added to the appropriate scope, would it not?

Thanks for any feedback you may have. Much appreciated.
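The four custom Frontend Receive Connectors described above, written out as an added Exchange Management Shell example (not part of the original post). The server name, connector names, ports and IP addresses/ranges are placeholders; only the `Add-ADPermission` line is taken from the post.

```powershell
# Added example: four custom Frontend Receive Connectors, each scoped to its
# own RemoteIPRanges. All names and IP ranges below are placeholders.
$Server = 'SERVERNAME'   # assumption: the server hosting the Frontend Transport role

# 1. Inbound mail from the mail-filtering appliances only
New-ReceiveConnector -Name 'Inbound from Appliances' -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '203.0.113.10','203.0.113.11' `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Anonymous internal relay for printers/applications, locked to their IPs
New-ReceiveConnector -Name 'Internal Anonymous Relay' -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '10.10.10.50','10.10.10.51' `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 3. Authenticated relay for devices/apps that present credentials
New-ReceiveConnector -Name 'Internal Authenticated Relay' -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '10.10.20.0/24' `
    -AuthMechanism Tls,Integrated,BasicAuth,BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# 4. Anonymous relay to external (non-accepted-domain) recipients, limited to a
#    single application host; the extended right is the one quoted in the post
New-ReceiveConnector -Name 'Anonymous External Relay' -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges '10.10.10.15' `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers
Get-ReceiveConnector "$Server\Anonymous External Relay" |
    Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' `
        -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

# Review step: list every connector on the server with its bindings and remote
# ranges, so you can confirm that no two connectors bound to the same port are
# given the same remote IP or range.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups |
    Format-List
```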


Accepted answer
  1. Andy David - MVP 142.7K Reputation points MVP
    2020-08-20T11:25:23.977+00:00

    Yes, that would work for the most part. However, when you lock down to IPs, they have to be exclusive to that connector.
    In other words, for the 4th connector, if the IP connecting is the same IP or in the same IP range as an IP that is allowed to connect to the 2nd or 3rd connector using port 25, that won't work unless you happen to have multiple NICs and can scope that connector to its own local NIC.
    The custom connectors have to each have their own unique remote IPs/Port combinations.

    Make sense?

    BTW, the way you tell which connector is being used is to enable SMTP protocol logging on each one.
    The connector name will show up in those logs.
    https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019

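An added example (not from the answer above) of the check it describes: enable verbose protocol logging on the custom connectors, then summarise the SmtpReceive protocol log to see which connector each remote IP actually connected to. The server name and the "Default*/Client*" name filter are assumptions, as is the log folder, which is the Frontend Transport default under the Exchange install path.

```powershell
# Added example: turn on verbose protocol logging on the custom connectors
# and report which connector handled each remote IP. Placeholders: $Server,
# the name filter and the log folder.
$Server = 'SERVERNAME'
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.Name -notlike 'Default*' -and $_.Name -notlike 'Client*' } |
    Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# Default Frontend receive protocol log location (assumption: Exchange 2013+)
$LogDir = Join-Path $env:ExchangeInstallPath `
    'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'

# Column names from the "#Fields:" header of the SMTP receive protocol log;
# the "#" comment lines at the top of each file are skipped before parsing.
$Fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'
$Rows = Get-ChildItem -Path $LogDir -Filter '*.log' |
    Get-Content |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ConvertFrom-Csv -Header $Fields

# Count only the session-open event ('+') so each session is counted once,
# drop the ephemeral source port, then group by remote IP and connector name.
# (IPv4 endpoints assumed; an IPv6 endpoint would need a different split.)
$Rows | Where-Object { $_.event -eq '+' } |
    ForEach-Object {
        [pscustomobject]@{
            RemoteIP  = ($_.'remote-endpoint' -split ':')[0]
            Connector = $_.'connector-id'
        }
    } |
    Group-Object -Property RemoteIP, Connector |
    Select-Object @{ n = 'RemoteIP';  e = { $_.Values[0] } },
                  @{ n = 'Connector'; e = { $_.Values[1] } },
                  Count |
    Sort-Object RemoteIP |
    Format-Table -AutoSize
```

A remote IP that shows up under a connector other than the one you scoped it to is the sign that the remote IP range/port combination is not unique across connectors.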

3 additional answers

  1. CWT 391 Reputation points
    2020-08-20T20:05:27.707+00:00

    We are crystal clear now sir. As always thank you for the extremely useful info :o)

    CWT


  2. CWT 391 Reputation points
    2020-08-20T17:03:57.05+00:00

    Think I'm tracking.

    1 Connector on SERVER1 set to 10.10.10.15
    1 Connector set to range on SERVER2 10.10.10.10-10.10.10.20
    Outcome = can't relay unless multi NIC? That correct?

    Question:
    Since individual IP addresses are connector specific and cannot be added to, say, all 4 Receive Connectors on all servers in the DAG, it also means that if the server hosting these single IP addresses is in maintenance mode, is rebooted, or goes completely offline, mail relay completely breaks, doesn't it? At least until that single server goes back online OR those IP addresses are copied over to another server that is accessible. Is that accurate?


  3. CWT 391 Reputation points
    2020-08-20T18:45:55.27+00:00

    100% clear on the high availability portion (I totally misunderstood your first reply and that threw me for a loop :o) - totally my fault lol

    The only thing I'm a little fuzzy on is the following. Based on what I thought I understood, shouldn't Exchange use the most specific scoped setting that matches the connector's configuration? Essentially IP > IP range > network > all IPv4 addresses. In the example below, SERVER1 should be used when the client 10.10.10.15 attempts to relay, correct?

    SERVER1 Connector (ANON) with authentication and anon permissions set, using port 25 and scope 10.10.10.15
    SERVER2 Connector (ANON) where we match the above configuration on SERVER1 EXCEPT we use the following range for its scope: 10.10.10.10-10.10.10.20

    Thanks for kicking the tires :o)