Friday, October 07, 2011

Configuring Mail Flow in a Single Exchange Server 2007


Exchange Server 2007 has five distinct roles: Mailbox, Client Access Server, Hub Transport, Edge Transport and Unified Messaging. Several of them can be installed on the same server or spread across servers. How many servers an Exchange organization needs depends on factors such as:
  • Number of users using the Message System,
  • High Availability roles,
  • Fault tolerant roles,
  • Cluster environments.
In a small company a single Exchange Server 2007 deployment is often all that is needed (Figure 01). In that case three roles live on the same box: Client Access Server, Mailbox and Hub Transport. By default a Hub Transport server has no send connector for the Internet and its receive connector does not accept anonymous SMTP sessions, so some additional configuration is needed before it can send and receive Internet mail. In this article we walk through the steps required on the Hub Transport role.

Figure 01: A single Exchange Server 2007 with all roles

Setting up the Send Connector

One of our tasks is to configure the Exchange Server 2007 box to properly send messages to the Internet.
  1. Open the Exchange Management Console.
  2. Expand Organization Configuration.
  3. Click on Hub Transport.
  4. Click on the Send Connectors tab.
  5. In Toolbox Action, click on New Send Connector.
  6. Introduction. Fill in the field Name and choose Internet on the list, as shown in Figure 02. Click on Next.

Figure 02: Creating a Send Connector in a single Exchange Server box
  7. Address space. Click on Add, in the new window fill in the field Domain with * and click OK. The result can be seen in Figure 03.

Figure 03: All the external messages will go through this new connector
  8. Network settings. Choose how outbound SMTP mail should be routed. If you have a relay server, click Route mail through the following smart hosts and enter that server; if this box resolves DNS itself and delivers directly, click Use domain name system (DNS) "MX" records to route mail automatically, as shown in Figure 04.

Figure 04: Choosing DNS resolution to route the messages
  9. Source Server. We have a single box and it is already listed. Click on Next.
  10. New Connector. A summary of all previous settings; click on New.
  11. Completion. The final screen shows the cmdlet used to create the new Send Connector; just click on Finish.
Now let's validate that the send connector works as expected: send a test message from any internal user to an external recipient and watch it pass through the Queue Viewer, as shown in Figure 05.

Figure 05: The Queue Viewer
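The same send connector can be created from the Exchange Management Shell, which is handy when you want to script the build of a new box. The following is an added example and not code from the original article: Srv-2k7i is the server name used in this article, and the smart host name relay.example.net is an assumption.

```powershell
# Added example: create the Internet send connector from the Exchange
# Management Shell (Exchange Server 2007). "Srv-2k7i" is the server name
# used in the article; "relay.example.net" is an assumed smart host.

# Option A: deliver directly, resolving the recipient domain's MX records.
# "SMTP:*;1" is the address space "*" with cost 1, the same as the wizard.
New-SendConnector -Name "Internet" -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers "Srv-2k7i"

# Option B: hand everything to a relay (smart host) instead of doing MX lookups.
# Run this instead of option A if your ISP or a mail gateway relays for you.
# New-SendConnector -Name "Internet" -Usage Internet `
#     -AddressSpaces "SMTP:*;1" `
#     -DNSRoutingEnabled $false `
#     -SmartHosts "relay.example.net" `
#     -SmartHostAuthMechanism None `
#     -SourceTransportServers "Srv-2k7i"

# Check what was created: one address space "*" and the connector enabled.
Get-SendConnector "Internet" | Format-List Name,Enabled,AddressSpaces,DNSRoutingEnabled,SmartHosts,SourceTransportServers

# After sending a test message to an external recipient, watch it leave through
# the new connector. A queue that stays in Retry with a growing MessageCount
# usually means outbound TCP 25 is blocked at the firewall.
Get-Queue -Server "Srv-2k7i" | Format-Table Identity,DeliveryType,Status,MessageCount,NextHopDomain -AutoSize
```

Run only one of the two New-SendConnector calls; a second connector with the same "*" address space and cost would compete with the first for every Internet-bound message.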

Setting up the Receive Connector

Our next task is to let the server receive Internet messages. By default, when an anonymous SMTP session tries to submit a message to a Hub Transport server, the message is refused with a 5.7.1 Client was not authenticated error, as shown in Figure 06.

Figure 06: Default behavior when an anonymous connection tries to submit a message to a Hub Transport Server
To let anonymous sessions submit messages, and to change the FQDN used in the SMTP greeting, we will adjust the Receive Connector. Exchange Server 2007 creates two Receive Connectors on a Hub Transport server at installation:
  • Default <ServerName>, bound to SMTP port 25; in our article this is Default Srv-2k7i. It accepts mail from other Exchange servers and from authenticated users, but not from anonymous hosts.
  • Client <ServerName>, bound to port 587 for message submission from authenticated non-MAPI clients (POP3 and IMAP4), following RFC 2476 (since superseded by RFC 4409).
Our objective is to set up our single Exchange Server 2007 box to receive Internet messages, so we are going to work with the Default <ServerName> connector:
  1. Open the Exchange Management Console.
  2. Expand Server Configuration.
  3. Click on Hub Transport, select the server on the Result Panel.
  4. In the Work Panel select the Default <ServerName> Receive Connector.
  5. Click Properties in the Actions pane (or right-click the connector and choose Properties).
  6. On the General tab, change the FQDN of this connector to the server's external name (the one your MX record points to) instead of the internal host and domain name, as shown in Figure 07.

Figure 07: Changing the FQDN that the Receive Connector will provide in response to the HELO or EHLO SMTP verb
The second setting to enable is the Anonymous users checkbox under Permission Groups. This lets unauthenticated SMTP hosts on the Internet submit messages to our single Exchange Server 2007 box, as shown in Figure 08. Note that this permission group grants submit rights only for recipients in your accepted domains; it does not grant ms-Exch-SMTP-Accept-Any-Recipient, so the server does not become an open relay.

Figure 08: Enabling Anonymous Connection on the Default Receive Connector
Okay, time to validate our settings! Let's open an SMTP session with telnet to check the FQDN in the greeting and to confirm that the receive connector now accepts an anonymous connection (Figure 09).

Figure 09: Receive Connector with the new settings
The Hub Transport server can now receive Internet mail.
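The telnet check above can be scripted so that it also proves the one thing the screenshot cannot: that an anonymous session may deliver to a local mailbox but is refused when it tries to relay. The script below is an added example and not part of the original article. The host name mail.company.ca, the local recipient user@company.ca and the foreign recipient someone@example.net are assumptions; substitute your own.

```powershell
# Added example (not from the original article): script the telnet check
# against the Default receive connector. It reads the 220 banner, then checks
# that an anonymous session can deliver to a local mailbox but is refused
# when it tries to relay to a domain we are not authoritative for.
$server    = "mail.company.ca"        # assumed: external FQDN set on the connector
$localRcpt = "user@company.ca"        # assumed: a mailbox in one of our accepted domains
$relayRcpt = "someone@example.net"    # assumed: a domain this server does not host

function Invoke-SmtpProbe {
    param([string]$Server, [string]$LocalRecipient, [string]$RelayRecipient)

    $tcp    = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"       # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Read one SMTP reply. Lines of a multi-line reply carry "-" after the
    # code (e.g. "250-SIZE"); the final line carries a space ("250 OK").
    function Read-Reply {
        do { $line = $reader.ReadLine(); Write-Host "S: $line" } while ($line -match '^\d{3}-')
        return $line
    }
    # Send one command and return the server's final reply line.
    function Send-Command([string]$cmd) {
        Write-Host "C: $cmd"
        $writer.WriteLine($cmd)
        return (Read-Reply)
    }

    $result = @{}
    $result.Banner = Read-Reply                              # 220 <fqdn> Microsoft ESMTP MAIL Service ...
    Send-Command "EHLO probe.example.net"        | Out-Null
    Send-Command "MAIL FROM:<probe@example.net>" | Out-Null  # accepted: AnonymousUsers grants Accept-Any-Sender
    $result.LocalRcpt = Send-Command "RCPT TO:<$LocalRecipient>"   # expect 250 2.1.5 Recipient OK
    $result.RelayRcpt = Send-Command "RCPT TO:<$RelayRecipient>"   # expect 550 5.7.1 Unable to relay
    Send-Command "QUIT" | Out-Null
    $tcp.Close()
    return $result
}

$r = Invoke-SmtpProbe -Server $server -LocalRecipient $localRcpt -RelayRecipient $relayRcpt

if ($r.Banner -notmatch [regex]::Escape($server)) {
    Write-Warning "Banner does not announce $server; check the FQDN on the receive connector."
}
if ($r.LocalRcpt -notmatch '^250') {
    Write-Warning "Anonymous delivery to $localRcpt was refused; check the Permission Groups."
}
if ($r.RelayRcpt -match '^250') {
    Write-Warning "OPEN RELAY: $relayRcpt was accepted from an anonymous session."
}
```

Run it from a machine outside your network as well as inside; the outside run also confirms that the firewall is forwarding TCP 25 to the box.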

How can I do the same steps using Exchange Management Shell?

Let's go over the commands needed to configure the receive connector from the Exchange Management Shell.
To define the FQDN, we can use the following cmdlet:
Set-ReceiveConnector "<Connector-Name>" -Fqdn name.company.ca
To enable anonymous submission, first list the permission groups the connector already has:
Get-ReceiveConnector "<Connector-Name>" | Select PermissionGroups
Take note of the current groups: the PermissionGroups value is replaced, not appended to, so running Set-ReceiveConnector with only AnonymousUsers would leave AnonymousUsers as the sole group and break submission from other Exchange servers and authenticated users. Pass the current value plus the new one:
Set-ReceiveConnector "<Connector-Name>" -PermissionGroups "AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers"
(On a fresh Default connector the existing groups are ExchangeUsers, ExchangeServers and ExchangeLegacyServers; include Partners as well if it appeared in the output above.)
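Instead of retyping the group list by hand, the shell can append AnonymousUsers to whatever is already there, and it can audit the Active Directory permissions on the connector afterwards to be sure the anonymous account did not also pick up relay rights. This is an added example, not code from the original article; "Srv-2k7i\Default Srv-2k7i" follows the server name used in the article and mail.company.ca is the assumed external FQDN.

```powershell
# Added example (not from the original article): apply the receive connector
# changes from the Exchange Management Shell without clobbering the existing
# permission groups, then verify that anonymous senders cannot relay.
$connector = Get-ReceiveConnector "Srv-2k7i\Default Srv-2k7i"   # assumed server name

# 1. Announce the external name in the 220 banner and the EHLO reply.
Set-ReceiveConnector -Identity $connector.Identity -Fqdn "mail.company.ca"   # assumed FQDN

# 2. Append AnonymousUsers to the groups already present. PermissionGroups is
#    a flags enumeration whose string form is a comma-separated list, so we
#    rebuild that list with one more entry instead of replacing it.
$groups = $connector.PermissionGroups.ToString().Split(',') | ForEach-Object { $_.Trim() }
if ($groups -notcontains 'AnonymousUsers') {
    $newGroups = ($groups + 'AnonymousUsers') -join ','
    Set-ReceiveConnector -Identity $connector.Identity -PermissionGroups $newGroups
}

# 3. Confirm the result.
Get-ReceiveConnector $connector.Identity | Format-List Fqdn,Bindings,PermissionGroups

# 4. Relay audit. AnonymousUsers grants ms-Exch-SMTP-Submit and
#    ms-Exch-SMTP-Accept-Any-Sender, but NOT ms-Exch-SMTP-Accept-Any-Recipient.
#    If that last right shows up as an Allow for ANONYMOUS LOGON, the box is an
#    open relay (someone granted it by hand, usually for an application).
$anon = Get-ADPermission -Identity $connector.Identity -User "NT AUTHORITY\ANONYMOUS LOGON"
$anon | Format-Table User,Deny,ExtendedRights -AutoSize
$relay = $anon | Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Accept-Any-Recipient' }
if ($relay) {
    Write-Warning "Anonymous relay is allowed on $($connector.Name); remove ms-Exch-SMTP-Accept-Any-Recipient unless this is intended."
}
```

If an internal application genuinely needs to relay to the Internet, give it its own receive connector scoped to its IP address with RemoteIPRanges rather than adding the relay right to the Default connector.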

Installing the Anti Spam Transport Agents

Now let's deploy the anti-spam transport agents to protect our single Exchange Server 2007 box against spammers. Installing them on a Hub Transport server enables the following features:
  • Connection filtering
  • Content filtering
  • Sender ID
  • Sender filtering
  • Recipient filtering
  • Sender reputation
To install the Anti Spam Transport Agents on a single Exchange Server box, follow these steps:
  1. Open the Exchange Management Shell.
  2. Go to the Exchange Server 2007 installation folder (the default path is C:\Program Files\Microsoft\Exchange Server).
  3. Go to the Scripts subfolder.
  4. Run the script called Install-AntiSpamAgents.ps1, as shown in Figure 10.
  5. Restart-Service MSExchangeTransport.

Figure 10: Installing the Anti Spam agents on a Hub Transport Server
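The installation and a sensible first configuration of the agents can be done in one shell session. The following is an added example, not code from the original article or from the Install-AntiSpamAgents.ps1 script itself; the installation path is the default quoted above, and the thresholds are choices, not requirements.

```powershell
# Added example (not from the original article): install the anti-spam agents
# on the Hub Transport server and turn on the checks that matter most on a
# single Internet-facing box. Thresholds are a starting point, not gospel.
$exchangeRoot = "C:\Program Files\Microsoft\Exchange Server"   # default install path
& "$exchangeRoot\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport

# The agents should now be registered and enabled.
Get-TransportAgent | Format-Table Identity,Enabled,Priority -AutoSize

# Recipient filtering: reject unknown recipients at RCPT TO instead of
# accepting the message and bouncing it later (which generates backscatter).
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Content filtering: reject (not just quarantine) messages the filter rates
# at SCL 7 or higher.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 7

# Sender ID: delete messages whose sending host fails the SPF check for the
# purported sender domain.
Set-SenderIdConfig -SpoofedDomainAction Delete

# Sender reputation: block senders whose reputation level reaches 7.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7

# Review the effective settings.
Get-ContentFilterConfig   | Format-List SCLRejectEnabled,SCLRejectThreshold,SCLDeleteEnabled,SCLQuarantineEnabled
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled,BlockListEnabled
Get-SenderIdConfig        | Format-List Enabled,SpoofedDomainAction
```

If inbound mail reaches this box through an upstream relay rather than straight from the Internet, add the relay's address with Set-TransportConfig -InternalSMTPServers so that connection filtering and Sender ID evaluate the real sending host instead of the relay.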
After that, a new Anti-spam tab appears under Hub Transport at the Organization Configuration level, as shown in Figure 11, and we can start configuring the agents to protect our Exchange Server 2007 organization.

Figure 11: The available anti-spam Transport Agents on the single Exchange Server
What about attachment filtering? That agent is only available on the Edge Transport server role, but Microsoft Forefront Security for Exchange Server includes attachment filtering with extra options, and it can be installed on a single Exchange Server box.

Troubleshooting

We have now completed the steps that let a Hub Transport server send and receive Internet messages. What remains is to check the firewall so the server can actually reach, and be reached from, the Internet:
  • The firewall must forward TCP port 25 on the external IP address (the one your MX record resolves to) to the Exchange Server.
  • If you route by DNS, the firewall must allow the Exchange Server 2007 box outbound TCP port 25 to the Internet.
  • If you use a smart host, allow outbound TCP port 25 only to that relay server.
  • Make sure the external IP address has a reverse (PTR) record matching the FQDN you set on the connectors; many receiving servers reject mail from hosts without one.
  • If you still have problems with mail flow, use the Mail Flow Troubleshooter tool from the Toolbox, as shown in Figure 12.

Figure 12: Using the Exchange Mail Flow Troubleshooter
