Using an Exchange 2007 Edge Server as the Mail Relay of an Exchange 2003 Organization (Part 1)

If you would like to read the next part in this article series please go to Using an Exchange 2007 Edge Server as the Mail Relay of an Exchange 2003 Organization (Part 2).

Introduction

A couple of years after the release of Exchange Server 2003, Microsoft planned a product called Exchange Edge Services: an intelligent message transfer agent for the edge of the corporate network that would provide security and spam and virus protection. Edge Services never saw the light of day as a standalone SKU. Instead, Microsoft released the Edge Transport Server role as part of Exchange Server 2007.

The Exchange Server 2007 Edge Transport role is a very special role. It cannot be co-located with any other Exchange Server 2007 role, it does not require Active Directory (it keeps its configuration in its own directory, Active Directory Application Mode, or ADAM) and it is designed to sit in the perimeter network, outside the domain, with a reduced attack surface. It is independent enough that it can be used as the smart host and Internet mail relay of an Exchange 2003 organization without any of the migration steps required for an Exchange 2007 transition.

Although placing an Exchange 2007 Edge server as the mail relay of a messaging infrastructure does not require upgrading the Exchange organization to Exchange 2007, there are still some configuration tasks to perform. This article describes those tasks and the required procedures.

Solution Topology

For the purpose of this article, I installed the following environment in my test lab:


Figure 1: Solution Topology

All servers are virtualized with Windows Server 2008 Hyper-V.

Name        Role                     Software
VM1         Domain Controller        Windows Server 2003 R2 SP2
            Exchange Server 2003     Exchange Server 2003 SP2
E2K7EDGE    Edge Server              Windows Server 2003 R2 SP2 x64
                                     Exchange Server 2007 SP1 + UR7
                                     Forefront Security for Exchange Server 10 SP1

Table 1: List of servers

Configuration Tasks

The deployment of an Exchange 2007 Edge Transport server (also referred to as Edge server or just Edge) to support an existing Exchange 2003 organization starts with the installation of the Exchange 2007 Edge Transport role and, optionally (but recommended), Forefront Security for Exchange Server. After that, the rest of the process can be broken down into the following tasks:

  1. Configure accepted domains on the Edge server

  2. Create a Send Connector from the Edge server to the Internet

  3. Create a Send Connector from the Edge server to the Exchange 2003 organization
    3.1. Configure the SMTP Virtual Server on Exchange Server 2003

  4. Create a Receive Connector on the Edge server that accepts connections from the Exchange 2003 organization
    4.1. Create an SMTP Send Connector from the Exchange 2003 organization to the Edge server

  5. Redirect the DNS mail exchange (MX) record(s) for the internal SMTP domain(s)


Figure 2: Summary of configuration tasks (image courtesy of Microsoft)

1. Configure Accepted Domains

The first step is to configure accepted domains for which the Edge server will accept e-mail.

  1. On the Exchange Edge Server, open the Exchange Management Console (EMC), select Edge Transport, select the Accepted Domains tab and then on the Actions pane, select New Accepted Domain. Choose an appropriate Name and then fill in the Accepted Domain (Figure 3). An accepted domain can be configured as Authoritative, Internal Relay or External Relay. In this case we’ll configure it as an Authoritative Domain. Click New to create the entry.

To perform the same task with an Exchange Management Shell cmdlet (run on the Edge server, since the Edge role stores its configuration in ADAM):
New-AcceptedDomain -Name 'virtual.com' -DomainName 'virtual.com' -DomainType 'Authoritative'


Figure 3: New Accepted Domain

  2. Repeat this task for each SMTP domain that will be routed through the Edge server.

2. Create the Internet Send Connector

A Send Connector is necessary to route e-mail messages to the Internet. Several Send Connectors can be configured (one per SMTP domain), or a single catch-all connector with the address space defined as an asterisk (*). E-mail messages can be routed directly to the destination SMTP servers, using DNS MX resolution, or through a smart host (such as a server hosted by an ISP).

  1. Back in the EMC, click the Send Connectors tab. In the Actions pane, click New Send Connector. In the Name field, type a name to identify the connector. In the Select the intended use for this connector field, select Internet (Figure 4). Click Next.


Figure 4: New SMTP Send Connector

  2. On the Address space page (Figure 5), click Add. In the Add Address Space dialog box, enter "*" as the Address and 10 as the Cost, and then click OK. (It is common practice not to leave the catch-all connector at the default cost of 1, so that a preferred connector with the same address space can be added later with a lower cost.) Click Next.


Figure 5: Address space

  3. On the Network settings page (Figure 6), the option Use domain name system (DNS) "MX" records to route mail automatically is selected by default. If this is the correct setting, click Next. (If outbound mail must go through a smart host, the procedure is the same as for the Send Connector to the Exchange 2003 organization, which uses a smart host and is described later in this article.)


Figure 6: Network settings

  4. On the New Connector page (Figure 7), review the configuration summary and click New.


Figure 7: New Connector

  5. On the Completion page, click Finish.
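The two tasks above (accepted domains and the Internet Send Connector) as they would be scripted in the Exchange Management Shell on the Edge server. This is an added example, not code from the original article: the second domain name, the connector name and the re-run checks are assumptions based on the lab values above; only the cost of 10 and the "*" address space come from the text.

```powershell
# Added example (not from the original article): scripted equivalent of
# tasks 1 and 2, run in the Exchange Management Shell on the Edge server.
# 'sub.virtual.com' and the connector name are assumptions for illustration.

$domains = @('virtual.com', 'sub.virtual.com')   # assumed SMTP domains

# Task 1: one Authoritative accepted domain per SMTP domain the Edge will
# accept mail for. Existing entries are skipped so the script can be re-run.
foreach ($d in $domains) {
    if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $d })) {
        New-AcceptedDomain -Name $d -DomainName $d -DomainType Authoritative
    }
}

# Task 2: a single catch-all Internet Send Connector with address space "*"
# and cost 10, routed by DNS MX lookup. AddressSpaces syntax is
# "<type>:<domain>;<cost>".
$internet = 'Internet Send Connector'    # assumed connector name
if (-not (Get-SendConnector | Where-Object { $_.Name -eq $internet })) {
    New-SendConnector -Name $internet -Usage Internet `
        -AddressSpaces 'SMTP:*;10' -DNSRoutingEnabled $true
}

# Verification: every domain is Authoritative, and the connector routes "*"
# via DNS with no smart hosts configured.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
Get-SendConnector $internet |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, Enabled
```

The existence checks matter on an Edge server because it has no EdgeSync to reconcile duplicates: a second New-AcceptedDomain for the same name simply fails, and the script would stop half way.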

3. Create Internal Send Connector for Exchange 2003

To deliver the messages it has accepted, the Edge server must route them into the organization. It does this with a Send Connector that routes messages addressed to the internal SMTP domains through one or more Exchange 2003 bridgehead servers configured as smart hosts.

  1. On the Edge server, open the EMC. Select Edge Transport, click the Send Connectors tab and then, in the Actions pane, click New Send Connector. In the New SMTP Send Connector wizard (Figure 8), type a Name for this connector. In the Select the intended use for this connector field, choose Internal, and then click Next.


Figure 8: New SMTP Send Connector

  2. On the Address space page, click Add. Several SMTP domains can be added as separate entries, or the -- placeholder (two hyphens) can be entered in the Add Address Space dialog box (Figure 9). The -- placeholder represents all Authoritative and Internal Relay domains configured as Accepted Domains. Click OK to close the dialog box, and then click Next.


Figure 9: SMTP Address Space

  3. On the Network settings page (Figure 10), select Route mail through the following smart hosts, and then click Add. In the Add smart host dialog box, enter the IP address or the FQDN of the Exchange 2003 bridgehead server that will receive the incoming messages. Click OK. More than one smart host can be configured, in which case the Edge server load-balances connections between them. Click Next.


Figure 10: Adding a smart host

From this point on, you must choose which type of security to implement:

  • Basic Authentication over TLS: requires a domain account that is a member of the Exchange Domain Servers group. Both servers must have a certificate, and the Exchange 2003 SMTP Virtual Server must be configured to accept Basic Authentication and require TLS.

  • Anonymous Access: requires modifying the discretionary access control list (DACL) on this Send Connector to grant the NT AUTHORITY\ANONYMOUS LOGON account the ms-Exch-SMTP-Send-Exch50 permission. On the Exchange 2003 bridgehead server, the Relay Restrictions of the SMTP Virtual Server must be configured to allow relay only from the Edge server, and the registry must be modified so that the server accepts anonymous submission of XEXCH50 data (which preserves per-message information such as the spam confidence level (SCL) when messages are relayed from the Edge Transport server).

Basic Authentication over TLS is the recommended setting for authenticating to the legacy Exchange server: the anonymous option relies entirely on the relay restriction list and network controls to keep untrusted hosts from submitting XEXCH50 data.

Leave the New SMTP Send Connector wizard open and proceed to the appropriate section: Basic Authentication with TLS or Internal Send Connector with Anonymous Access.

Basic Authentication with TLS

  1. Create a user account in the Active Directory domain that hosts the Exchange organization (Figure 11); the Edge server will use it to authenticate to Exchange 2003. Add the account to the Exchange Domain Servers security group (Figure 12). Give it a long, random password: it is used only by the Edge server's connector, and membership in Exchange Domain Servers makes it a valuable target.


Figure 11: New AD user


Figure 12: User Properties

  2. On the Exchange 2003 server or servers that will receive messages from the Edge Transport server, open Exchange System Manager. Expand Servers, expand the desired server, expand Protocols and finally expand SMTP. Right-click Default SMTP Virtual Server and select Properties. Click the Access tab and then click Authentication. In the Authentication dialog box (Figure 13), select Basic authentication (password is sent in clear text) and also select Requires TLS encryption, so that the password is only ever sent inside a TLS session. Click OK.


Figure 13: SMTP Virtual Server Authentication

  3. Since TLS will be used, the Exchange 2003 bridgehead server needs a certificate. On the Access tab click Certificate. On the Web Server Certificate Wizard, click Next. Follow the instructions on the remaining pages of the wizard to create a new certificate or to assign an existing one. Close the Default SMTP Virtual Server Properties. On the Edge server side, the self-signed certificate created during setup is accepted. If you replaced the self-signed certificate, make sure the enabled certificate is signed by an authority both servers trust.
  4. Back on the Edge server, on the Configure smart host authentication settings page (Figure 14), select Basic Authentication and Basic Authentication over TLS. In the User name and Password fields, enter the credentials of the previously created user account (in domain\user format or user principal name (UPN) format). Click Next.


Figure 14: Smart host authentication settings

  5. On the New Connector page (Figure 15), review the configuration summary and click New to create the connector.


Figure 15: New Connector summary

  6. On the Completion page, click Finish.
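The same internal Send Connector with Basic Authentication over TLS, created from the Exchange Management Shell on the Edge server, as an added example that is not part of the original article. The connector name, the bridgehead FQDN vm1.virtual.com and the account VIRTUAL\edgerelay are assumptions based on the lab above; the "--" address space and the authentication mechanism come from the text.

```powershell
# Added example (not from the original article): the internal Send Connector
# for the Basic Authentication over TLS option, created in the Exchange
# Management Shell on the Edge server. Connector name, bridgehead FQDN and
# account name are assumptions based on the lab above.

$connector  = 'Internal Send Connector to Exchange 2003'   # assumed name
$bridgehead = 'vm1.virtual.com'   # assumed FQDN of the Exchange 2003 bridgehead

# Credentials of the AD account created in step 1 (member of Exchange Domain
# Servers). Get-Credential prompts interactively, so the password never sits
# in a script file; domain\user or UPN format both work.
$cred = Get-Credential 'VIRTUAL\edgerelay'

# "--" is the address space placeholder for all Authoritative and Internal
# Relay accepted domains. Mail goes to the bridgehead as a smart host, so DNS
# routing is disabled. BasicAuthRequireTLS refuses to send the password
# unless STARTTLS has succeeded first.
New-SendConnector -Name $connector -Usage Internal `
    -AddressSpaces 'SMTP:--;1' `
    -SmartHosts $bridgehead -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential $cred

# Check: the mechanism must be BasicAuthRequireTLS, not plain BasicAuth,
# otherwise the credentials would cross the wire in clear text.
$c = Get-SendConnector $connector
if ($c.SmartHostAuthMechanism -ne 'BasicAuthRequireTLS') {
    Write-Warning "$connector would send credentials without TLS"
}
$c | Format-List Name, AddressSpaces, SmartHosts, SmartHostAuthMechanism, DNSRoutingEnabled
```

The last check is worth keeping in any change script: in the EMC wizard the TLS requirement is a separate checkbox under Basic Authentication, and a connector created with it unticked still works, just insecurely.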

Internal Send Connector with Anonymous Access

On the Exchange 2003 bridgehead server, configure the relay restrictions to enable only the Edge server to relay through this virtual server:

  1. Open Exchange System Manager. Expand Servers, expand the desired server, expand Protocols and finally expand SMTP. Right-click Default SMTP Virtual Server and select Properties. On the Access tab of Default SMTP Virtual Server Properties click Relay. In the Relay Restrictions dialog box (Figure 16) select Only the list below, click Add, and in the Computer dialog box enter the IP address of the Edge server. Click OK twice to close the Default SMTP Virtual Server Properties.


Figure 16:  SMTP Virtual Relay Restrictions

  2. To modify the registry settings on the Exchange 2003 bridgehead server, open Registry Editor. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50. Right-click XEXCH50, click New and select DWORD Value. Type SuppressExternal for the value name and leave it at the default value of 0 (Figure 17). With this value at 0, XEXCH50 properties are not suppressed for the Edge server, which sits outside the Exchange organization.


Figure 17: SuppressExternal Registry value

  3. Next, we must allow XEXCH50 properties to be transmitted when e-mail is sent anonymously. Right-click XEXCH50 and create a new key. Type the number of the SMTP virtual server instance as the key name (the default virtual server instance is 1). Right-click the key you have just created, point to New and select DWORD Value. Type Exch50AuthCheckEnabled as the name and leave the default value of 0 (Figure 18).


Figure 18: Exch50AuthCheckEnabled Registry value

  4. Back on the Edge server, on the Configure smart host authentication settings page (Figure 19), select Externally Secured (for example with IPsec). Click Next.


Figure 19: Smart host authentication settings

  5. On the New Connector page (Figure 20), review the configuration summary and click New to create the connector.


Figure 20: New connector summary

  6. On the Completion page, click Finish.
  7. Run the following command in the Exchange Management Shell on the Edge server to grant the permission required for transmitting XEXCH50 data to the Exchange 2003 server:
    Add-ADPermission -Identity "<Send Connector Name>" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Send-Exch50
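The anonymous-access variant end to end, plus a check that serves both options in this section: an EHLO probe of the bridgehead that shows whether it advertises XEXCH50 (needed for the SCL to survive the hop) and STARTTLS and AUTH (what the Basic-over-TLS option relies on). This is an added example, not code from the original article. Part A runs in the Exchange Management Shell on the Edge server; part B runs on the Exchange 2003 bridgehead and assumes PowerShell is installed there; part C runs from the Edge server. The connector name, the bridgehead address 192.168.1.10, the Edge FQDN used in EHLO and the function name Get-SmtpEhloCapabilities are assumptions.

```powershell
# Added example (not from the original article). Names, IP addresses and the
# helper function below are assumptions; the registry values, the
# ExternallySecured mechanism and the ms-Exch-SMTP-Send-Exch50 right come
# from the procedure above.

# --- A. Edge server: connector with ExternallySecured and the Exch50 right ---
$connector  = 'Internal Send Connector to Exchange 2003'   # assumed name
$bridgehead = '[192.168.1.10]'   # assumed bridgehead IP; brackets mark a literal IP
New-SendConnector -Name $connector -Usage Internal -AddressSpaces 'SMTP:--;1' `
    -SmartHosts $bridgehead -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism ExternallySecured

# Without this right on the connector object in ADAM, the Edge server drops
# XEXCH50 properties (SCL included) before relaying to the bridgehead.
Add-ADPermission -Identity $connector -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -ExtendedRights ms-Exch-SMTP-Send-Exch50
Get-ADPermission -Identity $connector -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Format-Table User, ExtendedRights, Deny -AutoSize

# --- B. Exchange 2003 bridgehead: registry values for anonymous XEXCH50 ---
$x50      = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50'
$instance = 1    # SMTP virtual server instance; 1 is the Default SMTP Virtual Server
New-ItemProperty -Path $x50 -Name SuppressExternal -PropertyType DWord -Value 0 -Force | Out-Null
if (-not (Test-Path "$x50\$instance")) { New-Item -Path "$x50\$instance" | Out-Null }
New-ItemProperty -Path "$x50\$instance" -Name Exch50AuthCheckEnabled `
    -PropertyType DWord -Value 0 -Force | Out-Null
Get-ItemProperty "$x50\$instance"

# --- C. From the Edge server: what does the bridgehead advertise? ---
function Get-SmtpEhloCapabilities {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = 'e2k7edge.virtual.com')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true
        $null = $reader.ReadLine()               # 220 banner (one line on Exchange 2003)
        $writer.WriteLine("EHLO $HeloName")
        $caps = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null -or $line.Length -lt 4) { break }
            $caps += $line.Substring(4)          # strip "250-" / "250 "
        } while ($line[3] -eq '-')               # "250-" means more lines follow
        $writer.WriteLine('QUIT')
        return $caps
    } finally {
        $client.Close()
    }
}

$caps = Get-SmtpEhloCapabilities -Server '192.168.1.10'
foreach ($kw in 'XEXCH50', 'STARTTLS', 'AUTH') {
    $present = [bool]($caps | Where-Object { $_ -like "$kw*" })
    '{0,-9} {1}' -f $kw, $(if ($present) { 'advertised' } else { 'NOT advertised' })
}
```

Run part C from the Edge server's own address: Exchange 2003 evaluates the relay restriction list and the XEXCH50 checks per connecting IP, so a probe from an administrator's workstation can show a different result from what the connector will actually see.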

Summary

This concludes the first part of this two-part article. In the next part I will cover the remaining two steps for successfully deploying the Edge Transport server as the Internet-facing relay of an Exchange 2003 organization.

