Friday, May 25, 2012

Setting Up a New Exchange Server

On a pretty regular basis I see requests in support forums about setting up new Exchange servers and verifying that they work. So, first I’d like to discuss the overall configuration and then how you can test it. I’m going to assume you’ve already installed Exchange.

Authoritative Domains
The domain name that you use for email must be configured as an authoritative domain in Exchange Server 2010. Doing this tells Exchange that it is responsible for that email domain and should accept messages for it. The steps for configuring an authoritative domain are here:

E-mail Address Policy
To give your users email addresses, you need an email address policy that contains your domain name and the format of the email address that you want to use. The default policy may or may not be what you want. Any new email address policies you create have a higher priority than the default. More information about configuring email address policies is here:

Mail Flow from the Internet
Mail messages from the internet can be delivered directly to your email server or go through an SMTP relay. The SMTP relay is in a DMZ (perimeter network) and performs antivirus and antispam scanning before passing messages to your internal system. If you have an SMTP relay then you need to configure your external firewall to forward port 25 to the SMTP relay. Then configure the SMTP relay to forward messages to the Exchange server on the internal network.

Most of the Microsoft documentation for Exchange assumes that you are using an Edge Transport server for SMTP relay. However, this is not required. In fact, most organizations that I work with do not have an Edge Transport server. They have a third party product that performs the role of an SMTP relay.

Many smaller organizations do not have a DMZ and forward port 25 directly from the external firewall to the Exchange server. In most cases, this is fine. It all depends on how security paranoid you want to be. The use of an SMTP relay is more useful for offloading the work of anti-spam and anti-virus scanning from the main Exchange server than it is for any sort of security.

Receive Connectors
By default, Exchange Server 2010 has a receive connector configured to listen on port 25. However, it does not accept unauthenticated connections. To allow this connector, named “Default servername”, to accept messages from the Internet, you need to modify its properties and allow Anonymous authentication.

For more information about receive connectors see:

Allowing anonymous authentication does not make your Exchange server an open relay. This connector will only accept messages for internal recipients.

Send Connectors
Exchange Server 2010 uses send connectors to figure out how to deliver messages outside of the Exchange organization. There are no send connectors created by default. To allow message delivery to the Internet, you need to create a send connector with an address space of *.

You also need to configure how the send connector delivers messages. By default it will use DNS and attempt to deliver directly to the Internet. This is appropriate if you do not have an SMTP relay. If you have an SMTP relay, you should configure the connector to send messages to the SMTP relay. Some people also choose to relay outgoing messages through their ISP. Be aware that if you are relaying outgoing messages through an SMTP relay or your ISP, you can’t check delivery status in the queues of your Exchange server.

For more information about send connectors see:

DNS Records
Finally, you need DNS records that allow other people to find your email servers. For an email domain you need two records:
  •  Host (A) record that resolves to the external IP address on your firewall.
  •  Mail Exchanger (MX) record for the domain that points to the host record.
Internet mail servers look up the MX record for your domain, and that MX record directs them to your server name and IP address.

Testing Incoming Mail
The fastest way to test incoming mail is by sending a test message from another system. However, you can also:
Be aware that many ISPs block all inbound and outbound traffic on port 25 if you do not have a business account and a static IP address. They do this to stop malware on client computers from sending out spam.
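The configuration steps above, as an added Exchange Management Shell example that is not part of the original post. The server name, email domain and relay host are hypothetical placeholders; it also checks that allowing anonymous senders has not turned the connector into an open relay.

```powershell
# Added example (not the post's own script): apply and check the Exchange 2010
# settings discussed above. EX01, example.com and relay.example.com are
# placeholders; set $Relay to $null if mail goes straight to the Internet.
$Server = "EX01"               # placeholder Exchange server name
$Domain = "example.com"        # placeholder email domain
$Relay  = "relay.example.com"  # placeholder SMTP relay in the DMZ, or $null

# 1. Authoritative domain: Exchange only accepts mail for domains listed here.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain })) {
    New-AcceptedDomain -Name $Domain -DomainName $Domain -DomainType Authoritative
}

# 2. Email address policy: a new policy outranks the default; apply it afterwards.
$PolicyName = "$Domain users"
if (-not (Get-EmailAddressPolicy | Where-Object { $_.Name -eq $PolicyName })) {
    New-EmailAddressPolicy -Name $PolicyName -IncludedRecipients AllRecipients `
        -EnabledEmailAddressTemplates "SMTP:%g.%s@$Domain"
    Update-EmailAddressPolicy -Identity $PolicyName
}

# 3. Receive connector: "Default <server>" listens on port 25 but refuses
#    unauthenticated senders until the AnonymousUsers permission group is added.
$Rc = Get-ReceiveConnector -Identity "$Server\Default $Server"
if ("$($Rc.PermissionGroups)" -notmatch "AnonymousUsers") {
    Set-ReceiveConnector -Identity $Rc.Identity `
        -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers
}
# Open-relay check: anonymous senders must not hold Accept-Any-Recipient.
# Without that right the connector only accepts mail for accepted domains.
$Relaying = Get-ADPermission -Identity $Rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" }
if ($Relaying) { Write-Warning "$($Rc.Identity) relays for anonymous senders (open relay)" }

# 4. Send connector: none exist by default; address space * covers the Internet.
$Internet = Get-SendConnector | Where-Object {
    $_.AddressSpaces | Where-Object { $_.Address -eq "*" } }
if (-not $Internet) {
    if ($Relay) {
        # Hand outbound mail to the relay; delivery status then shows in its queues, not Exchange's.
        New-SendConnector -Name "Internet" -Usage Internet -AddressSpaces "*" `
            -SourceTransportServers $Server -DNSRoutingEnabled $false `
            -SmartHosts $Relay -SmartHostAuthMechanism None
    } else {
        New-SendConnector -Name "Internet" -Usage Internet -AddressSpaces "*" `
            -SourceTransportServers $Server -DNSRoutingEnabled $true
    }
}

# 5. DNS: the MX record must name a host whose A record is the firewall's external IP.
nslookup -type=MX $Domain
```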
