In Exchange 2007\2010, Receive connectors represent an incoming connection point for Simple Mail Transfer Protocol (SMTP) communications. Send connectors represent a logical gateway through which all outgoing messages are sent. For end-to-end mail flow, the Hub Transport server must have connectors that support mail flow to and from the Internet and from other Hub Transport servers in the organization.
Sometimes, you may need to allow an application server to relay through your Exchange server. The top rule is that you want to keep relay restricted as tightly as possible, even on servers that are not connected to the Internet. Usually this is done with authentication and/or by restricting by IP address. By default, Exchange 2007\2010 is configured to accept and relay email from hosts that authenticate. Both the “Default” and “Client” receive connectors are configured this way out of the box. Authenticating is the simplest method to submit messages, and is preferred in many cases.
Below is information on how to configure a receive connector to allow application servers to relay messages through the Exchange environment. This method works for both Exchange 2007 and 2010. Because existing Exchange 2007\2010 servers do not need to authenticate with this connector, their IP addresses MUST be excluded from the range of internal IPs on the relay connector.
1. The first step is to create a new receive connector. From Server Configuration, click on Hub Transport. Select the first server and, in the results pane, right click and select New Receive Connector, or click on New Receive Connector from the Actions menu.
2. Provide a descriptive name for the connector and select Custom under Intended Use, then click Next.
3. On the Local Network Settings page, accept the default settings and click Next.
4. The Remote Network Settings page is where you will specify the IP ranges of servers that will be allowed to submit mail. Click Edit, provide the range of IP addresses or a single address for one server and click Next. If you need to add more IP addresses to the range, follow the same steps mentioned. Since the Exchange 2007\2010 servers will not require authentication to submit mail, make sure that ALL Exchange 2007\2010 servers (regardless of their roles) are excluded from this IP range!
5. Click New to have the connector created, then click Finish to close the wizard. After successful creation of the connector, it should appear in the list.
6. Open the properties of the connector and go to the Permission Groups tab. Select only Exchange Servers, click Apply, then click on the Authentication tab.
7. On the Authentication tab, Transport Layer Security (TLS) is already selected to allow all communication between hub transport servers to be secured. Select Externally Secured (for example, with IPSEC), click Apply and then OK.
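The same seven steps from the Exchange Management Shell, followed by two checks a practitioner would want: that no Exchange server address falls inside the relay range, and who actually holds the accept-any-recipient right on the new connector. This is an added example, not part of the original article; the server name HUB01, the connector name, the application server address 10.1.20.15 and the IPRange LowerBound/UpperBound property names are assumptions.

```powershell
# Added example (not from the original article). Assumes the Exchange Management
# Shell on Exchange 2007/2010, a Hub Transport server HUB01 and one application
# server at 10.1.20.15. Adjust names and addresses for your environment.

$hub       = 'HUB01'
$connector = 'Application Relay'
$appHosts  = @('10.1.20.15')   # only the application servers that must relay

# Steps 1-5: a Custom-usage connector scoped to the application server addresses.
# No Exchange server address may appear in -RemoteIPRanges (checked below).
New-ReceiveConnector -Name $connector -Server $hub -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $appHosts

# Steps 6-7: Exchange Servers permission group plus TLS and Externally Secured.
# ExternalAuthoritative tells Exchange to trust the listed hosts fully, which is
# what grants them ms-Exch-SMTP-Accept-Any-Recipient (relay) without credentials.
Set-ReceiveConnector -Identity "$hub\$connector" `
    -PermissionGroups ExchangeServers `
    -AuthMechanism 'TLS, ExternalAuthoritative'

# Check 1: no Exchange server (any role) may resolve to an address inside the
# connector's remote IP ranges, or it would be matched by this connector.
function Convert-IPv4ToUInt32([System.Net.IPAddress]$ip) {
    $b = $ip.GetAddressBytes(); [array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

$ranges = (Get-ReceiveConnector -Identity "$hub\$connector").RemoteIPRanges
foreach ($srv in Get-ExchangeServer) {
    foreach ($addr in [System.Net.Dns]::GetHostAddresses($srv.Fqdn)) {
        if ($addr.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only
        $n = Convert-IPv4ToUInt32 $addr
        foreach ($r in $ranges) {
            # IPRange LowerBound/UpperBound: assumed property names
            $lo = Convert-IPv4ToUInt32 $r.LowerBound
            $hi = Convert-IPv4ToUInt32 $r.UpperBound
            if ($n -ge $lo -and $n -le $hi) {
                Write-Warning "$($srv.Name) ($addr) is inside relay range $r; remove it."
            }
        }
    }
}

# Check 2: list who holds Accept-Any-Recipient on the connector. Expected result:
# only the Exchange Servers group, granted through Externally Secured.
Get-ADPermission -Identity "$hub\$connector" |
    Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' } |
    Select-Object User, ExtendedRights
```

If check 1 prints a warning, edit the connector's Remote Network Settings so the flagged address is no longer covered before putting the connector into service.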