As part of upgrading to Exchange 2013 from Exchange 2007/2010, we need to make sure that Exchange 2013 is the point of communication for sending and receiving email from the Internet.
- Configure Exchange 2013 Internet mail flow during migration - Fri, Dec 27 2013
In addition to installing, configuring, and testing Exchange 2013 Server, migration also consists of configuring and testing mail flow between Exchange 2013 and Exchange 2007/2010. Let’s continue with the preparation and configuration of mail flow between the Exchange 2013 server and the Internet.
Prepare a smart host to send and receive email
The smart host is generally a Sendmail, IronPort, or third-party appliance in the DMZ that protects (by way of content filtering, spam filtering, etc.) the Exchange server and connects internal Exchange organizations with the Internet. These appliances need to be configured in place to send and receive email via Exchange 2013.
Configuring a Receive connector to accept email
During installation of every Client Access Server (CAS) role, a “Default frontend <server name>” Receive connector is created to accept emails on port 25. By default, the Receive connector is configured to accept anonymous connections. Emails received from the Internet with an anonymous connection through this Receive connector are considered to be risky.
It would be ideal to secure the connector by restricting email to a specific IP address or by requiring some form of authentication, as shown in the screenshot below. If you have multiple CAS servers to accept incoming email, a “Default frontend <server name>” Receive connector must be configured on each server.
Adding a smart host IP address to a Receive connector to accept email
Configuring a Send connector to send Internet email
In the existing Exchange 2007/2010 organization, a Send connector is already in place to send email to Internet domains (*). This Send connector uses an Exchange 2007/2010 server as its source server, and you will need to replace this with an Exchange 2013 Mailbox Server.
Adding Exchange 2013 servers to a Send connector
You can also add an Exchange 2013 CAS system to a Send connector, but you must configure this with the “Proxy through client access server” option as shown below. With this option enabled, we will not be able to send all the outbound email through the Exchange 2013 Mailbox Server; rather, outbound mail will be proxied through the CAS server. This setting is useful for large organizations.
Enabling a Send connector to proxy through a client access server
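The Receive and Send connector changes described above can also be made from the Exchange Management Shell. The following is an added example, not part of the original article; the server names, connector name, and smart host address are assumptions to replace with your own, and the script only previews the changes until `$Apply` is set to `$true`.

```powershell
# Added example. Run in the Exchange Management Shell on Exchange 2013.
# All values below are assumptions; replace them with your own.
$SmartHostIP    = '192.0.2.25'                # constructed address of the DMZ smart host
$CasServers     = 'EX13-CAS01', 'EX13-CAS02'  # hypothetical Internet-facing CAS servers
$MailboxServers = 'EX13-MBX01', 'EX13-MBX02'  # hypothetical Exchange 2013 Mailbox servers
$SendConnector  = 'Internet Mail'             # hypothetical name of the existing (*) Send connector
$Apply          = $false                      # $false = preview with -WhatIf, $true = make the change

# 1. Audit each "Default Frontend <server name>" connector, then restrict it.
foreach ($cas in $CasServers) {
    $rc     = Get-ReceiveConnector -Identity "$cas\Default Frontend $cas"
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })

    # Report the current exposure before changing anything.
    [pscustomobject]@{
        Connector      = $rc.Identity
        Anonymous      = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
        OpenToAnyIPv4  = $ranges -contains '0.0.0.0-255.255.255.255'
        RemoteIPRanges = $ranges -join ', '
    }

    # Only the smart host may connect afterwards; any other host that submits
    # mail through this connector has to be added to the list as well.
    Set-ReceiveConnector -Identity $rc.Identity -RemoteIPRanges $SmartHostIP `
        -WhatIf:(-not $Apply)
}

# 2. Replace the Exchange 2007/2010 source servers with Exchange 2013 Mailbox servers.
Set-SendConnector -Identity $SendConnector -SourceTransportServers $MailboxServers `
    -WhatIf:(-not $Apply)

# Optional: the "Proxy through client access server" setting from the screenshot.
# Set-SendConnector -Identity $SendConnector -FrontendProxyEnabled $true

# 3. Verify the result before cutting over on the smart host.
Get-SendConnector -Identity $SendConnector |
    Format-List Name, AddressSpaces, SourceTransportServers, FrontendProxyEnabled
```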
Configuring a smart host to send and receive email
Once the Send/Receive connector is configured for an Exchange 2013 server, it is time to cut the email flow over from legacy Exchange 2007/2010 servers to the Exchange 2013 server. Final cutover is done on the smart host to send/receive emails via Exchange 2013 and stop delivering any new incoming email to Exchange 2007/2010 servers. Once the cutover is complete, the Exchange 2013 server will start accepting, processing, and delivering emails to mailboxes. Henceforth, all email will be sent through the Exchange 2013 servers.
Having a smart host is not mandatory and many smaller organizations may not have one. Although directly configuring Exchange to send/receive email from the Internet is not a recommended practice, it is still possible. In order to deliver email via the Internet, Exchange 2013 CAS servers should be configured with an Internet DNS server, and the Send connector should be configured to use MX records. Similarly, to accept email without a smart host, configure the Internet firewall to send email directly to the Receive connector running on the CAS server. A firewall with load balancing ability can balance the incoming email across multiple Internet-facing CAS servers.