Client to Server Secure SMTP Connectivity in Exchange Server 2007
There seems to be some confusion as to how TLS connectivity to works. Many people think that, by default, Client to Server SMTP communication to is not encrypted and are asking, "How do I secure Client to Server SMTP communication?" Well, the answer is: it already is. Let me explain.
By default, in Exchange Server 2007, there are two receive connectors. One is for Server to Server SMTP and the other is for Client to Server SMTP which is really used for POP3/IMAP clients to send mail via SMTP. I will talk a bit later about clients who are directly connected via MAPI. For this article, we will be talking about Client to Server SMTP.
When creating a Receive Connector, there are several Usage Types that can be selected:
- Client (unavailable on Edge Transport servers: external Client to Server SMTP requires either direct access to the Hub Transport server, which is not recommended, or ISA 2006 publishing port 587 to a Hub Transport server)
- Custom
- Internal
- Internet
- Partner
Depending on which Usage Type you select, certain Authentication Groups will be selected. For example, for our scenario, the Client Usage Type will allow the Permission Group of Exchange Users which is exactly what we need.
In , Microsoft wanted to comply with updated RFC standards, so it kept Server to Server SMTP communication on port 25 and segregated Client to Server communication onto port 587. The details are formalized in RFC 4409.
So how do we restrict this connector to authenticated clients and require them to use TLS when speaking SMTP to Exchange Server 2007? This is really a combination of the Authentication and Permission Groups tabs. First, we will have a look at the Permission Groups tab.
As you can see, this Client Receive Connector only allows the Exchange Users group by default. This means that when a user connects to Exchange and authenticates, they are defined as an Exchange User and are allowed access to use this connector and use the SMTP protocol over the port defined in the Network Tab; this case being port 587. Once authenticated, the Exchange Users are granted the following permissions:
- Ms-Exch-SMTP-Submit
- Ms-Exch-SMTP-Accept-Any-Recipient
- Ms-Exch-Bypass-Anti-Spam
- Ms-Exch-Accept-Headers-Routing
As you can see, the Exchange Users are allowed to Submit SMTP using this Receive Connector.
Now, we have to define if the Client to Server SMTP authentication for the selected Permission Groups is encrypted or not encrypted. This is done on the Authentication tab.
By default, Client to Server authentication on this Client Receive Connector is encrypted using TLS. TLS is advertised, and when POP3/IMAP4 clients use basic authentication, credentials are only accepted after a TLS-encrypted connection has been established.
As a side note, if you want to allow an anonymous application such as a Web Application to relay off of your server, you would do the following:
- Create a new Receive Connector with the Custom Usage Type
- For Remote Network Settings, remove 0.0.0.0-255.255.255.255, and then add the IP address of the remote server that requires relaying permissions
- Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups tab and add Anonymous Users
If you look at the Authentication tab, only Transport Layer Security will be selected. This is called Opportunistic TLS, which means that TLS will be accepted and is the preferred method for communication, but TLS will not be required.
To activate Anonymous users to use this connector for relaying, you must issue the following command:
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Note: Enabling Anonymous Users on a connector does not by itself give them permission to relay. The command above grants the Anonymous Logon account the Ms-Exch-SMTP-Accept-Any-Recipient (relaying) right on the specified connector. Once you have both allowed Anonymous Users on that connector and granted them Ms-Exch-SMTP-Accept-Any-Recipient, they will be able to relay through it.
If your application will be relaying SMTP using separate domain names, make sure you create the necessary Accepted Domains with the appropriate Internal Relay or External Relay settings for those domains. You do not want to choose Authoritative because Exchange will think it is authoritative for these mailboxes, and when Exchange sees these mailboxes do not exist, an NDR will be sent back to the sending server.
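As an added example (not from the original post), the anonymous relay connector described above, done in the Exchange Management Shell instead of the console, followed by a check that no receive connector on the server has been left relaying anonymously from every address. The server name HUB01, the connector name, the application address 192.0.2.25 and the domain partner.example are placeholders.

```powershell
# Added example, not from the original post. Exchange 2007 Management Shell.
# Placeholders: Hub Transport server HUB01, connector "App Relay",
# application host 192.0.2.25, relay domain partner.example.

# 1. Custom connector on port 25 that only accepts the application's address
#    (no 0.0.0.0-255.255.255.255 range, so it cannot be reached by anyone else).
New-ReceiveConnector -Name "App Relay" -Usage Custom -Server HUB01 `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "192.0.2.25"

# 2. Permission Groups tab > Anonymous Users.
Set-ReceiveConnector "HUB01\App Relay" -PermissionGroups AnonymousUsers

# 3. Anonymous access alone does not permit relaying; grant the right explicitly.
Get-ReceiveConnector "HUB01\App Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Sender domain Exchange is not authoritative for: register it as a relay
#    domain so its recipients are not NDRed as non-existent mailboxes.
New-AcceptedDomain -Name "Partner relay" -DomainName "partner.example" `
    -DomainType ExternalRelay

# 5. Audit: every connector that grants anonymous relay, with its remote IP
#    ranges and authentication settings. A connector listed here with
#    0.0.0.0-255.255.255.255 as its range is an open relay.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $relayGrant = Get-ADPermission -Identity $connector.Identity `
            -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object {
            -not $_.Deny -and
            (($_.ExtendedRights | ForEach-Object { "$_" }) -contains
                "Ms-Exch-SMTP-Accept-Any-Recipient")
        }
    if ($relayGrant) {
        $connector | Select-Object Identity, AuthMechanism, PermissionGroups, RemoteIPRanges
    }
}
```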
At least admit that you just copied this from
http://www.shudnow.net/2008/02/10/client-to-server-secure-smtp-connectivity-in-exchange-server-2007/
Title of blog amended.