Network Layout

(Figure: accepted domain network layout)

Create several mailboxes:

$password = Read-Host 'Enter Password' -AsSecureString

New-Mailbox -Name 'work1' -Alias 'work1' -OrganizationalUnit 'work.com' -UserPrincipalName 'work1@work.com' -SamAccountName 'work1' -FirstName 'work1' -Initials '' -LastName '' -Password $password  -Database 'EX20071\First Storage Group\Mailbox Database'

New-Mailbox -Name 'abc1' -Alias 'abc1' -OrganizationalUnit 'ABC.work.com' -UserPrincipalName 'abc1@ABC.work.com' -SamAccountName 'abc1' -FirstName 'abc1' -Initials '' -LastName '' -Password $password  -Database 'EX20073\First Storage Group\Mailbox Database'

New-Mailbox -Name 'canoe1' -Alias 'canoe1' -OrganizationalUnit 'Canoe.com' -UserPrincipalName 'canoe1@Canoe.com' -SamAccountName 'canoe1' -FirstName 'canoe1' -Initials '' -LastName '' -Password $password  -Database 'W2008\First Storage Group\Mailbox Database'

The e-mail address of each mailbox is, by default, stamped by the e-mail address policy, regardless of which Active Directory domain the mailbox lives in:

Get-Mailbox -id canoe1 -DomainController w2008 | fl *smtp*

PrimarySmtpAddress : canoe1@work.com

Get-Mailbox -id abc1 -DomainController ex20073 | fl *smtp*

PrimarySmtpAddress : abc1@work.com

get-mailbox -id work1 -DomainController paula | fl *smtp*

PrimarySmtpAddress : work1@work.com

The MX records for abc.work.com, work.com and canoe.com all point to the hub transport server EX20071.work.com.

DNS

Create secondary zones on the east.com forest's DNS server, so that east.com can resolve the MX records above:

(Figure: DNS2)

On Ex20071.work.com:

Get-AcceptedDomain | format-list DomainName,DomainType

DomainName: work.com
DomainType: Authoritative

After the ABC.work.com and canoe.com domains are created in the work.com forest, the only authoritative accepted domain is still work.com, the forest root.

Now send mail to work1@work.com, abc1@work.com and canoe1@work.com.

All three users receive the mail.

Conclusion:

The accepted domain's DomainName does not have to match an Active Directory domain name. ABC1 is in the ABC.work.com Active Directory domain and Canoe1 is in the Canoe.com Active Directory domain, yet both have the primary SMTP suffix work.com, which is the authoritative accepted domain, so the EX20071 hub transport server accepts the mail and delivers it. What matters for acceptance is the SMTP suffix and the accepted domain list, not where the account lives in the forest.
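To make that conclusion checkable across the forest, here is an added audit script (not code from the original page). It lists, for every mailbox, the Active Directory domain it lives in next to its primary SMTP suffix, and flags any suffix that no Authoritative or InternalRelay accepted domain covers, since the hub transport server would reject mail for such an address. It assumes the Exchange 2007 Management Shell running in the work.com forest; the function name Get-MailboxDomainCoverage is this example's own.

```powershell
# Added example, not part of the original page. Assumes the Exchange 2007
# Management Shell in the work.com forest.

# Exchange 2007 scopes the shell to the local AD domain by default; widen it so
# mailboxes in ABC.work.com and Canoe.com are returned as well.
$AdminSessionADSettings.ViewEntireForest = $true

function Get-MailboxDomainCoverage {
    # Domains this organization will accept mail for (ExternalRelay domains are
    # only relayed, so a mailbox must not have its primary address there)
    $covered = Get-AcceptedDomain |
        Where-Object { $_.DomainType -ne 'ExternalRelay' } |
        ForEach-Object { $_.DomainName.ToString().ToLower() }

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $primary = $_.PrimarySmtpAddress.ToString()
        $suffix  = $primary.Split('@')[1].ToLower()
        New-Object PSObject -Property @{
            Name     = $_.Name
            # Identity is the canonical name, e.g. ABC.work.com/Users/abc1,
            # so the first path element is the AD domain of the account
            ADDomain = $_.Identity.ToString().Split('/')[0]
            Primary  = $primary
            Accepted = ($covered -contains $suffix)
        }
    }
}

$report = Get-MailboxDomainCoverage
$report | Format-Table Name, ADDomain, Primary, Accepted -AutoSize

# Anything listed here has a primary address the organization will not accept mail for
$report | Where-Object { -not $_.Accepted }
```

On the layout above the three test mailboxes show three different ADDomain values and the same work.com suffix, all with Accepted set to True; the last filter should print nothing.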

Further investigation

Set-EmailAddressPolicy -id 'Default Policy' -ForceUpgrade -IncludedRecipients AllRecipients

Get-EmailAddressPolicy 'Default Policy' | fl

RecipientFilter                   : Alias -ne $null
LdapRecipientFilter               : (mailNickname=*)
LastUpdatedRecipientFilter        :
RecipientFilterApplied            : False
IncludedRecipients                : AllRecipients


New-AcceptedDomain -Name 'house.com' -DomainName 'house.com' -DomainType 'Authoritative'

New-EmailAddressPolicy -Name 'house.com' -IncludedRecipients AllRecipients -EnabledEmailAddressTemplates 'SMTP:@house.com' -Priority 1

Update-EmailAddressPolicy -Identity 'house.com'

Get-mailbox | fl Name,*SMTP*

Name               : Tim
PrimarySmtpAddress : Tim@house.com

Name               : Sam
PrimarySmtpAddress : Sam@house.com

Name               : Newton
PrimarySmtpAddress : Newton@house.com

Name               : Olga
PrimarySmtpAddress : Olga@house.com

From the east.com domain, a user can now send mail to sam@house.com.

For that to work, a DNS zone for house.com must exist on the east.com side, as follows:

(Figure: DNS3)

On ex20071.work.com:

New-AcceptedDomain -Name 'newton.com' -DomainName 'newton.com' -DomainType 'Authoritative'

# Append a secondary (lower-case smtp:) template to the existing policy
$policy = Get-EmailAddressPolicy -Identity 'house.com'
$smtp = $policy.EnabledEmailAddressTemplates
$smtp = $smtp + 'smtp:@newton.com'

Set-EmailAddressPolicy -Identity 'house.com' -EnabledEmailAddressTemplates $smtp

Get-EmailAddressPolicy -id House.com | fl enabledPrimary*,EnabledEmail*

EnabledPrimarySMTPAddressTemplate : %m@House.com
EnabledEmailAddressTemplates : {smtp:%m@newton.com, SMTP:%m@House.com}

When James@east.com sends e-mail to sam@newton.com and to sam@house.com, both messages reach the same mailbox. The DNS zones on the east.com side are as follows:

(Figure: DNS4)

One mailbox can have several e-mail addresses, but only one of them is the primary address (the upper-case SMTP: entry); here it is %m@House.com.

CTom@canoe.com sends e-mail to Irene.Will@newton.com.

Irene.Will replies to the e-mail.

(Figure: Primary SMTP 1)

When CTom@canoe.com opens the reply, the sender shows as Irene.Will@house.com, the primary address, not the newton.com address he wrote to.

(Figure: Primary SMTP 2)

By default, the primary SMTP address is set by the e-mail address policy. If Irene.Will wants an exception and prefers Irene.Will@newton.com as her primary address, disable the policy for her mailbox and set the primary address explicitly (otherwise the next policy update would stamp it back):

Set-Mailbox -Identity 'Irene.Will' -EmailAddressPolicyEnabled $false -PrimarySmtpAddress 'Irene.Will@newton.com'


New-AcceptedDomain -Name 'East.com' -DomainName 'East.com' -DomainType 'Authoritative'

Be aware of what Authoritative means here: once East.com is authoritative in the work.com organization, this organization will NDR any east.com recipient it cannot find locally, including the users that really live in the east.com forest. If east.com mailboxes exist elsewhere, InternalRelay (covered below) is the right type, not Authoritative.

# Add a secondary address in the new domain; the lower-case smtp: prefix keeps the existing primary
Set-Mailbox -Identity 'James@work.com' -EmailAddresses ((Get-Mailbox -Identity 'James@work.com').EmailAddresses + 'smtp:James@east.com')

$mailbox = Get-Mailbox -Identity 'James@work.com'
$mailbox.EmailAddresses
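The two manual changes above (add a secondary address; override the policy-stamped primary) are easy to get wrong by hand, so here is an added helper (not the original page's code) that does both with the checks a practitioner wants: it refuses an address whose domain is not an Authoritative or InternalRelay accepted domain, does not duplicate an address that is already present, and only disables the policy when a new primary is requested. It assumes the Exchange 2007 Management Shell; Add-ProxyAddress is this example's own function name, and the mailboxes and addresses are the ones used on this page.

```powershell
# Added example, not part of the original page. Assumes the Exchange 2007
# Management Shell.
function Add-ProxyAddress {
    param(
        [string]$Identity,     # e.g. 'James@work.com'
        [string]$Address,      # e.g. 'James@east.com'
        [switch]$MakePrimary   # also make it the primary SMTP address
    )
    $domain = $Address.Split('@')[1]

    # A proxy address only receives mail if its domain is accepted, and an
    # ExternalRelay domain is relayed out rather than delivered here.
    $accepted = Get-AcceptedDomain | Where-Object {
        $_.DomainName.ToString() -eq $domain -and $_.DomainType -ne 'ExternalRelay'
    }
    if (-not $accepted) {
        throw "$domain is not an Authoritative or InternalRelay accepted domain"
    }

    $mbx = Get-Mailbox -Identity $Identity
    $existing = $mbx.EmailAddresses | ForEach-Object { $_.ToString().ToLower() }
    if ($existing -notcontains "smtp:$($Address.ToLower())") {
        # lower-case 'smtp:' marks a secondary address; 'SMTP:' is the primary
        $mbx.EmailAddresses += "smtp:$Address"
        Set-Mailbox -Identity $Identity -EmailAddresses $mbx.EmailAddresses
    }

    if ($MakePrimary) {
        # With the policy left enabled, the next policy update would stamp the
        # primary back to the template, so the two settings go together.
        Set-Mailbox -Identity $Identity -EmailAddressPolicyEnabled $false -PrimarySmtpAddress $Address
    }

    Get-Mailbox -Identity $Identity |
        Format-List Name, PrimarySmtpAddress, EmailAddressPolicyEnabled, EmailAddresses
}

# Secondary address only (James keeps James@work.com as primary)
Add-ProxyAddress -Identity 'James@work.com' -Address 'James@east.com'

# Secondary address promoted to primary, policy disabled for this mailbox
Add-ProxyAddress -Identity 'Irene.Will' -Address 'Irene.Will@newton.com' -MakePrimary
```

Mailboxes with EmailAddressPolicyEnabled set to $false no longer pick up template changes such as the newton.com addition above, so keep a list of them; `Get-Mailbox -Filter { EmailAddressPolicyEnabled -eq $false }` finds them.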


Internal Relay Domain


Hub1.Areyou.com receives mail for both the Areyou.com and the itsme.com organizations. All mail to the Internet goes out through Hub1.areyou.com, which also hosts the internally accessible DNS server.


DNS at Hub1.areyou.com:

areyou.com zone: MX -> hub1.areyou.com (A 15.90.90.90)

itsme.com zone: MX -> hub2.itsme.com (A 15.80.80.80, the address the FromITSME.COM receive connector below trusts)


Define accepted domains

Hub1.areyou.com

new-AcceptedDomain -Name 'Areyou.com' -DomainName 'areyou.com' -DomainType 'Authoritative'

new-AcceptedDomain -Name 'TOitsme.com' -DomainName 'itsme.com' -DomainType 'InternalRelay'

new-AcceptedDomain -Name 'TOTelus.com' -DomainName 'Telus.com' -DomainType 'ExternalRelay'

Hub2.itsme.com

new-AcceptedDomain -Name 'itsme.com' -DomainName 'itsme.com' -DomainType 'Authoritative'


Define send and receive connectors

Physically-Secured Network

HUB1.areyou.com

new-SendConnector -Name 'TOitsme.com' -Usage 'Internal' -AddressSpaces 'SMTP:itsme.com;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts 'hub2.itsme.com' -SmartHostAuthMechanism 'ExternalAuthoritative' -UseExternalDNSServersEnabled $false -SourceTransportServers 'HUB1'

Set-SendConnector -id 'TOitsme.com' -Port 26

New-ReceiveConnector FromITSME.COM -Usage Internal -RemoteIPRanges 15.80.80.80/32

Get-ReceiveConnector 'FromITSME.COM' | fl auth*,binding*,remote*,permission*

AuthMechanism : Tls, ExchangeServer
Bindings : {0.0.0.0:25}
RemoteIPRanges : {15.80.80.80/32}
PermissionGroups : ExchangeServers, ExchangeLegacyServers

Set-ReceiveConnector FromITSME.com -AuthMechanism TLS,ExternalAuthoritative -PermissionGroups ExchangeServers -bindings '0.0.0.0:26'

Hub2.itsme.com


new-SendConnector -Name 'TOareyou.com' -Usage 'Internal' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts 'hub1.areyou.com' -SmartHostAuthMechanism 'ExternalAuthoritative' -UseExternalDNSServersEnabled $false -SourceTransportServers 'Hub2'

Set-SendConnector -id 'TOareyou.com' -Port 26

New-ReceiveConnector FromAREYOU.COM -Usage Internal -RemoteIPRanges 15.90.90.90/32

Get-ReceiveConnector 'FromAREYOU.COM' | fl auth*,binding*,remote*,permission*

AuthMechanism : Tls, ExchangeServer
Bindings : {0.0.0.0:25}
RemoteIPRanges : {15.90.90.90/32}
PermissionGroups : ExchangeServers, ExchangeLegacyServers

Set-ReceiveConnector FromAREYOU.com -AuthMechanism TLS,ExternalAuthoritative -PermissionGroups ExchangeServers -bindings '0.0.0.0:26'

ExternalAuthoritative is not authentication: the receiving server treats whatever connects as a trusted peer (accepted-domain senders are allowed, anti-spam checks are bypassed), and the only thing that limits who gets that trust is the /32 RemoteIPRanges entry on port 26. That is why the diagram calls the link a physically secured network. Keep the range to the single peer address, keep TLS in the AuthMechanism, and never bind such a connector on an interface reachable from the Internet.


An Internet user sends a message to Tim@itsme.com. Hub1.areyou.com processes it as follows:

Because itsme.com is an accepted domain, the message is accepted. Because no recipient Tim@itsme.com exists in the areyou.com organization, the message is routed to the send connector with the closest address-space match: TOitsme.com, whose address space is itsme.com.

If itsme.com were not defined as an accepted domain of type InternalRelay, hub1.areyou.com would reject the message immediately (it is not an accepted domain, so the server will not relay for it).

All Internet mail from itsme.com also passes through hub1.areyou.com, because the only send connector on hub2 has the address space SMTP:* and hub1.areyou.com as its smart host.


Because the two organizations are separate forests, create a mail contact in areyou.com for the user Tim@itsme.com and a mail contact in itsme.com for the user Joe@areyou.com, so that each organization can resolve and address the other's users.
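The relay setup above has two failure modes a practitioner should check after building it: a relay-type accepted domain that no send connector can route (mail is accepted and then queues or bounces), and an ExternalAuthoritative receive connector that is wider than the single peer it was meant for. Here is an added audit function (not code from the original page) that reports both. It assumes the Exchange 2007 Management Shell on a hub transport server; Test-RelayConfiguration is this example's own name, and the connector and domain names it will find are the ones defined on this page.

```powershell
# Added example, not part of the original page. Assumes the Exchange 2007
# Management Shell on a hub transport server.
function Test-RelayConfiguration {
    $findings = @()

    # Flatten every send connector's address spaces to (connector, domain) pairs
    $sendSpaces = Get-SendConnector | ForEach-Object {
        $c = $_
        $_.AddressSpaces | ForEach-Object {
            New-Object PSObject -Property @{ Connector = $c.Name; Domain = $_.Address.ToLower() }
        }
    }

    # 1. Every InternalRelay / ExternalRelay domain needs a route out
    foreach ($d in Get-AcceptedDomain | Where-Object { $_.DomainType -ne 'Authoritative' }) {
        $name = $d.DomainName.ToString().ToLower()
        # an exact match, the catch-all '*', or a parent wildcard like '*.areyou.com' routes it
        $routed = $sendSpaces | Where-Object {
            $_.Domain -eq $name -or $_.Domain -eq '*' -or
            ($_.Domain.StartsWith('*.') -and $name.EndsWith($_.Domain.Substring(1)))
        }
        if (-not $routed) {
            $findings += "$($d.DomainType) domain $name has no send connector address space; mail will queue or bounce"
        }
    }

    # 2. ExternalAuthoritative trust must be narrow and wrapped in TLS
    foreach ($rc in Get-ReceiveConnector) {
        $mech = $rc.AuthMechanism.ToString()
        if ($mech -notmatch 'ExternalAuthoritative') { continue }
        if ($mech -notmatch 'Tls') {
            $findings += "$($rc.Identity): ExternalAuthoritative without TLS; the peer is trusted on IP address alone"
        }
        foreach ($r in $rc.RemoteIPRanges) {
            $s = $r.ToString()
            # a range ('a-b') or a prefix shorter than /32 covers more than one host
            $isRange = ($s -match '-') -or (($s -match '/(\d+)$') -and ([int]$Matches[1] -lt 32))
            if ($isRange) {
                $findings += "$($rc.Identity): ExternalAuthoritative granted to $s, not to a single host"
            }
        }
        if ($rc.Bindings | Where-Object { $_.ToString() -like '0.0.0.0:*' }) {
            $findings += "$($rc.Identity): bound on all interfaces; bind it to the internal address of the secured link only"
        }
    }

    return $findings
}

Test-RelayConfiguration
```

Against the configuration on this page the function returns one finding per hub: both FromITSME.COM and FromAREYOU.COM are bound to 0.0.0.0:26, and the Telus.com ExternalRelay domain on Hub1 is reported until a send connector with an address space covering telus.com exists.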


In the following scenario, the Exchange 2007 organization shares a namespace (areyou.com) with a UNIX sendmail system. As shown, jim@areyou.com is in Exchange 2007 and Sam@areyou.com is in sendmail. You must configure the accepted domain areyou.com as an Internal Relay domain; if it stays Authoritative, sam@areyou.com cannot receive messages from the Internet even though the send connectors are correctly created, because Exchange NDRs any areyou.com recipient it cannot find. After areyou.com is configured as an Internal Relay domain, when an Internet user sends mail to Sam@areyou.com the Exchange organization first checks its own directory for the recipient; because sam@areyou.com is not there, the mail is routed to the send connector with the closest address-space match (areyou.com), which points at the sendmail host.


External Relay domain: telus.com


Send and Receive Connectors

Exchange 2007 handles an external relay domain a little differently. When an Internet user sends mail to a recipient in the external domain, e.g. fardin@telus.com, the Hub1.areyou.com transport server relays it straight on toward telus.com (via the itsme.com side in this layout) without looking the recipient up in its own organization at all.


Another observation: when you create an e-mail address policy, addresses in Authoritative and Internal Relay domains can be selected as templates, but addresses in an External Relay domain cannot.

For an ISP, the External Relay domain type is the one most often used.

For a large organization, the Internal Relay domain type may be the one to configure.

