Kaiming



Network Layout: 3 forests

Transport1

External Authoritative – Cross Forest

Win20081 and win20082 are physically secured.


Complete the Basic authentication over TLS configuration first, then switch both sides to ExternalAuthoritative:

Win20081.work.com

Set-SendConnector To-Canoe.com -SmartHostAuthMechanism ExternalAuthoritative
Set-ReceiveConnector From-canoe.com -AuthMechanism TLS,ExternalAuthoritative -PermissionGroups ExchangeServers

 

Win20082.canoe.com

Set-SendConnector To-work.com -SmartHostAuthMechanism ExternalAuthoritative
Set-ReceiveConnector From-work.com -AuthMechanism TLS,ExternalAuthoritative -PermissionGroups ExchangeServers

Test-Mailflow -TargetEmailAddress Robin.Williams@work.com

Headers of the test message as received from Win20082.canoe.com:

Received: from WIN20082.canoe.com (191.121.111.200) by Win20081.work.com
(191.121.0.200) with Microsoft SMTP Server (TLS) id 8.1.240.5; Sat, 20 Dec
2008 09:02:07 -0800
Received: from WIN20082.canoe.com ([fe80::1c59:6d45:b9a8:246b]) by
WIN20082.canoe.com ([fe80::1c59:6d45:b9a8:246b%10]) with mapi; Sat, 20 Dec
2008 09:02:06 -0800
Content-Type: multipart/mixed;
boundary="_000_F84A637F1F64AF4CB9680A542E67AADA055A6C5347WIN20082canoe_"
From: SystemMailbox{DD02EB11-ABEA-44B7-8B9B-8A7DE8AFE975}
<SystemMailbox{DD02EB11-ABEA-44B7-8B9B-8A7DE8AFE975}@canoe.com>
To: SystemMailbox{DD02EB11-ABEA-44B7-8B9B-8A7DE8AFE975}
<robin.williams@work.com>
Date: Sat, 20 Dec 2008 09:02:05 -0800
Subject: Test-Mailflow d0a314ae-f9b7-45cc-a3a5-4edcd98013e2
66c7004a-6860-44b2-983a-327aa3c9cfec
Thread-Topic: Test-Mailflow d0a314ae-f9b7-45cc-a3a5-4edcd98013e2
66c7004a-6860-44b2-983a-327aa3c9cfec
Thread-Index: AclixK9Puaoqg1itRneq4RSOag5AOQ==
Message-ID: <F84A637F1F64AF4CB9680A542E67AADA055A6C5347@WIN20082.canoe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <F84A637F1F64AF4CB9680A542E67AADA055A6C5347@WIN20082.canoe.com>
acceptlanguage: en-US
MIME-Version: 1.0
Return-Path: SystemMailbox{DD02EB11-ABEA-44B7-8B9B-8A7DE8AFE975}@canoe.com
X-MS-Exchange-Organization-SCL: -1

Pay attention to X-MS-Exchange-Organization-SCL: -1, which marks the message as trusted so that content filtering is bypassed. The two forests trust each other because the network is physically secured, so the X-MS-Exchange-Organization-* header information is transmitted to the other organization and accepted as-is.
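Because ExternalAuthoritative grants the ExchangeServers permission group without any credential check, and the partner's X-MS-Exchange-Organization-* headers are then trusted, the connectors above should be scoped to exactly the partner hosts and the send side should still require TLS. The following audit script is an added example, not part of the original post: it assumes it runs in the Exchange Management Shell where Get-ReceiveConnector and Get-SendConnector are available, and the $ExpectedPartners allowlist is constructed from the host names and IP addresses visible in the Received: headers above. The assumed text forms of an IPRange ("a.b.c.d", "a.b.c.d/32", "low-high") are noted in the comments.

```powershell
# Added audit example (not from the original post). Assumes the Exchange
# Management Shell on a Hub Transport server. The allowlist below is
# constructed from the partner hosts shown in the Received: headers above.
$ExpectedPartners = @('191.121.111.200', '191.121.0.200',
                      'win20082.canoe.com', 'win20081.work.com')

# Reduce the text form of an IPRange to a single host address, or $null when
# the range spans more than one host. Assumption: the range renders as
# "a.b.c.d", "a.b.c.d/32" or "low-high" (IPv6 uses the same shapes).
function Get-SingleHost([string]$RangeText) {
    if ($RangeText -match '^([0-9A-Fa-f:.]+)/32$') { return $matches[1] }
    if ($RangeText -match '^([0-9A-Fa-f:.]+)-([0-9A-Fa-f:.]+)$') {
        if ($matches[1] -eq $matches[2]) { return $matches[1] }
        return $null
    }
    if ($RangeText -match '^[0-9A-Fa-f:.]+$') { return $RangeText }
    return $null
}

function Get-ExternalAuthoritativeFindings([string[]]$Expected) {
    $findings = @()

    # Receive side: any remote range that is not exactly one expected partner
    # host lets an unauthenticated sender inject trusted organization headers.
    foreach ($rc in Get-ReceiveConnector) {
        if ($rc.AuthMechanism.ToString() -notmatch 'ExternalAuthoritative') { continue }
        foreach ($range in $rc.RemoteIPRanges) {
            $addr = Get-SingleHost $range.ToString()
            if ($addr -eq $null) {
                $findings += "$($rc.Identity): ExternalAuthoritative granted to range $range (not a single host)"
            } elseif ($Expected -notcontains $addr) {
                $findings += "$($rc.Identity): ExternalAuthoritative granted to unexpected host $addr"
            }
        }
    }

    # Send side: ExternalAuthoritative presents no credentials, so TLS is the
    # only protection in transit, and the smart host must be the partner.
    foreach ($sc in Get-SendConnector) {
        if ($sc.SmartHostAuthMechanism.ToString() -ne 'ExternalAuthoritative') { continue }
        if (-not $sc.RequireTLS) {
            $findings += "$($sc.Identity): ExternalAuthoritative smart host without RequireTLS"
        }
        foreach ($sh in $sc.SmartHosts) {
            if ($Expected -notcontains $sh.ToString()) {
                $findings += "$($sc.Identity): unexpected smart host $sh"
            }
        }
    }
    return $findings
}

$result = Get-ExternalAuthoritativeFindings $ExpectedPartners
if ($result.Count -eq 0) {
    Write-Output 'OK: every ExternalAuthoritative connector is scoped to an expected partner host.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on each Hub Transport server after the Set-ReceiveConnector and Set-SendConnector steps; a default RemoteIPRanges of 0.0.0.0-255.255.255.255 on an ExternalAuthoritative receive connector is reported as a finding because it would trust every sender on the network.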


I couldn’t implement the ExchangeServers authentication for smart hosts. I could not implement the TLS Direct Trust or TLS\Kerberos, which is needed for ExchangeServers authentication.

However, the authentication between the Edge Transport server and the Hub Transport server does use ExchangeServers authentication with TLS Direct Trust. The EdgeSync service publishes the Hub Transport server's certificate to the Edge Transport server, and the Edge Subscription process publishes the Edge Transport server's certificate to Active Directory, so each side can validate the other's certificate without a shared CA.

