
Exchange Server 2013 Mail Flow and Transport Services

As people learn about the new features of Exchange Server 2013, one of the first surprises is often the reduction in server roles to just three: the Client Access server, Mailbox server, and Edge Transport server.

The question that usually follows is: how does mail flow work without a Hub Transport server?

Exchange Server 2013 Transport Services

The Hub Transport server role from Exchange 2007 and 2010 has been replaced with a series of services running on the remaining server roles.

The Client Access server role hosts the Front End Transport service, which acts only as a proxy for SMTP connectivity.

The Mailbox server role hosts two additional services:

  • Transport service – performs email routing within the organization, and between the Front End transport service and the Mailbox Transport service
  • Mailbox Transport service – passes email messages between the Transport service and the mailbox database

There are some additional scenarios for the Mailbox server's Transport services when Database Availability Groups are deployed, but for the moment we'll just consider non-DAG scenarios.

Microsoft has published this diagram that gives a good visual representation of how these components all fit together. But if you find it a little confusing simply read on for a few practical examples.


Internal Mail Flow Example

Let's take a look at an internal mail flow example for Exchange Server 2013. In this case the sender and recipient are both on the same mailbox database on the same server, MB2.exchange2013demo.com.

The message headers look like this (I've truncated the data that is not relevant to this topic):

Running the header through the MX Toolbox header analyzer gives us this visual representation.

Exchange Server 2013 Internal Mail Flow Example

What we see are three hops all on the same Mailbox server MB2.exchange2013demo.com, as the message travels through each of the services involved.

Exchange 2013 Internal Mail Flow Hops

Now compare that to an email sent between two Exchange Server 2010 recipients on the same mailbox database.

Exchange Server 2010 Internal Mail Flow Example

This time we only see two hops in the message headers.

Exchange Server 2010 Internal Mail Flow Hops

The best way I can think to describe this difference is that instead of message submission occurring directly via RPC/MAPI between the mailbox database and a Hub Transport server, as in Exchange 2010, it now traverses the intermediary Mailbox Transport service, adding at the very least one additional SMTP hop in the message headers.

You will also note that the example for Exchange Server 2013 demonstrated that the Client Access server's Front End Transport service was not involved for internal mail flow.

External Mail Flow Example

Now let's take a look at an external mail flow example, specifically an email from the internet to a mailbox on an Exchange Server 2013 server.

Exchange Server 2013 External Mail Flow Example

The first three hops belong to Google, and the two that are obscured are another SMTP service involved in this particular mail flow path but not relevant to the Exchange behaviour.

The first Exchange server is an Exchange 2010 Edge Transport, which is configured to route the email to the Exchange 2013 Client Access server CA1.exchange2013demo.com, which then routes it on to the Mailbox server MB1.exchange2013demo.com.

Exchange Server 2013 External Mail Flow Hops

As you can see, the Client Access server role in Exchange 2013 performs mail routing for external emails, but not internal emails. And once again we can see the final hop MB1 -> MB1 as the message is passed between the Hub Transport service and the Mailbox Transport service on that server.
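The hop lists in the internal and external examples above can be reproduced locally from raw headers, which is useful when tracing where a message entered the organization. This is an added example, not code from the original article; the function name `Get-ReceivedHop` is hypothetical, and the sample headers, addresses and version ids are constructed in the style of Exchange 2013 `Received` lines.

```powershell
# Added example (not from the original article): list the hops recorded in a
# message's Received headers, oldest first, and flag hops that stay on one server.
function Get-ReceivedHop {
    param([Parameter(Mandatory = $true)][string]$RawHeaders)

    # Only the header block counts: stop at the first blank line.
    $headerBlock = ($RawHeaders -split '(?:\r?\n){2}', 2)[0]

    # Unfold continuation lines (a line break followed by a space or tab).
    $unfolded = $headerBlock -replace '\r?\n[ \t]+', ' '

    # Each server prepends its Received header, so reverse for chronological order.
    $received = @($unfolded -split '\r?\n' | Where-Object { $_ -match '^Received:' })
    [array]::Reverse($received)

    $hop = 0
    foreach ($line in $received) {
        $value = $line -replace '^Received:\s*', ''

        # The timestamp follows the last semicolon; tolerate headers without one.
        $semi = $value.LastIndexOf(';')
        if ($semi -ge 0) {
            $body  = $value.Substring(0, $semi)
            $stamp = $value.Substring($semi + 1).Trim()
        } else {
            $body  = $value
            $stamp = $null
        }

        $from = if ($body -match '\bfrom\s+(\S+)') { $Matches[1] } else { $null }
        $by   = if ($body -match '\bby\s+(\S+)')   { $Matches[1] } else { $null }
        $with = if ($body -match '\bwith\s+(.+?)(?:\s+via\s+|$)') { $Matches[1] } else { $null }
        # Assumption: a trailing "via ..." names the service that handed the message over.
        $via  = if ($body -match '\bvia\s+(.+)$')  { $Matches[1].Trim() } else { $null }

        $hop++
        [pscustomobject]@{
            Hop        = $hop
            From       = $from
            By         = $by
            With       = $with
            Via        = $via
            SameServer = ($null -ne $from -and $from -ieq $by)
            Timestamp  = $stamp
        }
    }
}

# Constructed sample: three hops that never leave MB2 (documentation IP range).
$sample = @'
Received: from MB2.exchange2013demo.com (192.0.2.12) by
 MB2.exchange2013demo.com (192.0.2.12) with Microsoft SMTP Server (TLS) id
 15.0.516.32; Mon, 4 Feb 2013 21:05:07 +1000
Received: from MB2.exchange2013demo.com (192.0.2.12) by
 MB2.exchange2013demo.com (192.0.2.12) with Microsoft SMTP Server (TLS) id
 15.0.516.32 via Mailbox Transport; Mon, 4 Feb 2013 21:05:06 +1000
Received: from MB2.exchange2013demo.com ([fe80::1]) by
 MB2.exchange2013demo.com ([fe80::1%12]) with mapi id 15.00.0516.032;
 Mon, 4 Feb 2013 21:05:06 +1000
Subject: Constructed test message
'@

Get-ReceivedHop -RawHeaders $sample |
    Format-Table Hop, From, By, With, Via, SameServer -AutoSize
```

Headers below the first hop your own servers stamped are supplied by the sender and can be forged, so treat only the hops added inside your organization as reliable.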

Default Receive Connector for Incoming Internet Email

Unlike Exchange 2007 and 2010 Hub Transport servers which were not configured by default to accept incoming email from the internet, when an Exchange 2013 Client Access server is installed it is pre-configured with a Receive Connector named “Default Frontend <servername>” that allows “Anonymous Users” to connect.

Exchange Server 2013 Frontend Receive Connector

So where Exchange 2007/2010 were secured by default and required the administrator to either deploy Edge Transport servers, or reconfigure the Hub Transport to perform the internet-facing role, Exchange Server 2013 Client Access servers are configured by default for the internet-facing role.
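To check which Receive Connectors in your own organization carry the anonymous permission described above, and whether anonymous senders are also allowed to relay to external recipients, the following read-only audit can be run in the Exchange Management Shell. It is an added example, not part of the original article; the output column names are my own.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Lists enabled Receive Connectors that accept anonymous sessions and reports
# whether anonymous senders also hold the relay right on each of them.

$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

Get-ReceiveConnector |
    Where-Object { $_.Enabled -and ($_.PermissionGroups -match 'AnonymousUsers') } |
    ForEach-Object {
        $connector = $_

        # Collect the extended rights granted (not denied) to anonymous senders.
        $rights = $connector | Get-ADPermission -User $anonymous |
            Where-Object { -not $_.Deny -and $_.ExtendedRights } |
            ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } }

        [pscustomobject]@{
            Connector      = "$($connector.Identity)"
            TransportRole  = "$($connector.TransportRole)"
            Bindings       = $connector.Bindings -join ', '
            RemoteIPRanges = $connector.RemoteIPRanges -join ', '
            AnonymousRelay = ($rights -contains $relayRight)
        }
    } |
    Format-Table -AutoSize -Wrap
```

A connector that appears here with `AnonymousRelay` False accepts unauthenticated mail only for recipients in the organization's accepted domains; True means any client inside its `RemoteIPRanges` can relay to external recipients through it.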

Exchange Server 2013 Message Queues

One of the interesting things about the three transport services in Exchange Server 2013 is that only one of them will actually queue messages locally.

  • Front End Transport service – no local queuing
  • Transport service – local queuing
  • Mailbox Transport service – no local queuing

To test this out I simply stopped the Hub Transport service on my Exchange 2013 server, and then used Telnet to send a test email message via the Front End Transport service.

After completing my commands in the Telnet session I received this error:

If another email server was sending the email message it would likely queue on that server until it was able to retry and successfully submit the message. However I would anticipate that some mail-enabled devices and applications will not handle this situation very well and it may lead to message failure if there is no high availability and load balancing deployed.

Exchange Server 2013 Edge Transport Server

The Edge Transport role was shipped in Exchange Server 2013 Service Pack 1. Read more about installing and configuring Exchange 2013 Edge Transport here.

It is also possible to use Exchange Server 2013 with Exchange 2007/2010 Edge Transport servers.


As you can see the mail flow for Exchange Server 2013 is not that different to that in previous versions of Exchange once you shift your mindset from the server roles in previous versions to the specific services involved in Exchange Server 2013 mail flow.


Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. How did you manage to get Exchange 2010 SP3, as it’s a pre-requisite to coexist with Exchange 2013…I didn’t test with edge but I guess so…?

    I believe it’s not out from MS…?

  2. Dais says:

    Hi Exchange Experts, I want to establish our exchange server but I have a question about exchange, and the question is….
    (How can I find details about companies targeted earlier or not)

    If we have 250 outlook users, and they are mailing to companies a.com, b.com and so on. you@mydomain.com target to both companies but I@mydomain.com don’t know that you@domain.com already target to both or not.

    I want to know that how can I set or get details that someone targeted those companies or not ?

  3. TUAN says:

    Hi Paul.!
    Help me.
    My computer setup new system Exchange 2013 yet.
    There are two system setup windows server 2012.. / 1 setup DC, AD, CAS / 1 setup Exchange 2013
    EX Joined domain with AD and setup successful.! and I not add config.
    . Then I created 2 user on ex user domain Local.
    But I test by send 1 mail user1 to user2.
    I see mail user1 can’t send to user2 and else. It Move to Tab “Drafts”. I am very Crazy with them
    Can you .Help me !
    Thank so much.!

  4. ali says:

    It means the CAS server is receiving mail from the internet, so we have to open port 25 on our firewall/router towards the CAS server because it receives mail from anonymous users, right?
    And the mailbox server is just sending and receiving mail inside the organization?
    Just say yes or no, or a small explanation if required.

  5. Vishal Kayangude says:

    Hey Paul,

    I am currently having CAS and MBX servers on two different servers. I configured my mail filtering (third party) for incoming and outgoing. My outgoing is working fine, but for incoming I am getting the below error:

    Delivery of the test email message failed.

    Additional Details
    The server returned status code 550 – Mailbox unavailable. The server response was: no mailbox by that name is currently available
    Exception details:
    Message: Mailbox unavailable. The server response was: no mailbox by that name is currently available
    Type: System.Net.Mail.SmtpFailedRecipientException
    Stack trace:
    at System.Net.Mail.SmtpTransport.SendMail(MailAddress sender, MailAddressCollection recipients, String deliveryNotify, Boolean allowUnicode, SmtpFailedRecipientException& exception)
    at System.Net.Mail.SmtpClient.Send(MailMessage message)
    at Microsoft.Exchange.Tools.ExRca.Tests.SmtpMessageTest.PerformTestReally()

  6. sunil says:

    Any Idea on the below event.

    In Exchange 2010 HT internet facing server

    Receive connector *** requires Transport Layer Security (TLS) before the MailFrom command can be run, but the server can’t achieve it. Check this connector’s authentication setting.

  7. Jack Cristi says:

    Hi Sir Paul,

    Remember me?
    My domain is now registered. I already configured the A host, mail exchanger and CNAME… I already received emails from Yahoo, Gmail and other domains, but when I’m trying to send a reply or even a new message it goes to drafts and it is stuck there… and my DNS server role says x (error). Where should the problem be? Please help me out…

    thank you sir paul.

  8. Steve says:

    For email filtering appliances to work with Exchange 2013, do you need to configure them to accept mail from the Exchange Mailbox server or the CAS servers? I have a single Send Connector that is sending mail to a smart host. In my mind I’d think the CAS since they are proxying all incoming/outgoing mail traffic but not sure if it would bypass CAS and go straight to smart host or not. Can you clarify?

    • Unless you tick the box to proxy through the front end, then the Mailbox server is the role that sends the outbound mail via the Send Connector. If the servers are multi-role then it doesn’t matter either way.

  9. J-W says:

    Fellow Exchange 2013 admins. Let me make all of you confused 🙂
    I’ve got a problem that I cannot find anything about.
    In the log file (Hub/Protocollog/smtprecieve) I can see email come in that is sent to a bunch of users in our organisation. That email WON’T be delivered to any mailbox if one or more e-mail addresses are wrong.
    You’ll get a Delivery Status Notification that delivery to the following recipients failed and then you’ll see the list of all the recipients! Even the correct ones. How is this possible? If all addresses are correct then it will be delivered to all without problems. We use Exchange 2013 SP1 and we do not use 3rd party anti-spam solutions. If someone wants to see a piece of the log, just ask.
    Many thanks.

    • J-W says:

      OK, weird… it’s my old Exchange server again with its recipient filter. Clearly that does not work well together.
      I find it weird that the Exchange 2003 server still does this much when it actually does not do anything. Would this kind of problem be gone when I uninstall Exchange 2003?

    • I’m a little confused about the exact details of your situation, but I have seen this type of dropped SMTP connection when the sending server/application doesn’t handle the invalid recipient response properly and just drops the entire connection.

  10. Chris A says:

    We have a multi-role Exchange 2013 server. So according to the TechNet article on recipient filtering, we should not do recipient filtering. What are our options? We currently need to stop the queue from jamming up with spam from user@ourdomain to some unknown user/domain. Here is a link to an MS forum pic of the queue:

    http://social.technet.microsoft.com/Forums/exchange/en-US/d4ab4e03-700c-44bb-a6f1-faacedea1820/queue-question?forum=exchangesvrgeneral

  11. Rob Shinwell says:

    OK so…. MS guidance is to combine Exchange 2007/2010 Edge role with EX2013. For a new 2013 deployment you wouldn’t want to introduce a version older than the one you’re deploying. The proper placement for an Edge server would be in the DMZ filtering email before it enters the internal network.

    Without the Edge role now and obviously not wanting to burden the front-end transport service dealing with junk mail, in this scenario what would you recommend placing in the DMZ to replace the Edge role?


    • I don’t know if that is really their “guidance”… Exchange 2007/2010 Edge is *supported* with Exchange 2013. But the concern about mismatched versions is irrelevant since there is an Exchange 2013 Edge Transport role available in SP1 and later anyway.

  12. Pooriya says:

    Hello Guys,

    I have just set up an exchange 2013 organization. I have two servers both of which run MB and CAS roles in a DAG. I have both of these server connected to another server running edge transport role. I have already synced the two servers with the edge server. I am able to send and receive emails internally, but I can send any emails outside. Could you please assist me with this? Thanks a lot.


  13. Ravi Thacker says:

    Hi Paul,

    Can we have Exchange 2013 Edge Transport Servers to work with Exchange 2010 Mailbox Servers?

    We are trying to migrate a client from Exchange 2003 to 2010 and then to 2013 Exchange platform.

    Please advise.

    • Install Exchange 2010 Edge while you’re doing the first phase of the migration. Exchange 2010 Edge can then work with Exchange 2013 (you just need to redo the subscription when the new Ex2013 servers are installed). When Exchange 2010 is fully removed you can replace the Edge with Exchange 2013 version then if you like.

  14. Edwin says:

    I recently installed Exchange server 2013( CAS and MAS roles installed) on Hyper V Server 2012 R2 with 8 GB of RAM.

    I’ve added internet connectivity on the Server and the Exchange server is running well. ( Exchange installed on DC.)

    Although the mailboxes have been created and I can send emails between two random mailbox accounts internally, I can’t send or receive emails outside of the Exchange environment.

    Must I purchase a Google cloud DNS to add MX and a host name DNS records on a public DNS?

    Or is there something I should know regarding email internet infrastructure?

  15. wagdi says:

    Dear Paul
    Exchange Server 2013, installed on Win 2012 with a SAN certificate; send and receive connectors are configured as Microsoft said. This server has some problems with outgoing messages. At first sent messages were stuck in the OWA drafts folder, but after modifying the DNS lookup in ECP all messages disappeared from the drafts folder and I can send messages to internal users. My problem now is that I cannot send to outside. (The server is connected to the internet.)

    Please advise me as you always do

    • Perhaps something wrong with your send connector, your firewall, or perhaps the other mail servers you’re trying to send to are rejecting your connections.

      I suggest checking the messages in the queue to see why they are stuck, perform some testing with telnet, and check your protocol logs on the send connector.

  16. wagdi says:

    Using Exchange 2013 (OWA), I can send and receive email from outside.
    But there is something strange: if I send you a message, you can reply to this message in only one case, where you just press the reply button, do not add anything to the message, and send it as it is, because if you try to write anything in your reply then your message will not be delivered to me. (Delivery to the following recipients failed.)
    You can send a new email to me and you can reply to my message without adding anything to the original message. This is my problem.

    • When there is a delivery failure the NDR (non-delivery report) includes a reason and some diagnostic information that almost always explains why the delivery failed. That is what you should start looking at.

  17. CR says:


    You mention in the post about devices that use SMTP to send email that they should “continue pointing to the Mailbox server’s Hub Transport service […] not the Client Access server as you might assume from its default Receive Connector configuration.”

    Can you expand on this a bit? Currently we use an internal DNS entry of smtp.domain.org that we put on all of our devices that need email relay access (MFP’s, applications, etc.). Should I point this to my CAS servers or my MBX servers (they’re running on separate machines)? Should I create a new receive connector on the MBX servers to support this? I’ve disabled the “Anonymous” permission on the Default Frontend receive connector since all inbound email needs to go through a spam filter first and I do not want to have an open relay for internal users.


  18. Mohd Siddiqui says:

    Sir, Can you please help me out I have a problem I can able to send the mails from my server or clients but I can’t able to receive mails from outside and I can able to send and receive mails locally but I can’t able to receive mails from any site like example – GMAIL,YAHOO,HOTMAIL any other sites my mail server is EXCHANGE SERVER 2010 version please reply as early as possible thanks and I am not getting any error message too


    Mohd Siddiqui

  19. James Slack says:

    I have Exchange 2010 and 2013 in coexistence and it seems to be working fine. Users on both versions can send and receive emails OK.

    However, every 15 minutes I can see the following error in the logs: 1040

    The SMTP availability of the Receive connector Default Mailbox Delivery was low (0 percent) in the last 15 minutes.

    I have had a look at the connectors on 2013 and they look normal.

    Client Frontend 587
    Client Proxy 465
    Default Frontend 25
    Default Mailbox 2525
    Outbound Proxy Frontend 717

    Aside from these events, I am also seeing Unhealthy status in HubTransport and MailboxTransport, which are probably due to this error.

    My guess is that this is something to do with the coexistence, but not sure.

    How do I confirm what is causing this? All the errors say something is not working, but none of them actually point the finger to what is causing the alert on this system that seems to be working.

  20. MG says:

    Hi James,

    Have you ever found a solution to this problem? We are experiencing exactly the same problem, and would really like to find a solution to the problem.


    • PK says:

      I have Exchange 2010 and 2013 in coexistence and it seems to be working fine. Users on both versions can send and receive emails OK.

      However, every 15 minutes I can see the following error in the logs: 1040

      The SMTP availability of the Receive connector Default Mailbox Delivery was low (0 percent) in the last 15 minutes

      Exchange 2010 version: 14.3 (123.4)
      Exchange 2013 Version: 15.0(1104.5)

  21. Brian says:

    I love your stuff, it’s always informative. Can you point me in the right direction? My problem is I have some Linux servers that send emails through my 2013 Exchange and I need to be able to track them. But they aren’t in any sent email box so I can’t figure out how to track them. Can a Linux environment send an email that gets treated like it’s sent from Outlook?

  22. Eric says:

    Hello Paul,

    I am running Exchange 2013 on a Windows server 2012 machine. We have a fixed IP address. Lately, all emails sent to google-hosted mail servers were bouncing back with an error message making reference to reverse-DNS lookup. I have had my ISP change the reverse-DNS address to match our outgoing record. Which solved the situation for a certain amount of time.

    Since last week, a similar issue is happening with the following error message:
    Remote Server returned ‘550-5.7.1 [2002:1825:637a:0:e17e:5ad4:7a3a:439c] Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more 550 5.7.1 information. c73si5414604qka.13 – gsmtp’

    I read multiple MSExchange blogs and tried one of the suggested solutions which was to restart the MSExchange Transport service.
    This seems to solve the problem momentarily but later in the day, other messages bounce and I have to restart the service again.

    Can you tell me what is wrong and what needs to be done here?

    Thank you very much.

      • Eric says:

        I have and we do. What boggles my mind is that as soon as I restart the Exchange Transport Service, our emails are going through. When they start bouncing again… I restart the service and they flow!
        What does the Exchange Transport Service “reset” in our config?
        Or, what is automatically reset until I restart the service?

        • It reloads the config from AD but shouldn’t be changing anything. Does your network and internet connection support IPv6? Maybe after the reset it uses IPv4 for a while then later it hits a Google server that supports IPv6 and tries that. You need to have a discussion with your network team if that’s separate to your team. Or log a MS support case.

  23. Vaseem Mohammed says:

    Need your help Paul 🙂

    I am trying to find article on Ex2010-2013 co-existence Mail Flow.
    SMTP traffic is still on Ex2010.
    I need to understand how Mail flow from
    1. Ex2010 mailbox to Ex2013 mailbox
    2. Which Connectors are involved on both sides
    3. The permissions involved in this

    As it will help to troubleshoot issues like
    1. No mail flow between versions
    2. No mail flow from external to migrated user on 2013 (SMTP on 2010).
    3. No mail flow from external to Ex2010 user (SMTP on 2013).

    Please provide me some pointers.


  24. Jimson says:

    Hi Paul,
    I need your help. I used to be able to send email by using telnet SMTP, but for some reason after a week I am not able to send anymore and keep getting an unable to relay error.

  25. Mike says:

    Paul, I have an issue with inbound email on an Exchange 2013. I did not touch any of the default receive connectors, but I created a new receive connector to allow mails only from an external spam appliance – bindings set to the four external IPs from which the spam appliance sends mail. But every mail that comes in goes through the Default EXNAME connector (confirmed via MessageTracking). Do I have to disable Anonymous on the default connector? Thanks

    • If by “bindings” you mean the “Network adapter bindings” settings on the connector, that is supposed to be for the network adapter/IP of the Exchange server that you want to bind the connector (ie the IP it should “listen” on). Normally you don’t need to touch that at all.

      Keep in mind that the frontend connector on the server is already configured in a way that it would accept email from your spam appliances that is addressed to internal recipients.

      • Mike says:

        Sorry yes, bindings is set to the IP address of the server and the remote ip ranges are set to the external IPs of the spam service. Ok I understand. So the easiest way is to set the IPs of the spam service to the Default Frontend Servername Connector. I just don’t get why I don’t see the custom receive connector in the tracking logs. Neither the Default Frontend Connector.

        • a) I don’t recommend you make any changes to the default connectors at all.

          b) if you want to know which connector is handling connections for an IP address, use protocol logging not message tracking.

  26. Tony says:

    We are testing an Ex2010 to 2013 migration.
    Everything seems to be OK except this:
    mails from 2013 to 2010 have a delay of 10 minutes; the mail stays in the Ex 2013 queue for 10 minutes and every ten minutes the mail queue is cleared,
    whereas mail from 2010 to 2013 is reaching without any delay.
    What could be wrong?

  27. Tiago Geada says:

    Hello Paul,

    When the Exchange Online mail flow connector tries my on-premises server, and it won’t work (service being down deliberately, for instance), an NDR is sent back to the sender and the message fails.

    Is there a way to make it queue for retrial?

  28. Timm says:

    Hello all,
    How would mail flow in a large org with multiple sites when AD sites & services is only set up with a hub-and-spoke for inter-site links? (assuming each site has its own 2013 server)
    For example, if the AD sites and services were set up with inter-site links of
    Site A – Site B
    Site A – Site C
    (Site B and Site C have direct IP connectivity but there is no inter-site link setup in AD sites & services)
    Would mail from an MDB in Site B with a destination of an MDB in Site C route through Site A or would Site B deliver directly to Site C?
    I’m confused about this because articles I’ve read state that 2013 calculates the route based on the cost of the IP site links. This would indicate to me that mail would route from Site B, through Site A, to reach Site C. However, looking at a message header tells me the message went right from Site B to Site C. I’m more apt to believe the message header than the article but I’m obviously misunderstanding something.

    • The server calculates the least cost route, but will then connect directly to the other server, unless

      1) One of the sites along the least cost route has been enabled as a hub site, in which case it will send to a server in the hub site
      2) Direct connection fails (e.g. server down), in which case it will attempt to queue at a site closest to the destination

      There’s other factors at play such as DAGs (closest DAG member is used) and DG expansion servers as well.

  29. yoel says:

    Is there a way for Exchange to block connections that do not respond with a specified HELO response? Many spam relayers try to connect with helo or helo masscan, or pc1 or asdsds. The idea is that Exchange verifies the given IP address against the HELO response and if it does not match it blocks the connection.

  30. saeed says:


    When we configure “set-transportconfig -maxsendsize 20mb -maxreceivesize 20mb”,
    even by configuring the default receive connector “maxrecievemessage to 200MB”, it is not possible to send a message over 20mb!

    How can I solve that?

  31. Kapil K says:

    Hi Paul,

    Need your help, I am having Exchange 2013 environment. 2 MBX and 2 CAS servers. I am having Symantec gateway for sending and receiving emails from internet.
    My gateway is configured to send the emails directly to my MBX servers.
    I need to change the “Default Frontend” receive connector on my CAS server because any of the user/IP in my internal network can telnet to my CAS VIP or name over port 25 and send emails through SMTP commands. I want to stop this behavior and allow only selected IPs to send emails.
    I also created relay connectors on MBX servers and added application server IPs and it is working fine but need to stop all others from doing so.

    So can I remove anonymous users and / ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff from “Default Frontend” and only allow my Symantec gateway IP address?

    Regards, Kapil K

  32. Richard P. says:

    Since in Exchange 2013/2016 also internal mail (from one mailbox to another mailbox) on the same server is delivered via SMTP – is it possible (and supported) to put a spam/malware filter in front of the “SMTP Receive” of Mailbox Transport Service (port 475) or in front of the “SMTP Receive” of Transport Service (ports 2525 and 465)?
    I found no way to change port 475; is the port number hardcoded?

    This would enable spam/malware filtering also on internal mails.

    • Changing the ports will break your mail flow.

      No it is not supported to place other servers or devices in the mail flow between two Exchange servers. If you want internal mail scanned you will need to install an Exchange-integrated antispam solution that can do that job the way you’re expecting.
