
Outbound Mail Flow for Exchange Server 2016

When you first install Exchange Server 2016, there is no outbound mail flow configured by setup. If you happen to be installing into an existing Exchange organization, the existing outbound routes for the organization will apply, and mail sent by mailboxes on your new Exchange server to external recipients will most likely work. However, if you’re installing into a new organization, or want to change your existing outbound mail flow, you’ll need to create a send connector.

Send connectors control outgoing mail flow from your Exchange server. Every organization that needs to send email messages to external recipients will need at least one send connector. In this tutorial we’ll look at creating and testing a new send connector for outbound email from an Exchange Server 2016 server.

Creating a Send Connector for Exchange Server 2016

Log on to your Exchange Admin Center and navigate to mail flow and then send connectors.


Give the new send connector a meaningful name and set the Type to Internet.


Next you’ll need to decide how the outbound emails will be delivered. There are two choices – by MX record, or via smart host. MX record delivery involves your Exchange server looking up the MX records of the recipient’s domain in DNS, and then connecting directly to their email server via SMTP to deliver the email message. Smart host delivery involves your Exchange server sending the messages to a specified IP address or host name for another system (typically an email security appliance or cloud service) that is then responsible for the further delivery of that email message.


For this example I’m going to use MX records to deliver the message. My server already has outbound firewall access on TCP port 25, and can resolve MX records on the internet using DNS, so at a basic level this should work fine. There are other considerations such as SPF and IP reputation in the real world that may impact the delivery of email messages from your server.


Set the address space for the send connector. An address space of “*” means “any domain” and is suitable if you have one send connector that is used for all outbound mail flow. You can keep this “*” address space even if you later need to configure more specific send connectors for particular domains.


Finally, set the source server for the send connector. If you have multiple servers that you want to be responsible for outbound mail flow you can add more than one server to this list.


Click Finish to complete the wizard.
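The same Internet send connector the wizard above builds, created from the Exchange Management Shell instead. This is an added example, not code from the original article; the connector name, the source server name EX2016-01 and the external FQDN mail.example.com are assumed values.

```powershell
# Added example: create the wizard's Internet send connector from the Exchange
# Management Shell. Assumed values below; replace them with your own.
$connectorName = "Outbound to Internet"
$sourceServer  = "EX2016-01"          # assumed Exchange 2016 server name
$externalFqdn  = "mail.example.com"   # assumed; the name used in HELO/EHLO. It should
                                      # resolve publicly and match the reverse DNS of
                                      # the server's public IP, or receivers may reject mail.

# MX record (DNS) routing for every recipient domain ("*").
New-SendConnector -Name $connectorName `
    -Internet `
    -AddressSpaces "*" `
    -SourceTransportServers $sourceServer `
    -DNSRoutingEnabled $true `
    -Fqdn $externalFqdn

# Smart host variant (uncomment instead of the block above if an email
# security appliance or cloud service handles onward delivery).
# New-SendConnector -Name $connectorName -Internet -AddressSpaces "*" `
#     -SourceTransportServers $sourceServer `
#     -SmartHosts "smarthost.example.net" -DNSRoutingEnabled $false `
#     -Fqdn $externalFqdn

# Confirm the settings before testing mail flow.
Get-SendConnector -Identity $connectorName |
    Format-List Name, Enabled, AddressSpaces, SourceTransportServers,
                DNSRoutingEnabled, SmartHosts, Fqdn
```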

Testing the Send Connector

A simple test to verify that the send connector is working is to send an email from a mailbox on the server to an external address. If the email message is received by the external mailbox you can then check the message headers by copying them from the message and pasting them into the Message Analyzer at ExRCA.com. This will verify for you that the email message took the intended route (via your new server) instead of some other existing outbound route in your organization.


If the email message was not received, check the transport queue on the Exchange 2016 server with Get-Queue.

If you see messages stuck in the queue for the next hop domain that you’re trying to send to, you can see more details about them by piping the Get-Queue output to Get-Message.

In particular, look for the LastError attribute of the queued messages, which will often contain a status code that tells you why the messages are not being delivered.

Since outbound mail flow depends on DNS and firewall access, you can also check those items. For example, to verify that MX records can be resolved in DNS by the Exchange server, use the Resolve-DnsName cmdlet.

You can also test SMTP connectivity from the server using Telnet. Because the Telnet client is not installed by default on Windows Server you may need to install it first.

From a CMD prompt, try to telnet on port 25 to one of the MX hosts you resolved earlier.

If you do not see the 220 response and banner, you may have an outbound SMTP connectivity issue that you need to look into further on your firewall.

Finally, if SMTP connectivity looks fine but the emails are still not being delivered you can enable protocol logging on your send connector and then use the log data to assist your troubleshooting.

The protocol logs are stored by default in C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend and can be opened and read in a text editor such as Notepad. The protocol log will show the SMTP conversation between your server and the external recipient’s server, so any SMTP errors should appear in the log.
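The troubleshooting steps above (queue inspection, LastError, MX resolution, TCP 25 connectivity and protocol logging) collected into one Exchange Management Shell pass. This is an added example, not code from the original article; the connector name and the recipient domain example.com are assumed values, and Test-NetConnection stands in for the manual telnet test.

```powershell
# Added example: walk the troubleshooting steps from the Exchange Management Shell.
# Assumed values; adjust to your environment.
$connectorName   = "Outbound to Internet"
$recipientDomain = "example.com"   # the next-hop domain the stuck messages are addressed to

# 1. Queues with messages waiting. A queue for the next-hop domain with a
#    non-empty LastError is the first thing to read.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize

# 2. Details of the messages queued for that domain (Get-Queue piped to Get-Message).
Get-Queue | Where-Object { $_.NextHopDomain -eq $recipientDomain } |
    Get-Message | Format-List Subject, FromAddress, Status, LastError

# 3. Can this server resolve the recipient domain's MX records?
$mx = Resolve-DnsName -Name $recipientDomain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq "MX" } | Sort-Object Preference
$mx | Format-Table Name, Preference, NameExchange -AutoSize

# 4. Outbound TCP 25 to the lowest-preference MX host (same check as telnet;
#    an SMTP server answers with a 220 banner once the connection is open).
$target = $mx[0].NameExchange
$tcp = Test-NetConnection -ComputerName $target -Port 25
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "No TCP 25 connectivity to $target; check the outbound firewall rule."
}

# 5. Connectivity fine but still no delivery: enable verbose protocol logging on
#    the connector, then pull the 4xx/5xx replies the remote server sent ("<" events)
#    out of the newest SmtpSend log. ExchangeInstallPath is set by Exchange setup.
Set-SendConnector -Identity $connectorName -ProtocolLoggingLevel Verbose
$logDir = Join-Path $env:ExchangeInstallPath "TransportRoles\Logs\Hub\ProtocolLog\SmtpSend"
Get-ChildItem $logDir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1 |
    Get-Content | Select-String -Pattern ",<,[45]\d{2}[ -]" | Select-Object -First 20
```

Remember to set the logging level back to None once you have what you need, since verbose protocol logs grow quickly on a busy connector.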


Summary

Outbound mail flow from your Exchange 2016 server requires a send connector to be configured. In the article above I demonstrated how to configure a new send connector for a simple scenario, as well as some troubleshooting steps to help you test and validate that the send connector is working.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

68 comments

  1. Marin says:

    Hello,

    I’m deploying Exchange 2016. It is a new environment and I’m replacing an email appliance that was able to route all the email to a smart host, even the email for clients hosted in the same database.
    Is it possible to do something similar in Exchange? To route all the email, or at least the email from OWA users, to a smart host even for users in the same database? Or at least send the email to the smart host and to the Exchange mailbox as well?
    This sounds weird but it is what the customer wants 🙂

      • Marin says:

        There are a lot of statistics that are pulled for different people from the smart host reports, and also most of the rules are set in the smart host for email delivery restrictions and so on.
        So it would be easier to route all emails to the smart host and keep the reports as they are now than to change the reporting to Exchange and change the whole process.
        That’s the main reason.

  2. Nicholas says:

    I am getting stuck on the last part, “setting source server”. When I select the server and click OK, the page doesn’t go anywhere. The OK button turns blue and just sticks there. I have tried in IE and Chrome and it happens in both browsers. Suggestions?

  3. Shimon Adimor says:

    Hi,
    I wonder if I should choose both Exchange servers as source servers when I have a DAG of two Exchange 2016 servers (and a witness server).

  4. Anatoly says:

    Hi Paul
    I set an SPF record for my domain to make sure mail is only sent from my MX record,
    but now I can send email from another Exchange server with that domain.
    This is my SPF record:
    v=spf1 mx -all
    Please help me, what should I do?
    Thank you

      • What are you expecting to happen? SPF doesn’t stop someone from using your domain name. It only provides the *receiving* server with information to help it decide whether or not to treat the email as spam. No matter what your SPF record says, it’s up to the *receiving* server to decide whether to block, allow, or junk the email.

        • Anatoly says:

          So can’t we stop someone else from using our domain?
          You mean if I don’t set an SPF record anyone can send email to us and all of the email goes to the Inbox, and if I set a complex SPF record I prevent receiving some email and move bad mail to Junk?
          So what is the anti-spam job?

          • Anatoly says:

            Until now I used an SPF record to make sure my emails go to the Inbox of whoever I send email to, and to prevent abuse of my domain.
            But most of my mail that is sent to Gmail & Yahoo & Outlook goes to Spam, and I receive some suspicious mail from my domain (that I’m sure I didn’t send).
            I read some articles that said an SPF record must be configured, and DKIM.
            Now my question is how to make sure my sent email goes to the Inbox, not to Spam, and how can I prevent abuse of my domain?

            Thank you Paul

  5. Tom says:

    Hi Paul,

    I installed Exchange 2016 successfully. As I configured the Send Connector, I got stuck at the add source server window (I selected my source server and clicked on add); it won’t go to the next window by pressing the OK or Cancel button. Any ideas?

  6. BW says:

    Is it possible to prioritise sending email from an Edge server (using EdgeSync) over IPv6 rather than IPv4?

  7. Ahmadi says:

    Hi,

    I installed Exchange 2016 and configured Accepted Domain, External URL, Internal URL, …

    but when sending email to our local users or external users I get an error.

    Outlook and OWA say “You don’t have permission to do this action”.

    I got this error in several test deployments of Exchange. Sometimes after a while the error is gone, but sometimes not. Sometimes after updating Exchange with update rollup 1 or 2 the error is gone, but sometimes not. It’s a strange problem.

      • No, too many unknowns. You need to describe the problem. Where does the error appear, in Outlook/OWA itself or as an NDR? Is that the full error text? Are you logged on as the mailbox owner when the error occurs?

        • Ahmadi says:

          Hi Paul,

          The error appears in both (Outlook and OWA). Also, email is stuck in the Drafts folder.

          I log on as the owner of the mailbox; also, all of the recipients have this error.

          • Check the DNS settings configured on the network interface of the Exchange server. It should only be configured to use your domain controller(s) for DNS, not any public DNS servers.

          • Ahmadi says:

            I checked the DNS settings of the Exchange server. It is configured to use our internal DNS server (our local DC) and has no problem.

            I checked the MSExchange Management section in the Event Log; it shows several errors with Event ID 6: “Cmdlet failed. Cmdlet Get-InboxRule, parameters”

            Is this error related to the email stuck in Drafts and the “You don’t have permission to do this action” error?

  8. Wes Shupp says:

    I want to thank you a TON for all this work you do for us!

    I need your help. This is my first 2016 deployment and I have some issues, and it’s coming down to the wire!

    When I log into OWA and try to send an email, the email goes directly into the Drafts folder. It never sends, nor do I see it hit the queue.

    Do you know why?

  9. Scott Nace says:

    I have blocked NDRs and stopped blank senders on my Exchange Server 2016. I am still getting a lot of messages in the queue viewer, sometimes hundreds of them to a ton of different domains. Every one of them is trying to be delivered to an address that doesn’t exist on the server. My question is whether I should do anything else; when my scripts run at night they are always red in the transport queue. It doesn’t look like these messages are getting out, but how can I stop them altogether?

    Here is one of the messages from my queue.

    Identity: Server Name\Shadow\3\7189775253543
    Subject: Tracking number
    Internet Message ID:
    From Address: Mcclure.452@shekinaproductions.com
    Status: Ready
    Size (KB): 20
    Message Source Name: SMTP:Default Server Name
    Source IP:
    SCL: 0
    Date Received: 9/19/2016 9:31:20 PM
    Expiration Time: 9/21/2016 9:31:20 PM
    Last Error:
    Queue ID: Server Name\Shadow\3
    Recipients: email address@domain.com;2;0;[{LRT=};{LED=};{FQDN=};{IP=}];0;;0

  10. Scott says:

    I am deploying an Exchange 2016 server in my domain with an existing 2010 server. I can send and receive external email on the 2016 test mailbox. I can send emails from a 2010 mailbox to the 2016 mailbox. I cannot send an email from the 2016 box to a 2010 mailbox. It sits in the 2016 queue.

    • The problem is usually a custom receive connector on the 2010 server that uses a remote IP range that overlaps with the 2016 server’s IP address. That will cause server-to-server mail flow to fail.

      • Scott says:

        Any way to correct it, or should I just go forward with the roll out… I did notice on the 2016 connector it is port 2525 and on the 2010 it’s 25. Also, I do have a custom connector on the 2010 box to receive email internally. I added the IP of the new 2016 server in the network tab of the receive mail section. Under authentication, should I check off Exchange server authentication? Under permission I have anonymous and Exchange server checked.

        • “I added the IP of the new 2016 server in the network tab of the receive mail section.”

          Then that is causing the problem. There’s no need to add the IP to a relay connector, nor is there any need to create any type of connector for internal server-to-server mail flow. Doing so will break mail flow. Exchange knows how to route email to other Exchange servers in the org without you needing to do anything.

          http://practical365.com/no-need-create-connectors-internal-exchange-server-mail-flow/

          • Scott says:

            Ok, took the IP out of the connector and restarted the transport service… still sitting in the 2016 queue… I get an error now of 451 5.7.3 cannot achieve exchange server authentication. I can telnet from each server to the other and get the helo response.

    • What is “the receive connector”? There’s multiple receive connectors on each server.

      Also, read that link I posted above. It has tips for how to troubleshoot (such as setting SMTP banners on connectors, using protocol logs…)

  11. Scott says:

    The connector I am referring to is on the 2010 server…. It is named internal. It does not have Exchange authentication checked… I am thinking that is why I am getting the error I stated above.

    • No connector by that name on my 2010 server. I’d say it’s a custom connector that someone has created.

      But you need to verify that is the connector that is even handling the connections, and the way to do that is to use protocol logging.

  12. Scott says:

    Turned logging on… on the 2016 transport connectivity log

    Failed connection to 2001:db8:a0b:12f0::1:25 (NetworkUnreachable:00002743)[TargetIPAddress:2001:db8:a0b:12f0::1:25|MarkedUnhealthy|FailureCount:8|NextRetryTime:2016-09-26T15:08:22.401Z]
    2016-09-26T15:03:22.401Z,08D3E61B99D4F254,SMTP,site:default-first-site-name; version:14,-,Messages: 0 Bytes: 0 (Attempting next target)
    2016-09-26T15:03:22.401Z,08D3E61B99D4F255,SMTP,site:default-first-site-name; version:14,*,Session Failover; previous session id = 08D3E61B99D4F254; reason = SocketError

  13. Scott says:

    I figured it out…. The odd thing is I am able to send a message from 2016 to a 2010 mailbox via telnet.
    On my Exchange 2010 server the EHLO response is correct when going to the 2016 box… but going from 2016 to 2010 the response is the external domain, not the internal one, so 2016 is not getting the correct response.

  14. elisa says:

    Hi,
    would you help me with this problem: I can send email to the internet by OWA but it’s not working with Outlook! I get this error: “Server error: ‘550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain'”
    I already have an accepted domain (DomainB) configured, assuming my AD is DomainA.

  15. Gary says:

    Thanks… great article.

    I’m having one issue with outbound email. The destination mail server is rejecting my email due to what looks like an invalid source mail server name that is not resolvable externally. I have only set up the mailbox server and have not added any edge servers at this point.

    eu-smtp-1.mimecast.com gave this error:
    Local CT IP Reputation Policy (Reject) – https://community.mimecast.com/docs/DOC-1369#550

    Received: from exchange.internaldomainname.local (192.168.67.14) by
    exchange.alguire.local (192.168.67.14) with Microsoft SMTP Server
    (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
    15.1.544.27; Wed, 7 Dec 2016 18:28:39 -0800
    Received: from exchange.internaldomainname.local ([::1]) by exchange.internaldomainname.local

    I set the FQDN on the Send Connector scoping tab to my legitimate hostname, but that didn’t seem to have any effect.

    Any thoughts appreciated and thanks,
    Gary

  16. Naveen says:

    Hello friends, I have a big problem. I have configured Microsoft Exchange Server 2016 and I am not able to send email; all emails are going into the Drafts folder when sending from OWA.
    Please help me.

  17. UMA GANESH says:

    Hi,

    After installing the Edge Transport server, mail flow stopped. Mails are getting stuck in the queue. Could you please help me resolve this case?

    Exchange 2016. 2 Mailbox servers (Single DAG). 1 Edge server.

    Thanks in advance.

    • Which queue are they stuck in? The most likely cause is that you haven’t opened the firewall ports that an Edge server requires for communications in/out with your Mailbox servers. But you’ll need to look closer at your queues and the errors on them to determine what’s wrong.

  18. UMA GANESH says:

    Hi Paul,

    Thanks for the response. Mails are stuck in the mailbox server submission queue. We have routed emails from Edge to the Symantec gateway. The firewall is disabled on all Exchange servers. Please help.

    • You should not turn off the Windows Firewall on the Exchange servers. Exchange setup adds the necessary firewall rules for Exchange to function correctly. However, you will need to make sure any network firewalls between the servers are allowing the required ports.

      You should verify that SMTP connectivity between the servers is working. You can use telnet for that.

      You will need to look closer at your queue that the messages are stuck in. Use the Get-Queue cmdlet to look for the last error or the reason that the queued messages aren’t processing. You can also check the event log for any signs of an error.

  19. UMA GANESH says:

    Hi Paul,

    Thanks again. I have tried telnet to the Edge server but I’m unable to relay to an external domain. Please let me know where the setting is that needs to be changed.

    Send Connector Configuration:
    Edgesync to Internet: Delivery : Route email to smart host: Edge Server IP specified.
    Authentication: None
    Scoping: *
    Source Server: Edge Server IP address specified.

    Please let me know any change to be adjusted according to the delivery.

    • If telnet worked then SMTP connectivity is probably okay. There’s no need to make changes to the EdgeSync connectors, those are created automatically for you when you set up the Edge subscription.

      You should look closer at the queue that is holding the stuck messages, as I suggested already. Use Get-Queue to look at the last error (the property is named “LastError”). That usually provides clues as to what is going wrong. You should also check the event logs if you have not checked them already.

  20. UMA GANESH says:

    Hi Paul,

    Thanks for your valuable inputs. We have fixed the issue. Mails were stuck in the gateway queue. We have released the queue from the mail gateway. Now it works.

    Thanks again.

  21. behdad bibak says:

    Hi,
    I have an Exchange Edge server that has a problem:
    it receives email from internal servers but doesn’t send it to the local destination.

  22. Tomás Crespo says:

    Hi Paul! My smarthost needs authentication, but the authentication has to be DIFFERENT for each Exchange account. I can set the same password for every single user in the smarthost, so the password in the Exchange SMTP connector would always be the same.

    The problem is the username. If the Exchange user is paul@contoso.com it has to authenticate as paul@contoso.com/pass1 against the smarthost. If the Exchange user is tomas@contoso.com it has to authenticate as tomas@contoso.com/pass1.

    My smarthost (my ISP) does NOT allow me to use one single account for every sender.

    Is there any possibility to set up different credentials against the smarthost for every Exchange user? Perhaps creating one connector for every Exchange user? Perhaps using some variable like $EXCHANGE_USRNAME$@contoso.com/pass1???

    Thanks

  23. Kevin says:

    For a server that has multiple IPs, IPv4 and IPv6 (but specifically for IPv6), is there a way to set an IP used for outgoing emails, so that it will always be used?

    IPv6 auto-generates different IPs on each boot, and usually uses those to attempt to send, rather than the static IPv6 address I have set..

    There should be a way to do this, but I haven’t been able to find it yet.

  24. I haven’t encountered any problems with it, so I’m not sure what you’re seeing or how to go about fixing it. Do you allow outbound IPv6 connections through your firewall?
