Receive connectors

Exchange servers use Receive connectors to control inbound SMTP connections from:

  • Messaging servers that are external to the Exchange organization.

  • Services in the transport pipeline on the local Exchange server or on remote Exchange servers.

  • Email clients that need to use authenticated SMTP to send messages.

You can create Receive connectors in the Transport service on Mailbox servers, the Front End Transport service on Mailbox servers, and on Edge Transport servers. By default, the Receive connectors that are required for inbound mail flow are created automatically when you install an Exchange Mailbox server, and when you subscribe an Edge Transport server to your Exchange organization.

A Receive connector is associated with the Mailbox server or Edge Transport server where it's created, and determines how that specific server listens for SMTP connections. On Mailbox servers, the Receive connector is stored in Active Directory as a child object of the server. On Edge Transport servers, the Receive connector is stored in Active Directory Lightweight Directory Services (AD LDS).

These are the important settings on Receive connectors:

  • Local adapter bindings: Configure the combination of local IP addresses and TCP ports that the Receive connector uses to accept connections.

  • Remote network settings: Configure the source IP addresses that the Receive connector listens to for connections.

  • Usage type: Configure the default permission groups and smart host authentication mechanisms for the Receive connector.

  • Permission groups: Configure who's allowed to use the Receive connector, and the permissions that they receive.

A Receive connector listens for inbound connections that match the configuration settings of the connector. Each Receive connector on the Exchange server uses a unique combination of local IP address bindings, TCP ports, and remote IP address ranges that define if and how connections from SMTP clients or servers are accepted.

Although the default Receive connectors are adequate in most cases, you can create custom Receive connectors for specific scenarios. For example:

  • To apply special properties to an email source, for example, a larger maximum message size, more recipients per message or more simultaneous inbound connections.

  • To accept encrypted mail by using a specific TLS certificate.

On Mailbox servers, you can create and manage Receive connectors in the Exchange admin center (EAC) or in the Exchange Management Shell. On Edge Transport servers, you can only use the Exchange Management Shell.

Receive connector changes in Exchange Server

These are the notable changes to Receive connectors in Exchange 2016 and Exchange 2019 compared to Exchange 2010:

  • The _TlsCertificateName_ parameter allows you to specify the certificate issuer and the certificate subject. This helps minimize the risk of fraudulent certificates.

  • The _TransportRole_ parameter allows you to distinguish between frontend (Client Access) and backend connectors on Mailbox servers.

Default Receive connectors created during setup

Several different Receive connectors are created by default when you install Exchange. By default, these connectors are enabled, and protocol logging is disabled for most of them. For more information about protocol logging on Receive connectors, see Protocol logging.

Default Receive connectors in the Front End Transport service on Mailbox servers

The primary function of Receive connectors in the Front End Transport service is to accept anonymous and authenticated SMTP connections into your Exchange organization. The TransportRole property value for these connectors is FrontendTransport. The Front End Transport service relays or proxies these connections to the Transport service for categorization and routing to the final destination.

The default Receive connectors that are created in the Front End Transport service on Mailbox servers are described in the following table.

| Name | Description | Protocol logging | TCP port | Local IP address bindings | Remote IP address ranges | Authentication mechanisms | Permission groups |
|---|---|---|---|---|---|---|---|
| Client Frontend <ServerName> | Accepts connections from authenticated SMTP clients. | None | 587 | All available IPv4 and IPv6 addresses (0.0.0.0 and [::]:) | {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255} (all IPv4 and IPv6 addresses) | TLS, BasicAuth, BasicAuthRequireTLS, Integrated | ExchangeUsers |
| Default Frontend <ServerName> | Accepts anonymous connections from external SMTP servers. This is the common messaging entry point into your Exchange organization. | Verbose | 25 | All available IPv4 and IPv6 addresses (0.0.0.0 and [::]:) | {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255} (all IPv4 and IPv6 addresses) | TLS, BasicAuth, BasicAuthRequireTLS, ExchangeServer, Integrated | AnonymousUsers, ExchangeLegacyServers, ExchangeServers |
| Outbound Proxy Frontend <ServerName> | Accepts authenticated connections from the Transport service on Mailbox servers. The connections are encrypted with the Exchange server's self-signed certificate. This connector is used only if the Send connector is configured to use outbound proxy. For more information, see Configure Send connectors to proxy outbound mail. | None | 717 | All available IPv4 and IPv6 addresses (0.0.0.0 and [::]:) | {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255} (all IPv4 and IPv6 addresses) | TLS, BasicAuth, BasicAuthRequireTLS, ExchangeServer, Integrated | ExchangeServers |

Default Receive connectors in the Transport service on Mailbox servers

The primary function of Receive connectors in the Transport service is to accept authenticated and encrypted SMTP connections from other transport services on the local Mailbox server or remote Mailbox servers in your organization. The TransportRole property value on these connectors is HubTransport. Clients don't directly connect to these connectors.

The default Receive connectors that are created in the Transport service on Mailbox servers are described in the following table.

| Name | Description | Protocol logging | TCP port | Local IP address bindings | Remote IP address ranges | Authentication mechanisms | Permission groups |
|---|---|---|---|---|---|---|---|
| Client Proxy <ServerName> | Accepts authenticated client connections that are proxied from the Front End Transport service. | None | 465 | All available IPv4 and IPv6 addresses (0.0.0.0 and [::]:) | {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255} (all IPv4 and IPv6 addresses) | TLS, BasicAuth, BasicAuthRequireTLS, ExchangeServer, Integrated | ExchangeServers, ExchangeUsers |
| Default <ServerName> | Accepts authenticated connections from: the Front End Transport service on the local or remote Mailbox servers; the Transport service on remote Mailbox servers; the Mailbox Transport service on the local or remote Mailbox servers; Edge Transport servers. The connections are encrypted with the Exchange server's self-signed certificate. | None | 2525 | All available IPv4 and IPv6 addresses (0.0.0.0 and [::]:) | {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255} (all IPv4 and IPv6 addresses) | TLS, BasicAuth, ExchangeServer, Integrated | ExchangeLegacyServers, ExchangeServers, ExchangeUsers |

Default Receive connectors in the Transport service on Edge Transport servers

The primary function of the Receive connector on Edge Transport servers is to accept mail from the Internet. Subscribing the Edge Transport server to your Exchange organization automatically configures the connector permissions and authentication mechanisms that are required for Internet mail flow to and from your organization. For more information, see Edge Transport servers.

The default Receive connector that's created in the Transport service on Edge Transport servers is described in the following table.

| Name | Description | Protocol logging | TCP port | Local IP address bindings | Remote IP address ranges | Authentication mechanisms | Permission groups |
|---|---|---|---|---|---|---|---|
| Default internal receive connector <ServerName> | Accepts anonymous connections from external SMTP servers. | None | 25 | All available IPv4 addresses (0.0.0.0) | {0.0.0.0-255.255.255.255} (all IPv4 addresses) | TLS, ExchangeServer | AnonymousUsers, ExchangeServers, Partners |

Implicit Receive connectors in the Mailbox Transport Delivery service on Mailbox servers

In addition to the Receive connectors that are created during the installation of Exchange servers, there's a special implicit Receive connector in the Mailbox Transport Delivery service on Mailbox servers. This implicit Receive connector is automatically available, invisible, and requires no management. The primary function of this connector is to accept mail from the Transport service on the local Mailbox server or remote Mailbox servers in your organization.

The implicit Receive connector that exists in the Mailbox Transport Delivery service on Mailbox servers is described in the following table.

| Name | Description | Protocol logging | TCP port | Local IP address bindings | Remote IP address ranges | Authentication mechanisms | Permission groups |
|---|---|---|---|---|---|---|---|
| Mailbox delivery Receive connector | Accepts authenticated connections from the Transport service on the local or remote Mailbox servers. | None | 475 | All available IPv4 and IPv6 addresses (0.0.0.0 and [::]:) | {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255} (all IPv4 and IPv6 addresses) | ExchangeServer | ExchangeServers |

Receive connector local address bindings

Local address bindings restrict the Receive connector to listen for SMTP connections on a specific local IP address (network adapter) and TCP port. Typically, the combination of local IP address and TCP port is unique for every Receive connector on a server. However, multiple Receive connectors on a server can have the same local IP addresses and TCP ports if the remote IP address ranges are different. For more information, see the Receive connector remote addresses section.

By default, a Receive connector listens for connections on all available local IPv4 and IPv6 addresses (0.0.0.0 and [::]:). If the server has multiple network adapters, you can configure Receive connectors to accept connections only from IP addresses that are configured for a specific network adapter. For example, on an Internet-facing Exchange server, you can have a Receive connector that's bound to the IP address of the external network adapter to listen for anonymous Internet connections. You can have a separate Receive connector that's bound to the IP address of the internal network adapter to listen for authenticated connections from internal Exchange servers.

Note

If you bind a Receive connector to a specific IP address, make sure that the address is configured on a local network adapter. If you specify an invalid local IP address, the Microsoft Exchange Transport service may fail to start when the server or service is restarted.

In the EAC, you use the Network adapter bindings field to configure the local address bindings in the new Receive connector wizard, or on the Scoping tab in the properties of existing Receive connectors. In the Exchange Management Shell, you use the _Bindings_ parameter on the New-ReceiveConnector and Set-ReceiveConnector cmdlets. Depending on the usage type that you select, you might not be able to configure the local address bindings when you create the Receive connector, but you can modify them after you create the Receive connector. The affected usage types are identified in the Receive connector usage types section.
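The note above warns that binding to an address that isn't on a local adapter can keep the Transport service from starting. The following added example (not part of the original documentation) checks the address against the local adapters before it calls Set-ReceiveConnector. The function names, connector identity and IP address are hypothetical, and it assumes the Exchange Management Shell running on the Exchange server itself.

```powershell
# Added example: refuse to apply a binding whose IP address is not configured
# on a local network adapter. Function names and sample values are hypothetical.

function Test-LocalBindingAddress {
    param([Parameter(Mandatory)] [string] $IPAddress)

    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref] $parsed)) {
        return $false                       # not an IP address at all
    }
    # 0.0.0.0 and :: mean "all available addresses" and need no adapter check.
    if ($parsed.Equals([System.Net.IPAddress]::Any) -or
        $parsed.Equals([System.Net.IPAddress]::IPv6Any)) {
        return $true
    }
    # Collect every unicast address configured on this machine's adapters.
    $local = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        ForEach-Object { $_.Address }
    return [bool] ($local | Where-Object { $_.Equals($parsed) })
}

function Set-ConnectorBinding {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $IPAddress,
        [ValidateRange(1, 65535)] [int] $Port = 25
    )

    if (-not (Test-LocalBindingAddress -IPAddress $IPAddress)) {
        Write-Warning "$IPAddress is not configured on a local adapter; binding not changed."
        return
    }

    # Bindings take the form IPv4:port or [IPv6]:port.
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    $binding = if ($ip.AddressFamily -eq 'InterNetworkV6') { "[$ip]:$Port" } else { "${ip}:$Port" }

    Set-ReceiveConnector -Identity $Identity -Bindings $binding

    # Show the result so the change can be reviewed before the next service restart.
    Get-ReceiveConnector -Identity $Identity | Format-List Name, Bindings, RemoteIPRanges
}

# Placeholder identity and constructed sample address; replace with real values.
Set-ConnectorBinding -Identity 'Exchange01\Internal Relay' -IPAddress '10.0.0.25' -Port 25
```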

Receive connector remote addresses

Remote addresses define the sources from which the Receive connector accepts SMTP connections. By default, Receive connectors listen for connections from all IPv4 and IPv6 addresses (0.0.0.0-255.255.255.255 and ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff). If you create a custom Receive connector to receive mail from a specific source, configure the connector to listen for connections only from the specific IP address or address ranges.

Multiple Receive connectors on the server can have overlapping remote IP address ranges as long as one range is completely overlapped by another. When remote IP address ranges overlap, the remote IP address range that has the most specific match to the connecting server's IP address is used.

For example, consider the following Receive connectors in the Front End Transport service on the server named Exchange01:

  • Connector name: Client Frontend Exchange01

    • Network adapter bindings: All available IPv4 on port 25.

    • Remote network settings: 0.0.0.0-255.255.255.255

  • Connector name: Custom Connector A

    • Network adapter bindings: All available IPv4 on port 25.

    • Remote network settings: 192.168.1.0-192.168.1.255

  • Connector name: Custom Connector B

    • Network adapter bindings: All available IPv4 on port 25.

    • Remote network settings: 192.168.1.75

SMTP connections from 192.168.1.75 are accepted by Custom Connector B, because that connector has the most specific IP address match.

SMTP connections from 192.168.1.100 are accepted by Custom Connector A, because that connector has the most specific IP address match.
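The most-specific-match rule can be modelled offline to predict which connector a given source address will land on before a custom connector is deployed. The following added example (not Exchange's own code) models it as "the smallest range that contains the client address wins", using the three Exchange01 connectors above as constructed sample data. It handles only the two IPv4 forms shown here (a single address and a start-end range), and the function names are hypothetical.

```powershell
# Added example: model of most-specific remote range selection for connectors
# that share the same local binding. Not Exchange's implementation.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address.Trim()).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Only IPv4 addresses are handled: $Address" }
    # Build the value arithmetically so the result does not depend on byte order.
    return ([long] $b[0] * 16777216) + ([long] $b[1] * 65536) + ([long] $b[2] * 256) + [long] $b[3]
}

function Resolve-ReceiveConnector {
    param(
        [Parameter(Mandatory)] [object[]] $Connectors,
        [Parameter(Mandatory)] [string] $ClientIP
    )
    $client = ConvertTo-IPv4Number -Address $ClientIP

    $candidates = foreach ($connector in $Connectors) {
        foreach ($range in $connector.RemoteIPRanges) {
            # "a-b" is a range; a bare address is a range of one.
            $parts = @($range -split '-')
            $start = ConvertTo-IPv4Number -Address $parts[0]
            $end   = ConvertTo-IPv4Number -Address $parts[-1]
            if ($client -ge $start -and $client -le $end) {
                [pscustomobject]@{
                    Name  = $connector.Name
                    Range = $range
                    Size  = $end - $start + 1
                }
            }
        }
    }
    # Smallest containing range is the most specific match; $null if none match.
    return $candidates | Sort-Object -Property Size | Select-Object -First 1
}

# Constructed sample data taken from the Exchange01 example in the text.
$sampleConnectors = @(
    [pscustomobject]@{ Name = 'Client Frontend Exchange01'; RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
    [pscustomobject]@{ Name = 'Custom Connector A';         RemoteIPRanges = @('192.168.1.0-192.168.1.255') }
    [pscustomobject]@{ Name = 'Custom Connector B';         RemoteIPRanges = @('192.168.1.75') }
)

foreach ($ip in '192.168.1.75', '192.168.1.100', '10.1.1.1') {
    $match = Resolve-ReceiveConnector -Connectors $sampleConnectors -ClientIP $ip
    '{0,-15} -> {1} ({2})' -f $ip, $match.Name, $match.Range
}
```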

In the EAC, you use the Remote network settings field to configure the remote IP addresses in the new Receive connector wizard, or on the Scoping tab in the properties of existing Receive connectors. In the Exchange Management Shell, you use the _RemoteIPRanges_ parameter on the New-ReceiveConnector and Set-ReceiveConnector cmdlets.

Receive connector usage types

The usage type determines the default security settings for the Receive connector. The usage type specifies who is authorized to use the connector, the permissions they get, and the authentication methods that are supported.

When you use the EAC to create Receive connectors, the wizard prompts you to select the Type value for the connector. When you use the New-ReceiveConnector cmdlet in the Exchange Management Shell, you use the _Usage_ parameter with one of the available values (for example, -Usage Custom), or the designated switch for the usage type (for example, -Custom).

You can specify the connector usage type only when you create Receive connectors. After you create a connector, you can modify the available authentication mechanisms and permission groups in the EAC, or by using the Set-ReceiveConnector cmdlet in the Exchange Management Shell.

The available usage types are described in the following table.

| Usage type | Permission groups assigned | Authentication mechanisms available | Comments |
|---|---|---|---|
| Client | Exchange users (ExchangeUsers) | Transport Layer Security (TLS), Basic authentication (BasicAuth), Offer basic authentication only after starting TLS (BasicAuthRequireTLS), Integrated Windows authentication (Integrated) | Used by POP3 and IMAP4 clients that need to submit email messages by using authenticated SMTP. When you create a Receive connector of this usage type in the EAC or in the Exchange Management Shell, you can't select the local IP address bindings or TCP port. By default, this usage type is bound to all local IPv4 and IPv6 addresses on TCP port 587. You can change these bindings after you create the connector. This usage type isn't available on Edge Transport servers. |
| Custom | None selected (None) | Transport Layer Security (TLS) | Used in cross-forest scenarios, for receiving mail from third-party messaging servers, and for external relay. After you create a Receive connector of this usage type, you need to add permissions groups in the EAC or in the Exchange Management Shell. |
| Internal | Legacy Exchange servers (ExchangeLegacyServers), Exchange servers (ExchangeServers) | Transport Layer Security (TLS), Exchange Server authentication (ExchangeServers) | Used in cross-forest scenarios, for receiving mail from previous versions of Exchange, for receiving mail from third-party messaging servers, or on Edge Transport servers to receive outbound mail from the internal Exchange organization. When you create a Receive connector of this usage type in the EAC or in the Exchange Management Shell, you can't select the local IP address bindings or TCP port. By default, the connector is bound to all local IPv4 and IPv6 addresses on TCP port 25. You can change these bindings after you create the connector. The ExchangeLegacyServers permission group isn't available on Edge Transport servers. |
| Internet | Anonymous users (AnonymousUsers) | Transport Layer Security (TLS) | Used to receive mail from the Internet. When you create a Receive connector of this usage type in the EAC or in the Exchange Management Shell, you can't select the remote IP addresses. By default, the connector accepts remote connections from all IPv4 addresses (0.0.0.0-255.255.255.255). You can change these bindings after you create the connector. |
| Partner | Partners (Partners) | Transport Layer Security (TLS) | Used to configure secure communication with an external partner (mutual TLS authentication, also known as domain secure). |

Receive connector authentication mechanisms

Authentication mechanisms specify the logon and encryption settings that are used for incoming SMTP connections. You can configure multiple authentication mechanisms for a Receive connector. In the EAC, authentication mechanisms are available in the Security tab in the properties of the Receive connector. In the Exchange Management Shell, permission groups are available in the _AuthMechanisms_ parameter on the New-ReceiveConnector and Set-ReceiveConnector cmdlets.

The available authentication mechanisms are described in the following table.

| Authentication mechanism | Description |
|---|---|
| None selected (None) | No authentication. |
| Transport Layer Security (TLS) (TLS) | Advertise STARTTLS in the EHLO response. TLS encrypted connections require a server certificate that includes the name that the Receive connector advertises in the EHLO response. For more information, see Modify the SMTP banner on Receive connectors. Other Exchange servers in your organization trust the server's self-signed certificate, but clients and external servers typically use a trusted third-party certificate. |
| Basic authentication (BasicAuth) | Basic authentication (clear text). |
| Offer basic authentication only after starting TLS (BasicAuthRequireTLS) | Basic authentication that's encrypted with TLS. |
| Integrated Windows authentication (Integrated) | NTLM and Kerberos authentication. |
| Exchange Server authentication (ExchangeServer) | Generic Security Services application programming interface (GSSAPI) and Mutual GSSAPI authentication. |
| Externally secured (ExternalAuthoritative) | The connection is presumed to be secured by using a security mechanism that's external to Exchange. The connection may be an Internet Protocol security (IPsec) association or a virtual private network (VPN). Alternatively, the servers may reside in a trusted, physically controlled network. This authentication mechanism requires the ExchangeServers permission group. This combination of authentication mechanism and security group permits the resolution of anonymous sender email addresses for messages that are received through the connector. |

Receive connector permission groups

A permission group is a predefined set of permissions that's granted to well-known security principals and assigned to a Receive connector. Security principals include user accounts, computer accounts, and security groups (objects that are identifiable by a security identifier or SID that can have permissions assigned to them). Permission groups define who can use the Receive connector, and the permissions that they get. You can't create permission groups, nor can you modify the permission group members or the default permissions of the permission group.

In the EAC, permission groups are available in the Security tab in the properties of the Receive connector. In the Exchange Management Shell, permission groups are available in the _PermissionGroups_ parameter in the New-ReceiveConnector and Set-ReceiveConnector cmdlets.

The available permission groups are described in the following table.

| Permission group | Associated security principals | Permissions granted |
|---|---|---|
| Anonymous users (Anonymous) | NT AUTHORITY\ANONYMOUS LOGON | ms-Exch-Accept-Headers-Routing, ms-Exch-SMTP-Accept-Any-Sender, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, ms-Exch-SMTP-Submit |
| Exchange users (ExchangeUsers) | NT AUTHORITY\Authenticated Users | ms-Exch-Accept-Headers-Routing, ms-Exch-Bypass-Anti-Spam, ms-Exch-SMTP-Accept-Any-Recipient, ms-Exch-SMTP-Submit |
| Exchange servers (ExchangeServers) | <Domain>\Exchange Servers, MS Exchange\Edge Transport Servers, MS Exchange\Hub Transport Servers. Note: These security principals also have other internal permissions assigned to them. For more information, see the end of the Receive connector permissions section. | ms-Exch-Accept-Headers-Forest, ms-Exch-Accept-Headers-Organization, ms-Exch-Accept-Headers-Routing, ms-Exch-Bypass-Anti-Spam, ms-Exch-Bypass-Message-Size-Limit, ms-Exch-SMTP-Accept-Any-Recipient, ms-Exch-SMTP-Accept-Any-Sender, ms-Exch-SMTP-Accept-Authentication-Flag, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, ms-Exch-SMTP-Accept-Exch50, ms-Exch-SMTP-Submit |
| Exchange servers (ExchangeServers) | MS Exchange\Externally Secured Servers | ms-Exch-Accept-Headers-Routing, ms-Exch-Bypass-Anti-Spam, ms-Exch-Bypass-Message-Size-Limit, ms-Exch-SMTP-Accept-Any-Recipient, ms-Exch-SMTP-Accept-Any-Sender, ms-Exch-SMTP-Accept-Authentication-Flag, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, ms-Exch-SMTP-Accept-Exch50, ms-Exch-SMTP-Submit |
| Legacy Exchange servers (ExchangeLegacyServers) | <Domain>\ExchangeLegacyInterop | ms-Exch-Accept-Headers-Routing, ms-Exch-Bypass-Anti-Spam, ms-Exch-Bypass-Message-Size-Limit, ms-Exch-SMTP-Accept-Any-Recipient, ms-Exch-SMTP-Accept-Any-Sender, ms-Exch-SMTP-Accept-Authentication-Flag, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, ms-Exch-SMTP-Accept-Exch50, ms-Exch-SMTP-Submit |
| Partners (Partner) | MS Exchange\Partner Servers | ms-Exch-Accept-Headers-Routing, ms-Exch-SMTP-Submit |

The permissions are explained in the Receive connector permissions section later in this topic.

Receive connector permissions

Typically, you apply permissions to Receive connectors by using permission groups. However, you can configure granular permissions on a Receive connector by using the Add-ADPermission and Remove-ADPermission cmdlets.

Receive connector permissions are assigned to security principals by the permission groups for the connector. When an SMTP server or client establishes a connection to a Receive connector, the Receive connector permissions determine whether the connection is accepted, and how messages are processed.

The available Receive connector permissions are described in the following table.

| Receive connector permission | Description |
| --- | --- |
| ms-Exch-Accept-Headers-Forest | Controls the preservation of Exchange forest headers in messages. Forest header names start with X-MS-Exchange-Forest-. If this permission isn't granted, all forest headers are removed from messages. |
| ms-Exch-Accept-Headers-Organization | Controls the preservation of Exchange organization headers in messages. Organization header names start with X-MS-Exchange-Organization-. If this permission isn't granted, all organization headers are removed from messages. |
| ms-Exch-Accept-Headers-Routing | Controls the preservation of Received and Resent-* headers in messages. If this permission isn't granted, all of these headers are removed from messages. |
| ms-Exch-Bypass-Anti-Spam | Allows SMTP clients or servers to bypass antispam filtering. |
| ms-Exch-Bypass-Message-Size-Limit | Allows SMTP clients or servers to submit messages that exceed the maximum message size that's configured for the Receive connector. |
| ms-Exch-SMTP-Accept-Any-Recipient | Allows SMTP clients or servers to relay messages through the Receive connector. If this permission isn't granted, only messages that are sent to recipients in accepted domains that are configured for the Exchange organization are accepted by the Receive connector. |
| ms-Exch-SMTP-Accept-Any-Sender | Allows SMTP clients or servers to bypass the sender address spoofing check that normally requires the sender's email address to be in an accepted domain that's configured for the Exchange organization. |
| ms-Exch-SMTP-Accept-Authentication-Flag | Controls whether messages from SMTP clients or servers are treated as authenticated. If this permission isn't granted, messages from these sources are identified as external (unauthenticated). This setting is important for distribution groups that are configured to accept mail only from internal recipients (for example, the RequireSenderAuthenticationEnabled parameter value for the group is $true). |
| ms-Exch-SMTP-Accept-Authoritative-Domain-Sender | Allows access to the Receive connector by senders that have email addresses in authoritative domains that are configured for the Exchange organization. |
| ms-Exch-SMTP-Accept-Exch50 | Allows SMTP clients or servers to submit XEXCH50 commands on the Receive connector. The X-EXCH50 binary large object (BLOB) was used by older versions of Exchange (Exchange 2003 and earlier) to store Exchange data in messages (for example, the spam confidence level or SCL). |
| ms-Exch-SMTP-Submit | This permission is required to submit messages to Receive connectors. If this permission isn't granted, the MAIL FROM and AUTH commands will fail. |

Notes:

  • In addition to the documented permissions, there are permissions that are assigned to all of the security principals in the Exchange servers (ExchangeServers) permission group except MS Exchange\Externally Secured Servers. These permissions are reserved for internal Microsoft use, and are presented here for reference purposes only.

    • ms-Exch-SMTP-Accept-Xattr

    • ms-Exch-SMTP-Accept-XProxyFrom

    • ms-Exch-SMTP-Accept-XSessionParams

    • ms-Exch-SMTP-Accept-XShadow

    • ms-Exch-SMTP-Accept-XSysProbe

    • ms-Exch-SMTP-Send-XMessageContext-ADRecipientCache

    • ms-Exch-SMTP-Send-XMessageContext-ExtendedProperties

    • ms-Exch-SMTP-Send-XMessageContext-FastIndex

  • Permission names that contain ms-Exch-Accept-Headers- are part of the header firewall feature. For more information, see Header firewall.

Receive connector permission procedures

To see the permissions that are assigned to security principals on a Receive connector, use the following syntax in the Exchange Management Shell:

Get-ADPermission -Identity <ReceiveConnector> [-User <SecurityPrincipal>] | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

For example, to see the permissions that are assigned to all security principals on the Receive connector named Client Frontend Mailbox01, run the following command:

Get-ADPermission -Identity "Client Frontend Mailbox01" | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

To see the permissions that are assigned only to the security principal NT AUTHORITY\Authenticated Users on the Receive connector named Default Mailbox01, run the following command:

Get-ADPermission -Identity "Default Mailbox01" -User "NT AUTHORITY\Authenticated Users" | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

To add permissions to a security principal on a Receive connector, use the following syntax:

Add-ADPermission -Identity <ReceiveConnector> -User <SecurityPrincipal> -ExtendedRights "<Permission1>","<Permission2>"...

To remove permissions from a security principal on a Receive connector, use the following syntax:

Remove-ADPermission -Identity <ReceiveConnector> -User <SecurityPrincipal> -ExtendedRights "<Permission1>","<Permission2>"...
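
The following added example, which is not part of Microsoft's documentation, compares the explicit Allow entries that Get-ADPermission returns against the default rights listed in the permission group table and reports any extra right, such as ms-Exch-SMTP-Accept-Any-Recipient (relay) on NT AUTHORITY\ANONYMOUS LOGON. The function name Find-ExtraConnectorRight, the variable names, and the sample entries are assumptions constructed for illustration.

```powershell
# Default rights per principal, copied from the permission group table on this page.
$DocumentedDefaults = @{
    'NT AUTHORITY\ANONYMOUS LOGON' = @(
        'ms-Exch-Accept-Headers-Routing', 'ms-Exch-SMTP-Accept-Any-Sender',
        'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender', 'ms-Exch-SMTP-Submit')
    'NT AUTHORITY\Authenticated Users' = @(
        'ms-Exch-Accept-Headers-Routing', 'ms-Exch-Bypass-Anti-Spam',
        'ms-Exch-SMTP-Accept-Any-Recipient', 'ms-Exch-SMTP-Submit')
}

function Find-ExtraConnectorRight {   # hypothetical helper, not an Exchange cmdlet
    param(
        [Parameter(ValueFromPipeline = $true)] $Ace,
        [Parameter(Mandatory = $true)] [hashtable] $Defaults
    )
    process {
        # Same filter as the page's query: explicit Allow entries only.
        if ($Ace.Deny -or $Ace.IsInherited) { return }
        $user = [string]$Ace.User
        if (-not $Defaults.ContainsKey($user)) { return }
        foreach ($right in $Ace.ExtendedRights) {
            # Assumption: each extended right converts to its name as a string.
            if ($Defaults[$user] -notcontains [string]$right) {
                [pscustomobject]@{
                    Connector  = [string]$Ace.Identity
                    User       = $user
                    ExtraRight = [string]$right
                }
            }
        }
    }
}

# Constructed sample entries shaped like Get-ADPermission output (not real data).
# On an Exchange server, pipe in: Get-ReceiveConnector | Get-ADPermission
$sample = @(
    [pscustomobject]@{ Identity = 'Default Mailbox01'; User = 'NT AUTHORITY\ANONYMOUS LOGON'
        Deny = $false; IsInherited = $false
        ExtendedRights = @('ms-Exch-SMTP-Submit', 'ms-Exch-SMTP-Accept-Any-Recipient') }
    [pscustomobject]@{ Identity = 'Client Frontend Mailbox01'; User = 'NT AUTHORITY\Authenticated Users'
        Deny = $false; IsInherited = $false
        ExtendedRights = @('ms-Exch-SMTP-Submit', 'ms-Exch-SMTP-Accept-Any-Recipient') }
    [pscustomobject]@{ Identity = 'Default Mailbox01'; User = 'NT AUTHORITY\ANONYMOUS LOGON'
        Deny = $false; IsInherited = $true
        ExtendedRights = @('ms-Exch-Bypass-Anti-Spam') }
)

$sample | Find-ExtraConnectorRight -Defaults $DocumentedDefaults | Format-Table -AutoSize
```

A right reported here can be removed with the Remove-ADPermission syntax above once it's confirmed to be unintended.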