Network ports for clients and mail flow in Exchange

This topic provides information about the network ports that are used by Exchange Server 2016 and Exchange Server 2019 for communication with email clients, internet mail servers, and other services that are external to your local Exchange organization. Before we get into that, understand the following ground rules:

  • We don't support restricting or altering network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers, in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of internal network traffic, you need to configure rules that allow free and unrestricted communication between these servers: rules that allow incoming and outgoing network traffic on any port (including random RPC ports) and any protocol, and that never alter bits on the wire.

  • Edge Transport servers are almost always located in a perimeter network, so it's expected that you'll restrict network traffic between the Edge Transport server and the internet, and between the Edge Transport server and your internal Exchange organization. These network ports are described in this topic.

  • It's expected that you'll restrict network traffic between external clients and services and your internal Exchange organization. It's also OK if you decide to restrict network traffic between internal clients and internal Exchange servers. These network ports are described in this topic.

Network ports required for clients and services

The network ports that are required for email clients to access mailboxes and other services in the Exchange organization are described in the following diagram and table.

Notes:

  • The destination for these clients and services is the Client Access services on a Mailbox server. In Exchange 2016 and Exchange 2019, the Client Access (frontend) and backend services are installed together on the same Mailbox server. For more information, see Client Access protocol architecture.

  • Although the diagram shows clients and services from the internet, the concepts are the same for internal clients (for example, clients in an accounts forest accessing Exchange servers in a resource forest). Similarly, the table doesn't have a Source column, because the source could be any location that's external to the Exchange organization (for example, the internet or an accounts forest).

  • Edge Transport servers have no involvement in the network traffic that's associated with these clients and services.

[Diagram: Network ports required for clients and services]

Purpose: Encrypted web connections, used by the following clients and services:
  • Autodiscover service
  • Exchange ActiveSync
  • Exchange Web Services (EWS)
  • Offline address book (OAB) distribution
  • Outlook Anywhere (RPC over HTTP)
  • Outlook MAPI over HTTP
  • Outlook on the web (formerly known as Outlook Web App)
Ports: 443/TCP (HTTPS)
Comments: For more information about these clients and services, see the following topics: Autodiscover service in Exchange Server; Exchange ActiveSync; EWS reference for Exchange; Offline address books in Exchange Server; Outlook Anywhere; MAPI over HTTP in Exchange Server.

Purpose: Unencrypted web connections, used by the following clients and services:
  • Internet calendar publishing
  • Outlook on the web (redirect to 443/TCP)
  • Autodiscover (fallback when 443/TCP isn't available)
Ports: 80/TCP (HTTP)
Comments: Whenever possible, we recommend using encrypted web connections on 443/TCP to help protect data and credentials. However, you may find that some services must be configured to use unencrypted web connections on 80/TCP to the Client Access services on Mailbox servers. For more information about these clients and services, see the following topics: Enable Internet Calendar Publishing; Autodiscover service in Exchange Server.

Purpose: IMAP4 clients
Ports: 143/TCP (IMAP), 993/TCP (secure IMAP)
Comments: IMAP4 is disabled by default. For more information, see POP3 and IMAP4 in Exchange Server. The IMAP4 service in the Client Access services on the Mailbox server proxies connections to the IMAP4 Backend service on a Mailbox server.

Purpose: POP3 clients
Ports: 110/TCP (POP3), 995/TCP (secure POP3)
Comments: POP3 is disabled by default. For more information, see POP3 and IMAP4 in Exchange Server. The POP3 service in the Client Access services on the Mailbox server proxies connections to the POP3 Backend service on a Mailbox server.

Purpose: SMTP clients (authenticated)
Ports: 587/TCP (authenticated SMTP)
Comments: The default Receive connector named "Client Frontend <Server name>" in the Front End Transport service listens for authenticated SMTP client submissions on port 587.

Note: If you have email clients that are only able to submit authenticated SMTP email on port 25, you can modify the network adapter bindings of the client Receive connector to also listen for authenticated SMTP email submissions on port 25.
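The following script is an added example (it is not part of the original article) that checks the client-facing ports from the table above from a host outside the Exchange organization, flags listeners that accept clear-text connections, and then shows the Receive connector binding change that the note describes. The external name mail.contoso.com, the Mailbox server name MBX01 and the dedicated IP address 10.0.0.6 are assumptions for illustration.

```powershell
# Added example: verify the client-access ports from the table above and
# review/modify the "Client Frontend" Receive connector bindings.
# Host names, server names and IP addresses below are hypothetical.

$ExternalName = 'mail.contoso.com'   # assumed external name of the Client Access services

# Ports from the table. "Clear" marks listeners that accept a clear-text TCP session
# (80 is never encrypted; 587, 143 and 110 start in clear text and upgrade with STARTTLS).
$ClientPorts = @(
    @{ Purpose = 'HTTPS (Autodiscover, EAS, EWS, OAB, Outlook Anywhere, MAPI/HTTP, OWA)'; Port = 443; Clear = $false },
    @{ Purpose = 'HTTP (calendar publishing, OWA redirect, Autodiscover fallback)';          Port = 80;  Clear = $true  },
    @{ Purpose = 'IMAP4 (disabled by default)';                                              Port = 143; Clear = $true  },
    @{ Purpose = 'Secure IMAP4 (disabled by default)';                                       Port = 993; Clear = $false },
    @{ Purpose = 'POP3 (disabled by default)';                                               Port = 110; Clear = $true  },
    @{ Purpose = 'Secure POP3 (disabled by default)';                                        Port = 995; Clear = $false },
    @{ Purpose = 'Authenticated SMTP client submission';                                     Port = 587; Clear = $true  }
)

function Test-ExchangeClientPorts {
    param([string]$ComputerName, [hashtable[]]$Ports)
    foreach ($p in $Ports) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $note = ''
        if ($open -and $p.Clear) {
            $note = 'clear-text listener exposed; confirm TLS/STARTTLS is enforced before authentication'
        }
        [pscustomobject]@{ Port = $p.Port; Purpose = $p.Purpose; Reachable = $open; Note = $note }
    }
}

Test-ExchangeClientPorts -ComputerName $ExternalName -Ports $ClientPorts | Format-Table -AutoSize

# --- Run the rest in the Exchange Management Shell on the Mailbox server ---

# Which frontend Receive connectors listen on which IP:port, and who may use them.
Get-ReceiveConnector -Server 'MBX01' |
    Where-Object { $_.TransportRole -eq 'FrontendTransport' } |
    Format-Table Name, Bindings, PermissionGroups -AutoSize

# The note above: let the client submission connector also accept port 25.
# Exchange rejects a binding that overlaps another connector on the same IP:port with the
# same RemoteIPRanges ("Default Frontend MBX01" already owns 0.0.0.0:25), so port 25 for
# client submission is bound to a second, dedicated IP address (10.0.0.6 is assumed).
Set-ReceiveConnector -Identity 'MBX01\Client Frontend MBX01' `
    -Bindings '0.0.0.0:587', '10.0.0.6:25'
```

Run the first half from the network the clients actually use (the internet or the accounts forest); a port that is reachable from the Mailbox server itself says nothing about what the perimeter firewall allows.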

Network ports required for mail flow

How mail is delivered to and from your Exchange organization depends on your Exchange topology. The most important factor is whether you have a subscribed Edge Transport server deployed in your perimeter network.

Network ports required for mail flow (no Edge Transport servers)

The network ports that are required for mail flow in an Exchange organization that has only Mailbox servers are described in the following diagram and table.

[Diagram: Network ports required for mail flow (no Edge Transport servers)]

Purpose: Inbound mail
Ports: 25/TCP (SMTP)
Source: Internet (any)
Destination: Mailbox server
Comments: The default Receive connector named "Default Frontend <Mailbox server name>" in the Front End Transport service listens for anonymous inbound SMTP mail on port 25. Mail is relayed from the Front End Transport service to the Transport service on a Mailbox server using the implicit and invisible intra-organization Send connector that automatically routes mail between Exchange servers in the same organization. For more information, see Implicit Send connectors.

Purpose: Outbound mail
Ports: 25/TCP (SMTP)
Source: Mailbox server
Destination: Internet (any)
Comments: By default, Exchange doesn't create any Send connectors that allow you to send mail to the internet. You have to create Send connectors manually. For more information, see Create a Send connector to send mail to the internet.

Purpose: Outbound mail (if proxied through the Front End Transport service)
Ports: 25/TCP (SMTP)
Source: Mailbox server
Destination: Internet (any)
Comments: Outbound mail is proxied through the Front End Transport service only when a Send connector is configured with "Proxy through Client Access server" in the Exchange admin center, or with -FrontEndProxyEnabled $true in the Exchange Management Shell. In this case, the default Receive connector named "Outbound Proxy Frontend <Mailbox server name>" in the Front End Transport service listens for outbound mail from the Transport service on a Mailbox server. For more information, see Configure Send connectors to proxy outbound mail.

Purpose: DNS for name resolution of the next mail hop (not pictured)
Ports: 53/UDP, 53/TCP (DNS)
Source: Mailbox server
Destination: DNS server
Comments: See the Name resolution section in this topic.
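The following Exchange Management Shell commands are an added example (not from the original article) for the Mailbox-server-only topology in the table above: they create the internet Send connector that Exchange does not create for you, turn on proxying through the Front End Transport service, and then check that the only frontend listener on 25/TCP is the anonymous "Default Frontend" connector and that no connector hands anonymous senders the right to relay. Server and connector names are assumptions.

```powershell
# Added example (not the article's own commands). Server names are hypothetical.

# 1. Outbound mail: Exchange creates no internet Send connector, so create one.
#    DNS routing resolves the MX record of each destination domain (53/UDP and 53/TCP
#    to your DNS servers); the source servers need 25/TCP out to the internet.
New-SendConnector -Name 'Internet' -Internet -AddressSpaces 'SMTP:*;1' `
    -SourceTransportServers 'MBX01', 'MBX02' -DNSRoutingEnabled $true

# 2. Optionally proxy outbound mail through the Front End Transport service
#    (the "Proxy through Client Access server" setting in the EAC). Proxying happens
#    only for Send connectors that have this flag set.
Set-SendConnector -Identity 'Internet' -FrontEndProxyEnabled $true

Get-SendConnector |
    Format-Table Name, AddressSpaces, SourceTransportServers, DNSRoutingEnabled, FrontEndProxyEnabled -AutoSize

# 3. Inbound mail: list every Receive connector bound to port 25 on the server. The table
#    expects "Default Frontend MBX01" (TransportRole FrontendTransport, anonymous allowed).
Get-ReceiveConnector -Server 'MBX01' |
    Where-Object { $_.Bindings -match ':25$' } |
    Format-Table Name, TransportRole, Bindings, PermissionGroups, RemoteIPRanges -AutoSize

# 4. Open-relay check: an anonymous listener on 25 is expected, but anonymous senders must
#    not hold ms-Exch-SMTP-Accept-Any-Recipient (that right is what makes a connector relay
#    to external domains). Any hit here deserves a closer look at its RemoteIPRanges.
Get-ReceiveConnector -Server 'MBX01' |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table Identity, ExtendedRights -AutoSize
```

Step 4 goes slightly beyond the table: the page only says the connector accepts anonymous mail, but the distinction between accepting mail for your own recipients and relaying to any recipient is the one that matters when that listener is exposed to the internet.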

Network ports required for mail flow with Edge Transport servers

A subscribed Edge Transport server that's installed in your perimeter network affects mail flow in the following ways:

  • Outbound mail from the Exchange organization never flows through the Front End Transport service on Mailbox servers. Mail always flows from the Transport service on a Mailbox server in the subscribed Active Directory site to the Edge Transport server (regardless of the version of Exchange on the Edge Transport server).

  • Inbound mail flows from the Edge Transport server to a Mailbox server in the subscribed Active Directory site. Specifically:

    • Mail from an Exchange 2013 or later Edge Transport server first arrives at the Front End Transport service before it flows to the Transport service on an Exchange 2016 or Exchange 2019 Mailbox server.

    • In Exchange 2016, mail from an Exchange 2010 Edge Transport server is always delivered directly to the Transport service on an Exchange 2016 Mailbox server. Note that coexistence with Exchange 2010 isn't supported in Exchange 2019.

For more information, see Mail flow and the transport pipeline.

The network ports that are required for mail flow in Exchange organizations that have Edge Transport servers are described in the following diagram and table.

[Diagram: Network ports required for mail flow (with Edge Transport servers)]

Purpose: Inbound mail - internet to Edge Transport server
Ports: 25/TCP (SMTP)
Source: Internet (any)
Destination: Edge Transport server
Comments: The default Receive connector named "Default internal Receive connector <Edge Transport server name>" on the Edge Transport server listens for anonymous SMTP mail on port 25.

Purpose: Inbound mail - Edge Transport server to internal Exchange organization
Ports: 25/TCP (SMTP)
Source: Edge Transport server
Destination: Mailbox servers in the subscribed Active Directory site
Comments: The default Send connector named "EdgeSync - Inbound to <Active Directory site name>" relays inbound mail on port 25 to any Mailbox server in the subscribed Active Directory site. For more information, see Send connectors created automatically by the Edge Subscription. The default Receive connector named "Default Frontend <Mailbox server name>" in the Front End Transport service on the Mailbox server listens for all inbound mail (including mail from Exchange 2013 or later Edge Transport servers) on port 25.

Purpose: Outbound mail - internal Exchange organization to Edge Transport server
Ports: 25/TCP (SMTP)
Source: Mailbox servers in the subscribed Active Directory site
Destination: Edge Transport servers
Comments: Outbound mail always bypasses the Front End Transport service on Mailbox servers. Mail is relayed from the Transport service on any Mailbox server in the subscribed Active Directory site to an Edge Transport server using the implicit and invisible intra-organization Send connector that automatically routes mail between Exchange servers in the same organization. The default Receive connector named "Default internal Receive connector <Edge Transport server name>" on the Edge Transport server listens for SMTP mail on port 25 from the Transport service on any Mailbox server in the subscribed Active Directory site.

Purpose: Outbound mail - Edge Transport server to internet
Ports: 25/TCP (SMTP)
Source: Edge Transport server
Destination: Internet (any)
Comments: The default Send connector named "EdgeSync - <Active Directory site name> to Internet" relays outbound mail on port 25 from the Edge Transport server to the internet.

Purpose: EdgeSync synchronization
Ports: 50636/TCP (secure LDAP)
Source: Mailbox servers in the subscribed Active Directory site that participate in EdgeSync synchronization
Destination: Edge Transport servers
Comments: When the Edge Transport server is subscribed to the Active Directory site, all Mailbox servers that exist in the site at the time participate in EdgeSync synchronization. However, any Mailbox servers that you add later don't automatically participate in EdgeSync synchronization.

Purpose: DNS for name resolution of the next mail hop (not pictured)
Ports: 53/UDP, 53/TCP (DNS)
Source: Edge Transport server
Destination: DNS server
Comments: See the Name resolution section later in this topic.

Purpose: Open proxy server detection in sender reputation (not pictured)
Ports: See comments
Source: Edge Transport server
Destination: Internet
Comments: By default, sender reputation (the Protocol Analysis agent) uses open proxy server detection as one of the criteria to calculate the sender reputation level (SRL) of the source messaging server. For more information, see Sender reputation and the Protocol Analysis agent. Open proxy server detection uses the following protocols and TCP ports to test source messaging servers for open proxies:
  • SOCKS4, SOCKS5: 1081, 1080
  • Wingate, Telnet, Cisco: 23
  • HTTP CONNECT, HTTP POST: 6588, 3128, 80
Also, if your organization uses a proxy server to control outbound internet traffic, you need to define the proxy server name, type, and TCP port that sender reputation requires to access the internet for open proxy server detection. Alternatively, you can disable open proxy server detection in sender reputation. For more information, see Sender reputation procedures.
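The following script is an added example (not from the original article) for the Edge topology in the table above. The first part runs on a Mailbox server in the subscribed site and confirms the two legs to the Edge Transport server, 25/TCP for mail and 50636/TCP for EdgeSync, then checks synchronization state. The second part runs on the Edge Transport server and shows the two sender reputation choices the last row describes: point open proxy detection at your outbound proxy, or turn it off. Server names, the proxy name and its port are assumptions.

```powershell
# Added example (not the article's own commands). Names below are hypothetical.

# --- Part 1: on a Mailbox server in the subscribed Active Directory site ---

$EdgeServer = 'EDGE01.perimeter.contoso.com'   # assumed Edge Transport server

# The two connections a Mailbox server opens toward the Edge server, from the table.
$EdgeLegs = @(
    @{ Port = 25;    Purpose = 'SMTP: Transport service -> Default internal Receive connector' },
    @{ Port = 50636; Purpose = 'Secure LDAP: EdgeSync synchronization' }
)

function Test-EdgeLegs {
    param([string]$ComputerName, [hashtable[]]$Legs)
    foreach ($leg in $Legs) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $leg.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $leg.Port; Purpose = $leg.Purpose; Reachable = $open }
    }
}

Test-EdgeLegs -ComputerName $EdgeServer -Legs $EdgeLegs | Format-Table -AutoSize

# Synchronization state as seen from this site. A Mailbox server added after the Edge
# Subscription was created does not take part in EdgeSync on its own, so run this from
# the server you expect to be synchronizing.
Test-EdgeSynchronization | Format-List Name, SyncStatus, LeaseHolder, LastSynchronizedUtc

# Force a synchronization pass from a specific Mailbox server (MBX01 is assumed).
Start-EdgeSynchronization -Server 'MBX01'

# --- Part 2: on the Edge Transport server ---

# The connectors that the Edge Subscription created: inbound relay to the subscribed
# site and outbound delivery to the internet, both on port 25.
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts, Port -AutoSize
Get-ReceiveConnector | Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize

# Current sender reputation settings, including open proxy detection.
Get-SenderReputationConfig |
    Format-List OpenProxyDetectionEnabled, ProxyServerType, ProxyServerName, ProxyServerPort, SrlBlockThreshold

# The probes from the table need outbound access to these TCP ports on arbitrary sender
# addresses; if the perimeter firewall blocks them, detection silently stops contributing.
$OpenProxyProbePorts = 1080, 1081, 23, 6588, 3128, 80

# Option A: outbound traffic leaves only through a proxy, so tell the Protocol Analysis
# agent how to reach the internet (proxy name, port and type are assumed).
Set-SenderReputationConfig -ProxyServerType HttpConnect `
    -ProxyServerName 'proxy.perimeter.contoso.com' -ProxyServerPort 3128

# Option B: don't let the Edge server probe sender IPs on $OpenProxyProbePorts at all.
Set-SenderReputationConfig -OpenProxyDetectionEnabled $false
```

Choose one of the two options at the end, not both: option B makes the proxy settings irrelevant, and leaving detection enabled behind a firewall that drops the probe ports gives you the egress traffic without the reputation signal.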

Name resolution

DNS resolution of the next mail hop is a fundamental part of mail flow in any Exchange organization. Exchange servers that are responsible for receiving inbound mail or delivering outbound mail must be able to resolve both internal and external host names for proper mail routing. And all internal Exchange servers must be able to resolve internal host names for proper mail routing. There are many different ways to design a DNS infrastructure, but the important result is to ensure that name resolution for the next hop is working properly for all of your Exchange servers.
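The following function is an added example (not from the original article) of checking next-hop resolution the way an SMTP server does it: it looks up the destination domain's MX records, orders them by preference, falls back to the domain's own A record when there is no MX (the implicit MX rule of RFC 5321), recognizes a "null MX" record that means the domain accepts no mail, and then tests 25/TCP to each resolved address. Run it on the server that will make the delivery (a Mailbox server without Edge, or the Edge Transport server), so that it uses that server's DNS configuration. The domain name is hypothetical.

```powershell
# Added example (not the article's own code). Domain names are hypothetical.

function Get-NextMailHop {
    param([Parameter(Mandatory)][string]$Domain)

    # Resolve-DnsName returns the MX records plus any additional records; keep only MX.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference

    if (-not $mx) {
        # No MX record: RFC 5321 says deliver to the domain's own address record.
        $mx = @([pscustomobject]@{ NameExchange = $Domain; Preference = 0 })
    }
    elseif ($mx.Count -eq 1 -and $mx[0].NameExchange -eq '.') {
        # "Null MX" (a single record whose exchange is "."): the domain accepts no mail.
        return [pscustomobject]@{ Domain = $Domain; Host = '(null MX)'; Preference = 0; IPAddress = $null; Smtp25 = $false }
    }

    foreach ($rec in $mx) {
        $addresses = Resolve-DnsName -Name $rec.NameExchange -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } |
                     Select-Object -ExpandProperty IPAddress

        if (-not $addresses) {
            # An MX host with no A record is a dead hop; report it rather than skipping silently.
            [pscustomobject]@{ Domain = $Domain; Host = $rec.NameExchange; Preference = $rec.Preference; IPAddress = $null; Smtp25 = $false }
            continue
        }

        foreach ($ip in $addresses) {
            $open = Test-NetConnection -ComputerName $ip -Port 25 -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Domain = $Domain; Host = $rec.NameExchange; Preference = $rec.Preference; IPAddress = $ip; Smtp25 = $open }
        }
    }
}

# Lowest Preference is tried first; every listed host should answer on 25/TCP from this server.
Get-NextMailHop -Domain 'example.com' | Format-Table -AutoSize
```

If the MX lookup succeeds but 25/TCP fails for every hop, the problem is the outbound firewall rule from the table rather than DNS; if the lookup itself returns nothing for a domain you know is valid, check which DNS servers the transport service is configured to use before touching the connectors.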

Network ports required for hybrid deployments

The network ports that are required for an organization that uses both on-premises Exchange and Microsoft 365 or Office 365 are covered in Hybrid deployment protocols, ports, and endpoints.

Network ports required for Unified Messaging in Exchange 2016

The network ports that are required for Unified Messaging in Exchange 2013 and Exchange 2016 are covered in the topic UM protocols, ports, and services.