Just need an aspect of Receive Connectors of Exchange 2010 clarified:

The authentication tab has about 5 to 7 options.
Am I correct in thinking that these authentication methods are offered, if the sending server wants to avail them, but are not required?

In other words, you can check all the boxes and will still be able to receive emails without any authentication if permissions match. Correct?

Finally, I have seen TLS authentication enabled for Internet Receive Connectors, with Annonymous permission. Is not TLS an exception rather than a rule for Internet mail traffic?


asked 12/07/2011 12:48

Akulsh's gravatar image

Akulsh ♦♦

6 Answers:

the authentication methods in the authentication tab will be matched by negotiation "between client and server or between server-server" usually receive connectors are used to authenticate servers between each other unless you are using a client which will use SMTP directly to send e-mails "pop3 or IMAP4 clients".
Because it is based on negotiations, the best matched authentication "the strongest that can be agreed between the server and the other party" will be used. Now I do not recommend you to enable all of them as the last one in the list "Externally Secured" will make your exchange an open relay "something you don not want to happen".

For TLS , yes for internet use is not common, but the Hub Transport servers and the Edge transport servers will be using TLS by default to deliver messages between themselves.


aymanq's gravatar image


Thanks. Your answer is very detailed but I was aware of most of what you said, except the last paragraph..

However, you have not answered my core question:
Irrespective of the number of boxes checked, you will receive emails WITHOUT ANY AUTHENITCATION if permissions match. Correct?

In other words, are all authenitcations optional here?

answered 2011-12-07 at 21:43:07

Akulsh's gravatar image


Use the Authentication tab to configure security options for incoming SMTP connections:

•Transport Layer Security (TLS)   Select this option to offer Transport Layer Security (TLS) transmission for all messages received by this connector. When you select this option, the STARTTLS keyword is advertised in the EHLO response to connecting SMTP servers, and TLS authentication is accepted.

• Enable Domain Security (Mutual Auth TLS)   To instruct this Receive connector to accept a mutual TLS connection from a remote server, select this check box. There are additional configuration steps required before you can enable mutual TLS. For more information about configuring mutual TLS, see Using Domain Security: Configuring Mutual TLS.

•Basic Authentication   Select this option to offer Basic authentication for all mail received by this connector. When you select Basic Authentication, the AUTH keyword is advertised in the EHLO response to connecting SMTP servers, and Basic authentication is accepted. Because the user name and password are sent in plaintext when Basic authentication is used, Basic authentication without encryption isn't recommended.

• Offer Basic Authentication only after starting TLS   When you select this option, the connector starts TLS first, and then after TLS encryption is complete, the connector offers Basic authentication.
Exchange Server authentication   Select this option to authenticate by using an Exchange authentication mechanism, such as TLS direct trust or Kerberos through TLS.

•Integrated Windows authentication   Select this option to use Integrated Windows authentication, which represents NTLM, Kerberos, and Negotiate authentication mechanisms.

•Externally Secured (for example, with IPsec)   Use this option if the incoming connections to this Receive connector are secured by external means. For example, use this option if the connection is physically secured over a private network or by using Internet Protocol security (IPsec). When you select this option, you make an assertion of external security that can't be programmatically verified by Exchange. Before you select this authentication method, you must first select the Exchange servers permissions group on the Permission Groups tab

answered 2011-12-07 at 22:08:30

neotiwary's gravatar image



Thanks for all this info, I appreciate your spending time on this issue. But please read my previous 2 postings to know what I am asking. Thanks.

answered 2011-12-07 at 22:44:38

Akulsh's gravatar image


After many days of research, I concluded:

The sort answer is NO, except in case of Anonymous permission group. For this group, no authentication is needed so it does not matter what you select.

Otherwise Permission Groups and Authentication methods work Only in Certain Combinations. For example,
- Exchange Users setting only works with Basic or Integrated Windows authentication
- Exchange Servers setting only works with Exchange Server & Externally Secured authentications.

Other combinations are very rarely used, it seems.
Finally, TLS authentication is optional and thus can be chosen any time, but it is usually used between Exchange servers.

answered 2011-12-08 at 01:46:36

Akulsh's gravatar image


Other two users can comment on how helpful is my final posting.

(I am little disppointed that on the subject of Exchange 2010, no one else really came up with succinct answer. I would have raised the points since , now I know, this is a rather complex topic.)


answered 2011-12-13 at 22:27:05

Akulsh's gravatar image


Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments



Asked: 12/07/2011 12:48

Seen: 344 times

Last updated: 12/17/2011 05:21