FET ports

FET == Front End Transport service in Exchange 2013. It is part of the Client Access Server (CAS) role and it accepts emails: it receives emails and sends emails. It is stateless, with no content inspection, queueing etc. Just a simple dude!

Here are the default receive connectors on an Exchange server. Three belong to the FET, two to HT (Hub Transport).

[screenshot: the five default receive connectors]

HubTransport is the Transport service on the Mailbox server role. 

These connectors are stored in AD under the configuration partition. Here are the ports these various connectors listen on:

[screenshot: receive connector port bindings]

FET listens on various ports:

  • Port 25 – for receiving emails from other servers. The receive connector for this is called Default Frontend <servername>. It accepts anonymous connections from external SMTP servers, but only for recipients in the accepted domains of this organization; anything else is rejected with 550 5.7.1 Unable to relay, so the default connector is not an open relay.
    • You can create additional receive connectors on port 25 if you want to accept anonymous connections for non-accepted domains too (i.e. set up an anonymous relay). See this and this for more info on how to do that. Basically you set up a new receive connector on port 25, restrict it to certain source IPs (the IPs from which you want to accept anonymous connections), and then you modify the AD security properties of the connector to grant NT AUTHORITY\ANONYMOUS LOGON the ms-Exch-SMTP-Accept-Any-Recipient extended right, which lets it submit to any recipient. (An alternate way detailed in the same article is to set the receive connector as Externally secured, which trusts the source IPs completely.) Keep the source IP list tight: a relay connector whose remote IP range is too broad is an open relay. I didn’t know the receive connectors were AD objects and you could assign ACLs to them, so I was pleased to learn that today. :)
  • Port 587 – for receiving emails from clients (such as IMAP4 & POP3 clients that expect an SMTP server where they can submit emails). The receive connector for this is called Client Frontend <servername>. This port does not accept anonymous connections; clients have to authenticate.
    • To clarify for myself because I have forgotten this from my past: port 465 is for mail submission where the TLS handshake begins immediately (implicit TLS), while on port 587 TLS starts only after the client sends a STARTTLS verb. What this means for Exchange is that port 587 can accept TLS connections, but chances are you will get a certificate error when trying to use TLS, because by default Exchange uses its self-signed certificate for SMTP. You must therefore assign a certificate whose name matches what clients connect to (the connector’s TlsCertificateName parameter) if you want TLS without warnings. Note that Exchange’s own port 465 is not an implicit-TLS submission port for clients (see the Client Proxy connector below); clients use 587 with STARTTLS. Thanks to RFC 8314 for reminding me of port 465 vs 587 and this FastMail page for some history.
  • Port 717 – for receiving emails from the Mailbox server role. The receive connector for this is called Outbound Proxy Frontend <servername>. This is only used if a send connector has the “proxy through client access server” option ticked (FrontendProxyEnabled in the shell). If this option is not ticked the Mailbox server sends external emails directly to external SMTP hosts. (The reason for proxying is that all outgoing emails then appear to come from the CAS rather than the Mailbox server – better from a security point of view, as the CAS is what is usually Internet exposed and the Mailbox server need not be reachable from, or reach out to, the Internet.)
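Here is the anonymous relay setup from the bullet above as an added example in Exchange Management Shell; this is not from the original post or from the articles it links to. The connector name, the CAS name and the two source IPs are assumptions, and the audit at the end is what I would run after the change.

```powershell
# Added example (not the post's own commands). Assumed names: CAS01, "Anonymous Relay",
# and two application servers 192.168.5.10/11 that need to relay to external recipients.

# 1. A custom FrontendTransport receive connector on port 25, limited to the two source IPs.
#    Exchange picks the connector whose RemoteIPRanges match the client most specifically,
#    so these two hosts land here instead of on "Default Frontend CAS01".
New-ReceiveConnector -Server CAS01 -Name "Anonymous Relay" -TransportRole FrontendTransport `
    -Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.5.10,192.168.5.11

# 2a. ACL method: allow anonymous connections, then grant ANONYMOUS LOGON the extended right
#     that permits submitting to recipients outside the accepted domains.
Set-ReceiveConnector "CAS01\Anonymous Relay" -PermissionGroups AnonymousUsers
Get-ReceiveConnector "CAS01\Anonymous Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 2b. Alternative (pick one, not both): treat the listed IPs as a trusted, "externally secured"
#     server. This grants far more than relay (the sender is trusted for headers, etc.),
#     so only use it when the source hosts are fully under your control.
# Set-ReceiveConnector "CAS01\Anonymous Relay" -PermissionGroups ExchangeServers -AuthMechanism ExternalAuthoritative

# 3. Verify: the relay right must exist only on this connector, and RemoteIPRanges must not
#    be the whole address space. (Assumed string form of the catch-all range.)
$rc = Get-ReceiveConnector "CAS01\Anonymous Relay"
$rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny -and $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table Identity, User, ExtendedRights -AutoSize
if ($rc.RemoteIPRanges | Where-Object { "$_" -eq "0.0.0.0-255.255.255.255" }) {
    Write-Warning "Relay connector is open to every IPv4 address: this is an open relay."
}
```

Because the relay right is an AD ACE on the connector object, removing the connector removes the permission with it; there is nothing left behind in the transport configuration.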

As you can see, the FET is for emails from other servers or SMTP clients. It is not used when someone sends an email via Outlook MAPI, for instance. This picture from the Microsoft docs on Exchange 2013 mail flow is worth putting here for future reference. As you can see, when Outlook MAPI is used to send an email it is stored in the mailbox database and the Mailbox Transport service picks it up from there. Outlook doesn’t send an email via SMTP to Exchange.

[diagram: Exchange 2013 mail flow, from the Microsoft docs]

The Mailbox server has two “mail flow” services running on it. 

  • The first of these is what we saw as HubTransport in the screenshots above. This is known as the Transport service in Exchange 2013 (though confusingly referred to by its Exchange 2010 name of Hub Transport in the GUI!) and is a stateful SMTP server – i.e. it does things like categorizing, queueing and content inspection, as in the screenshot immediately above.
  • The second of these is the Mailbox Transport service (which is really two services, Mailbox Transport Submission and Mailbox Transport Delivery, but I am going to ignore that here) and this one is stateless like the FET. Its role is to take mail from the mailbox database and/or inject mail into the mailbox database. It also interfaces with the Transport service to send & receive emails.

At this point it’s worth pointing to this older post of mine with some screenshots of these components to get a better picture of the components and flow. One more screenshot I’d like to add here is this one from the Mastering Exchange 2013 book.

[diagram: transport components, from Mastering Exchange 2013]

The Transport service (aka HubTransport) on the Mailbox server is pretty important (not that the Mailbox Transport service is any less important). The Transport service does content inspection etc. and has two receive connectors of its own. It listens on these ports:

  • Port 2525 (if the Mailbox & CAS roles are on the same server – in this case the CAS has already taken port 25 for itself) or Port 25 (if the Mailbox & CAS are on separate servers) – for many things (read on). The receive connector for this is called Default <servername>.
    • This port is used to receive emails from the FET for internal mailboxes, from the Transport service of other Mailbox servers, and from the Mailbox Transport service on itself or other servers.
    • Looking at the diagram from earlier (repeated below), the three incoming arrows are what it accepts emails from. The yellow “SMTP Receive” is the Transport service listening on port 2525 or 25. It accepts emails from the FET (arrow from the top), the Transport or Mailbox Transport service of other servers (arrow from the left), and the Mailbox Transport service on itself (arrow from below).

[diagram: the three inputs to the Transport service’s SMTP Receive]

  • Port 465 – this receives the client connections (IMAP4 & POP3 email clients) that the FET accepted on port 587 and proxied through to the Mailbox server; it is not exposed to clients directly. The receive connector for this is called Client Proxy <servername>.

To summarize, the important receive connectors to keep in mind for a typical Outlook/Exchange environment are 1) the FET receive connector on port 25 and 2) the HubTransport receive connector on port 2525 or 25. If you have IMAP4 & POP3 clients then 3) the FET receive connector on port 587 and 4) the HubTransport receive connector on port 465 also matter. And lastly, if you proxy outbound connections via the CAS then 5) the outbound proxy connector on port 717 also matters.
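To check that an organization actually matches the summary above, here is an added Exchange Management Shell audit that is not part of the original post. It lists every receive connector with its role, bindings, remote IP ranges and permission groups, and flags any connector that would let a remote host relay anonymously. The string form of the catch-all IP range is an assumption.

```powershell
# Added example (not the post's own commands): inventory receive connectors across the org
# and flag relay exposure. Run from the Exchange Management Shell.

$relayRight = "Ms-Exch-SMTP-Accept-Any-Recipient"
$anyV4 = "0.0.0.0-255.255.255.255"   # assumed ToString() of the default catch-all IPRange

$report = Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # Relay path 1: ANONYMOUS LOGON holds the Accept-Any-Recipient extended right on the connector.
    $anonRelay = Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and $_.ExtendedRights -like "*$relayRight*" }

    # Relay path 2: "externally secured" connectors trust the source completely.
    $extSecured = ($rc.AuthMechanism -match "ExternalAuthoritative") -and
                  ($rc.PermissionGroups -match "ExchangeServers")

    $openToAll = [bool]($rc.RemoteIPRanges | Where-Object { "$_" -eq $anyV4 })

    [PSCustomObject]@{
        Server           = $rc.Server
        Name             = $rc.Name
        Role             = $rc.TransportRole          # FrontendTransport vs HubTransport
        Bindings         = ($rc.Bindings -join ", ")  # expect 25/587/717 on FET, 2525|25/465 on HT
        RemoteIPRanges   = ($rc.RemoteIPRanges -join ", ")
        PermissionGroups = "$($rc.PermissionGroups)"
        AnonymousRelay   = [bool]$anonRelay -or $extSecured
        OpenRelayRisk    = ([bool]$anonRelay -or $extSecured) -and $openToAll
    }
}

$report | Sort-Object Server, Name | Format-Table -AutoSize

# Anything here is a relay connector reachable from every IPv4 address: fix before anything else.
$report | Where-Object OpenRelayRisk | ForEach-Object {
    Write-Warning "Open relay risk: $($_.Server)\$($_.Name) ($($_.Role)) on $($_.Bindings)"
}
```

The five default connectors should all show AnonymousRelay as False; only a deliberately created relay connector (restricted to a short RemoteIPRanges list) should be True, and nothing should ever show OpenRelayRisk.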