Understanding Exchange 2013 Mail Flow – ExchangeMs.In

With Exchange 2013 now there is no HUB Transport Role in other words it is divided and merged between Client Access & Mailbox Server Role. There are very good reasons and benefits too behind the architectural changes but at the same time Exchange Admins has to update its knowledge with this new mail flow concept.

While going through the TechNet documentation I found it to be interesting and enjoyed going through each topics on mail flow, thought of sharing the knowledge of basic mail flow how it works in an Exchange 2013 via this article.

There are three main services with regards to mail flow in Exchange 2013 as mentioned below:

  • Front End Transport Service – This is runs on CAS Servers and acts as a stateless proxy server. It takes care of all the inbound and outbound external SMTP traffic for Exchange 2013 Organizaiton
  • Transport Service – This service runs on Mailbox Servers and is virtually identical to the HUB Transport role in previous version. This service handles all the mail flow for the organization
  • Mailbox Transport Service – This service runs on Mailbox Server and consist of two separate types: the Mailbox Transport Submission & Mailbox Delivery Transport Service. Since Transport service never communicate directly with mailbox database, the task is now handled by the Mailbox Transport Service.

Below is the mail flow topology diagram of Exchange 2013 Organization @High Level

Mail Flow



Scenario A – User@externaldomain.com sends email to UserA@exchangems.in

  1. Externaldomain.com SMTP Server queries internet domain exchangems.in for MX record and it sees pointed to the firewall listening on port 25
  2. Since we have Smart Host setup in the DMZ network – the email is forwarded to the CAS server behind the DMZ network on port 25
  3. Exchange 2013 CAS accepts the email using receive connector (by default it has anonymous option checked unlike its previous version Exchange 2007/10).
  4. Exchange 2013 being stateless doesn’t hold the email which then proxies the SMTP request using Front End Transport Service to Transport service (Equivalent to MS Transport Service in legacy version – 2007/10) on the Mailbox Server role.
  5. The Transport service on Mailbox Server then categorizes the email, performs message content inspection, etc. Since it doesn’t connects directly to Mailbox database it sends email to the Mailbox Transport Service over port 25
  6. The Mailbox Transport Service is again divided into two service out of which Mailbox Transport Delivery service receives SMTP message from Transport service
  7. The Mailbox Transport Delivery Service using Store Driver would connect to the mailbox database via RPC and deliver the e-mail to the mailbox database

Note: If the mailbox is in different mailbox server DB – The message received at Transport service would route the email to Transport Service on the destination Mailbox Server via SMTP on port 25 and the process continues from Transport service to Mailbox Transport Delivery service as mentioned above.

Scenario B – UserB@exchangems.in sends email to User@externaldomain.com

  1. The Mailbox Transport Submission service using Store Driver would connect to the mailbox database via RPC and pull the e-mail
  2. The Mailbox Transport submission would try to resolve the recipient to its mailbox database and look up for the delivery group
  3. The Transport service on the mailbox server will receive the e-mail sent over SMTP from the Mailbox Transport Submission service using its default receive connector (on port 25)
  4. The categorizer then picks up message from submission queue and since it is external domain (outbound to internet) the message is routed to the Front End transport service on CAS server using the send connector
  5. Since we have configured the Smart Host on the Send Connector, the CAS Server Front End Service would route the email to Smart Host on port 25
  6. Smart Host would then query on the internet for the MX record of externaldomain.com for message delivery

Note: If the recipient was of the same organization(UserA@exchangems.in) but on the other mailbox server database, the transport service instead of forwarding message to CAS server frond end service it would directly connect to other mailbox server transport service on port 25 and the process continues as above mentioned in scenario A delivering message to database.


For the in-depth process and its working please refer TechNet Documentation.

This entry was posted in Exchange Servers. Bookmark the permalink.

29 Responses to Understanding Exchange 2013 Mail Flow – ExchangeMs.In

  1. sajid says:

    great man..after a long long time..i finely understand it..
    can you tell me why we mention mailbox server in our Send connector ? we should mention CAS server because CAS is delivering mail out side..
    plz help.

    • If CAS / MBX installed on different box they talk via connectors, outgoing emails via MBX servers connects to CAS. There is a receive connector named Outbound Proxy Frontend on CAS that listens on this port(717)

      This is not deep dive mailflow explaination as there are few more ports like 717/587/465/2525 where transport services talks to each other and what I recommend is to see Ross Smith’s TechEd 2013 Transport Architecture video for thorough understanding of the mail flow.

      • sajid says:

        As you said
        “If CAS / MBX installed on different box they talk via connectors, outgoing emails via MBX servers connects to CAS.”
        so its means that outgoing mail come from hub transport service on mailbox to Frontend CAS services thats why we select mailbox server when creating Send connectors right ?

      • You are partially right – There is nothing called HUB transport service.

        CAS – Front End Transport Service
        MBX – Transport Service / Mailbox Transport Service(Mailbox Submission Transport Service + Mailbox Delivery Transport Service)

        E.g. When outlook user tries to send email to external recipient.

        1. Mailbox Submission service picks the mail from mailbox’s outbox and submits to Mailbox Transport service
        2. Since Mailbox Transport Service is statleless(it proxies you can say) via SMTP submits to Transport Service(which is statefull which queues and categorizes the emails)
        3. Since the email is external it will connect to the CAS on 717 port and CAS server sends out to internet on Port 25.
        4. Lets say if the recipient was another user’s mailbox on different database on another mailbox server in the same site or another the Transport Service on Mailbox server would connect to the Transport Service of the Mailbox server where the user’s mailbox database resides.
        5. Mailbox Transport service can only talk to the local Transport service on the same mailbox server
        6. Transport service on the local mailbox server can directly talk to transport service on the other mailbox server which it did on Step 4. as mentioned above.

        I hope you learned mail flow routing in details with me – Enjoy 🙂

      • sajid says:

        thanks man…you will make me MVP.. hahaha joke a part..i have few other question i will ask when you will get free.. as i took most of your time.. thanks again..

  2. Sure – Email me if you have any 🙂

    • sajid says:

      i have a question for incoming mail load balancing. for example we have a arry of Cas servers which we load balance with windows NLB (for this example) which give us a virtual ip of NLB by which our client connect to CAS Arry on port 443 right.
      (1) can we use that ip for incoming mail load balancing mean for port 25 when mail come to our office/domain/site it hit that ip and then NLB decide which CAS server will handle that incoming mail (because of front-end transport service) or in other words can we mention that virtual IP on our smart host/spam filters ?
      (2) or we have to mention all actual ip addresses of CAS servers who are in arry for incoming mail ? mean no load balancing for incoming mail ?
      or in other words how to load balance incoming mail for exchange 2013 ?
      (3) now for outgoing mail can we use the same NLB ip of CAS servers on our smart host/spam filter ?


      • You can use SMTP in CAS load balancing

        1. You can configure your SMTP relay behind the firewall to use NLB IP of internal CAS load balancing.
        2. You can also configure multiple CAS server on your Antispam behind the firewall.
        3. Mailbox server connects CAS and then from CAS if you have load balancing solution for outgoing you can use NLB virtual IP if you have any.

      • sajid says:

        i have a lab.
        1 domain controller (
        2 CAS Server ( (NLB IP
        2 Mailbox Server (
        1 Broadband router on which i opened port 443 for (CAS NLB IP which do load balancing for Client connections.
        on same broadband i open port 25 for one of the CAS server ( to receive incoming mail from internet.
        But when i try to open port 25 for another CAS server ( to receive mail from internet the broadband router dont let me for that and it make sense also. mean it only allow me to open port 25 for one CAS server to receive mail.
        MY Question is if i mention (NLB IP on broadband router firewall will i able to load balance and receive incoming mail ?

      • Perfectly fine you can do so – rule to forward to NLB IP instead individual CAS server.

    • sajid says:

      thanks man..
      now i understand if i have spam filter i will redirect traffic of port 25 to spam filter device ip so e-mail get scan and on spam filter i will mention send that mail to NLB ip of CAS, one of the CAS frond-end transport service will take and send it to transport service on mailbox and so on..
      and for client connection i will just mention the NLB ip of CAS NLB on my router so user will directly connect to CAS NLB.
      i had seen the video you recommend and its very helpful.

      now i have another question i setup A and MX record out side on godaddy.com
      but when i am send mail out side to Big domain like gmail/yahoo/ and hotmail they dont accept it what else i have to do on External DNS,? by the way i have dynamic ip on router.

      • IP needs to be static and available to listen on SMTP(25) from Internet till your Mailbox server.

        Sending out – is the email then in mail queue or any NDR you get…Your IP needs to be white listed, check at http://mxtoolbox.com website if your outgoing IP is black listed and the remote domain is rejecting the message….also research on RDNS record…?

  3. sajid says:

    ok thanks man
    who will make RDNS record we or our ISP if we have only one static ip ?
    also who will make SPF record we on godaddy or our ISP ?

  4. All record needs to be created and updated on external DNS hosting – Godaddy which we will do.

    • sajid says:

      there is a confusion because the ip belongs to local ISP which mean they can only create the Reverse dns entry for ip address. am i wrong ? spf record we can create i checked that on godaddy..
      thanks man..you clear many things about exchange 2013 mail flow..

      • Yep you are right check with respective owners to create & update 🙂

      • sajid says:

        i have a question in exchange 2010 after configuring the NLB for CAS we create array for CAS to load balance rpc traffic for outlook. do we need that if we create CAS 2013 NLB array ? i mean do we need to set RPCClientAccessServer attribute for mailbox database so that it connect to CAS arry NLB name not with the individual CAS server for HA ?

      • There is no CAS array concept.

        Since it connects using 443 – clients connect outlook anywhere name of the CAS. If you have more than one CAS then on each CAS server you need to update the OA FQDN to common so that clients connects to any one of the CAS server with unique name.

        Bydefault the OA FQDN is the name of the individual CAS server name like CAS01.Domain.Com, CAS02.Domain.com so you create a CName in your DNS to OWA.Domain.com to point to all CAS server as HA or point it to Load Balance virtual IP.

        You may want to learn Get-OutlookAnywhere | Set-OutlookAnywhere (For Exchange 2013) Enjoy:)

      • sajid says:

        you mean like if we have 2 CAS server and we load balance it through NLB which give us a common host name like mail.domain.com and then that name we provide to clients so they connect to it to access exchange.(they dont connect exchange by server FQDN but by that NLB name)
        same we have to do it for outlook anywhere so that client dont connect to individual CAS OA FQDN but by CNAME which we will create for both CAS server. (in other words its like NLB for outlook anywhere )
        i will contact you for future discussion on this topic.

      • You are right on that.

      • ali says:

        After login to Exchange ECP i went to Server>>2k13>>double click on CAS and outlook anywhere
        here its mention External url/internal url and authentication is mention if i change the internal part to CAS NLB name like mail.domain.com which is the internal NLB also will it works for me ?
        or if you can show me the exact command about how to set QA FQDN name on both CAS server i will be thankful to you.
        will this command work for me if i use it (Get-OutlookAnywhere –Server 2k13 | Set-OutlookAnywhere -InternalHostname “mail.domain.com” -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true) or its not what you are talking about.
        my point of interest is (High Availability for Exchange 2010 Client Access Server Arrays) of this page (http://exchangeserverpro.com/exchange-server-2010-cas-array) but i want to apply it on exchange 2013 , i mean the idea will be the same.
        once again thanks for help

      • You are going right and thats the command to set.

        Exchange 2010 & 2013 the configuration is different and the HA concept is same but again I would not rather compare.

      • ali says:

        thanks man..
        i got this web page which also clear my idea.
        thanks for your help.

      • sajid says:

        Do we need to add OA FQDN in Certificate ?

      • Yes – If you configure to use SSL which is default on port 443.

      • ali says:

        Thanks man i got the job in a very big organization and you are one of the factor.

      • Congratulations 🙂

      • ali says:

        one of our junior admin install exchange 2013 on wrong ip..i changed it to the original ip that we planed and also we change the dns record for that… things are working fine, mail flow is ok.. its a multi role exchange server 2013 with Mailbox and CAS. is there any problem we can face in future ?
        your urgent respond is require like before

  5. I cannot tell you about the future problems but for sure MS recommends to have multirole Exchange 2013 setup if you can.

    Make sure you have proactive monitoring in place as an proactive approach.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s