edge server 2016 not receiving email, blocked ports?

I am trying to set up a new Exchange 2016 implementation. I can send emails but I cannot receive them. So far, the emails don't get rejected, though I suspect in a few days they will start to bounce back, as they are probably queued somewhere.

This is the first time I've tried to set up Exchange, so I'm probably doing something wrong or not understanding the setup. Here is a high-level topology:

The edge server is a VPS running at a hosting site. I have successfully created an edge subscription between the host and my internal network. When I do a "Test-EdgeSynchronization -FullCompareMode", it comes back with a status of "normal" and everything shows "synchronized". So I think all is good there.

Where I think the problem resides is on the edge server when it's trying to connect to my internal LAN for mail delivery on port 25. My hosting site blocks outgoing port 25 traffic, hence the use of the hosting site's SMTP relay for outgoing mail. I have verified with telnet that outgoing port 25 is indeed blocked but incoming port 25 is open. So at least getting the mail to the edge server is not an issue. (I think, but I don't know how to tell if it's queued there. EDIT: A "delay" message just got bounced back, so the Edge server has it.)

So a couple of questions:

  1. Does the Edge Server use port 25 to connect to the exchange server (or hub transport or whatever it's called)? From what I can find, it seems like it does but I can't find a definitive answer.
  2. How do I tell if the mail is queued on the edge server?
  3. If it does use port 25, how can I configure it to use a different port? I can use NAT translation on my router to put it "back" to port 25, but I can't find how to set up the edge server to connect to a different port.

In my send connector named "EdgeSync - Inbound to Default-First-Site-Name" I have the following setup:

Any help is greatly appreciated.


Solution 1:

About the questions you had above:

  1. Definitely yes. The Edge role uses SMTP for inbound and outbound connections on port 25. The Edge server only has to do with SMTP communication and nothing else (no client communication; many people confuse this).

  2. I don't have an Edge handy these days, but you can try Get-Queue in the Exchange Management Shell. Additionally, you can double-check with Get-AcceptedDomain and Get-SendConnector whether there is configuration on the Edge server.

  3. I haven't seen it changed, so I am not sure if this is possible; probably not, as it is a security-hardened role. I will see if I can find an Edge Transport and let you know on this. The best solution in your case may be to use a VPN to bypass the hosting restriction.

Other things to take into serious consideration:

a. The Edge Server role must be able to resolve the Mailbox server names inside the organization.

b. The Mailbox servers must be able to resolve the Edge Transport server names (manually add A records to the internal DNS zone).

c. The Edge Transport must be able to perform public lookups for MX records.

d. Bi-directional SMTP access (TCP port 25).

e. Outbound EdgeSync access from the Mailbox server to the Edge Transport (TCP port 50636).

Hope this will help.
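To turn the question's "how do I tell if the mail is queued on the edge server?" and the answer's connectivity checklist (items a to e plus Get-Queue, Get-AcceptedDomain and Get-SendConnector) into something you can actually run, here is an added PowerShell check script. It is not part of the question or the answer and is not Microsoft's code; it assumes you run it in the Exchange Management Shell on the Edge Transport server, and the Mailbox server FQDN and accepted domain are placeholder values to replace with your own.

```powershell
# Added example: Edge Transport health checks matching the answer's checklist.
# Run in the Exchange Management Shell on the Edge Transport server.
# Placeholder values (hypothetical, replace with your own environment):
$MailboxServers = @('MBX01.corp.example')   # internal Mailbox server FQDN(s)
$Domain         = 'example.com'             # one of your accepted domains

# (a) Edge must resolve the internal Mailbox server names.
foreach ($server in $MailboxServers) {
    try {
        Resolve-DnsName -Name $server -Type A -ErrorAction Stop |
            Select-Object Name, IPAddress
    } catch {
        Write-Warning "Edge cannot resolve Mailbox server '$server': $_"
    }
}

# (c) Edge must be able to perform public MX lookups.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue
if ($mx) { $mx | Select-Object Name, NameExchange, Preference }
else     { Write-Warning "No MX answer for '$Domain'; public DNS lookups may be blocked" }

# (d) Outbound TCP 25 from Edge to each Mailbox server.
# This is the leg the question suspects the hosting provider is blocking.
foreach ($server in $MailboxServers) {
    Test-NetConnection -ComputerName $server -Port 25 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# (2) Is inbound mail stuck on the Edge? List queues, then the messages in any non-empty queue.
# A queue whose NextHopDomain is the internal site with a growing MessageCount and a
# connection-related LastError points at the blocked port 25 path.
Get-Queue | Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError

foreach ($queue in (Get-Queue | Where-Object { $_.MessageCount -gt 0 })) {
    Get-Message -Queue $queue.Identity |
        Select-Object Identity, FromAddress, Status, LastError
}

# Cross-check what the Edge believes it should accept and where it will send.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType
Get-SendConnector  | Select-Object Name, AddressSpaces, SmartHosts, Port, DNSRoutingEnabled
```

Item (e), EdgeSync on TCP 50636, runs in the other direction, so test it from a Mailbox server instead: `Test-NetConnection -ComputerName <edge FQDN> -Port 50636`. Item (b) is the mirror of (a) and is also checked from the Mailbox side with `Resolve-DnsName <edge FQDN>`. If the port 25 test to the Mailbox server fails while `Get-Queue` shows messages waiting on the inbound-to-site queue, the provider's outbound port 25 block is confirmed as the cause, which is what the VPN suggestion in the answer addresses.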