Exchange admins are used to working with connectors -- SMTP connectors, X.400 connectors, and Routing Group connectors, plus other connector types that can be added to interface with specific foreign mail systems. Each of these connector types offers a myriad of settings that give you the ability to control the behavior of incoming and outgoing mail.
In Exchange 2007, Microsoft has further split connectors into receive connectors and send connectors. There are actually some very good reasons for this, but the simplest one is that it helps reduce complexity in your configuration tasks. If you stop and think about it for a moment, any SMTP mail server actually has to act as both an SMTP server (when it is receiving messages from other systems) and as an SMTP client (when it is sending messages to other systems). Moving to a separate send/recieve configuration scheme makes it a lot easier to tell Exchange precisely how you want it to behave, while minimzining the chances that you're going to change a parameter and cause unintended consequences.
In another stroke of brilliance, send connectors and receive connectors have different scopes. That is, they apply to different levels of object in your Exchange organization. Receive connectors apply to the specific transport server (hub and Edge) they are configured on. Send connectors, as I mentioned previously, apply to the entire organization. Again, if you stop and think about this for a minute, you can see the logic. Not only does this scope change again give you much more granular control over your organization, it allows for the easy implemention of a current best practice I previously mentioned: the authenticated SMTP submission port on TCP 587.
By default, when you install the Exchange hub transport role, it creates two default receive connectors out of the box. Since Microsoft's recommended deployment includes the Edge transport role (which must always be on a separate physical server from any other roles, not joined to the same Active Directory forest), they assume that you will have one or more Edge servers in your topology and these these servers will be taking care of transferring messages to and from anonymous hosts on the Internet. Therefore, the two default receive connectors are configured for authenticated SMTP transactions only:
- Internal receive connectors are intended to receive connections from other Exchange servers (2007, 2003, and 2000) within your organization. They are configured to require the Exchange server authentication mechanism.
- Client receive connectors are intended to server as a safe submisson port for clients using mailbox access protocols -- POP3, IMAP, and NNTP. They are configured to use TLS, Basic + TLS, or Windows authentication. These connectors are not available on Edge transport servers by design. I would guess this is because Edge transport servers cannot be part of the same AD forest as the Exchange organization and thsu don't have the necessary AD access to authenticate user accounts.
Looking at this more closely, it looks like Client receive connectors are intended to be published to the Internet via a proxy like ISA. I've poked around a little bit in the documentation and not seen what the recommendation here is, but I'll dig into it and see what I can find. I find it very heartening that Exchange 2007 is coming with support for the SMTP submission port standard.