| | | Question Mark Member Registered Member
Join Date: Apr 2007 Location: some neurons in my brain... Italy
Posts: 419
Certifications: CCNA, MCSA 2k3: Messaging, MCP, 70-285. WIP: 70-236, 70-293 | Mailbox Delivery Queue Exchange Server 2007.
From a well known book: "The Mailbox Delivery queues hold messages that are being delivered to a mailbox server by using encrypted Exchange RPC.
Mailbox Delivery queues exist on Hub Transport servers only.
The Mailbox Delivery queue holds messages that are being delivered to mailbox recipients whose mailbox data is stored on a Mailbox server not located in the same site as the Hub Transport server."
That makes me wonder, because from what I learned until now, Hub servers do not communicate ever with RPC encrypted if the recipient is on a different site than him.
Any help appreciated. |
| | | New Member Registered Member
Join Date: Jul 2006 Location: Chicago, IL
Posts: 3,376
Certifications: A+, Network+, MCSE:M 2003, MCITP: Enterprise Messaging Administrator, MCTS: OCS (Conf/Voice)/Hyper-V, Exchange MVP, B.S. | Hub Transport servers don't send data to each other using encrypted RPC. Instead, they use TLS.
Users always send messages which are stored in the mailbox store. The mailbox store has a mailbox submission service that will round robin requests to the hub transport. That hub transport server will use its store driver to grab that message out of the outbox and place a new message in the sent items and then put that message in the submission queue to get categorized for delivery.
Part of that categorization process is determining where this mail needs to be sent. If it needs to be sent to a user in another site (or even in the same site), that Hub Transport Server will use the certificates that are selected for SMTP and use TLS to send the data. You can see the TLS selection process by looking here: Selection of Outbound Anonymous TLS Certificates
You can also see what paths in Exchange use RPC encryption vs TLS encryption here: Exchange 2007 Security Guide
__________________
“For success, attitude is equally as important as ability.” - Harry F. Banks
|
| | | Question Mark Member Registered Member
Join Date: Apr 2007 Location: some neurons in my brain... Italy
Posts: 419
Certifications: CCNA, MCSA 2k3: Messaging, MCP, 70-285. WIP: 70-236, 70-293 | Thanks much Royal for your help,
there was a mistake in my previous post though, because in Italian two negatives do not make a positive, so that should have been: "That makes me wonder, because from what I learned until now, Hub servers do not communicate with RPC encrypted if the recipient is on a different site than him."
Sorry.
So I must suppose there's a mistake in the text I reported from that book?
I'll try it on my lab next too, as soon as I can. |
| | | New Member Registered Member
Join Date: Jul 2006 Location: Chicago, IL
Posts: 3,376
Certifications: A+, Network+, MCSE:M 2003, MCITP: Enterprise Messaging Administrator, MCTS: OCS (Conf/Voice)/Hyper-V, Exchange MVP, B.S. | Well, depends on how you look at it. I posted the wrong security article. The correct one is: Data Path Security Reference
So when you send something, again, it goes from mailbox submission service to a hub transport server. This uses RPC encryption. If a mail user is local, it goes from hub transport server right back to mailbox server which uses RPC encryption. So in that sense, everything uses RPC encryption as there's no need for Hub to Hub.
Now if a user is in another site, a hub transport will never send directly to a mailbox server in another site. Because of this, you always need a minimum of hub/CAS/mailbox in a given site. So since this user is in a different site, the local hub will send to a hub in another site, which uses TLS for the hub to hub communications and encryption. That remote hub server will then use RPC encryption to send that email to the mailbox user for the person the e-mail was destined to.
That should clear it up for you.
|
| | | Question Mark Member Registered Member
Join Date: Apr 2007 Location: some neurons in my brain... Italy
Posts: 419
Certifications: CCNA, MCSA 2k3: Messaging, MCP, 70-285. WIP: 70-236, 70-293 | Perfect.
Thanks sir. |