Exchange 2007 and 2010 configuration for recipient matching

by Altospam

Recipient filtering on Exchange 2007 and 2010

This article describes how to configure Microsoft Exchange 2007 and 2010 servers to filter on recipients rather than accept all emails. The benefits of this filtering are described in the article: Mail server configuration and recipient filtering. Today we’re going to describe exactly how to configure Micorosoft Exchange.

To set up recipient filtering in Exchange organizations, you need to install the antispam function. Since Exchange 2007, anti-spam has been integrated into the Edge server by default. In the case of an architecture without an Edge server, it is not activated by default, but can be installed within a Hub server.

Activating the antispam function on Exchange

The procedure for installing the Antispam function is as follows:

– Close EMC Exchange Management Console

– Type the following lines into Exchange’s powershell:
C:Program FilesMicrosoftExchange ServerV14Scripts
./install-AntispamAgents.ps1

– Restart the Microsoft Exchange Transport service :
Restart-Service MSExchangeTransport

– Close powershell

When opening the EMC, the “Antispam” tab is now present in the “Transport Hub” role in “Organization configuration”. By default, all antispam agents are enabled. You should leave only recipient filtering enabled, and disable all other agents. To do this, open a powershell session and type the following lines:
set-RecipientFilterConfig -Enabled $true
set-SenderFilterConfig -Enabled $false
set-SenderIDConfig -Enabled $false
set-SenderReputationConfig -Enabled $false
set-IPAllowListConfig -Enabled $false
set-IPAllowListProvidersConfig -Enabled $false
set-IPBlockListConfig -Enabled $false
set-IPBlockListProvidersConfig -Enabled $false
set-ContentFilterConfig -Enabled $false

Finally, to set up filtering for recipients not present in the organization, type :

set-RecipientFilterConfig -RecipientValidationEnabled $True

This feature will force the SMTP router to respond immediately with a 550 RFC message about the non-existence of a recipient email address in the Exchange server database, rather than accepting the mail in SMTP and then sending an error mail back: Remote user management and call-out.

 

Graphic interface

You can also activate and check recipient filtering in graphical mode in the EMC. On the “Antispam” tab, click on one of the antispam agents and in the right-hand column choose the “Disable” action. Do this for all agents except “Recipient filtering”, which you leave “Enabled”.

Finally, double-click on the recipient filtering agent and in the “Blocked recipients” tab check the following option:


Other useful commands

Before using command lines to manage antispam agents, you need to know how the agent name corresponds to the powershell identity. The list below shows this correspondence:

Recipient filtering: RecipientFilterConfig
sender filtering: SenderFilterConfig
sender identity: SenderIDConfig
sender reputation: SenderReputationConfig
content filtering: ContentFilterConfig
authorized connection filtering: IPAllowListConfig or IPAllowListProvider
blocked connection filtering: IPBlockListConfig or IPBlockListProvider

Here are some important actions that can be carried out using command lines.

To check whether the anti-spam function has been installed correctly

get-TransportAgent displays a summary list of all transport agents installed on a Hub transport server, some of which are shared with anti-spam agents such as the Recipient Filter Agent.

To check whether one of the anti-spam agents is installed

get-X replacing X with the identity of the corresponding powershell agent.

For example: get-RecipientFilterConfig

To enable or disable other antispam agents

set-X -Enabled $true pour activer
set-X -Enabled $false pour désactiver

replacing X with the identity of the corresponding powershell agent.

For example: set-RecipientFilterConfig -Enabled $true

To block a specific user from recipient filtering

set-RecipientFilterConfig -BlockedRecipients utilisateur@votredomaine.tld

For information on the configuration status of recipient filtering

get-RecipientFilterConfig | fl en* ,re* ,ext* ,is*
Enabled :True Enable “Recipient filtering” agent
RecipientValidationEnabled:True Enable recipient filtering
ExternalMailEnabled :True The filtering agent processes messages from unauthenticated servers outside the organization.
IsValid : True Indicates correct agent configuration

Check that all these fields are true.

To check whether recipient filtering is present in the Hub role

get-TransportAgent -Identity Recip* | fl E*
Enabled : True

If not, type : enable-TransportAgent “Recipient Filter Agent”

Then restart the transport service: Restart-Service MSExchangeTransport

To check the availability of the address list of accepted domains

get-AcceptedDomain | ft id* ,add*
Identity AddressBookEnabled
yourdomain.tld True

If the address book is not available (False instead of True), type :

set-AcceptedDomain votredomaine.tld -AddressBookEnabled $true

or to generalize to all accepted domains, type :

get-AcceptedDomain | set-AcceptedDomain -AddressBookEnabled $true
For the anti-spam uninstall procedure, you’ll need to repeat the previous installation steps and replace the ./install-AntispamAgents.ps1 script with ./uninstall-AntispamAgents.ps1.

In this article, we’ve tried to be as comprehensive as possible, so that you can deal with every possible case. As a reminder, the procedure under Exchange 2003 is different, and is described in our article: Recipient filtering under Exchange 2003.

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …