Test Altospam’s solutions!
Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …
This article describes how to configure Microsoft Exchange 2007 and 2010 servers to filter on recipients rather than accept all emails. The benefits of this filtering are described in the article: Mail server configuration and recipient filtering. Today we’re going to describe exactly how to configure Microsoft Exchange.
To set up recipient filtering in Exchange organizations, you need to install the antispam function. Since Exchange 2007, anti-spam has been integrated into the Edge server by default. In the case of an architecture without an Edge server, it is not activated by default, but can be installed within a Hub server.
The procedure for installing the Antispam function is as follows:
– Close the Exchange Management Console (EMC)
– Type the following lines into Exchange’s PowerShell:
cd "C:\Program Files\Microsoft\Exchange Server\V14\Scripts"
./install-AntispamAgents.ps1
– Restart the Microsoft Exchange Transport service:
Restart-Service MSExchangeTransport
– Close PowerShell
When you reopen the EMC, the “Antispam” tab is now present under the “Hub Transport” role in “Organization configuration”. By default, all antispam agents are enabled. You should leave only recipient filtering enabled, and disable all other agents. To do this, open a PowerShell session and type the following lines:
set-RecipientFilterConfig -Enabled $true
set-SenderFilterConfig -Enabled $false
set-SenderIDConfig -Enabled $false
set-SenderReputationConfig -Enabled $false
set-IPAllowListConfig -Enabled $false
set-IPAllowListProvidersConfig -Enabled $false
set-IPBlockListConfig -Enabled $false
set-IPBlockListProvidersConfig -Enabled $false
set-ContentFilterConfig -Enabled $false
Finally, to set up filtering for recipients not present in the organization, type:
set-RecipientFilterConfig -RecipientValidationEnabled $True
With this setting, the SMTP server rejects the message immediately with a 550 response when the recipient email address does not exist in the Exchange server database, rather than accepting the mail in SMTP and then sending an error mail back: Remote user management and call-out.
You can also activate and check recipient filtering in graphical mode in the EMC. On the “Antispam” tab, click on one of the antispam agents and in the right-hand column choose the “Disable” action. Do this for all agents except “Recipient filtering”, which you leave “Enabled”.
Finally, double-click on the recipient filtering agent and in the “Blocked recipients” tab check the following option:
Before using command lines to manage antispam agents, you need to know how each agent name corresponds to its PowerShell identity. The list below shows this correspondence:
Recipient filtering: RecipientFilterConfig
Sender filtering: SenderFilterConfig
Sender identity: SenderIDConfig
Sender reputation: SenderReputationConfig
Content filtering: ContentFilterConfig
Authorized connection filtering: IPAllowListConfig or IPAllowListProvider
Blocked connection filtering: IPBlockListConfig or IPBlockListProvider
Here are some important actions that can be carried out using command lines.
get-TransportAgent
displays a summary list of all transport agents installed on a Hub Transport server, including anti-spam agents such as the Recipient Filter Agent.
get-X
replacing X with the identity of the corresponding powershell agent.
For example: get-RecipientFilterConfig
set-X -Enabled $true to enable
set-X -Enabled $false to disable
replacing X with the identity of the corresponding powershell agent.
For example: set-RecipientFilterConfig -Enabled $true
set-RecipientFilterConfig -BlockedRecipients utilisateur@votredomaine.tld
get-RecipientFilterConfig | fl en*,re*,ext*,is*
Enabled                    : True   (the “Recipient filtering” agent is enabled)
RecipientValidationEnabled : True   (recipient filtering is enabled)
ExternalMailEnabled        : True   (the filtering agent processes messages from unauthenticated servers outside the organization)
IsValid                    : True   (the agent configuration is correct)
Check that all these fields are true.
get-TransportAgent -Identity Recip* | fl E*
Enabled : True
If not, type: Enable-TransportAgent "Recipient Filter Agent"
Then restart the transport service: Restart-Service MSExchangeTransport
get-AcceptedDomain | ft id*,add*
Identity          AddressBookEnabled
yourdomain.tld    True
If the address book is not available (False instead of True), type:
set-AcceptedDomain votredomaine.tld -AddressBookEnabled $true
or to generalize to all accepted domains, type :
get-AcceptedDomain | set-AcceptedDomain -AddressBookEnabled $true
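The verification steps above can be combined into a single check. The following is an added example, not code from the original article: Test-RecipientFiltering is a hypothetical helper name, and the sample objects (including the domain example.test) are constructed so the script also runs away from an Exchange server.

```powershell
# Added example: Test-RecipientFiltering is a hypothetical helper, not an Exchange cmdlet.
# It only reads the objects it is given and returns a list of findings (empty = OK).
function Test-RecipientFiltering {
    param($FilterConfig, $Agent, $AcceptedDomains)
    $findings = @()

    # The four fields the article says must all be True.
    foreach ($name in 'Enabled', 'RecipientValidationEnabled', 'ExternalMailEnabled', 'IsValid') {
        if ($FilterConfig.$name -ne $true) {
            $findings += "RecipientFilterConfig: $name is not True"
        }
    }

    # The transport agent must be installed and enabled for the settings to take effect.
    if (-not $Agent) {
        $findings += 'Recipient Filter Agent not found (run install-AntispamAgents.ps1)'
    } elseif ($Agent.Enabled -ne $true) {
        $findings += 'Recipient Filter Agent is disabled (Enable-TransportAgent, then restart MSExchangeTransport)'
    }

    # Every accepted domain needs AddressBookEnabled for recipient lookups.
    foreach ($d in $AcceptedDomains) {
        if ($d -and $d.AddressBookEnabled -ne $true) {
            $findings += "Accepted domain $($d.Identity): AddressBookEnabled is not True"
        }
    }
    return ,$findings
}

# Constructed sample objects mimicking the cmdlet output shown above (not real data).
$cfg = New-Object PSObject -Property @{
    Enabled = $true; RecipientValidationEnabled = $false
    ExternalMailEnabled = $true; IsValid = $true
}
$agent = New-Object PSObject -Property @{ Identity = 'Recipient Filter Agent'; Enabled = $true }
$domains = @(
    (New-Object PSObject -Property @{ Identity = 'yourdomain.tld'; AddressBookEnabled = $true }),
    (New-Object PSObject -Property @{ Identity = 'example.test'; AddressBookEnabled = $false })
)
Test-RecipientFiltering $cfg $agent $domains

# On the Exchange server, pass the live objects instead:
# Test-RecipientFiltering (Get-RecipientFilterConfig) (Get-TransportAgent -Identity Recip*) (Get-AcceptedDomain)
```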
For the anti-spam uninstall procedure, you’ll need to repeat the previous installation steps and replace the ./install-AntispamAgents.ps1 script with ./uninstall-AntispamAgents.ps1.
In this article, we’ve tried to be as comprehensive as possible, so that you can deal with every possible case. As a reminder, the procedure under Exchange 2003 is different, and is described in our article: Recipient filtering under Exchange 2003.