Configuration of recipient filtering on Exchange 2013 and 2016 without EDGE server

by Altospam
Image-Par-Défaut-Site-Actualités

Recipient filtering on Exchange 2013 and 2016

We always make sure that Altospam is optimally configured to guarantee a high-performance service. Recipient filtering must be correctly configured, as it is important not to generate unnecessary traffic. As 2016 draws to a close, we’re offering a configuration of Exchange 2013 and 2016 servers without an EDGE server. To fully understand the benefits of setting up recipient filtering, please consult this article.

> Configuring recipient filtering on Exchange 2013 or 2016 with an EDGE relay server

Quick Setup (for those in a hurry)

This quick setup can be used if your Exchange mail server uses a default configuration. Start by opening Exchange Management Shell, symbolized by the logo opposite. Then enter the following commands:

Step 1:

& $env:ExchangeInstallPathScriptsInstall-AntiSpamAgents.ps1
Enable-TransportAgent "Recipient Filter Agent"
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Set-RecipientFilterConfig -Enabled $true

Step 2:

Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne "True"} | Set-AcceptedDomain -AddressBookEnabled $true

Step 3:

Set-SenderFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-ContentFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false

Then execute the following commands one by one (requires confirmation):

Disable-TransportAgent "Sender Filter Agent"
Disable-TransportAgent "Sender ID Agent"
Disable-TransportAgent "Content Filter Agent"
Disable-TransportAgent "Protocol Analysis Agent"

Step 4:

Get-ReceiveConnector "Default $env:computername" | Set-ReceiveConnector -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Restart-Service "MSExchangeTransport"

Step 5:

Modify the NAT translation on your firewall to redirect the incoming TCP/25 port to your mail server’s TCP/2525 (see details in step 6 of the next chapter below).

Detailed configuration (explanations)

In this section, we’ll describe the configuration to be set up. Start by opening Exchange Management Shell, symbolized by the logo opposite. Then enter the following commands:

Step 1: Installing the Exchange anti-spam agent

To do this, issue the following command:

Get-TransportAgent

It displays a summary list of all transport agents installed on all Exchange servers in your organization.

You should get this result:

The ” Recipient Filter Agent ” item must appear in the list and be set to ” True “. If not, enter the following commands to install the Exchange antispam module and enable recipient filtering:

& $env:ExchangeInstallPathScriptsInstall-AntiSpamAgents.ps1
Enable-TransportAgent "Recipient Filter Agent"
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Set-RecipientFilterConfig -Enabled $true

Step 2: Activate recipient filtering

Enter the command :

Get-AcceptedDomain | Format-List Name,AddressBookEnabled

This command displays the name(s) of your organization’s domain(s), but also shows whether recipient filtering is enabled.

The AdressBook element must be set to ” True “. If this is not the case, you must activate it (ONLY on the authoritative domain(s)):

Set-AcceptedDomain nom_du_domaine -AddressBookEnabled $true

If all domains are authoritative, you can run this command to activate them all at once:

Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne "True"} | Set-AcceptedDomain -AddressBookEnabled $true

Step 3: Deactivate other filters

The aim of this step is to disable Exchange’s other anti-spam services to avoid serializing anti-spam and generating false positives. Enter these 4 commands:

Set-SenderFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-ContentFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false

Then one by one, the following commands (Requires confirmation):

Disable-TransportAgent "Sender Filter Agent"
Disable-TransportAgent "Sender ID Agent"
Disable-TransportAgent "Content Filter Agent"
Disable-TransportAgent "Protocol Analysis Agent"

Then enter the command :

Get-TransportAgent

You should get this result:

Step 4: Changing the default receive connector

The command below allows you to authorize anonymous users, which is necessary to be able to send you emails on this connector.

Get-ReceiveConnector "Default $env:computername" | Set-ReceiveConnector -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

At the end of these 5 steps, you need to restart the :

Restart-Service "MSExchangeTransport"

In some cases, this command may display an error due to certain dependencies on the Exchange transport service. In this case, you’ll need to restart the service manually.

This configuration is also possible via the graphical user interface, which can be used to check that the configuration has been applied correctly. To do this, proceed as follows:

Go to the Exchange Administration Center, go to the Mail Flow section (1), then to the Inbox Connectors tab (2), and double-click on “Default Server_Name” (3).

Go to the security section (4), check the Anonymous users box (5) and save the change (6).

Step 5: Port 2525 redirection

The configured Exchange connector listens on port TCP/2525, so traffic must be sent to this port.

You must therefore redirect port 25 to port 2525. In the firewall: modify NAT to redirect port 25 to 2525 and authorize it in the firewall. If you don’t want to do the translation on your firewall, contact us so that we can forward your flow to port TCP/2525. Remember also to filter the SMTP flow only from ALTOSPAM addresses.

Check that recipient filtering is working: Once logged into your customer administration interface, click on the “Technical” menu, then on the logo, named “Test mail server”. Once you’re on the page, you can launch the test directly, which will not only check access to your server, but also test your recipient filtering.

Setting up recipient filtering is very important to avoid generating bounces, for example. If you have Exchange 2003, the procedure is different, as described in our article: Recipient filtering on Exchange 2003. The one for Microsoft Exchange 2007 and Microsoft Exchange 2010 servers is described in the article: Configuring Exchange 2007 and 2010 for recipient filtering. If you use other types of mail servers such as Lotus, Postfix, Exim, Qmail… don’t hesitate to contact Altospam support.

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …