Test Altospam’s solutions!
Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …
Setting up recipient filtering on Exchange 2013 and 2016 with EDGE
by Stephane
Recipient filtering on Microsoft Exchange 2013
This procedure describes how to set up recipient filtering on Microsoft Exchange 2013 and Exchange 2016 servers with an EDGE server. By default, recipient filtering on Exchange 2013-2016 is performed after DATA. If it is not performed at RCPT TO level, the function is not correctly configured. The benefits of this filtering are described in the article: Mail server configuration and recipient filtering.
> If you don’t have an EDGE server in front of your Microsoft Exchange 2013 or Exchange 2016 server, use the following procedure: https://www.altospam.com/actualite/2016/12/configuration-filtrage-destinataires-exchange-2013-2016-serveur-edge/
Here’s the detailed procedure for modifying this behavior and ensuring that destination filtering is carried out after RCPT TO.
1) Install and activate the Antispam feature on Exchange
Get-TransportAgent
Must return “Recipient Filter Agent True”. If this is not the case, run the following commands:
& $env:ExchangeInstallPathScriptsInstall-AntiSpamAgents.ps1 Enable-TransportAgent "Recipient Filter Agent" Restart-Service "MSExchangeTransport"
All other services can be disabled by executing the commands below:
Set-SenderFilterConfig -Enabled $false Set-SenderIDConfig -Enabled $false Set-ContentFilterConfig -Enabled $false Set-SenderReputationConfig -Enabled $false
Then, one by one, the following commands:
Disable-TransportAgent "Sender Filter Agent" Disable-TransportAgent "Sender ID Agent" Disable-TransportAgent "Content Filter Agent" Disable-TransportAgent "Protocol Analysis Agent"
The result of the “Get-TransportAgent” command will then be :
2) AcceptedDomains must use Exchange addresses
The command below should show all domains with “AdressBookEnabled” set to “True”:
Get-AcceptedDomain | select Name,DomainType,AddressBookEnabled
If your domains do not appear, run the command below for each of them:
Set-AcceptedDomain <domaine_name> -AddressBookEnabled $true
3) Activate recipient filtering
All that remains is to activate recipient filtering with the command below:
Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled
The return must be of the following form: “Enabled: True” and “RecipientValidationEnabled: True”, otherwise execute the following commands:
Set-RecipientFilterConfig -Enabled $true Set-RecipientFilterConfig -RecipientValidationEnabled $true
Once this last step has been completed, the mail server will reply that the user is unknown as of the “RCPT TO” phase.
Update – Important addition:
If you’re using an Exchange 2013 or 2016 mail server alone (without an Edge server), it’s possible that after the configurations below, recipient filtering still doesn’t work. Refusal is made after the data rather than after the RCPT TO! This is a problem linked to the presence of 2 reception connectors on the mail server. In this case, prefer the procedure described in this article: https://www.altospam.com/actualite/2016/12/configuration-filtrage-destinataires-exchange-2013-2016-serveur-edge/
The procedure under Exchange 2003 is different, and is described in our article: Recipient filtering under Exchange 2003. The one for Microsoft Exchange 2007 and Microsoft Exchange 2010 servers is described in the article: Configuring Exchange 2007 and 2010 for recipient filtering.
