Configuring a Hub Transport (HT) Server as an Internet-Facing Server with Anti-Spam Functionality
Many Exchange Server administrators know the message hygiene features of Exchange Server 2003. In Exchange Server 2007 these features are available by default only on the Edge Transport server role, which acts as the message hygiene server in the DMZ. If you do not deploy an Edge Transport server, the same anti-spam functionality can be enabled on each Exchange Server 2007 computer running the Hub Transport role. In this article we look at how to enable and configure it.
Activating AntiSpamAgent Feature
Adding this functionality to your Hub Transport servers is a simple process. First, launch the Exchange Management Shell. The Scripts folder created by the Exchange installation contains a PowerShell script that installs the anti-spam agents; the script is called install-AntiSpamAgents.ps1. After you run it, restart the Microsoft Exchange Transport service and restart the Exchange Management Console.
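The procedure above as an Exchange Management Shell session. This is an added example, not code from the article; it assumes the default Exchange 2007 installation path for the Scripts folder and uses the real service name MSExchangeTransport for the transport service.

```powershell
# Added example (not from the article): enable the anti-spam agents on a Hub Transport
# server from the Exchange Management Shell and verify that they are registered.
# The Scripts folder path is the Exchange 2007 default; adjust it if you installed elsewhere.
Set-Location "C:\Program Files\Microsoft\Exchange Server\Scripts"
.\install-AntiSpamAgents.ps1

# The agents are loaded by the transport service, so restart it before they take effect.
# (Close and reopen the Exchange Management Console afterwards to see the Anti-Spam tab.)
Restart-Service MSExchangeTransport

# Check: the Content Filter, Sender Id, Sender Filter, Recipient Filter, Connection
# Filtering and Protocol Analysis agents should now be listed as enabled.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
```

If an agent shows Enabled as False, it has been installed but switched off; nothing is filtered until it is enabled again.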
Figure 1: Activating AntiSpamAgent Feature
After restarting the Exchange Transport Service, we have a new tab in Exchange Management Console available which will look like this:
Figure 2: The Anti-Spam Tab of Exchange Management Console
We will now take a closer look into each feature of Anti-Spam:
· Content Filtering
· IP Allow List
· IP Allow List Providers
· IP Block List
· IP Block List Providers
· Recipient Filtering
· Sender Filtering
· Sender ID
· Sender Reputation
Content Filtering
The Content Filter agent works with a spam confidence level (SCL) rating. The rating is a number from 0 to 9 assigned to each message; a high SCL means the message is most likely spam. Depending on the rating, you can configure the agent to:
· Delete the message
· Reject the message
· Quarantine the message
You can also customize this filter using your own custom words and configure exceptions if you wish.
IP Allow List
With this feature you can configure which IP addresses are allowed to connect to your Exchange Server. If, for example, you have a dedicated mail relay server in your DMZ, you can add its IP addresses so that your server will not accept connections from other servers anymore.
IP Allow List Providers
In practice, it is hard to maintain your own "IP Allow Lists" without making mistakes that lead to problems receiving e-mail from your customers or other business partners. You should therefore use a public IP allow list provider that does the work for you. This gives you a better quality of service and a higher business value.
IP Block Lists
This feature lets you configure IP addresses that are not allowed to connect to your server. In contrast to "IP Allow Lists", this feature provides a black list rather than a white one.
IP Block List Providers
"IP Block List Providers" were known in the past as "Blacklist Providers". Their task is to publish lists of servers and IP addresses that are sending spam. If you want to read more about this.
Recipient Filtering
If you need to block e-mail to specific internal users or domains, this is the feature you need. You can enable it and then add the appropriate addresses or SMTP domains to your black list. Another useful option is to configure the feature so that your server only accepts e-mail for recipients that are included in your global address lists.
Sender Filtering
If you need to block specific external domains or e-mail addresses, this is the feature to use. You can configure a black list of sender addresses and domains that you will not accept.
Sender ID
The Sender ID agent relies on the RECEIVED Simple Mail Transfer Protocol (SMTP) header and a query to the sending system's domain name system (DNS) service to determine what action, if any, to take on an inbound message. This feature is relatively new and relies on a specific DNS record being published for the sending domain.
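The IP allow and block lists, their providers, and recipient and sender filtering described in the sections above, configured from the Exchange Management Shell. This is an added example, not code from the article; every IP address, domain, mailbox and provider lookup domain in it is a constructed placeholder.

```powershell
# Added example (not from the article): connection, recipient and sender filtering on a
# Hub Transport server running the anti-spam agents. All addresses, domains and the
# providers' lookup domains below are constructed placeholders.

# IP Allow List: the dedicated relay in the DMZ, exempted from connection-filter checks.
Add-IPAllowListEntry -IPAddress 192.0.2.10 -Comment "DMZ relay (constructed example)"

# IP Block List: a range seen sending spam. Give the entry an expiry so the block does
# not silently outlive the incident that caused it.
Add-IPBlockListEntry -IPRange 198.51.100.0/24 -Comment "Spam source (constructed example)" `
    -ExpirationTime (Get-Date).AddDays(7)

# Providers: the lookup domains are placeholders; use the ones your provider publishes.
Add-IPAllowListProvider -Name "Public allow list" -LookupDomain "allow.provider.example.net" -AnyMatch $true
Add-IPBlockListProvider -Name "Public DNSBL" -LookupDomain "bl.provider.example.net" -AnyMatch $true

# Recipient Filtering: accept mail only for recipients that exist in the global address
# list, and additionally block one internal address that must not receive external mail.
Set-RecipientFilterConfig -RecipientValidationEnabled $true `
    -BlockedRecipients "noreply@contoso.example"

# Sender Filtering: reject the listed sender and domain (with its subdomains) outright.
Set-SenderFilterConfig -BlockedSenders "spammer@example.net" `
    -BlockedDomainsAndSubdomains "badmail.example" -Action Reject

# Check the resulting configuration before exposing the server to the Internet.
Get-IPAllowListEntry | Format-Table IPRange, Comment, ExpirationTime
Get-IPBlockListEntry | Format-Table IPRange, Comment, ExpirationTime
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled, BlockedRecipients
Get-SenderFilterConfig | Format-List BlockedSenders, BlockedDomainsAndSubdomains, Action
```

Recipient validation causes the server to reject unknown recipients during the SMTP session, so it also stops directory-harvest style probing from filling the queue with NDRs; the trade-off is that the list of valid recipients must be current on the filtering server.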
Sender ID is intended to combat the impersonation of senders and domains, also called spoofing. A spoofed mail is an e-mail message whose sending address has been modified to appear as if it originates from a sender other than the actual sender of the message. Spoofed mails typically contain a FROM header that claims to originate from a particular organization.
The Sender ID evaluation process generates a Sender ID status for each message. The Sender ID status is used to evaluate the SCL rating for that message. This status can have one of the following settings:
· Pass - IP address is included in the permitted set.
· Neutral - Published Sender ID data is explicitly inconclusive.
· Soft fail - IP address may be in the not permitted set.
· Fail - IP address is in the not permitted set.
· None - No published data in DNS.
· TempError - A transient error occurred, such as an unavailable DNS server.
· PermError - An unrecoverable error occurred, such as a record format error.
The Sender ID status is added to email metadata and is then converted to a MAPI property. The Junk E-mail filter in Microsoft Office Outlook uses the MAPI property during the generation of the spam confidence level (SCL) value.
You can configure this feature to take the following action:
· Stamp the status
Additional information on how to setup your Sender-ID setting in your public DNS can be found.
Sender Reputation
Sender Reputation is a new Exchange Server 2007 anti-spam feature that blocks messages based on several characteristics of the sender.
The calculation of the Sender Reputation Level is based on the following information:
· HELO/EHLO analysis
· Reverse DNS lookup
· Analysis of SCL
· Sender open proxy test
Sender Reputation weighs each of these statistics and calculates a sender reputation level (SRL) for each sender. The SRL is a number between 0 and 9. You can then configure what happens to the message in one of the following ways:
· Delete and archive
· Accept and mark as blocked sender
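The Sender ID and Sender Reputation agents described above, configured from the Exchange Management Shell. This is an added example, not code from the article; the thresholds and the bypassed partner domain are constructed example values.

```powershell
# Added example (not from the article): configure the Sender ID and Sender Reputation
# agents. Threshold values and domain names are constructed examples.

# Sender ID: stamp the status on messages whose sending IP fails the check (Outlook's junk
# filter then uses the stamped status), and treat DNS time-outs as stamp-only so a DNS
# outage does not bounce legitimate mail. Valid actions: StampStatus, Reject, Delete.
Set-SenderIdConfig -SpoofedDomainAction StampStatus -TempErrorAction StampStatus `
    -BypassedSenderDomains "partner.example"   # constructed partner domain without an SPF record

# Sender Reputation: block senders whose SRL reaches the threshold (0-9 scale) for 24 hours
# and include the open-proxy test in the calculation.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 `
    -SenderBlockingPeriod 24 -OpenProxyDetectionEnabled $true

# Check: review both configurations before exposing the server to the Internet.
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction, TempErrorAction, BypassedSenderDomains
Get-SenderReputationConfig | Format-List SenderBlockingEnabled, SrlBlockThreshold, `
    SenderBlockingPeriod, OpenProxyDetectionEnabled
```

Start with StampStatus rather than Reject: many legitimate domains publish no SPF record or an incorrect one, and stamping lets you measure the false-positive rate from the agent log before you switch to rejecting.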
Sender Policy Framework (SPF) records
To enable Sender ID filtering, each e-mail sender must create a sender policy framework (SPF) record and add it to the DNS records of the e-mail sender's domain. The SPF record is a single TXT record in the DNS database that identifies each domain's e-mail
SPF records can use several formats. Two are shown in the table below:
· Adatum.com. IN TXT "v=spf1 mx -all" - Indicates that any server identified by an MX record for the adatum.com domain is allowed to send e-mail for that domain.
· Mail IN TXT "v=spf1 a -all" - Indicates that the host Mail is allowed to send
· Adatum.com IN TXT "v=spf1 ip4:10.10.0.20 -all" - Indicates that a server with the IP address 10.10.0.20 is allowed to send mail for the adatum.com domain.
For more information: Microsoft provides a wizard to create the SPF records for your organization. The wizard is accessible on the Sender ID Framework Record Wizard page on the Microsoft Web site.
How Sender ID Filtering Works
The following steps show at a high level how Sender ID filtering works:
1. The message is sent to the recipient organization.
2. The recipient SMTP gateway server queries DNS for the SPF record of the sending domain.
3. If the SPF record matches the sending SMTP server, the SMTP gateway server forwards the message.
4. If the SPF record does not match, the SMTP gateway server may drop the message or forward it with additional header information.
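A small evaluator that walks through steps 2 to 4 against the three SPF record formats from the table above. This is an added example written for this article, not Exchange code and not the Sender ID agent's real implementation; it uses a constructed in-memory DNS table (the domains fabrikam.example and nospf.example are invented) so it runs offline, and it handles only the ip4 (exact address), a and mx mechanisms plus the all qualifiers.

```powershell
# Added example (not from the article): how an SMTP gateway evaluates an SPF record for a
# sending IP. The $dns table is constructed sample data standing in for real DNS lookups.
$dns = @{
    "adatum.com"       = @{ TXT = "v=spf1 mx -all";              A = @("10.10.0.20"); MX = @("mail.adatum.com") }
    "mail.adatum.com"  = @{ TXT = "v=spf1 a -all";               A = @("10.10.0.20"); MX = @() }
    "fabrikam.example" = @{ TXT = "v=spf1 ip4:10.10.0.20 -all"; A = @("10.10.0.40"); MX = @() }
    "nospf.example"    = @{ TXT = $null;                         A = @("10.10.0.30"); MX = @() }
}

function Get-SpfResult {
    param([string]$SenderDomain, [string]$SendingIp)
    $zone = $dns[$SenderDomain]
    # Step 2: no SPF record published for the domain -> "None"
    if (-not $zone -or -not $zone.TXT) { return "None" }

    # Skip the "v=spf1" version tag; evaluate the mechanisms left to right.
    foreach ($term in ($zone.TXT -split "\s+" | Select-Object -Skip 1)) {
        $qualifier = "+"                                   # default qualifier is pass
        if ($term -match "^[+\-~?]") {
            $qualifier = $term.Substring(0, 1)
            $term = $term.Substring(1)
        }
        $verdict = switch ($qualifier) {
            "+" { "Pass" } "-" { "Fail" } "~" { "SoftFail" } "?" { "Neutral" }
        }

        $matched = $false
        switch -Regex ($term) {
            "^ip4:(.+)$" { $matched = ($SendingIp -eq $Matches[1]) }           # exact address only
            "^a$"        { $matched = ($zone.A -contains $SendingIp) }         # domain's own A records
            "^mx$"       { foreach ($mx in $zone.MX) {                         # A records of each MX host
                               if ($dns[$mx].A -contains $SendingIp) { $matched = $true } } }
            "^all$"      { $matched = $true }                                  # catch-all
        }
        # Steps 3/4: the first mechanism that matches decides the result.
        if ($matched) { return $verdict }
    }
    return "Neutral"                                       # record exhausted without a match
}

# Worked checks against the constructed table (the caller decides what to do with the result,
# e.g. forward, stamp a header, or drop).
foreach ($case in @(
    @{ Domain = "adatum.com";       Ip = "10.10.0.20" },   # sent from adatum.com's MX host
    @{ Domain = "adatum.com";       Ip = "10.10.0.99" },   # sent from an unlisted host
    @{ Domain = "mail.adatum.com";  Ip = "10.10.0.20" },   # host Mail, matched by "a"
    @{ Domain = "fabrikam.example"; Ip = "10.10.0.20" },   # matched by the ip4 mechanism
    @{ Domain = "nospf.example";    Ip = "10.10.0.30" })) {
    "{0,-18} {1,-12} {2}" -f $case.Domain, $case.Ip, (Get-SpfResult -SenderDomain $case.Domain -SendingIp $case.Ip)
}
```

With the constructed table, the first, third and fourth cases evaluate to Pass, the unlisted host 10.10.0.99 hits "-all" and evaluates to Fail, and nospf.example returns None because no record is published. A "-all" record is what makes step 4 possible: with "~all" the same unlisted host would only get SoftFail, which a gateway normally stamps rather than rejects.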
Note: When the Content Filter agent rejects a message, it uses the default response of 550 5.7.1 Message rejected due to content restrictions. Customize this message using the Set-ContentFilterConfig command in the Exchange
Configuring the Quarantine Mailbox
When the SCL value for a specific message exceeds the SCL quarantine threshold, the Content Filter agent sends the message to a quarantine mailbox. Before you can configure this option on the Edge Transport server, you must configure a mailbox as the quarantine mailbox by using the Set-ContentFilterConfig -QuarantineMailbox command. As a messaging administrator, you should regularly check the quarantine mailbox to ensure that the content filter is not filtering legitimate e-mail messages.
Note: Messages are sent to the quarantine mailbox only when a message's SCL exceeds the quarantine threshold configured on the content filter. The Get-AgentLog command produces a raw listing of all actions performed by transport agents. To see details on all actions that transport agents perform on an Edge Transport server, use the scripts located in the C:\Program Files\Microsoft\Exchange Server\Scripts folder. The folder contains several scripts that produce formatted reports listing information such as the top blocked sender domains, the top blocked senders, and the top blocked recipients. By default, the transport agent logs are located at C:\Program
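The Content Filter agent's SCL actions from the "Content Filtering" section, the quarantine mailbox configuration just described, and a review of the agent log in one Exchange Management Shell session. This is an added example, not code from the article; the thresholds, the quarantine mailbox, the bypassed recipient and the custom phrase are constructed example values.

```powershell
# Added example (not from the article): configure the Content Filter agent's SCL actions and
# quarantine mailbox, then review what the agents have done. Thresholds, mailbox names and
# the phrase are constructed examples; choose thresholds that fit your own mail profile.

# Actions by SCL (0-9): delete at 9, reject at 8, quarantine at 6 and 7. The rejection
# response replaces the default "550 5.7.1 Message rejected due to content restrictions".
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -RejectionResponse "Message rejected by the content filter" `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -QuarantineMailbox "spamquarantine@contoso.example"

# Custom words and exceptions: raise the SCL for a phrase, and exempt a recipient whose
# mail must never be filtered by content.
Add-ContentFilterPhrase -Phrase "guaranteed prize" -Influence BadWord
Set-ContentFilterConfig -BypassedRecipients "abuse@contoso.example"

# Check the configuration.
Get-ContentFilterConfig | Format-List SCL*Enabled, SCL*Threshold, QuarantineMailbox, RejectionResponse

# Review: raw agent actions for the last day, then a summary per agent and action so a
# sudden rise in rejections or quarantines stands out.
$since = (Get-Date).AddDays(-1)
Get-AgentLog -StartDate $since |
    Format-Table Timestamp, Agent, Action, P1FromAddress, Reason, ReasonData -AutoSize
Get-AgentLog -StartDate $since | Group-Object Agent, Action |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Check the quarantine mailbox and the per-action summary on a fixed schedule; a quarantine threshold that is too low shows up as a growing quarantine mailbox and a rising Content Filter Agent count in the summary before users start reporting missing mail.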
How Safelist Aggregation Works
The safelist collection is stored on the user's Mailbox server. The user configures the safelist collection by adding contacts to the Safe Recipients Lists or Safe Senders Lists in Office Outlook or through Microsoft Outlook Web Access. A user can have up to 1,024 unique entries in a safelist collection.
Tip: You can bypass all spam filtering for a specific recipient by setting the AntispamBypassEnabled property on the user's mailbox. When you set it to True, all the filtering is bypassed and the message is delivered directly to the recipient's mailbox. To configure this setting, use the Set-Mailbox -Identity mailboxname -AntispamBypassEnabled $true command.
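Safelist aggregation and the bypass setting from the tip above, with a check that lists every mailbox that bypasses filtering. This is an added example, not code from the article; the mailbox names are constructed.

```powershell
# Added example (not from the article): publish a user's safelist collection to the
# transport agents, bypass filtering for one mailbox, and audit who bypasses it.
# Mailbox names are constructed.

# Safelist aggregation: write the user's safelist collection from the mailbox to Active
# Directory so the Content Filter agent can honour the Safe Senders entries.
Update-SafeList -Identity "alice@contoso.example"

# Full bypass for a single mailbox, e.g. an abuse@ address that must see everything.
Set-Mailbox -Identity "abuse@contoso.example" -AntispamBypassEnabled $true

# Check: a bypassed mailbox receives mail untouched by every anti-spam agent, so keep the
# list short and review it; this lists every mailbox with the flag set.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AntispamBypassEnabled } |
    Format-Table Name, PrimarySmtpAddress, AntispamBypassEnabled -AutoSize
```

Run Update-SafeList on a schedule (for example a scheduled task that loops over Get-Mailbox) rather than once, because users keep editing their safe senders in Outlook and the agents only see what has been written to Active Directory.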
Adding a New Attachment Filter Entry
Exchange 2007 lets you configure multiple attachment filters on each Edge Transport server. If you have more than one Edge Transport server that accepts e-mail that you want to filter, you must configure the same attachment filter on each Edge Transport server.
To add a new attachment filter that filters e-mail attachments that have a specific MIME content type, use the following command:
For example, if you want to filter all JPEG images by using an attachment filter, run the following command on each Edge Transport server:
To add a new attachment filter that filters e-mail attachments based on a file name or file name extension, run the following command:
For example, if you want to filter all e-mail attachments that have the file name extension EXE, run the following command:
If you want to filter e-mail attachments that have a specific file name, you can specify that file name in the Name parameter when you specify the FileName value in the Type parameter. You must enclose the file name in double quotation marks if the file name contains a space.
You configure attachment filtering for each Edge Transport server role. All attachment filter entries that run on an Edge Transport server role use the same attachment filtering behavior. The following parameters are available on each Edge Transport server role to configure attachment filtering behavior:
- RejectResponse This parameter specifies the string response that is included in the non-delivery report (NDR) message if an e-mail message that has a filtered e-mail attachment is returned to the sender.
- Action This parameter specifies how attachment filtering handles an attachment that matches an attachment filter entry. The default value is Strip. Valid values include the following values:
· Reject Use this value to prevent both the e-mail message and attachment from being delivered to the recipient and to issue an NDR failure message to the sender.
· Strip Use this value to remove the attachment from the e-mail message. This value allows the message and other attachments that do not match an entry on the attachment block list to be delivered to the recipient. A notification that the attachment was blocked is added to the e-mail message.
· SilentDelete Use this value to prevent both the e-mail message and attachment from being delivered to the recipient. A notification that the e-mail message and attachment were blocked is not returned to the sender.
To configure attachment filtering on an Edge Transport server role, use the Set-AttachmentFilterListConfig cmdlet. For example, the following command configures the RejectResponse parameter:
To perform this procedure on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
- Run the following command to create a new attachment filter entry:
- Run the following command to configure the behavior of attachment filter entries on a specific Edge Transport server role:
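The attachment filter procedure above (the JPEG content-type entry, the EXE file-name entry, a quoted file name containing a space, and the filter behaviour with a custom RejectResponse) as an Exchange Management Shell session on an Edge Transport server. This is an added example, not code from the article; the reject text and the quoted file name are constructed.

```powershell
# Added example (not from the article): attachment filter entries and the filter's global
# behaviour on an Edge Transport server. The entries follow the article's JPEG and EXE
# cases; the quoted file name and the reject text are constructed examples.

# Filter by MIME content type (all JPEG images).
Add-AttachmentFilterEntry -Name "image/jpeg" -Type ContentType

# Filter by file name extension (all .exe attachments).
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName

# Filter one specific file name; it contains a space, so it must be quoted.
Add-AttachmentFilterEntry -Name "Invoice Details.exe" -Type FileName

# Behaviour for every entry on this server: return the message to the sender with an NDR
# instead of the default Strip. Valid actions: Reject, Strip, SilentDelete.
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "Message rejected: the attachment type is not permitted by policy."

# Check the configuration. Repeat the same commands on every Edge Transport server that
# accepts mail, because attachment filtering is configured per server.
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse
```

Reject makes the policy visible to legitimate senders, which suits an internal or partner-facing server; on an Internet-facing server SilentDelete avoids sending NDRs back to forged sender addresses.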
To use the Exchange Management Shell to create a new Receive connector
- Run the following command to create a Receive connector on the local server that has the default settings for the Internal usage type, and accepts connections from the specified remote IP address range:
· To create a new Send connector named "Subsidiary Send Connector" that has these settings, run the following command:
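The Receive connector and the "Subsidiary Send Connector" from the two procedures above, created from the Exchange Management Shell. This is an added example, not code from the article; the connector settings the article refers to are not on the page, so the remote IP range, the subsidiary domain, the smart host and the source server name HUB01 are constructed.

```powershell
# Added example (not from the article): a Receive connector for one remote IP range using
# the Internal usage type, and a Send connector that routes a subsidiary's domain to its
# gateway. IP ranges, domain names and the server name HUB01 are constructed.

# Receive connector: the Internal usage type is meant for Exchange servers and trusted
# relays, so restrict it to the relay's range rather than all addresses. On a server that
# also has the default connector, the connector with the most specific range wins.
New-ReceiveConnector -Name "DMZ relay inbound" -Usage Internal `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "192.0.2.0/24"

# Send connector: mail for the subsidiary's domain goes to its gateway (smart host), so
# DNS MX routing is turned off for this connector.
New-SendConnector -Name "Subsidiary Send Connector" -Usage Internal `
    -AddressSpaces "subsidiary.example" -SmartHosts "gateway.subsidiary.example" `
    -DNSRoutingEnabled $false -SourceTransportServers "HUB01"

# Check: confirm the ranges, address spaces and who is allowed to use each connector.
Get-ReceiveConnector "DMZ relay inbound" |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
Get-SendConnector "Subsidiary Send Connector" |
    Format-List Name, AddressSpaces, SmartHosts, DNSRoutingEnabled, SourceTransportServers
```

Review PermissionGroups on any Receive connector that faces the Internet: an Internal usage connector grants Exchange server permissions to whatever connects from the listed range, which is why the range must be only the trusted relay and never 0.0.0.0-255.255.255.255.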