SpamTitan

Dynamic Recipient Verification using MS Exchange 2013 and 2016

Since the release of Exchange 2013, Microsoft has altered the behavior of the Exchange FrontEnd Transport service so that it no longer rejects invalid recipients after they are specified. Instead, the rejection is performed after the DATA command has been issued, which breaks Dynamic Recipient Verification in SpamTitan.

As a workaround, access must be given to the Default HubTransport connector which is still SMTP compliant, and rejects invalid recipients after they are specified using the RCPT TO command. By default, the Default HubTransport connector is accessed on port 2525.

Notice

The instructions below include information about tools that are not owned or managed by TitanHQ and are only intended as a guideline to help you. As such, the information may be subject to change without us knowing.

If you notice anything incorrect, please email docs@titanhq.com and let us know.

  1. Check if Exchange Anti-Spam Agents are installed.

    This check can be performed using the Exchange Management Shell (EMS). Open EMS and issue the following command:

    Get-TransportAgent

    Results similar to these should return if the Anti-Spam Agents are installed - check if Recipient Filter Agent is listed:

    [Screenshot: sample Get-TransportAgent output]

    If Recipient Filter Agent is not listed, issue the following command to install the Exchange Anti-Spam Agents:

    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

  2. Ensure the Recipient Filtering Agent is enabled.

    Issue the following command again to verify that Recipient Filter Agent has been installed and is enabled:

    Get-TransportAgent

    If Recipient Filter Agent is not shown as enabled (True), run the following command to enable it:

    Enable-TransportAgent "Recipient Filter Agent"

    Restart the Microsoft Exchange Transport service.

  3. Ensure AddressBook is enabled.

    You need to verify that your accepted domains are using Address Book to check for valid recipients. By default, this is enabled when you set Exchange as an authoritative Mailbox Server for your domain. To check, run the following from the shell:

    Get-AcceptedDomain | Format-List Name,AddressBookEnabled

    You will get a list of all accepted domains and whether Address Book is enabled or not. If Exchange is authoritative, but Address Book is disabled, enable it with the following:

    Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true

    To enable for all domains:

    Caution

    Ensure you are not relaying any domains before running these scripts.

    • For Exchange 2013 use:

      Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true

    • For Exchange 2016 use:

      Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne "True"} | Set-AcceptedDomain -AddressBookEnabled $true

    Restart the Microsoft Exchange Transport service.

  4. Ensure Recipient Validation is enabled.

    Recipient Filter should now be enabled on your mailbox server and Address Book should be enabled on your domain. However, if you test this it may not be working if Validation is still disabled. To check, run:

    Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled

    It should return that Recipient Filter is enabled, but if validation is not enabled, run this command:

    Set-RecipientFilterConfig -RecipientValidationEnabled $true

    Restart the Microsoft Exchange Transport service.

  5. Allow access to the Default receive connector.

    From the Exchange Administrative Center, go to Mail Flow > Receive Connectors.

    Edit the "Default <servername> connector", go to the Security tab and ensure that Anonymous users are allowed. This allows connections to this Receive connector so it can be used for Dynamic Recipient Verification, but mail cannot be delivered directly via this connector. By default, this connector can be accessed on port 2525.

    If SpamTitan accesses your mail server via a firewall, open your firewall and forward port 2525 to your Exchange server. Access to this port can be restricted to your SpamTitan IP address(es).

  6. Test Recipient Filtering.

    You can test Recipient Verification through the additional port by telnetting to that port. For example, telnet mail.domain.com 2525.

    Note

    Telnet is no longer installed in Windows by default. You can install it in Windows Control Panel > Programs & Features, or use a third-party client such as PuTTY.

    Below is a sample test. The lines beginning with ehlo, mail from: and rcpt to: are the commands you have to enter; the other lines are the server's responses. Replace @your_domain.com with a domain hosted by your mail server.

    220 ex2013.domain.com Microsoft ESMTP MAIL Service ready at Tue, 18 Mar 2020 20:39:41 +0100

    ehlo server.com

    250-ex2013.domain.com Hello [192.168.***.***]

    mail from: <email@external.com>

    250 2.1.0 Sender OK

    rcpt to: <fakeuser@your_domain.com>

    550 5.1.1 User unknown

  7. Configure SpamTitan to use port 2525 for dynamic recipient verification.

    Go to System Setup > Mail Relay > Domains and edit the domain.

    Select Dynamic Recipient Verification from the drop-down menu and enter your mail server IP or hostname followed by :2525. For example, 192.168.0.1:2525 or mail.domain.com:2525.

    Note

    If you are running multiple Exchange servers behind an Exchange Edge or Transport server, you need to ensure that the antispam agents are installed on all of them. Therefore, Step 1 needs to be carried out on all mailbox servers, not just the Edge server.

  8. Disable the other Anti-Spam Agents (optional, but recommended).

    You may want to disable the other Anti-Spam Agents so that ONLY recipient verification is enabled. This prevents issues such as your Exchange server blocking the SpamTitan Quarantine Report. This report contains a list of subject lines from spam emails and may be blocked as spam by the Content Filter Agent:

    Set-SenderFilterConfig -Enabled $false

    Set-SenderIDConfig -Enabled $false

    Set-ContentFilterConfig -Enabled $false

    Set-SenderReputationConfig -Enabled $false

    Perform these one at a time since they each require an answer of “Y”:

    Disable-TransportAgent "Sender Filter Agent"

    Disable-TransportAgent "Sender ID Agent"

    Disable-TransportAgent "Content Filter Agent"

    Disable-TransportAgent "Protocol Analysis Agent"
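
The configuration checks from steps 1 to 4 and the telnet test from step 6 can be run in one pass. The following PowerShell is an added example, not TitanHQ or Microsoft code; the server name, sender and both test addresses are placeholders, and realuser@your_domain.com is a hypothetical mailbox that you must replace with one that exists.

```powershell
# Added example, not TitanHQ's script. Run in the Exchange Management Shell.
# Placeholders (assumptions): server name, sender and both test addresses.
$Server  = 'mail.domain.com'
$Port    = 2525
$Sender  = 'email@external.com'
$Invalid = 'fakeuser@your_domain.com'   # must NOT exist in your directory
$Valid   = 'realuser@your_domain.com'   # hypothetical; use a real mailbox

# Configuration state from steps 1 to 4.
$agent = Get-TransportAgent -Identity 'Recipient Filter Agent' -ErrorAction SilentlyContinue
$rfc   = Get-RecipientFilterConfig
$checks = [ordered]@{
    'Recipient Filter Agent installed' = [bool]$agent
    'Recipient Filter Agent enabled'   = [bool]($agent -and $agent.Enabled)
    'Recipient filtering enabled'      = [bool]$rfc.Enabled
    'Recipient validation enabled'     = [bool]$rfc.RecipientValidationEnabled
}
# Step 3: list every accepted domain so relay domains can be reviewed by eye.
Get-AcceptedDomain | Format-Table Name, DomainType, AddressBookEnabled -AutoSize | Out-Host

# Step 6 without telnet: return the server's reply to RCPT TO for one recipient.
function Test-RcptTo {
    param([string]$Recipient)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        # Multi-line replies use "250-" on every line except the last ("250 ").
        $readReply = { do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-'); $line }
        $reply = & $readReply                      # 220 banner
        foreach ($cmd in "EHLO $env:COMPUTERNAME", "MAIL FROM:<$Sender>", "RCPT TO:<$Recipient>") {
            $writer.WriteLine($cmd)
            $reply = & $readReply
        }
        $writer.WriteLine('QUIT')
        return $reply                              # reply to the RCPT TO command
    } finally { $client.Close() }
}

# A server that rejects or accepts everything would pass one test alone, so run both.
$checks['Unknown recipient rejected (550)'] = (Test-RcptTo $Invalid) -like '550*'
$checks['Known recipient accepted (250)']   = (Test-RcptTo $Valid) -like '250*'
$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The Test-RcptTo function uses no Exchange cmdlets, so it can also be run on its own from another host to confirm that port 2525 is reachable only from the addresses you allowed in step 5.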