How do I reject incoming email for unknown users in MS Exchange 2013, 2016 and above

Solution:

Recipient filtering works differently in MS Exchange 2013 and later compared to previous versions. As you can see from the session below, the reject is issued only after the message DATA has been processed, not at RCPT TO.

mail from:<me@example.com>
250 2.1.0 Sender OK
rcpt to:<nouser@domain.com>
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
Write some Text Here.
.
550 5.1.1 User unknown

The example below shows how to set up a recipient filter in MS Exchange so that unknown users are rejected.

This solution applies to Exchange Server 2013 and later and uses the anti-spam agents for Exchange. This feature is available on the Edge Transport Server. If you don't have an Edge Transport Server, it is possible to install the anti-spam agents on the Hub Transport Server instead.

First, let's verify that the anti-spam functionality is enabled:

  1. Start the Exchange Management Shell (EMS).
  2. Type the following:

    Get-TransportAgent

    Make sure the Recipient Filter Agent is listed and enabled. If it is not listed, run the following script to install the anti-spam agents:

    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

    If it is listed but disabled, enable it with:

    Enable-TransportAgent "Recipient Filter Agent"

Restart the Exchange Transport service after making the above changes.

The next step is to ensure your accepted domains are using the AddressBook for checking for valid recipients. By default, this should be enabled when you set up Exchange as an authoritative Mailbox Server for your domain.

  1. To check that your server is using the AddressBook for validation, run the following:

    Get-AcceptedDomain | Format-List Name,AddressBookEnabled

    This lists all accepted domains and whether the AddressBook is enabled for each. If by any chance Exchange is not authoritative and the AddressBook is disabled, enable it with:

    Set-AcceptedDomain -Identity "<name of accepted domain>" -AddressBookEnabled $true

    Or, to enable it for all domains (caution: make sure you are not relaying any domains before running this):

    Exchange 2013:

    Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true

    Exchange 2016:

    Get-AcceptedDomain | Where-Object {$_.AddressBookEnabled -ne $true} | Set-AcceptedDomain -AddressBookEnabled $true

Now you should have the Recipient Filter enabled on your Mailbox Server and the AddressBook enabled on your domain. But if you test this now, it probably still won't work. That's because recipient validation is still disabled.

  1. To check the status of validation, run the following:

    Get-RecipientFilterConfig | Format-List Enabled,RecipientValidationEnabled

    It should return that the Recipient Filter is enabled, but validation is not:

    Enabled : True
    RecipientValidationEnabled : False

  2. To enable validation, run the following:

    Set-RecipientFilterConfig -RecipientValidationEnabled $true

  3. Restart the Exchange Transport service.

If we now test, we should see the unknown user rejected at RCPT TO. This can be checked using telnet:

telnet yourExchangeServerHost 2525

mail from:<me@example.com>
250 2.1.0 Sender OK
rcpt to:<real-user@domain.com>
250 2.1.5 Recipient OK
rcpt to:<invaliduser@domain.com>
550 5.1.1 Address Unknown
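The telnet checks shown in both sessions above (before and after enabling validation), automated as a small Python probe. This is an added example and not part of the original article or Xeams: it issues only MAIL FROM and RCPT TO, so no message is ever delivered, and it reports whether the unknown user was refused at RCPT TO or accepted (meaning validation is still off and the reject would only come after DATA). The stand-in server is constructed so the probe can be exercised offline; the host name probe.example, the sender and the nouser address are assumptions.

```python
import smtplib
import socket
import threading

def probe_recipient_validation(host, port, sender, unknown_rcpt):
    """'rejected-at-rcpt' if an unknown user is refused at RCPT TO, else
    'accepted-at-rcpt' (validation off). No DATA is sent, nothing is delivered."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example")          # hypothetical probe hostname
        code, _ = smtp.mail(sender)
        if code != 250:
            return "sender-rejected"
        code, _ = smtp.rcpt(unknown_rcpt)
        smtp.rset()                         # abandon the transaction cleanly
    return "rejected-at-rcpt" if code >= 500 else "accepted-at-rcpt"

def _serve_fake_exchange(srv, validate):
    """Constructed stand-in answering like the article's sessions:
    validate=True rejects 'nouser@' at RCPT TO, validate=False accepts it."""
    conn, _ = srv.accept()
    srv.close()
    conn.sendall(b"220 fake.exchange ESMTP\r\n")
    for raw in conn.makefile("rb"):
        line = raw.decode(errors="replace").strip().upper()
        if line.startswith(("EHLO", "HELO")):
            conn.sendall(b"250 fake.exchange Hello\r\n")
        elif line.startswith("MAIL FROM"):
            conn.sendall(b"250 2.1.0 Sender OK\r\n")
        elif line.startswith("RCPT TO"):
            unknown = validate and "NOUSER@" in line
            conn.sendall(b"550 5.1.1 User unknown\r\n" if unknown
                         else b"250 2.1.5 Recipient OK\r\n")
        elif line.startswith("RSET"):
            conn.sendall(b"250 2.0.0 Resetting\r\n")
        elif line.startswith("QUIT"):
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"500 5.5.1 Unrecognized command\r\n")
    conn.close()

def start_fake_exchange(validate):
    """Start the stand-in on an ephemeral localhost port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_fake_exchange, args=(srv, validate),
                     daemon=True).start()
    return srv.getsockname()[1]
```

Against a real server, call probe_recipient_validation with your Exchange host, port 2525 and an address you know does not exist; "accepted-at-rcpt" means one of the steps above is still missing.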

Configuring for port 2525 in Xeams

The steps above modify the Default Hub Transport connector in Exchange, which listens on port 2525, not 25. This creates a problem because inbound email is delivered to port 25. Using the following method you can make Xeams validate the recipient on port 2525 but deliver the actual email to port 25.

  • Login as admin to the web interface
  • Select SMTP Configuration under Server Configuration
  • Click the link for Dynamic Recipient Verification, which is inside a green box on the left.
  • Click Enable DRV and Save
  • Add a new SMTP Server for DRV. This is done by entering your domain name, the IP/host name of your Exchange Server, and 2525 as the port.
  • Click Add Server to save.

Optional Step: Disable Anti-Spam Agents

You may want to disable the other anti-spam agents so that ONLY recipient verification is enabled. This prevents issues such as your Exchange server blocking the Daily Quarantine Report: that report contains the subjects of quarantined messages, so Exchange may treat it as spam.

    Set-SenderFilterConfig -Enabled $false
    Set-SenderIDConfig -Enabled $false
    Set-ContentFilterConfig -Enabled $false
    Set-SenderReputationConfig -Enabled $false

The following commands will prompt for confirmation, so run them one at a time.

    Disable-TransportAgent "Sender Filter Agent"
    Disable-TransportAgent "Sender ID Agent"
    Disable-TransportAgent "Content Filter Agent"
    Disable-TransportAgent "Protocol Analysis Agent"