How do I reject incoming email for unknown users in MS Exchange 2013, 2016 and above
Solution:
Recipient filters work differently in MS Exchange 2013 compared to previous version. As you can see from the session below the reject is done after the DATA is processed.
mail from:<me@example.com> 250 2.1.0 Sender OK rcpt to:<nouser@domain.com> 250 2.1.5 Recipient OK data 354 Start mail input; end with Write some Text Here. . 550 5.1.1 User unknown
The below example shows you how to setup a recipient filter for MS Exchange to reject unknown users.
This solution is for Exchange Servers 2013 and using the anti-spam agent for exchange. This is an available feature in the Edge Transport Server. However if you don't have Edge Transport Server it is possible to install the anti-spam agent in the Hub Transport Server.
First let's verify the Anti-Spam Functionality is enabled
- Start the Exchange Management Shell (EMS)
- Type the following:
Get-TransportAgent
Make sure the recipient filter agent is available and enabled. If it's not available, run the following command to install it.$prompt:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
If is available but disabled you can enable it by the below command
Enable-TransportAgent "Recipient Filter Agent"
Restart the Exchange Transport service after making the above changes.
The next step is to ensure your accepted domains are using the AddressBook for checking for valid recipients. By default, this should be enabled when you set up Exchange as an authoritative Mailbox Server for your domain.
- To check your server is going the AddressBook for validation do the following
Get-AcceptedDomain | Format-List Name,AddressBookEnabled
It should provide you with a list of all accepted domains and if the AddressBook is enable or not. If by any chance Exchange is not Authoritative and the AddressBook is disabled then enable it with:
Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true
Or, to enable for all domains (caution, make sure you are not relaying any domains before running this)
Exchange 2013Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true
Exchange 2016Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne "True"} | Set-AcceptedDomain -AddressBookEnabled $true
Now you should have Recipient Filter enabled on your Mailbox Server and AddressBook enabled on you domain. But, if you test this now, it probably still won't work. That's because validation is still disabled.
- To check the status of validation run the following
Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled
It should return that Recipient Filter is enable, but validation is not
Enabled : True RecipientValidationEnabled : False
- To enable validation run the following
Set-RecipientFilterConfig -RecipientValidationEnabled $true
- Restart the Exchange Transport service
If we now test we should see a reject on the unknown user, which can be tested using telnet
telnet yourExchangeServerHost 2525
mail from:<me@example.com> 250 2.1.0 Sender OK rcpt to:<real-user@domain.com> 250 2.1.5 Recipient OK rcpt to:<invaliduser@domain.com> 550 5.1.1 Address Unknown
Configuring for port 2525 in Xeams
The steps mentioned above will modify the Default Hub Transport connector in Exchange, which listens on port 2525 and not 25. This creates a problem because emails are sent to port 25. Using the following method you can force Xeams to validate the recipient on port 2525 but send the actual email to port 25.- Login as admin to the web interface
- Select SMTP Configuration under Server Configuration
- Click the link for Dynamic Recipient Verification, which is inside a green box on the left.
- Click Enable DRV and Save
- Add a new SMTP Server for DRV. This is done by entering your domain name, IP/host name of your Exchange Server and 2525 for port.
- Click Add Server to save.
Optional Step Disable Anti-Spam Agents
You may want to disable the other Anti-Spam Agents so that ONLY recipient verification is enabled. This will prevent issues such as your Exchange server blocking the Daily Quarantine Report, which will contain subjects of messages that are quarantined and Exchange may treat it as spam.Set-SenderFilterConfig -Enabled $false Set-SenderIDConfig -Enabled $false Set-ContentFilterConfig -Enabled $false Set-SenderReputationConfig -Enabled $falseFollowing commands will prompt for confirmation. Therefore, run them one at time.
Disable-TransportAgent "Sender Filter Agent" Disable-TransportAgent "Sender ID Agent" Disable-TransportAgent "Content Filter Agent" Disable-TransportAgent "Protocol Analysis Agent"