SpamTitan will do Recipient Verification to automatically bounce incoming messages addressed to invalid recipients, which can cut down on the amount of spam quite a bit; it also uses Recipient Verification for licensing.
That last piece is important if you only pay for say, 1000 users, but the appliance sees 1,500 recipients.
Dynamic Recipient Verification (DRV) is the easiest to manage - there are other options like LDAP and manual import, but no one wants to mess with that.
To use DRV, we need to enable Recipient Filtering on our Exchange environment. SpamTitan will then check with Exchange to verify if a recipient is valid or not, and either pass it through or bounce it.
SpamTitan has the following guide to enable DRV, but it only applies to Mailbox Servers, it doesn't cover if you're running an Edge Server.
https://helpdesk.spamtitan.com/support/solutions/articles/4000003763-dynamic-recipient-verification-using-exchange-2013-and-2016
The guide requires your Mailbox Servers to be internet-facing and involves allowing anonymous authentication on the Default Hub Transport connector on port 2525.
Edge Servers don't have a Default Hub Transport Connector, so there's no way to allow connections on port 2525.
I'll show you how to enable Dynamic Recipient Verification when you have an Edge in play.
First, enable Recipient Filtering:
On your Edge Server, in the Exchange Management Shell (EMS), run the following cmdlet to check our Recipient Filtering settings:
Get-RecipientFilterConfig
This should show the default settings, if you've never enabled any recipient filtering. The main thing to look for will be:
Name : RecipientFilterConfig
RecipientValidationEnabled : False
Enabled : True
We'll enable Recipient Filtering with the following cmdlet:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Now, run the first cmdlet, and you'll see it enabled and ready:
Name : RecipientFilterConfig
RecipientValidationEnabled : True
Enabled : True
Next, we'll enable our Accepted Domain(s) for Address Book recipient lookup:
Run the following cmdlet to check if Address Book is enabled:
Get-AcceptedDomain | FL Name,AddressBookEnabled
If it isn't enabled, run the following for each Authoritative Accepted Domain:
Set-AcceptedDomain "name of accepted domain" -AddressBookEnabled $true
Click Save, and you'll see that DRV is enabled for your domains:
**Note** When Recipient Verification is not enabled, you'll get a warning that you have exceeded your recipient count. If that happens, you can reset the count (up to 3 times) and then wait a day or so and DRV will show the correct count.
Now you can test by sending an external message to a bunk internal email address and watch it bounce:
The response from the remote server was:
550 5.1.1 <stace@exchangeitup.com>: Recipient address rejected: undeliverable address: host 66.66.66.66[66.66.66.66] said: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup (in reply to RCPT TO command)
As you can, we got a bounce from SpamTitan, and an explanation from our Edge server saying the address is invalid.
**Note** You can test by using telnet, but a lot of organizations don't allow telnet to port 25, so we're using just a regular email test.
Now w're all set! License count looks good, and dirty spammers will be bounced when they try to guess recipients.
RecipientValidationEnabled : True
Enabled : True
Next, we'll enable our Accepted Domain(s) for Address Book recipient lookup:
Run the following cmdlet to check if Address Book is enabled:
Get-AcceptedDomain | FL Name,AddressBookEnabled
If it isn't enabled, run the following for each Authoritative Accepted Domain:
Set-AcceptedDomain "name of accepted domain" -AddressBookEnabled $true
**Note** Change "name of accepted domain" to your Accepted Domain.
**Note** You only want to set this on Authoritative Domains, not Relay domains.
Next, configure Dynamic Recipient Verification on the SpamTitan:
Browse to Setup > Mail Relay > Domains.
Edit your domain(s) by clicking the "Pencil" icon, and select Dynamic Recipient Verification from the drop-down menu.
Enter your Edge Server IP or host name (this will usually match your Destination Server):
Edit your domain(s) by clicking the "Pencil" icon, and select Dynamic Recipient Verification from the drop-down menu.
Enter your Edge Server IP or host name (this will usually match your Destination Server):
And lastly, your license will reflect the correct recipient count:
Now you can test by sending an external message to a bunk internal email address and watch it bounce:
The response from the remote server was:
550 5.1.1 <stace@exchangeitup.com>: Recipient address rejected: undeliverable address: host 66.66.66.66[66.66.66.66] said: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup (in reply to RCPT TO command)
As you can, we got a bounce from SpamTitan, and an explanation from our Edge server saying the address is invalid.
**Note** You can test by using telnet, but a lot of organizations don't allow telnet to port 25, so we're using just a regular email test.
Now w're all set! License count looks good, and dirty spammers will be bounced when they try to guess recipients.
No comments:
Post a Comment