Friday, October 25, 2019

Exchange SpamTitan Dynamic Recipient Verification With Edge Server

You may be reading the title of this post and wonder "why would you have an Edge Server and a spam filter?". Funny story: Well, not so funny. Back during planning of my Exchange environment, it was suggested by a Lotus Notes admin (who knows nothing about Exchange) that we should have an Edge. I (the Exchange admin) said "no, that's overkill". Well, my advice wasn't taken and we installed the Edge. The "funny" part: 3 years later I was asked "can we remove the Edge?" Come on! Of course not, it's there, it's staying put!

SpamTitan will do Recipient Verification to automatically bounce incoming messages addressed to invalid recipients, which can cut down on the amount of spam quite a bit; it also uses Recipient Verification for licensing. 
That last piece is important if you only pay for say, 1000 users, but the appliance sees 1,500 recipients.

Dynamic Recipient Verification (DRV) is the easiest to manage - there are other options like LDAP and manual import, but no one wants to mess with that. 
To use DRV, we need to enable Recipient Filtering on our Exchange environment. SpamTitan will then check with Exchange to verify if a recipient is valid or not, and either pass it through or bounce it.

SpamTitan has the following guide to enable DRV, but it only applies to Mailbox Servers, it doesn't cover if you're running an Edge Server.


The guide requires your Mailbox Servers to be internet-facing and involves allowing anonymous authentication on the Default Hub Transport connector on port 2525.
Edge Servers don't have a Default Hub Transport Connector, so there's no way to allow connections on port 2525.

I'll show you how to enable Dynamic Recipient Verification when you have an Edge in play.

First, enable Recipient Filtering:

On your Edge Server, in the Exchange Management Shell (EMS), run the following cmdlet to check our Recipient Filtering settings:


This should show the default settings, if you've never enabled any recipient filtering. The main thing to look for will be:

Name                                      : RecipientFilterConfig
RecipientValidationEnabled  : False
Enabled                                  : True

We'll enable Recipient Filtering with the following cmdlet:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

Now, run the first cmdlet, and you'll see it enabled and ready:

Name                                    : RecipientFilterConfig
RecipientValidationEnabled  : True
Enabled                                 : True

Next, we'll enable our Accepted Domain(s) for Address Book recipient lookup:

Run the following cmdlet to check if Address Book is enabled:

Get-AcceptedDomain | FL Name,AddressBookEnabled

If it isn't enabled, run the following for each Authoritative Accepted Domain:

Set-AcceptedDomain "name of accepted domain" -AddressBookEnabled $true
**Note** Change "name of accepted domain" to your Accepted Domain.

**Note** You only want to set this on Authoritative Domains, not Relay domains.

Next, configure Dynamic Recipient Verification on the SpamTitan:

Browse to Setup > Mail Relay > Domains.  

Edit your domain(s) by clicking the "Pencil" icon, and select Dynamic Recipient Verification from the drop-down menu. 

Enter your Edge Server IP or host name (this will usually match your Destination Server):

SpamTitan Edit Domain

Click Save, and you'll see that DRV is enabled for your domains:

SpamTitan DRV Enabled

And lastly, your license will reflect the correct recipient count:

SpamTitan License Count

**Note** When Recipient Verification is not enabled, you'll get a warning that you have exceeded your recipient count. If that happens, you can reset the count (up to 3 times) and then wait a day or so and DRV will show the correct count.

Now you can test by sending an external message to a bunk internal email address and watch it bounce:

SpamTitan Bounce

The response from the remote server was:

550 5.1.1 <stace@exchangeitup.com>: Recipient address rejected: undeliverable address: host[] said: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup (in reply to RCPT TO command)

As you can, we got a bounce from SpamTitan, and an explanation from our Edge server saying the address is invalid.

**Note** You can test by using telnet, but a lot of organizations don't allow telnet to port 25, so we're using just a regular email test.

Now w're all set! License count looks good, and dirty spammers will be bounced when they try to guess recipients.

No comments:

Post a Comment