How to Setup Anti-Spam in Exchange 2007 When Using a Mail Hosting Company


[Today's post comes to us courtesy of Shawn Sullivan]

Exchange 2007 introduces a built-in feature called Sender Reputation for both the Edge and Hub Transport server roles. The purpose of Sender Reputation is to record the legitimacy, through a number of tests, of each external SMTP server that sends email to Exchange. For detailed information on how Sender Reputation works, please visit the following link: http://technet.microsoft.com/en-us/library/bb124512.aspx

By default, SBS 2008 is aggressive in blocking suspicious senders, and since all inbound e-mail is coming from the same sending server, there is a risk that the hosting company server could be incorrectly blocked. This feature will eventually block an offending host for 24 hours.

Furthermore, you also need to consider Sender ID Filtering, which is also enabled by default on SBS. Since all e-mail is coming from a series of hosts that are most likely not the designated approved senders (as they are your hosting company's servers), the SPF check will fail and, among other things, raise the probability that the sender reputation check fails. This can cause an issue for those using a 3rd party mail hosting service to deliver incoming email. Based on the nature of their operation, these SMTP servers will likely fail some of the criteria used by Exchange once they connect, resulting in denied connections and broken inbound email flow.

The other scenario you need to consider is if you have a non-Exchange mail server in your organization that is accepting inbound e-mails, performing messaging hygiene functions and then forwarding the e-mails to the Exchange server running on the SBS server. In that case, you should add the IP of this server to your InternalSMTPServers. If you have a firewall doing SMTP proxy and the connections appear to come from the internal IP, you may also have to add that internal IP; however, you should not do this unless the firewall is performing messaging hygiene.

To resolve this problem, you will need to add the IP address ranges of the hosting SMTP servers to a list trusted by Exchange. Open the Exchange Management Shell as Administrator and type the following:

Set-TransportConfig -InternalSMTPServers <IP>

For example, if we were using Exchange Hosted Service message hygiene and compliance, then we would run:

Set-TransportConfig -InternalSMTPServers 127.0.0.1, 12.129.20.0/24, 63.241.222.0/24, 207.46.51.64/26, 207.46.163.0/24, 213.199.154.0/24, 213.244.175.0/24, 216.32.180.0/24, 216.32.181.0/24, 12.129.199.61, 12.129.219.155, 206.16.57.70

To verify that these have been added correctly, you can run the following cmdlet to display the entries:

Get-TransportConfig | ft "InternalSMTPServers"

Once added, connections from these IP addresses will have bypass-anti-spam access rights on each receive connector in your organization; so take caution and make sure you are truly adding trusted IPs only.
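
Because every listed address bypasses anti-spam on every receive connector, it helps to check which entry, if any, covers a given connecting IP and whether any entry is wider than intended. The PowerShell below is an added example, not part of the original post; the function names, the /24 review threshold and the probe addresses are assumptions, and the trusted entries are a subset of the list shown above.

```powershell
# Added example. Function names and the two probe addresses are assumptions;
# the trusted entries are a subset of the list shown in the post.

function ConvertTo-IPv4Number ([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $Ip" }
    $bytes = $addr.GetAddressBytes()
    [Array]::Reverse($bytes)                  # network order -> little-endian
    [double]([BitConverter]::ToUInt32($bytes, 0))
}

function Get-RangeBounds ([string]$Entry) {
    $parts = $Entry.Trim().Split('/')
    if ($parts.Length -gt 2) { throw "Malformed entry: $Entry" }
    $prefix = 32                              # bare address = single host
    if ($parts.Length -eq 2) { $prefix = [int]$parts[1] }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix in: $Entry" }
    $base  = ConvertTo-IPv4Number $parts[0]
    $size  = [Math]::Pow(2, 32 - $prefix)     # number of addresses covered
    $start = $base - ($base % $size)          # clear any host bits
    @{ Entry = $Entry; Prefix = $prefix; Start = $start; End = $start + $size - 1 }
}

# Returns the first trusted entry covering $SourceIp, or $null if none does.
function Find-TrustedMatch ([string]$SourceIp, [string[]]$Trusted) {
    $ip = ConvertTo-IPv4Number $SourceIp
    foreach ($entry in $Trusted) {
        $r = Get-RangeBounds $entry
        if ($ip -ge $r.Start -and $ip -le $r.End) { return $entry }
    }
    return $null
}

# Returns entries with a prefix shorter than $MinPrefix (threshold is an assumption).
function Get-BroadEntries ([string[]]$Trusted, [int]$MinPrefix = 24) {
    $Trusted | Where-Object { (Get-RangeBounds $_).Prefix -lt $MinPrefix }
}

$trusted = '127.0.0.1', '12.129.20.0/24', '207.46.51.64/26', '12.129.199.61'

Find-TrustedMatch '207.46.51.70' $trusted     # probe an address from a hosted range
Find-TrustedMatch '203.0.113.10' $trusted     # probe a constructed outside address
Get-BroadEntries  $trusted                    # list entries to review before trusting
```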

IMPORTANT:  If you are using one of our partner registrars to host your external DNS information while using a mail hosting company to accept your email, you will need to either set or create the following registry key on your SBS 2008 server:

HKLM\Software\Microsoft\SmallBusinessServer\networking\Services
Value: SkipMXConfig
Type: REG_DWORD
Data: 1

This prevents the dynamic DNS service on the SBS 2008 server from incorrectly changing the IP address on your MX to point to your router’s public IP instead of your mail host. The DDNS service checks this every 5 minutes by default when you choose to host your DNS at a partner registry when you run the Internet Address Management Wizard (IAMW).

You do not need to set this if you have chosen the option to manage your domain name yourself using the IAMW.

Additional Information:

IP address range information for Exchange Defender and Postini can be found in the following links:

Comments
  • In some small organizations, it may make sense to run Microsoft Exchange Server 2007 anti-spam features on Hub Transport servers. For example, some small organizations may not have enough e-mail volume to justify the cost of installing and maintaining a full perimeter network together with an Edge Transport server. This article describes how to enable Microsoft Exchange (http://www.apps4rent.com) anti-spam functionality on Hub Transport servers.

    The Install-AntispamAgents.ps1 script installs and enables the following anti-spam features:

       * Connection filtering

       * Content filtering

       * Sender ID

       * Sender filtering

       * Recipient filtering

       * Sender reputation

  • I have a new SBS 2008 server and the anti-spam agents are preinstalled on the hub transport. My question is this. I have setup IP Block List Providers, works no problem, but when I try to access the IP Allow List or the IP Block List, they do not have a "Properties" so I can configure a trusted IP for example to bypass the IP Block List Providers.

  • Does this apply if I am using POP on Exchange?  If I have GoDaddy as a host and the mail POPs to my Exchange, do I need to list the IPs from GoDaddy's servers?

    Thanks