
Configure Exchange 2003 to check recipients in SMTP protocol

For years, people have been asking me, "how can I make Exchange work just like sendmail, where it rejects invalid recipients during the SMTP protocol?" Sendmail has historically not had a directory, so checking whether a recipient was valid was just a getpwnam() call, which is quick. Of course, when Exchange accepts a user who is not in the directory, it issues a non-delivery report later, once it has done a directory lookup, so Exchange is not actually open for relay as some people might think. Accepting mail for nonexistent users in a local domain does not meet my definition of "open for relay". For three major reasons, Exchange has not had this feature:

  1. Because Exchange has a distributed directory, it's possible that one machine doesn't know about users added elsewhere in the system, so you don't want one server to deny those users just because they haven't replicated to that location yet.
  2. For performance: at one point, we thought that we didn't want to do a directory lookup during the SMTP protocol conversation. The risk is that MUAs connecting to us might not appreciate having to hang on for a second or two while we do a directory lookup.
  3. (Perhaps most importantly nowadays) Because doing this allows a spammer to harvest known-good recipient addresses with a brute-force dictionary attack. Some systems mitigate this today by "tarpitting", where, say, the 20th RCPT command and every one after it adds a sleep(1). This can slow down legitimate mail traffic, so it is best done with care.

Well enough people asked for this that we actually put this recipient lookup feature into Exchange 2003.  Enough people have asked me about it, and I don't see a KB article that explains it (I'm going to mail the right people to get that solved as well), so I wanted to quickly describe how to enable it.

Enable directory lookup for recipients in the recipient filter

  1. Open Exchange System Manager. 
  2. Open Global Settings, right-click on Message Delivery, choose Properties
  3. Choose the "Recipient Filtering" tab
  4. Check the box "Filter recipients who are not in the Directory"
  5. Click OK to close.

Enable the recipient filter on the SMTP protocol binding that accepts mail from the Internet

  1. Navigate to the SMTP Virtual Server that listens on the Internet (repeat all of these steps if you have more than one)
  2. Right-click on the SMTP Virtual Server, choose Properties
  3. On the "General" tab (already open), click the "Advanced..." button next to IP address
  4. Choose the IP/port binding that corresponds to the one that listens on the Internet.  Either double-click or click the "Edit..." button.
  5. Click the checkbox next to "Apply Recipient Filter"
  6. Click OK three times to close this.

Now, when someone does a RCPT TO: invaliduser@localdomain, they will get a:

550 5.5.1 User unknown
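To make the difference concrete, here is an added simulation (editor's example, not Exchange code) of how a RCPT TO is handled with and without the recipient filter, plus the tarpit behaviour the post describes for contrast. The local domain, the directory contents, and the "550 5.7.1 Unable to relay" reply for foreign domains are constructed stand-ins.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                            # constructed
DIRECTORY = {"alice@example.com", "bob@example.com"}    # constructed stand-in for AD
TARPIT_FROM = 20   # the post's example: the 20th RCPT and higher get a sleep(1)


@dataclass
class Session:
    """One inbound SMTP session on a virtual server binding."""
    recipient_filter: bool = True    # the "Apply Recipient Filter" checkbox
    tarpit: bool = False             # not built into Exchange 2003; shown for contrast
    rcpt_count: int = 0
    accepted: list = field(default_factory=list)

    def rcpt_to(self, address):
        """Handle one RCPT TO. Returns (reply line, tarpit delay in seconds)."""
        self.rcpt_count += 1
        # delay is returned rather than slept so the caller can inspect it
        delay = 1 if self.tarpit and self.rcpt_count >= TARPIT_FROM else 0
        addr = address.strip().strip("<>").lower()
        local_part, at, domain = addr.rpartition("@")
        if not (local_part and at and domain):
            return "501 5.1.3 Invalid address", delay
        if domain != LOCAL_DOMAIN:
            # relay policy is a separate decision; constructed reply text
            return "550 5.7.1 Unable to relay", delay
        if self.recipient_filter and addr not in DIRECTORY:
            # rejected in-protocol, so no NDR is ever generated for it
            return "550 5.5.1 User unknown", delay
        self.accepted.append(addr)
        return "250 2.1.5 Recipient OK", delay

    def deliver(self):
        """Post-DATA directory lookup: addresses accepted in the protocol but
        absent from the directory are the ones that get an NDR later."""
        return [a for a in self.accepted if a not in DIRECTORY]
```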

Keep the questions about Exchange 2003 coming, I'll post the answers here so everyone can see them.

Published Friday, October 17, 2003 8:54 PM by dlemson

Comments

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

Great tip David! Will you post back when this is put in a KB article. Also, any plans by the exchange group to look at implementing SPF records for use with Exchange? http://spf.pobox.com/ Thanks, Todd
Thursday, October 23, 2003 3:59 PM by Todd Booher

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

We have been involved in a number of groups, both internet-focused and industry-focused, that are looking at how to reduce spam and spoofing on the Internet. The short answer is: yes, we are looking at implementing things like SPF to help stop spoofing.
Friday, October 24, 2003 2:31 PM by David Lemson

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

David, Does Exchange 2003 support the "tarpitting" with the recipient filtering? If so, how would it be configured?
Thursday, October 30, 2003 1:19 PM by Karan Mavai

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

If we have message journalling to an external SMTP address enabled, will the forwarded emails be scanned before going out by anti-virus software like ScanMail etc. (we don't have SMTP-level scanners)? Do the forwarded emails enter the information store and then get sent out? Thanks, Madura
Friday, October 31, 2003 12:10 AM by Madura

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

Todd: there is a quote from one of my co-workers in this MSNBC story (http://www.msnbc.com/news/986879.asp) that talks about spf.pobox.com as well as some other things.
Monday, November 03, 2003 1:23 PM by David Lemson

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

Oops, I forgot not to post comments within WinBlogX... sorry :-) Karan: No that feature is not built in. We are considering it for the future. Madura: It depends on your topology. I would say that in most cases, forwarded mails do not enter the information store to be scanned for viruses by store-based virus scanners. Many virus scanners do not have SMTP-based virus scanners, in Exchange 2003 we added a new interface to make it super-easy for them to adapt their store-based virus scanners to work on SMTP.
Monday, November 03, 2003 1:35 PM by David Lemson

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

hello: is there any anti-spoofing in exchange 2000?..in other words can I tell it not to accept any emails claiming to be from local mailboxes if the source IP address is not one we specify ?
Thursday, November 13, 2003 10:58 AM by imdoe39

# RE: Configure Exchange 2003 to check recipients in SMTP protocol

Thanks for the previous reply. I have another question on journaling. I need to journal all the emails on an Exchange 2000 server to an external SMTP address and it should be 100% reliable. I have enabled journaling and it works. But if the remote server fails (the external journaled SMTP address is unreachable) I don't receive any NDRs for the journaled emails. How can we avoid this situation? I need to know if an email is not journaled and I need to journal it back somehow when the remote server is up again. How can we achieve this? Thanks, Madura
Friday, January 02, 2004 11:50 AM by Madura

# re: Configure Exchange 2003 to check recipients in SMTP protocol

I am in the process of migrating from Exchange 5.5 to Exchange 2003 for a company that has multiple small (less than 5 users) branch offices.

They want to migrate slowly, so here's my dilemma: The current Exchange 5.5 will still be active for a while. I'm using the Exchange Migration Wizard in Exchange 2003 to migrate the mailbox data over.

All incoming mail needs to be split between the two servers, as the new Exchange 2003 server will be gradually hosting more & more of the users.

Can you point me in the right direction where I can learn to write an SMTP event sink to route some recipients to one server, & others to the other? Thanks!

I can't join the Exchange 2003 server to the same Exchange 5.5 site, as it's in a different domain.
Wednesday, March 03, 2004 8:48 AM by Luke Edson

# re: Configure Exchange 2003 to check recipients in SMTP protocol

Is there any way to track the IP address of systems receiving the 550 5.5.1 errors? I have SMTP logging turned on, but I don't see anything obvious in the logs that shows that the connection was rejected for this reason. I'd like to be able to keep an eye out, and if a system is brute forcing I'd like to notify abuse. Anywhere that I could get this info to extract out in an automated way? I.e. can it be logged to the event log?
Tuesday, April 27, 2004 5:12 AM by Troy
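One way to get at what Troy is asking for, as an added example that is not part of the post or of Exchange: read the SMTP protocol log, keep the RCPT commands that drew a 550, and flag client IPs that accumulate several such rejects inside a short window. The sample log is constructed in the W3C extended style IIS can write; the exact field list on a real server is whatever its own #Fields header says, which is why the parser takes column positions from that header instead of assuming them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; field names follow the W3C extended convention but the
# set and order of fields are assumptions, not a real server's log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-04-27 05:10:00 198.51.100.7 RCPT +TO:<alice@example.com> 250
2004-04-27 05:10:01 203.0.113.9 RCPT +TO:<aaron@example.com> 550
2004-04-27 05:10:01 203.0.113.9 RCPT +TO:<abby@example.com> 550
2004-04-27 05:10:02 203.0.113.9 RCPT +TO:<adam@example.com> 550
2004-04-27 05:10:02 203.0.113.9 RCPT +TO:<bob@example.com> 250
2004-04-27 05:10:03 203.0.113.9 RCPT +TO:<alan@example.com> 550
2004-04-27 05:10:03 198.51.100.7 RCPT +TO:<nobody@example.com> 550
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def harvesting_sources(text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: peak count} for clients whose RCPT commands drew at
    least `threshold` 550 replies within any span of length `window`."""
    rejects = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "RCPT" and rec.get("sc-status") == "550":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            rejects[rec["c-ip"]].append(ts)
    flagged = {}
    for ip, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over the rejects
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

A single 550 from a legitimate sender who mistyped an address stays below the threshold, so the output is a short list of candidates rather than every rejected recipient.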

# re: Configure Exchange 2003 to check recipients in SMTP protocol

What about us poor guys who are still on an NT 4.0 domain and Exchange 5.5? We are getting hammered with invalid recipients with an originator of <>. I am getting about 10,000 a day.... I need a solution....

Thanks,
Scott Hart...
Tuesday, June 08, 2004 1:13 PM by Scott Hart

# re: Configure Exchange 2003 to check recipients in SMTP protocol

Is there a hack to make Exchange Server 2000 or earlier check recipients in the SMTP protocol or is this only possible in 2003?
Wednesday, June 09, 2004 2:26 AM by Christer Hasse

# re: Configure Exchange 2003 to check recipients in SMTP protocol

It's only built-in to Exchange 2003. It's certainly possible to write code to do it on Exchange 2000 (though not 5.5, sorry Scott, this may be your reason to start planning your upgrade to 2003!), and I believe that some of the "content management" products listed at http://www.microsoft.com/exchange/partners/emailcontent.asp do this. But if you want it built in to Exchange, you need to have Exchange 2003.
Wednesday, June 09, 2004 8:35 AM by David Lemson

# re: Configure Exchange 2003 to check recipients in SMTP protocol

Does anybody know the code for Exchange 2000 so that it checks SMTP recipients.
Thursday, June 24, 2004 6:26 AM by Sanoop

# re: Configure Exchange 2003 to check recipients in SMTP protocol

Is there a way to accept a message for an invalid recipient and then delete it without generating an NDR to the (usually fake) sender? I still want to generate an NDR for my internal users when mail cannot be delivered to an external recipient. -Thanks.
Friday, July 02, 2004 3:17 PM by Mark Hicks

# re: Configure Exchange 2003 to check recipients in SMTP protocol

Hi Dave,

Great article! I have another question: how can I prevent a "fake domain user" from sending e-mail to real domain users? E.g.: I would like to see an error message after a
MAIL FROM: fakeuser@ourdomain.com

Thanks!!
Friday, August 06, 2004 4:18 AM by Pablo Melchor

# re: Configure Exchange 2003 to check recipients in SMTP protocol

I've tried filtering the recipients' mail as it was described here, but it didn't work.
I have 2003 SBS.
Can anyone help me? Is there anything I should check?

Thanks,
Karen.
Monday, August 09, 2004 6:14 PM by Karen
