To return to part 1 click here

Setting Connector Limits in Exchange 2007

Below are the 5 different types of connectors that we can modify the limits on for Exchange 2007 and the ways to do it using the Exchange Management Shell (EMS). The default settings are listed in the brackets.

Set-ForeignConnector 
  –MaxMessageSize <Unlimited>

Set-ReceiveConnector
  -MaxHeaderSize <64KB>
  -MaxMessageSize <10MB>
  -MaxReceipientsPerMessage <200>

Set-SendConnector
  -MaxMessageSize <10MB>

Set-AdSiteLink
  -MaxMessageSize <Unlimited>

Set-RoutingGroupConnector
  -MaxMessageSize <Unlimited>

To modify the Receive connectors we can do this via the Exchange Management Console (EMC) as well.

And these are the results of using Get-ReceiveConnector

Setting User Limits in Exchange 2007

You can also set limits on the users as well. Below are the 5 different types that you can modify as well as their default settings in brackets. As you can see, by default, we don’t limit the send or receive size at all at the user scope.

Set-DistributionGroup
  -MaxReceiveSize, -MaxSendSize <Unlimited>

Set-DynamicDistributionGroup
  -MaxReceiveSize, -MaxSendSize <Unlimited>

Set-Mailbox
  -MaxReceiveSize, -MaxSendSize, -MaxRecipientPerMessage <Unlimited>

Set-MailPublicFolder
  -MaxReceiveSize, -MaxSendSize <Unlimited>

Set-MailUser
  -MaxReceiveSize, –MaxSendSize <Unlimited>

You can also view this configuration in the console. Isn’t it nice that we can do this without having to open up the ADU&C anymore?

Next: Part 8 - Setting Recipient Policies

To return to part 1 click here

Message size restrictions

In Exchange 2003, you would customize the message size restrictions for the organization, a specific connector, a specific virtual server, and an individual user.

For the organization, you would modify the size limits at the properties Message Delivery section under the Organization container in the Exchange System Manager (ESM).  Below you see the defaults for the sending and receiving size limits and the recipient limits.

For a specific connector, you would use the ESM to view the properties on the connector.  Below you can see the default for allowed message size is not set.  This is usually a good idea.

At the server level this is set at the virtual server at the SMTP level.  Again, below are the defaults.

And then you can also make limits at the user level as well.  This could be done from the Active Directory Users and Computers (ADU&C).

Now lets talk about Exchange 2007…

In Exchange 2007, the size limits that are available for individual messages can be divided into the following basic categories:

Message header size limits

These limits apply to the total size of all message header fields that are present in a message. The size of the message body or attachments is not considered. Because the header fields are plain text, the size of the header is determined by the number of characters in each header field, and by the total number of header fields. Each character of text consumes 1 byte.

Some third-party firewalls or proxy servers apply their own message header size limits. These third-party firewalls or proxy servers may have difficulty processing messages that contain attachment file names that are greater than 50 characters, or attachment file names that contain non-US-ASCII characters.

Message size limits

These limits apply to the total size of a message. This includes the message header, the message body, and any attachments. Message size limits may be imposed on incoming messages or outgoing messages. For internal message flow, Exchange 2007 uses the custom X-MS-Exchange-Organization-OriginalSize: message header to record the original message size of the message as it enters the Exchange 2007 organization. Whenever the message is checked against the specified message size limits, the lower value of either the current message size or the original message size header is used. The size of the message can change because of content conversion, encoding, and agent processing.

Attachment size limits

These limits apply to the maximum allowed size of a single attachment within a message. The message may contain many attachments that greatly increase the overall size of the message. However, an attachment size limit would apply to the size of an individual attachment only.

Recipient limits

These limits apply to the total number of message recipients. When a message is first composed, the recipients exist in the To:, Cc:, and Bcc: header fields. When the message is submitted for delivery, the message recipients are converted into RCPT TO: entries in the message envelope. A distribution group is counted as a single recipient during message submission.

In Exchange 2007, the scope of the limits that are available for individual messages can be divided into the following basic categories:

Organizational limits

These limits apply to all Hub Transport servers that exist in the organization.

These limits apply to all Exchange 2007 servers that exist in the organization. The specified message limits apply to all Exchange 2007 servers that have the Hub Transport server role installed. On an Edge Transport server, the specified limits apply to the specific server.

Global Limits

These limits apply to all Exchange 2007 and Exchange Server 2003 servers that exist in the organization. The global message limits are stored in the Active Directory directory service.
In the release to manufacturing (RTM) version of Microsoft Exchange Server 2007, it is common for the organization limits and the global limits to conflict. When the organizational limits and the global message limits conflict, the lowest value takes precedence. In Exchange 2007 RTM, you must use Exchange System Manager on an Exchange 2003 server or the Active Directory Service Interfaces (ADSI) Edit tool to modify global message limits. For more information, see How to Modify Exchange 2003 Global Message Size Limits in Exchange 2007 RTM.

In Microsoft Exchange Server 2007 Service Pack 1 (SP1), the condition that cause the organization limits and the global limits to conflict has been eliminated. Changes that you make to the organizational limits are automatically copied to the corresponding global limits. In Exchange 2007 SP1, you can modify the organizational limits by using the Set-TransportConfig cmdlet in the Exchange Management Shell, or by configuring the Hub Transport server organization configuration properties in the Exchange Management Console.

Connector limits

These limits apply to any messages that use the specified Send connector, Receive connector, or Foreign connector for message delivery. Connectors are defined on Hub Transport servers or Edge Transport servers.
In Exchange 2007 SP1, you can also set message size limits on the following types of connections:  AD Sitelinks and RGCs.

Server limits  

These limits apply to a specific Hub Transport server.

These limits apply to a specific Hub Transport server or Edge Transport server. The specified message limits are not stored in the Active Directory directory service. You can set the specified message limits independently on each Hub Transport server or Edge Transport server.
Message size limits can also be apply to Microsoft Office Outlook Web Access on a Client Access server.

User limits

These limits apply to a specific user object, such as a mailbox, contact, distribution group, or public folder.

Setting the limits

So let’s talk about setting the Organizational settings on Exchange 2007.

To set the configuration of the limits for the organization you can do this in the shell or the console

By default the settings for the Receive and Send limits are 10MB, the max recipient limit is 5000 and there is no limit on the attachment size.

Using Set-TransportConfig we see:

–-MaxReceiveSize <10MB>

–-MaxSendSize <10MB>

–-MaxRecipientEnvelopeLimit <5000>

–-AttachmentSizeOver <none>

Let see the Setting in the console. Notice that to do this we go to the global settings of the hub transport.

And here are the settings from the shell using Get-TransportConfig

As I said earlier, the distinction between the global and organizational settings are gone now in SP1, and I will show this to you.

Here I did a Set-TransportConfig and changed the max receive size to 20 MB.

Looking at the change in the console…

Now in order for this change to work in 2003 we need this to be written to the AD for the 2003 attribute as well. And here we see that it has.

And here it shows up in the 2003 ESM as well.

So, the Global and Organizational scope are now the same in Exchange 2007 SP1.

Next: Part 7 – Setting Connector Limits and User Limits.

To return to part 1 click here

More Anti-spam tasks

Now that we have looked at how to configure Attachment filtering, lets look at how to configure Connection Filtering in Exchange 2007. 

Using the Exchange Management Console (EMC) against a Edge server, we can enable or disable filters by looking at the Anti-spam tab on the server, and right clicking on the filter.

To do this via the Exchange Management Shell use Set-IPAllowListConfig.

Now it shows up in the EMC as disabled.

That is how you disable and enable the lists.  To configure them you can do this by choosing properties after right clicking on the particular one you want to do it on.

To do this in EMS use Set-IPBlockListConfig, Set-IPAllowListConfig, etc.

You can install the anti-spam agents on the Hub Transport server role by using the Install-AntiSpamAgents.ps1 script and restarting the MSExchangeTransport Service. This script is located in the %system drive%/Program Files/Microsoft/Exchange Server/Scripts folder.

After you run this script, the following anti-spam agents are installed and enabled:

–Connection filtering

–Content filtering

–Sender ID

–Sender filtering

–Recipient filtering

–Sender reputation

Notice anything missing?  Attachment Filtering is only available on Edge.  But, Forefront can do this as well on a Hub Server.

Also, after running the script, the Anti-spam tab is available in the Exchange Management Console for Hub Transport servers. We recommend that you install the anti-spam agents if you select a topology that does not include an Edge Transport server so that the Hub Transport server can provide anti-spam protection for the Exchange organization.

More information can be found here: http://msexchangeteam.com/archive/2008/06/23/449070.aspx

Next: Part 6 - Message size restrictions.

To return to part 1 click here

Anti-spam tasks

In Exchange 2003 we had many tools provided to help eliminate spam.  Some are Intelligent Message Filtering, Connection Filtering, and Sender ID.  As you can see below they are all configurable in the ESM on the Message Delivery Properties.

In Exchange 2007 these tools are still there as well as new ones like Anti-Spam Stamps.  These are viewable in Outlook 2007 by looking at the message options.  The lien X-MS-Exchange-Organization-Antispam-Report is the line that you want.

Attachment filtering is something new in Exchange 2007.  This is one of the few things that can not be managed via the Exchange Management Console (EMC) and can only be done via the Exchange Management Shell (EMS).  It is enabled by default on servers that have the Edge role installed.  You can determine this by using the Get-TransportAgent cmdlet.

In order to see the current settings you would use Get-AttachmentFilterEntry.  You would use the Type and Name fields if you wanted to make a change to those as we will see later.

To add a new attachment filter that filters e-mail attachments that have a specific MIME content type, use the following command:

Add-AttachmentFilterEntry -Name <MIMEContentType> -Type ContentType

In the example below we are filtering all JPEG images.

In the next example we are filtering all files by File name (using type FILENAME) and blocking all files that have the extension “.mov”.

And in the 3rd example we are blocking a particular file by name. In this case a file named “virus.ppt”.

To remove the filters, we use Remove-AttachmentFilterEntry and the type:name. Here we are getting rid of the filter for “virus.ppt”.

Now what we do when we match the filter is called the action. Below we used Get-AttachmentFilterListConfig to see the settings. Our action here is to Reject the message and issue an NDR to the user with a reject message: “Message rejected due to unacceptable attachments.”

You could set an action to strip the attachment or to silently delete it. 

Using the Set-AttachmentFilterListConfig command we are setting the action to strip the attachment.

Next:  Part 5 – More Anti-Spam Configuration in 2007