Exchange 2013 disabled NDR and now unknown users get no bounce back

In the past, I understood that an NDR can be generated by either the sender's or the recipient's server. To fight backscatter we used to disable NDRs on the recipient's server and leave it to the sending server to generate them from the SMTP error reports returned by the recipient's server. But with Exchange 2013 I am confused... When I disabled NDRs, the server neither rejected the unknown user nor generated an NDR (as configured)... Since there's no error from the recipient server, the sending server treats it as delivered. Am I missing something here? Thanks in advance.
Simon Butler (Sembee), Consultant, commented:
Do you have the antispam agents installed?
If not, that is what you are missing.

Install the agents via the script in the Scripts directory within Program files, then run this command:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

That will cause Exchange to reject the email at the point of delivery for non-valid users.

Before, you were accepting the email and then NDRing it. That causes backscatter and can get you blacklisted, as you have found. The setting above will stop that problem, allowing you to reverse the setting change you made to disable NDRs.

Of course, that is presuming that Exchange is what accepts email from the internet. If you have something in front of Exchange then you need to do recipient filtering there.
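The steps in the answer above, written out as an Exchange Management Shell session so the result can be verified. This is an added example, not Simon's own script: the script name `Install-AntiSpamAgents.ps1` and the agent name `Recipient Filter Agent` are the ones Exchange 2013 ships with, and `$env:ExchangeInstallPath` is set on any server with Exchange installed.

```powershell
# Added example (not from the thread): install the anti-spam agents on an
# Exchange 2013 Mailbox server and switch on recipient validation, so unknown
# recipients are refused during the SMTP session (at RCPT TO) rather than
# accepted and bounced afterwards. Run in the Exchange Management Shell.

# 1. Install the anti-spam transport agents. The script is the one shipped
#    in the Exchange Scripts directory; the path is taken from the
#    ExchangeInstallPath environment variable set by Exchange setup.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"

# 2. The agents only become active once the transport service restarts.
Restart-Service MSExchangeTransport

# 3. Confirm the Recipient Filter agent is registered and enabled.
Get-TransportAgent |
    Where-Object { $_.Identity -eq 'Recipient Filter Agent' } |
    Format-Table Identity, Enabled, Priority -AutoSize

# 4. Turn on recipient validation (the setting from the answer above).
#    RecipientValidationEnabled is what makes Exchange answer RCPT TO for
#    an address that does not exist in the directory with a 5xx rejection.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 5. Verify the resulting configuration.
Get-RecipientFilterConfig |
    Format-List Enabled, RecipientValidationEnabled, BlockListEnabled
```

After step 5 shows `RecipientValidationEnabled : True`, a test message to a non-existent address from an outside mailbox should be refused at the SMTP level, and the bounce the outside sender sees is generated by their own server; at that point the change that disabled NDRs can be reverted, as the answer says. If a filtering appliance or gateway sits in front of Exchange, the same validation has to be done there instead, because Exchange never sees the session that the gateway accepted.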


BBQPM (Author) commented:
Hi Simon,

Thanks for your comment.

I have that disabled because once it's enabled, although it does reject invalid email addresses, it also rejects the entire email if it has multiple recipients. Let me elaborate... When recipient filtering is enabled and a sender is trying to send an email to two or more email addresses, one valid and the other not, Exchange rejects the entire email and reports "unknown user" for both the valid and the invalid email address, so the sender receives an NDR for both email addresses with the reason "unknown user".
Simon Butler (Sembee), Consultant, commented:
If you are regularly getting messages where the recipients are mixed like that, then you will need to use something else to do recipient filtering.
The behaviour you have observed is by design, as Microsoft presumes that most implementations will use an Edge server or other boundary filter. A mailbox server is considered an internal server, and that is felt to be too late.

Something that can do LDAP lookups will do the job fine.

BBQPM (Author) commented:
Thanks. I read about the Exchange 2013 SP1 Edge Transport role on a separate server; will this fix the problem? I've never configured this before.
Simon Butler (Sembee), Consultant, commented:
I never deploy an Edge server. Waste of money in my opinion.

You need an additional Windows and Exchange licence. The filtering it does is garbage. If you have the budget for the additional licences, I would look at another product that can do LDAP lookups for you instead. That could be a spam filtering appliance or a product that you install on the Exchange server.

In almost all cases I can find a product with more filtering features and techniques than Exchange, for less money than the additional licences.

To answer your specific question, an Edge server would resolve the issue. Whether it is the correct solution, though, I would argue it is not, particularly for the expense involved.

Edge as a spam filtering service is awful, probably on purpose to get you to use their hosted solution.

BBQPM (Author) commented:
Hi Simon,

I know this is an old thread; I've been trying to figure out a proper way. So I deployed an edge spam filter, Xeams. It does a very good job, including the ability to do LDAP lookups (although it only queries the first email address; if the recipient has multiple email addresses it will not pick them up and therefore treats incoming email to a secondary email address as unknown). But another problem arises when LDAP is enabled with user lookup: directory harvesting... What's your take?
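The directory-harvesting concern raised above has a standard counterpart on the Exchange side: once invalid recipients are refused at RCPT TO, every `550 5.1.1` tells the remote side that an address does not exist, so the usual mitigation is to slow down and cap error responses per connection rather than to stop validating. The following is an added example, not part of the thread and not anything Xeams does; the connector name `Default Frontend MAIL1` is a placeholder for whichever receive connector accepts mail from the Internet, and the three parameters shown (`TarpitInterval`, `MaxInboundConnectionPerSource`, `MaxProtocolErrors`) are existing `Set-ReceiveConnector` parameters.

```powershell
# Added example (not from the thread): review and tighten the settings on the
# Internet-facing receive connector that limit how fast one source can probe
# for valid addresses. Run in the Exchange Management Shell.

# Placeholder: replace with the name of your Internet-facing receive connector.
$connector = 'Default Frontend MAIL1'

# Current values.
#   TarpitInterval                - delay inserted before an SMTP error response
#                                   is sent back (5 seconds by default)
#   MaxInboundConnectionPerSource - concurrent sessions one IP may hold open
#   MaxProtocolErrors             - protocol errors (including rejected RCPT TO
#                                   commands) tolerated before the session ends
Get-ReceiveConnector -Identity $connector |
    Format-List Name, TarpitInterval, MaxInboundConnectionPerSource, MaxProtocolErrors

# Lengthen the delay on error responses and keep per-source limits tight.
# A legitimate mail server rarely produces more than a few errors per session,
# so this costs real senders nothing while making a dictionary walk slow.
Set-ReceiveConnector -Identity $connector `
    -TarpitInterval 00:00:10 `
    -MaxInboundConnectionPerSource 20 `
    -MaxProtocolErrors 5

# Re-read the connector to confirm the change took effect.
Get-ReceiveConnector -Identity $connector |
    Format-List Name, TarpitInterval, MaxInboundConnectionPerSource, MaxProtocolErrors
```

These settings only govern sessions that reach Exchange directly. In the setup described above, where the edge filter performs the LDAP lookup and refuses unknown recipients itself, the equivalent throttling (a delay on error responses and a cap on errors or connections per source) has to be configured on that filter, since the harvester's session never reaches Exchange.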