Block invalid recipient on Exchange 2010

Is it possible to block email with an invalid sender (with the same email domain managed by our Exchange server) from coming through the server on Exchange 2010? We don't have an Edge server set up in our Exchange organization.


Tomas Valenta (IT Manager) commented:
And how are the bad messages delivered to your Exchange server if you do not have an Edge server?
You can create an SMTP virtual server responsible only for accepting messages from the Internet
and there configure Sender filtering based on the wildcard *@your.domain.
AXISHK (Author) commented:
Incoming email first goes to IMSVA (Trend Micro) and then to the internal Exchange server.

We receive mails from invalid senders (from our domain) to our internal users. I checked with Trend Micro and it seems that there is no way to check valid users within our mail domain. Hence, I started to think about whether Exchange can handle it or not.

Tomas Valenta (IT Manager) commented:
I had one solution - GFI MailEssentials - and this software had a feature to check the From: field in the header of the message and, if it is our domain, it started an LDAP query for this e-mail address. If not found, it bounced the message.
Another idea is: if you deliver messages from the Exchange server to the Internet directly and not via IMSVA,
you can block your whole domain for inbound on IMSVA.

Simon Butler (Sembee) (Consultant) commented:
Recipient Filtering can be done by Exchange; you have to install the antispam agents.
However, if email is delivered to Trend first, then doing recipient filtering at Exchange is too late. You need to do it at Trend. Look in the Trend product for recipient filtering - it might involve an LDAP connection instead. Recipient filtering should be done at the point of entry and no later.
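The Exchange-side configuration Simon refers to, as an added example (not from any participant in the thread): it assumes the Exchange Management Shell on an Exchange 2010 Hub Transport server that receives mail from IMSVA, with contoso.com and 192.0.2.10 as placeholder values for the accepted domain and the IMSVA address.

```powershell
# Added example, not from the thread. Placeholders: contoso.com = accepted domain,
# 192.0.2.10 = IMSVA address. Run in the Exchange Management Shell as an Exchange admin.

# 1. Install the anti-spam agents on the Hub Transport role. They ship with
#    Exchange 2010 (no extra licence); $env:ExchangeInstallPath is set by Exchange setup.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
Restart-Service MSExchangeTransport

# 2. Declare the upstream gateway as an internal SMTP hop so the agents look past it
#    (in the Received headers) for the true originating IP address.
Set-TransportConfig -InternalSMTPServers @{Add = '192.0.2.10'}

# 3. Sender Filter: reject mail on anonymous (Internet-sourced) connections whose
#    MAIL FROM claims our own domain. InternalMailEnabled stays $false so that
#    authenticated Outlook / SMTP submissions from our own users are never filtered.
#    Caveat: any third-party service that legitimately sends as contoso.com is rejected too.
Set-SenderFilterConfig -Enabled $true `
    -ExternalMailEnabled $true `
    -InternalMailEnabled $false `
    -BlockedDomainsAndSubdomains 'contoso.com' `
    -Action Reject

# 4. Recipient Filter: reject RCPT TO addresses that do not exist in Active Directory
#    (the "recipient validation" Simon mentions).
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 5. Verify that the agents are loaded and the settings took effect.
Get-TransportAgent | Where-Object { $_.Identity -like '*Filter Agent' } |
    Format-Table Identity, Enabled, Priority -AutoSize
Get-SenderFilterConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled, BlockedDomainsAndSubdomains, Action
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
```

Because IMSVA has already accepted the message by the time Exchange answers with a 5.x.x rejection, the bounce is generated by IMSVA towards the (usually forged) sender, which is the backscatter problem Simon describes; the same checks placed on the gateway reject at the SMTP session instead.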
AXISHK (Author) commented:
Thx. I checked with Trend and they told me that we can't do this.

How do I install the antispam agent? Is it free with Exchange 2010? Thx
Tomas Valenta (IT Manager) commented:
You cannot block *@your.domain on Trend? If you can, then send messages from Exchange directly to
the Internet and it will work. Or in Trend you can block sending by *@your.domain and add
your Exchange server to the whitelist - the important thing is the order of antispam rules: the whitelisting must come first and the sender blacklist
after. Then you do not need to change the message flow on Exchange.
AXISHK (Author) commented:
Sorry, I can't understand from your message how to configure it...

A sender with my home address from the Internet to Exchange should be blocked.

Internal users from Exchange to the Internet should be allowed... Do you use IMSVA? Any example for reference?

Simon Butler (Sembee) (Consultant) commented:
I have found references going back to 2010 that the Trend Micro IMSVA can do LDAP lookups.
Therefore I would go back to Trend and ask them again. A gateway appliance that doesn't do recipient validation is pointless in my opinion.

Recipient filtering at Exchange is too late. The emails will be rejected between delivery from the appliance and Exchange. Where are they going to go? Spammers use bogus addresses. Most sites that I manage drop between 40 and 60% of ALL email on recipient validation alone.
Tomas Valenta (IT Manager) commented:
Here is the IMSVA admin guide:
page 11-7 - relay control - Reject unknown recipients - based on LDAP query
page 9-7 - Valid recipients/senders - here you can add a Block sender list specified by domain
AXISHK (Author) commented:
Actually, I need to block senders from the Internet to the gateway that use my home domain but are not valid users. Any other domains can pass through provided that they pass the scan successfully.

Hence, a sender from the Internet can pass through IMSVA if

1. any domain (not my home domain)      AND
2. my home domain + valid users in LDAP.

I still can't identify how to match these 2 criteria in IMSVA.
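The two criteria above expressed as one decision routine, an added example written for this thread (not from any participant, and not IMSVA's or GFI's own logic): a sender passes unless it uses one of our own domains and has no matching proxyAddresses entry in Active Directory. It assumes a domain-joined machine that can query AD; contoso.com and the sample addresses are placeholders.

```powershell
# Added example, not from the thread. Decides whether a MAIL FROM address may enter,
# following the thread's two criteria: foreign domain -> allowed (normal scanning still
# applies); own domain -> allowed only if the address exists in Active Directory.
# Assumes a domain-joined host with read access to AD (same lookup a gateway LDAP check does).

function Test-SenderAllowed {
    param(
        [Parameter(Mandatory)] [string]   $SenderAddress,   # MAIL FROM as seen by the gateway
        [Parameter(Mandatory)] [string[]] $LocalDomains     # domains Exchange is authoritative for
    )
    $parts = $SenderAddress -split '@', 2
    if ($parts.Count -ne 2 -or -not $parts[1]) { return $false }   # malformed: fail closed
    $domain = $parts[1].ToLower()

    # Criterion 1: any domain that is not ours passes this check.
    if ($LocalDomains -notcontains $domain) { return $true }

    # Criterion 2: our own domain is accepted only when the mailbox really exists.
    # proxyAddresses stores every SMTP alias as "smtp:user@domain" (case-insensitive).
    # Escape LDAP filter metacharacters (RFC 4515) before building the query.
    $escaped = $SenderAddress -replace '\\', '\5c' -replace '\*', '\2a' `
                              -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(&(objectCategory=person)(proxyAddresses=smtp:$escaped))"
    $searcher.PropertiesToLoad.Add('mail') | Out-Null
    return [bool]$searcher.FindOne()
}

# Sample decisions with placeholder addresses: a foreign-domain sender, a forged
# own-domain sender that should not exist in AD, and a deliberately malformed one.
$ourDomains = @('contoso.com', 'mail.contoso.com')
foreach ($addr in 'partner@example.net', 'ghost-user@contoso.com', 'no-at-sign') {
    $allowed = Test-SenderAllowed -SenderAddress $addr -LocalDomains $ourDomains
    "{0,-26} allowed={1}" -f $addr, $allowed
}
```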

Tomas Valenta (IT Manager) commented:
Everything is in the Cloud Pre-Filter policy configuration of IMSVA. You have (I suppose) created a policy for your domain,
and there use these properties (both are described on page 9-9 in the manual):

ad 1) use the Block senders list (Step 2 in editing the Policy)
- this list can block IPs or domains from relaying messages for your
domain - here put your.dom (you need to check the syntax, whether @your.dom or *@your.dom) -> if the SENDER of the message is
whatever@your.dom it will be rejected

ad 2) use Valid recipients on the same page
- checkbox Enable Valid Recipient list and Synchronize LDAP server with Cloud Pre-Filter daily - it is necessary to configure an LDAP account with permission to query LDAP in your domain and put it in the IMSVA config
--> the result is that when the recipient of the message does not exist in your domain (by looking up the LDAP-synchronized list in IMSVA)
the message will be rejected
If you want to use your IMSVA also for your Exchange server to relay messages to the Internet, here is an extract from the Admin guide explaining the order of both rules:
Approved and Blocked Senders
Messages from Approved Senders are able to bypass the Email Reputation service and
antispam filters, while messages from Blocked Senders are prevented from reaching
Specifying an IP address will block or approve all messages from that IP address.
The approved lists take precedence over the blocked list, the Email Reputation filter,
and the antispam filter. All messages from addresses that match the addresses in the
approved list are not processed by these filters.
So if you add your Exchange IP address to the Approved Senders list you can also send messages via IMSVA even if
your domain is in the Blocked Senders list.

AXISHK (Author) commented:
For the Cloud Pre-Filter policy, do I need to change anything on my MX record, i.e. point it to the Cloud rather than my IMSVA in the office?

Tomas Valenta (IT Manager) commented:
I don't know your real configuration of IMSVA. Is your MX record now directed to your IMSVA?
AXISHK (Author) commented: