[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 113
  • Last Modified:

Block invalid recipent on Exchange 2010

Is it possible to block email with invalid sender (with same email domain managed by our Exchange server) to come through the server on Exchange 2010 ? We don't have edge server setup in our Exchange organization ?

Thx
0
AXISHK
Asked:
AXISHK
  • 6
  • 6
  • 2
2 Solutions
 
Tomas ValentaCommented:
Hello,
and how are the bad messages delivered to your Exchange server if you do not have edge server ?
You can create SMTP virtual server responsible only for accepting messages from Internet
and here configure Sender filtering based on wildcard *@your.domain.
0
 
AXISHKAuthor Commented:
Incoming email first go to IMSVA (Trend Micro) and then to internal Exchange server.

We receive mails from invalid sender (from our domain) to our internal users. Check with Trend Micro and it seems that there is no way to check valid users within our mail domain. Hence, I start to think whether Exchange can handle it or not.

Thx
0
 
Tomas ValentaCommented:
I had one solution - GFI MailEssential - and this software had feature to check from: field in header of message and if it is our domain than it started ldap query for this e-mail address. If not found it bounce the message.
another idea is: if you will deliver messages from Exchange server to the Internet directly and not by IMSVA
you can block on IMSVA for inbound whole your domain.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
Simon Butler (Sembee)ConsultantCommented:
Recipient Filtering can be done by Exchange, you have to install the antispam agents.
However if email is delivered to Trend first, then doing recipient filtering at Exchange is too late. You need to do it at Trend. Look in the Trend product for recipient filtering - it might involve an LDAP connection instead. Recipient filtering should be done at the point of entry and no later.
0
 
AXISHKAuthor Commented:
Thx, Check with Trend and they told me that we can't do this.

How to install antispam agent ? Is it free with Exchange 2010 ? Thx
0
 
Tomas ValentaCommented:
You cannot block *@your.domain on Trend ? If you can than send messages from Exchange directly to
the Internet and it will works. Or in Trend you can block send by *@your.domain and add to the whitelist
your Exchange server - important is order of antispam rules, the whitelisting must be first and sender black list
after. Then you do not need to change message flow on Exchange.
0
 
AXISHKAuthor Commented:
Sorry, I can't get your message how to configure it...

Sender with my home address from internet to Exchange should be blocked.

Internal users from Exchange to Internet should be allowed...  Do you use IMSVA, any example for reference ?  

Thx
0
 
Simon Butler (Sembee)ConsultantCommented:
I have found references going back to 2010 that the Trend Micro IMSVA can do LDAP lookups.
Therefore I would go back to Trend and ask them again. A gateway appliance that doesn't do recipient validation is pointless in my opinion.

Recipient filtering at Exchange is too late. The emails will be rejected between delivery from the appliance and Exchange. Where are they going to go? Spammers use bogus addresses. Most sites that I manage drop between 40 and 60% of ALL email on recipient validation alone.
0
 
Tomas ValentaCommented:
here is IMSVA admin guide
http://docs.trendmicro.com/all/ent/imsva/v9.0/en-us/imsva_9.0_ag.pdf
page 11-7 - relay control - Reject unknown recipients - based on LDAP query
page 9-7 - Valid recipients/sender - here you can add Block sender list specified by domain
0
 
AXISHKAuthor Commented:
Actually, I need to block sender from internet to the gateway with my home domain but not a valid users. Any other domains can pass through providing that they pass the scan successfully.

Hence, the sender from internet can pass through IMSVA if

1. any domain (not my home domain)      AND
2. my home domain + valid users in LDAP.

Still can't identify how to match these 2 criteria in the IMSVA.

Thx
0
 
Tomas ValentaCommented:
Everything is in Cloud Pre-Filter policy configuration of IMSVA. You have (I suppose) created policy for your domain
and here use these properties (both are described on page 9-9 in the manual):

ad 1) use Block senders list (Step 2 in editing of Policy)
- this list can block IP or domains to relay messages for your
domain - here put your.dom (you need to check the syntax if @your.dom or *@your .dom) -> if SENDER of the message will
be whatever@your.dom it will be rejected

ad 2) use Valid recipient on the same page
 - checkbox Enable Valid Recipient list and Synchronize LDAP server with Cloud Pre-Filter daily - it is necessary to configure LDAP account with permission of query LDAP in your domain and put it in IMSVA config
--> result is when recipient of the message does not exist in your domain (by looking up the LDAP synchronized list in IMSVA)
the message will be rejected
If you want to use your IMSVA also for your Exchange server to relay messages to the Internet here is extract from Admin guide where is explanation of order of both rules:
...
Approved and Blocked Senders
Messages from Approved Senders are able to bypass the Email Reputation service and
antispam filters, while messages from Blocked Senders are prevented from reaching
recipients.
Specifying an IP address will block or approve all messages from that IP address.
The approved lists take precedence over the blocked list, the Email Reputation filter,
and the antispam filter. All messages from addresses that match the addresses in the
approved list are not processed by these filters.
So if you add your Exchange IP address to the Approved Sender list you can also send messages via IMSVA even if
your domain is in Blocked Senders list.
0
 
AXISHKAuthor Commented:
For Cloud Pre-Filter policy, do I need to change anything on my MX record. ie point it to Cloud rather than my IMSVA in office ?

Thx
0
 
Tomas ValentaCommented:
I don't know your real configuration of IMSVA. You MX record is now directed to your IMSVA ?
0
 
AXISHKAuthor Commented:
Thx
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

  • 6
  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now