Solved

Block invalid recipient on Exchange 2010

Posted on 2016-09-12
Last Modified: 2016-09-18
Is it possible to block email with an invalid sender (with the same email domain managed by our Exchange server) from coming through the server on Exchange 2010? We don't have an Edge server set up in our Exchange organization.

Thx
Question by:AXISHK
14 Comments
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41795765
Hello,
and how are the bad messages delivered to your Exchange server if you do not have an Edge server?
You can create an SMTP virtual server responsible only for accepting messages from the Internet
and configure Sender filtering there based on the wildcard *@your.domain.
 

Author Comment

by:AXISHK
ID: 41797154
Incoming email first goes to IMSVA (Trend Micro) and then to the internal Exchange server.

We receive mail from invalid senders (from our domain) addressed to our internal users. I checked with Trend Micro and it seems that there is no way to check valid users within our mail domain. Hence, I started to wonder whether Exchange can handle it or not.

Thx
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41797348
I had one solution, GFI MailEssentials: this software had a feature to check the From: field in the message header, and if it was our domain, it started an LDAP query for that e-mail address. If it was not found, it bounced the message.
Another idea: if you deliver messages from the Exchange server to the Internet directly and not via IMSVA,
you can block your whole domain on IMSVA for inbound mail.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 41798842
Recipient Filtering can be done by Exchange, you have to install the antispam agents.
However if email is delivered to Trend first, then doing recipient filtering at Exchange is too late. You need to do it at Trend. Look in the Trend product for recipient filtering - it might involve an LDAP connection instead. Recipient filtering should be done at the point of entry and no later.
 

Author Comment

by:AXISHK
ID: 41799001
Thx. I checked with Trend and they told me that we can't do this.

How do I install the antispam agent? Is it free with Exchange 2010? Thx
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41799228
You cannot block *@your.domain on Trend? If you can, then send messages from Exchange directly to
the Internet and it will work. Or in Trend you can block mail sent by *@your.domain and add your Exchange server
to the whitelist. The order of the antispam rules is important: the whitelisting must be first and the sender blacklist
after. Then you do not need to change the message flow on Exchange.
 

Author Comment

by:AXISHK
ID: 41799232
Sorry, I don't understand from your message how to configure it...

Senders with my home address from the Internet to Exchange should be blocked.

Internal users from Exchange to the Internet should be allowed... Do you use IMSVA? Any example for reference?

Thx
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
ID: 41799373
I have found references going back to 2010 that the Trend Micro IMSVA can do LDAP lookups.
Therefore I would go back to Trend and ask them again. A gateway appliance that doesn't do recipient validation is pointless in my opinion.

Recipient filtering at Exchange is too late. The emails will be rejected between delivery from the appliance and Exchange. Where are they going to go? Spammers use bogus addresses. Most sites that I manage drop between 40 and 60% of ALL email on recipient validation alone.
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41799395
Here is the IMSVA admin guide:
http://docs.trendmicro.com/all/ent/imsva/v9.0/en-us/imsva_9.0_ag.pdf
page 11-7 - relay control - Reject unknown recipients - based on LDAP query
page 9-7 - Valid recipients/sender - here you can add a Block sender list specified by domain
 

Author Comment

by:AXISHK
ID: 41800021
Actually, I need to block senders from the Internet to the gateway that use my home domain but are not valid users. Any other domains can pass through provided that they pass the scan successfully.

Hence, the sender from the Internet can pass through IMSVA if

1. any domain (not my home domain)      AND
2. my home domain + valid users in LDAP.

I still can't identify how to match these 2 criteria in the IMSVA.

Thx
 
LVL 9

Accepted Solution

by:
Tomas Valenta earned 250 total points
ID: 41801046
Everything is in the Cloud Pre-Filter policy configuration of IMSVA. You have (I suppose) created a policy for your domain;
use these properties there (both are described on page 9-9 in the manual):

ad 1) Use the Block senders list (Step 2 in editing the policy)
- This list can block IPs or domains from relaying messages for your
domain. Put your.dom here (you need to check whether the syntax is @your.dom or *@your.dom) -> if the SENDER of the message is
whatever@your.dom, it will be rejected.

ad 2) Use Valid recipient on the same page
 - Check Enable Valid Recipient list and Synchronize LDAP server with Cloud Pre-Filter daily. It is necessary to configure an LDAP account with permission to query LDAP in your domain and put it in the IMSVA config.
--> The result is that when the recipient of the message does not exist in your domain (by looking up the LDAP synchronized list in IMSVA),
the message will be rejected.
If you want to use your IMSVA also for your Exchange server to relay messages to the Internet, here is an extract from the Admin guide that explains the order of both rules:
...
Approved and Blocked Senders
Messages from Approved Senders are able to bypass the Email Reputation service and
antispam filters, while messages from Blocked Senders are prevented from reaching
recipients.
Specifying an IP address will block or approve all messages from that IP address.
The approved lists take precedence over the blocked list, the Email Reputation filter,
and the antispam filter. All messages from addresses that match the addresses in the
approved list are not processed by these filters.
So if you add your Exchange IP address to the Approved Sender list, you can also send messages via IMSVA even if
your domain is in the Blocked Senders list.
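The rule order from the accepted answer, modeled as a small Python evaluator (an added example, not part of the original thread and not IMSVA code). The IP addresses, mailbox names and the `evaluate` function are constructed for illustration; `your.dom` is the placeholder domain used above.

```python
# Added illustration: a model of the rule order described above, not IMSVA code.
from ipaddress import ip_address

HOME_DOMAIN = "your.dom"                       # placeholder domain from the thread
APPROVED_IPS = {ip_address("192.0.2.10")}      # constructed: the internal Exchange server
VALID_RECIPIENTS = {"alice@your.dom", "bob@your.dom"}  # constructed stand-in for the LDAP-synced list


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def evaluate(client_ip: str, sender: str, recipient: str) -> tuple[str, str]:
    """Return (verdict, reason) for one message, checking rules in precedence order."""
    # 1. Approved senders take precedence over the blocked list.
    if ip_address(client_ip) in APPROVED_IPS:
        return "accept", "approved sender IP"
    # 2. Blocked senders: anything else claiming the home domain is rejected.
    if domain_of(sender) == HOME_DOMAIN:
        return "reject", "blocked sender domain"
    # 3. Valid recipient list: recipients missing from the synced list are rejected.
    if recipient.lower() not in VALID_RECIPIENTS:
        return "reject", "unknown recipient"
    return "accept", "passed sender and recipient checks"


# Constructed sample traffic: (client IP, sender, recipient)
SAMPLES = [
    ("192.0.2.10", "alice@your.dom", "partner@example.net"),    # outbound via Exchange
    ("198.51.100.7", "ceo@your.dom", "bob@your.dom"),           # spoofed home-domain sender
    ("198.51.100.7", "alice@your.dom", "bob@your.dom"),         # real address, but from outside
    ("203.0.113.5", "partner@example.net", "nobody@your.dom"),  # recipient not in directory
    ("203.0.113.5", "partner@example.net", "bob@your.dom"),     # ordinary inbound mail
]


def run_samples():
    """Evaluate every constructed sample and return the (verdict, reason) pairs."""
    return [evaluate(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{sample[0]:<13} {sample[1]:<20} -> {sample[2]:<20} {verdict}: {reason}")
```

In this model the third sample is rejected even though alice@your.dom is a real mailbox, because the sender block applies to every home-domain sender that does not arrive from an approved IP.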
 

Author Comment

by:AXISHK
ID: 41801203
For the Cloud Pre-Filter policy, do I need to change anything on my MX record, i.e. point it to the Cloud rather than my IMSVA in the office?

Thx
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41801213
I don't know the real configuration of your IMSVA. Is your MX record now directed to your IMSVA?
 

Author Closing Comment

by:AXISHK
ID: 41804191
Thx