Exchange 2013 Recipient Validation
I needed this so that Exchange 2013 would report bad email addresses back to my Scrollout Spam Filter.
Source info can be found here. I’m reposting it so I can find it later.
Although verification with AD indeed works fine with Exchange 2013, it is possible to get callout working as well. It involves tweaking the Exchange 2013 RecipientFilterConfig. I’ll lay down what I just did to get this working.
First of all, make sure you have Anti-Spam Functionality enabled on your Mailbox Server. To do so, check with Exchange Management Shell:
Get-TransportAgent
This should show you all Transport Agents available on your system. Make sure you have this displayed:
Recipient Filter Agent True
If Recipient Filter Agent is not listed, then Anti-Spam Functionality was not enabled during setup. You can enable it by running this on the shell:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
After enabling Anti-Spam Functionality, run Get-TransportAgent again and make sure Recipient Filter Agent is available and enabled. If it’s available but disabled, run this to enable it:
Enable-TransportAgent "Recipient Filter Agent"
Restart Exchange Transport service after making any modification mentioned above.
Now let’s make sure your accepted domains are using AddressBook for checking valid recipients. By default, this should be enabled when you set Exchange as an authoritative Mailbox Server for your domain. To check it, run this on the shell:
Get-AcceptedDomain | Format-List Name,AddressBookEnabled
It should provide you with a list of all accepted domains and whether AddressBook is enabled for each. If by any chance Exchange is Authoritative and AddressBook is disabled for some reason, enable it with:
Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true
Or, to enable it for all domains (caution: make sure you are not relaying any domains before running this):
Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true
Just to be safe, restart Exchange Transport service again after making any of the changes mentioned above.
Now you should have Recipient Filter enabled on your Mailbox Server and AddressBook enabled on your domain. But if you test this now, it probably still won’t work. That’s because Validation is still disabled. There’s one more step to take to get this working. To make sure it’s disabled, run:
Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled
It should return that Recipient Filter is enabled, but validation is not:
Enabled : True
RecipientValidationEnabled : False
To enable it, run:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
And now you should get Recipient Validation enabled:
Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled
Enabled : True
Restart Exchange Transport service and test it. Callout should work now, at least it did for me (domains are removed for obvious reasons):
220 utm… ESMTP ready.
EHLO main…
250-utm… Hello … [192.168.1.121]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
MAIL FROM:<giovani@…com.br>
250 OK
RCPT TO:<ti@….com.br>
250 Accepted
RCPT TO:<ti49@….com.br>
550 Address unknown
quit
221 utm….com.br closing connection
As you can see, it accepted the valid address and denied the invalid one. To make sure callout was used:
2013:10:03-09:27:25 utm-1 exim-in[17340]: 2013-10-03 09:27:25 [192.168.1.121] F=<giovani@….com.br> R=<ti49@….com.br> Verifying recipient address with callout
2013:10:03-09:27:25 utm-1 exim-in[17340]: 2013-10-03 09:27:25 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.168.1.121" from="giovani@….com.br" to="ti49@….com.br" size="-1" reason="address_verification" extra="Address unknown"
And that’s it for Recipient Verification with Exchange 2013. Just to tune things up, disable any AntiSpam feature on Exchange that could hurt UTM-Exchange communication. Here’s what I did:
Set-SenderFilterConfig -Enabled $false
Disable-TransportAgent "Sender Filter Agent"
Set-SenderIDConfig -Enabled $false
Disable-TransportAgent "Sender ID Agent"
Set-ContentFilterConfig -Enabled $false
Disable-TransportAgent "Content Filter Agent"
Set-SenderReputationConfig -Enabled $false
Disable-TransportAgent "Protocol Analysis Agent"
You should end up with only Recipient Filter enabled on the Transport Agent:
Get-TransportAgent
Identity Enabled Priority
Since Scrollout should handle all AntiSpam checks, it makes sense to disable them at Exchange.
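The three prerequisites from the steps above (agent enabled, AddressBook on the accepted domains, validation switched on) can be checked in one read-only pass. This is an added example, not part of the original post; it assumes it is run in the Exchange Management Shell on the Mailbox server, and the `$findings` variable and message wording are illustrative.

```powershell
# Added example: read-only audit of the recipient-validation prerequisites.
# Uses only Get-* cmdlets, so it changes nothing on the server.
$findings = @()

# 1. The Recipient Filter Agent must be installed and enabled.
$agent = Get-TransportAgent -Identity 'Recipient Filter Agent' -ErrorAction SilentlyContinue
if (-not $agent) {
    $findings += 'Recipient Filter Agent is not installed (run Install-AntiSpamAgents.ps1).'
} elseif (-not $agent.Enabled) {
    $findings += 'Recipient Filter Agent is installed but disabled.'
}

# 2. Authoritative domains need AddressBookEnabled. Relay domains are reported
#    when it is on, following the caution in the post about relayed domains:
#    Exchange has no directory entries for those recipients.
foreach ($domain in Get-AcceptedDomain) {
    # Cast to string so the comparison also works on deserialized objects.
    $isAuthoritative = "$($domain.DomainType)" -eq 'Authoritative'
    if ($isAuthoritative -and -not $domain.AddressBookEnabled) {
        $findings += "Authoritative domain '$($domain.Name)' has AddressBookEnabled = False."
    } elseif (-not $isAuthoritative -and $domain.AddressBookEnabled) {
        $findings += "Relay domain '$($domain.Name)' has AddressBookEnabled = True."
    }
}

# 3. Recipient filtering and recipient validation must both be on.
$config = Get-RecipientFilterConfig
if (-not $config.Enabled) {
    $findings += 'RecipientFilterConfig.Enabled is False.'
}
if (-not $config.RecipientValidationEnabled) {
    $findings += 'RecipientFilterConfig.RecipientValidationEnabled is False.'
}

# Report: one line per problem, or a single OK line.
if ($findings.Count -eq 0) {
    'OK: unknown recipients should be rejected at RCPT TO.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

An empty findings list only confirms the configuration; the SMTP test with one valid and one invalid address, as shown in the post, is still the check that the 550 is actually returned.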