In my previous article I explained how to install an Exchange 2013 Edge Transport server and how to create and activate the Edge Synchronization process. In this blog post I’d like to explain in a bit more detail how to configure Message Hygiene on the Edge Transport server.
Exchange Management Shell
The only possibility to configure the Exchange 2013 Edge Transport server is by using the Exchange Management Shell (PowerShell). There’s no GUI available for managing the Edge Transport server. The bright side of this is that there’s no IIS anymore on the Edge Transport server and that the attack surface of this server is smaller, something that’s important when connecting a server directly to the Internet.
The Edge Transport Server works with so called Transport Agents.
The following Transport Agents are available on the Edge Transport server:
- Connection Filtering Agent
- Address Rewriting Inbound Agent
- Edge Rule Agent
- Content Filter Agent
- Sender Id Agent
- Sender Filter Agent
- Recipient Filter Agent
- Protocol Analysis Agent
- Attachment Filtering Agent
- Address Rewriting Outbound Agent
You can retrieve the Transport Agents by running the Get-TransportAgent cmdlet in EMS. Please note that all Transport Agents are enabled by default and are configured with default settings.
In this blog I’ll discuss Reverse DNS (not listed above), IP Block List Providers, Content Filtering and SenderID Filtering.
Some SMTP servers perform a Reverse DNS lookup when another SMTP server tries to deliver a message. Although this is not an Exchange feature, it is still important to discuss here.
When doing so the receiving server tries to determine whether the source IP address really matches the FQDN being used. For example, the Edge Transport server is using 184.108.40.206 and when a Reverse DNS lookup is performed it should return smtphost.exchangelabs.nl, as shown in the following figure (www.misk.com):
Note. There are mail servers that greylist or even block a message when the PTR record doesn’t match or isn’t available!
IP Block List providers
Another important feature is the IP Block List and the IP Block List providers. When a sending SMTP server is on such a Block List the receiving SMTP server will not accept the connection. One well-known Block List provider is SpamHaus (www.spamhaus.org), in particular their ‘zen’ combined Block List. To configure this Block List provider, open the Exchange Management Shell on the Edge Transport server and enter the following command:
Add-IPBlockListProvider -Name 'SpamHaus' -LookupDomain 'zen.spamhaus.org' -Enabled $true -BitmaskMatch $null -IPAddressesMatch @() -Priority '1' -AnyMatch $true -RejectionResponse 'Message blocked due to black listing'
IP Allow List
It is also possible to add IP addresses of sending SMTP servers to an IP Allow List, sometimes also referred to as a White List. If a connection passes the IP Block List, the IP Allow List is evaluated. If the sending SMTP server is on this IP Allow List, the message is stamped with an SCL (Spam Confidence Level) of “-1” and the message flows ‘freely’ through the Exchange 2010 environment.
For example, I have a script that’s sending status messages from a server in our Datacenter. It passes the Connection Filtering, but is rejected by Content Filtering as spam as shown in the following figure:
The IP Address of the server is added to the IP Allow List of the Edge Transport Server by entering the following command:
Add-IPAllowListEntry -IPAddress <<IP Address>>
Now when the script sends messages, Connection Filtering stamps the message and delivers it to the Mailbox. When checking the header of this particular message this is shown:
Content Filtering is another important feature of the Edge Transport server. Using content filtering it’s possible to filter and delete incoming messages based on certain keywords like ‘online casino’, ‘cheap watches’, ‘viagra’ or whatever word you want to filter on. You can use the Add-ContentFilterPhrase cmdlet to add specific words to the Content Filter:
Add-ContentFilterPhrase -Phrase 'Online Casino' -Influence BadWord
Add-ContentFilterPhrase -Phrase 'V I A G R A' -Influence BadWord
Add-ContentFilterPhrase -Phrase 'Nigeria' -Influence BadWord
Content Filtering also works with an SCL or Spam Confidence Level. This number identifies the likelihood an email message is spam. An SCL rating of “9” means the message is most likely spam, an SCL rating of “1” means the message is a legitimate email message.
Based on the SCL rating you can block messages, reject messages (an NDR is returned to the sender) or send the email message to a Quarantine mailbox. My personal preference is “9” to block messages, “8” to reject messages and “7” to forward them to a Quarantine mailbox. These settings are set using the Set-ContentFilterConfig cmdlet on the Edge Transport Server:
Set-ContentFilterConfig -QuarantineMailbox 'firstname.lastname@example.org' -SCLQuarantineEnabled $true -SCLQuarantineThreshold '7'
Set-ContentFilterConfig -SCLDeleteEnabled:$true -SCLDeleteThreshold '9'
Set-ContentFilterConfig -SCLRejectEnabled:$true -SCLRejectThreshold '8'
It is also possible to bypass certain recipients from content filtering. A common candidate for this is the email address email@example.com or firstname.lastname@example.org. These settings are also made using the Set-ContentFilterConfig cmdlet:
Set-ContentFilterConfig -BypassedRecipients 'email@example.com', 'firstname.lastname@example.org'
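The same SCL policy applied in one step, as an added example that is not part of the original post: the thresholds are checked for a sane ordering before the server is touched, the stored configuration is read back, and the Content Filter Agent's recent decisions are summarised. The quarantine mailbox address is a placeholder; Get-AgentLog is assumed to be available on the Edge Transport server as it is on other anti-spam agent hosts.

```powershell
# Added example, not code from the original post. Applies the post's SCL
# policy (7 quarantine, 8 reject, 9 delete) with a consistency check first.
$Policy = @{
    QuarantineMailbox      = 'quarantine@example.org'   # placeholder address
    SCLQuarantineEnabled   = $true
    SCLQuarantineThreshold = 7
    SCLRejectEnabled       = $true
    SCLRejectThreshold     = 8
    SCLDeleteEnabled       = $true
    SCLDeleteThreshold     = 9
}

function Test-SclPolicy {
    # A more severe action must fire at a higher SCL than a milder one,
    # otherwise a message is deleted or rejected before it can be quarantined.
    param([hashtable]$P)
    $checks = @(
        ($P.SCLQuarantineThreshold -lt $P.SCLRejectThreshold),
        ($P.SCLRejectThreshold     -lt $P.SCLDeleteThreshold),
        ($P.SCLQuarantineThreshold -ge 0 -and $P.SCLDeleteThreshold -le 9)
    )
    return -not ($checks -contains $false)
}

function Set-SclPolicy {
    param([hashtable]$P)
    if (-not (Test-SclPolicy $P)) {
        throw 'SCL thresholds must satisfy quarantine < reject < delete, each in 0..9'
    }
    # Splat the hashtable so all thresholds change in a single cmdlet call
    Set-ContentFilterConfig @P
    # Read back what the Edge server actually stored, SCL settings only
    Get-ContentFilterConfig |
        Select-Object QuarantineMailbox, SCLQuarantineThreshold,
                      SCLRejectThreshold, SCLDeleteThreshold
}

function Get-ContentFilterActions {
    # Summarise what the Content Filter Agent did in the last $Days days;
    # a sudden rise in deletes is the first sign the thresholds are too tight.
    param([int]$Days = 1)
    Get-AgentLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Where-Object { $_.Agent -eq 'Content Filter Agent' } |
        Group-Object Action | Select-Object Name, Count
}

Set-SclPolicy -P $Policy
Get-ContentFilterActions -Days 1
```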
For a full overview of all anti-spam and anti-malware cmdlets please visit the Microsoft documentation on http://bit.ly/AntiSpamCmdlets
Sender ID Filtering
Sender ID Filtering is a DNS based filtering technique where the receiving SMTP server (in our case this is our Exchange 2013 Edge Transport server) checks for certain DNS records (called SPF records) of the sending organization.
Depending on the result, the receiving server rejects the message, stamps it with an additional message header or just forwards it to the Mailbox.
The SPF record (a TXT record can be used as well) is registered in public DNS of the sending organization, and this is checked by the receiving mail server. If other parties want to implement Sender ID, we have to enter an SPF record in public DNS as well. This record contains a reference to the IP addresses of the servers that are allowed to send messages from our domain name. For example, my Edge Transport Server is sending SMTP messages from the ‘exchangelabs.nl’ domain and this is the only server that’s allowed to send messages from this domain. If other SMTP servers are sending messages using this domain it is most likely spam.
To create an SPF record Microsoft has a wizard available on their website that you can find on http://bit.ly/SenderIDWizard.
This wizard consists of four steps:
- Identify the SMTP domain, i.e. exchangelabs.nl;
- The wizard then determines there’s no SPF record and retrieves the IP address for the domain (exchangelabs.nl) and its MX record:
- The third step is to enter details about the sending SMTP server that the wizard uses to create the actual SPF record. In my example the only server allowed to send mail is the smtphost.exchangelabs.nl server and this option is checked in the wizard. Since I also have a valid PTR record for my Edge Transport Server I can check the All PTR records resolve to outbound email servers option under Reverse DNS Lookup.
- In the last step the value for the SPF record is shown.
This value should be entered in public DNS. Once entered you can check its availability using the NSLookup utility.
When you’ve configured all this and send a new email message for example to your Hotmail mailbox you can check the message header. You’ll find something like this:
Authentication-Results: hotmail.com; spf=pass (sender IP is 220.127.116.11) smtp.mailfrom=john@Exchangelabs.nl; dkim=none header.d=Exchangelabs.nl; x-hmca=pass header.id=john@Exchangelabs.nl
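A check of the two DNS facts this section and the Reverse DNS section rely on, as an added example that is not part of the original post: the outbound IP must have a PTR record that resolves back to the same IP, and the domain's SPF record must cover that IP. The host IP and domain are assumed values taken from the post; only `ip4:` mechanisms are evaluated, so a record that covers the server through `a`, `mx` or `include` reports SpfCoversIp as false.

```powershell
# Added example, not code from the original post. Uses the DnsClient module's
# Resolve-DnsName (Windows Server 2012 and later). Values are assumptions.
$OutboundIP = '184.108.40.206'
$SmtpDomain = 'exchangelabs.nl'

function Test-IPv4InSpfNetwork {
    # True when $Ip falls inside an 'ip4:' mechanism such as ip4:203.0.113.0/24
    param([string]$Ip, [string]$Mechanism)
    $network, $bits = ($Mechanism -replace '^ip4:', '') -split '/'
    if (-not $bits) { $bits = 32 }
    $toInt = { param($a) $b = ([System.Net.IPAddress]::Parse($a)).GetAddressBytes()
               [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + $b[3] }
    # Two addresses share a /n prefix when they agree after dropping 32-n low bits
    $block = [math]::Pow(2, 32 - [int]$bits)
    return [math]::Floor((& $toInt $Ip) / $block) -eq [math]::Floor((& $toInt $network) / $block)
}

function Test-OutboundDnsHygiene {
    param([string]$Ip, [string]$Domain)
    $r = [ordered]@{ PtrHost = $null; PtrRoundTrip = $false; SpfRecord = $null; SpfCoversIp = $false }
    try {
        # Reverse lookup: the name a receiving server sees for our outbound IP
        $ptr = (Resolve-DnsName -Name $Ip -Type PTR -ErrorAction Stop | Select-Object -First 1).NameHost
        $r.PtrHost = $ptr
        # Forward-confirm it: the PTR name must resolve back to the same IP
        $forward = Resolve-DnsName -Name $ptr -Type A -ErrorAction Stop | ForEach-Object IPAddress
        $r.PtrRoundTrip = ($forward -contains $Ip)
    } catch { Write-Warning "Reverse DNS check failed: $_" }
    try {
        # SPF lives in a TXT record starting with v=spf1; long records are split into strings
        $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
               ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
        $r.SpfRecord = $spf | Select-Object -First 1
        if ($r.SpfRecord) {
            $ip4 = ($r.SpfRecord -split '\s+') | Where-Object { $_ -like 'ip4:*' }
            $r.SpfCoversIp = [bool]($ip4 | Where-Object { Test-IPv4InSpfNetwork $Ip $_ })
        }
    } catch { Write-Warning "SPF lookup failed: $_" }
    [pscustomobject]$r
}

Test-OutboundDnsHygiene -Ip $OutboundIP -Domain $SmtpDomain | Format-List
```

Run it from any Windows host with Internet DNS access after publishing the SPF record; PtrRoundTrip and SpfCoversIp should both be True before you start sending mail.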
Thus far I’ve shown you how to configure the SPF record you have to use in your public DNS for your SMTP domain. The next step is to configure SPF on our Edge Transport Server.
When you open the EMS and enter the Get-SenderIDConfig cmdlet you’ll see the default settings for the SenderID Transport Agent. In this example I’d like to change the SpoofedDomainAction setting. This setting determines what the Transport Agent needs to do when the SenderID check returns an error (wrong IP on the sending SMTP server and thus a spoofed domain). There are multiple options:
- StampStatus – this is the default setting. It stamps an additional header on the message and the server continues processing.
- Reject – This option returns an NDR to the sender, notifying him or her that something is wrong.
- Delete – This option deletes the message without returning an NDR to the sender. If the sender was legitimate, they never learn that the message got lost.
It is also possible to bypass certain sending SMTP domains using the BypassedSenderDomains parameter. To change the SenderID setting to Reject and add the Microsoft.com SMTP domain to the bypassed sender domains you can use the following command:
Set-SenderIDConfig -SpoofedDomainAction Reject -BypassedSenderDomains "Microsoft.com"
Testing the Edge Transport server
The easiest way to test your Edge Transport server is to start sending email. You can also use the Remote Connectivity Analyzer (www.testexchangeconnectivity.com) to test the environment. Open RCA in your browser and under Internet Email Tests select the Outbound SMTP Email option.
Enter the IP address of the outbound SMTP server, select the options you want to check and enter your email address as shown in the following figure:
When all is well you see the results in seconds and all options should show the green balls with the white checkmark:
At this point we have installed and configured the Exchange 2013 SP1 (well, actually it was CU5) Edge Transport Server and configured the most interesting features like Reverse DNS, IP Block List providers, Content Filtering with a Quarantine mailbox and Sender ID filtering.
If you want more information regarding the Exchange 2013 SP1 Edge Transport Server I recommend you check the Microsoft website on http://bit.ly/2013EdgeTransport