Mailprotector – How to control Address-Discovery ...

Category Archives: Blog

Mailprotector – How to control Address-Discovery with on-premise Exchange

One of the challenges of mail filters is managing users.    Mailprotector gives you 4 ways to create user accounts:

  1.  Manual creation –  Whenever you have a new email user, alias, or distribution group, you need to sign into the console and add the user.   This is a 5 minute process, but you have to remember to do it!   You also have to be sure to review your account each month before billing, and REMOVE any users that may be gone.  This is a solid way to control your expense, because nothing will be added to your bill, unless you do something.
  2. Import from CSV –  if you can export your users from your Exchange server (See PowerShell command at the end), you can import them into Mailprotector pretty easily.  This is a great solution for the initial setup, but doesn’t really solve the adds/changes that naturally occur.  Eventually you will need to use one of the other options. You can read more about how to do this on the Mailprotector support site.
  3. LDAP – LDAP setup allows Mailprotector to grab all active users, aliases, distribution lists, etc and it will automatically add and delete any addresses that it finds.   If you can set this up, this is the easiest way to manage names, however it does require a little knowledge of Active Directory, and a port open on your firewall to access LDAP on your server.   Most importantly, it requires you to keep your Active Directory clean, or you will adding (and paying for!)  accounts that do not receive mail.   You can read more about how to do this on the Mailprotector support site.
  4. Address-Discovery – This is a new feature that was added in the last 6 months.   It is a great addition, however it has a tendency to create accounts for addresses that should have been rejected.   This is not really Mailprotector’s fault, it is a limitation of the way Exchange works.
    Let me try to explain what happens:When an email is sent to Mailprotector with Address-Discovery enabled, it goes through all the standard filtering, and if it passes that filtering, it is delivered to the Exchange server, and here is where the problem begins.   The last few releases of Microsoft Exchange accept everything.  This was done to eliminate “directory harvesting”, where a hacker could simply keep trying names until one was accepted.  Exchange just accepts them all, then passes them to the next layer, which then does the actual address look up, and when it can’t find it, sends a NDR receipt to the sender.  Unfortunately this makes it impossible to keep Address Discovery turned on permanently, since Mailprotector is simply looking for a “250” code that the user is valid, which is always provided.

    So what do you do?
    Solving this for an on-premise Exchange server is possible.  The solution is that you have to by-pass the “Front End Transport” service, and deliver the mail directly to the “Transport Service“.   To do this we need to turn on a bunch of things.   Here are some steps we have tested:

    1. Check to see if the Exchange Anti-Spam Agents are installed:
      (these are all PowerShell commands run in the Exchange PowerShell interface)

      Get-TransportAgent

      If “Recipient Filter Agent” is not listed, issue the following command to install the Exchange Anti-Spam Agents:& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
    2. Ensure the “Recipient Filtering Agent” is enabled:

      Get-TransportAgentIf it is not enabled run the following command to enable the Recipient Filtering Agent:Enable-TransportAgent “Recipient Filter Agent”
    3. Ensure AddressBook is enabled:

      Get-AcceptedDomain | Format-List Name,AddressBookEnabledIf any addressbook is not enabled, use the following command per the version of exchange installed:Exchange 2013:
      Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true

      Exchange 2016:
      Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne “True”} | Set-AcceptedDomain -AddressBookEnabled $true

      RESTART the “Microsoft Exchange Transport” Service

    4. Ensure Recipient Validation is enabled:Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled

      If this command returns it as DISABLED, use the command below to enable itSet-RecipientFilterConfig -RecipientValidationEnabled $true

      RESTART the “Microsoft Exchange Transport” Service

    5. Allow access to the Default receive connector:
      Edit the “Default <servername> connector” (which is the Hub Transport, NOT Frontend Transport) settings, by checking the ANONYMOUS USERS check box in the SECURITY section
    6. By default, this connector accepts messages on 2525. Leave port as-is, however you will need to modify your firewall to allow this port into your Exchange server (ideally only from Mailprotector’s IPs) and you need to MODIFY your Mailprotector Inbound SMTP Host address to add “:2525” to the IP .
    7. Test to make sure unknown email addresses are now getting rejected with the “550 5.1.1 Unknown user” error
      (these commands would be typed in a command prompt window.  You will likely need to enable Telnet in the Control Panel) Telnet Test:
      telnet <mailserver> 2525
      mail from: <email@external.com>
      250 2.1.0 Sender OK
      rcpt to: <fakeuser@your_domain.com>
      550 5.1.1 User unknownPS.  If you haven’t typed in Telnet before, you can’t backspace.  If you fat-finger something, you pretty much have to start over!
    8. Optional, but recommended) Disable the other Anti-Spam Agents:Set-SenderFilterConfig -Enabled $false
      Set-SenderIDConfig -Enabled $false
      Set-ContentFilterConfig -Enabled $false
      Set-SenderReputationConfig -Enabled $false
  5. Once this is finished, if you are in clean-up mode, you can dump a list of all of your Exchange users by running this PowerShell command on your Exchange Server:    Get-Mailbox | select name -ExpandProperty EmailAddresses | select name, smtpaddress | Export-csv c:\temp\AllEmailAddress.csv

    You would then compare this list against the list that is in Mailprotector, and either delete or re-classify them as Mailing lists, or delete them and make them an alias of an existing user.

Please let us know if we can improve on any of these steps, or if you discover any discrepancies.   I hope this helps you tame user creation in Mailprotector.  If your clients are hosted with O365, stay tuned for another blog on how to resolve this there.

Special thanks to Benjamin M. at our parent company Network Depot (http://networkdepot.com) for the testing and documentation.

 

Slow/Inaccurate Kaseya Patch Scans with Windows 7 SP1

To avoid problems with patching Windows 7 SP1 machines,  Virtual Administrator is recommending running both of these agent procedures on all Windows 7 SP1 machines that have older versions of the Windows Update Client.   Those of you that are on VA’s on-prem KServers, can locate the scripts in the VA Scripts-> Patch Deployment folder.  Everyone…Continue Reading

[Webinar Replay] How to run a successful Workspace as a Service (WaaS) program

Scott Bechtold from CloudJumper was willing to spend some time with our partners and do a Q&A style webinar where he answers all kinds of questions related to running a Workspace as a Service program. Learn Scott’s experience pricing the workspaces, finding new clients, selling the benefits of a service such as this, and more.…Continue Reading

Managing Java updates through Kaseya

Have you been struggling to keep Java up to date?   What about removing old, vulnerable versions?    This has been a big pain for us, but I am pleased to announce our new 2016 Java Install/Update script for Kaseya. We have spent over 150 hours struggling to deal with this issue.   The old installers we had…Continue Reading

Virtual Administrator’s February 2016 Patch Recommendations

13 Security Bulletins were released – 6 Critical, 7 Important, and 0 Moderate This Month In Brief We have not uncovered any widespread problems with any of this month’s Security Bulletins and are releasing all of them. Denied Non-Security Bulletin Updates: KB3123862 has been denied MS16-009, MS16-011, MS16-012, MS16-013, MS16-015 and MS16-022 are rated Critical.…Continue Reading

Copyright © 2007-2017 Network Depot LLC DBA Virtual Administrator. All Rights Reserved.