Starting with Exchange 2013, Microsoft has altered the behavior of the Exchange FrontEnd Transport service so that it no longer rejects invalid recipients at the point where they are specified with the RCPT TO command.  Instead the rejection is performed only after the DATA command has been issued.  This breaks Dynamic Recipient Verification in SpamTitan, which relies on the RCPT TO response.  To work around this, access has to be given to the Default HubTransport connector, which is still SMTP compliant and rejects invalid recipients as soon as they are specified with RCPT TO.  By default the Default HubTransport connector is accessed on port 2525.



Step 1: Check to see if the Exchange Anti-Spam Agents are installed


This can be checked via the Exchange Management Shell (EMS).  Open EMS and issue the following command:


Get-TransportAgent


It should return results like this if the Anti-Spam Agents are installed:



Check to see if "Recipient Filter Agent" is listed.

If "Recipient Filter Agent" is not listed, issue the following command to install the Exchange Anti-Spam Agents:


& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1



Step 2: Ensure the "Recipient Filter Agent" is enabled


After installing the Anti-Spam Agents, issue the following command to verify that the Recipient Filter Agent has been installed and is enabled:


Get-TransportAgent


If it is not enabled, run the following command to enable the Recipient Filter Agent:


Enable-TransportAgent "Recipient Filter Agent"



At this point you need to restart the "Microsoft Exchange Transport" service



Step 3: Ensure AddressBook is enabled


Now let's make sure your accepted domains are using Address Book to check for valid recipients. By default, this should be enabled when you set Exchange as an authoritative Mailbox Server for your domain.


To check it, run this from the shell:


Get-AcceptedDomain | Format-List Name,AddressBookEnabled

 

It should provide you with a list of all accepted domains and if Address Book is enabled or not. If your Exchange is Authoritative and Address Book is disabled for some reason, enable it with:



Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true


Or, to enable it for all domains (caution: make sure you are not relaying for any domains before running this, since Address Book lookups only make sense for domains whose recipients exist in your Exchange organization):


For Exchange 2013 use:

Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true

 

For Exchange 2016 use (this only touches domains where Address Book is not already enabled):

Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne $true} | Set-AcceptedDomain -AddressBookEnabled $true



At this point you need to restart the "Microsoft Exchange Transport" service



Step 4: Ensure Recipient Validation is enabled


Now you should have Recipient Filter enabled on your Mailbox Server and Address Book enabled on your domain. But, if you test this now, it probably still won't work. That's because Validation could still be disabled. There's one more step to take to get this working.


To check if it is disabled, run:


Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled



It should show that Recipient Filter is enabled; if RecipientValidationEnabled is False, run this command:


Set-RecipientFilterConfig -RecipientValidationEnabled $true



At this point you need to restart the "Microsoft Exchange Transport" service
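As an added example that is not part of the original article, the following script (run in the Exchange Management Shell) reports in one pass whether the settings from Steps 1 to 4 are in place.  It is read-only and changes nothing; the remediation hints it prints are the cmdlets already used in the steps above.

```powershell
# Added check script (not from the original article): verifies the Exchange
# prerequisites for SpamTitan Dynamic Recipient Verification without changing anything.
$problems = @()

# Steps 1 and 2: the Recipient Filter Agent must be installed and enabled.
# Get-TransportAgent -Identity errors when the agent is absent, so filter instead.
$agent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' }
if (-not $agent) {
    $problems += 'Recipient Filter Agent is not installed (run Install-AntiSpamAgents.ps1)'
} elseif (-not $agent.Enabled) {
    $problems += 'Recipient Filter Agent is installed but disabled (Enable-TransportAgent "Recipient Filter Agent")'
}

# Step 3: every accepted domain SpamTitan will verify needs AddressBookEnabled = True.
$noAddressBook = Get-AcceptedDomain | Where-Object { -not $_.AddressBookEnabled }
foreach ($d in $noAddressBook) {
    $problems += "Accepted domain '$($d.Name)' has AddressBookEnabled = False"
}

# Step 4: recipient filtering and recipient validation must both be switched on.
$cfg = Get-RecipientFilterConfig
if (-not $cfg.Enabled) {
    $problems += 'Recipient filtering is disabled (Set-RecipientFilterConfig -Enabled $true)'
}
if (-not $cfg.RecipientValidationEnabled) {
    $problems += 'RecipientValidationEnabled is False (Set-RecipientFilterConfig -RecipientValidationEnabled $true)'
}

if ($problems.Count -eq 0) {
    Write-Host 'All recipient verification prerequisites are in place.' -ForegroundColor Green
} else {
    Write-Host 'Recipient verification is not ready:' -ForegroundColor Yellow
    $problems | ForEach-Object { Write-Host " - $_" }
    Write-Host 'Restart the Microsoft Exchange Transport service after fixing these.'
}
```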



Step 5: Allow access to the Default receive connector


Now go to the Exchange Admin Center (EAC) and open Mail Flow -> Receive Connectors.  Edit your "Default <servername>" connector, go to the Security tab and ensure that Anonymous users are allowed.  This will allow SpamTitan to connect to this Receive connector so it can be used for Dynamic Recipient Verification; mail cannot be delivered directly via this connector.  By default this connector can be accessed on port 2525.


If your SpamTitan server reaches your mail server through your firewall, open port 2525 on the firewall and forward it to your Exchange server.  Access to this port can be restricted to the IP address(es) of your SpamTitan server(s).



Step 6: Test Recipient Filtering


Test Recipient Verification through the additional port by telnetting to that port, for example: telnet mail.domain.com 2525


Note: By default telnet is no longer installed in Windows; you can install it via Programs & Features in the Windows Control Panel or use a third-party client such as PuTTY.


In the transcript below, the lines beginning with ehlo, mail from and rcpt to are the commands you type; the other lines are the server's responses.  Replace your_domain.com with a domain hosted by your mail server.

Your test should look like this:


220 ex2013.domain.com Microsoft ESMTP MAIL Service ready at Tue, 18 Mar 2014 20:39:41 +0100

ehlo server.com

250-ex2013.domain.com Hello [192.168.***.***]

mail from: <email@external.com>

250 2.1.0 Sender OK

rcpt to: <fakeuser@your_domain.com>

550 5.1.1 User unknown
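An added example, not from the original article, that scripts the telnet test above from PowerShell using System.Net.Sockets.TcpClient: it walks through EHLO, MAIL FROM and RCPT TO on port 2525 and reports whether an invalid recipient is rejected at RCPT TO (which is what SpamTitan needs) or accepted.  The server, port and domain parameters are placeholders, and the EHLO name and sender address are made up.

```powershell
# Added SMTP probe (not from the original article); replace the placeholder values.
param(
    [string]$Server = 'mail.domain.com',   # placeholder: your Exchange server
    [int]$Port = 2525,                      # Default HubTransport connector port
    [string]$Domain = 'your_domain.com'     # placeholder: a domain hosted on Exchange
)

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"
$writer.AutoFlush = $true

# Reads one SMTP reply, including multi-line "250-..." continuations,
# and returns the three-digit status code of the final line.
function Read-SmtpReply {
    do { $line = $reader.ReadLine(); Write-Host "S: $line" }
    while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
    if (-not $line) { return '000' }        # connection closed without a reply
    return $line.Substring(0, 3)
}

function Send-SmtpCommand([string]$cmd) {
    Write-Host "C: $cmd"
    $writer.WriteLine($cmd)
    return Read-SmtpReply
}

try {
    [void](Read-SmtpReply)                                  # 220 banner
    [void](Send-SmtpCommand 'EHLO spamtitan.test')          # made-up HELO name
    [void](Send-SmtpCommand 'MAIL FROM:<probe@external.test>')
    $rcpt = Send-SmtpCommand "RCPT TO:<fakeuser-$(Get-Random)@$Domain>"
    [void](Send-SmtpCommand 'QUIT')
} finally {
    $client.Close()
}

if ($rcpt -eq '550') {
    Write-Host 'OK: invalid recipient rejected at RCPT TO; SpamTitan can use this port.'
} elseif ($rcpt -eq '250') {
    Write-Host 'NOT READY: invalid recipient accepted at RCPT TO; recheck Steps 1-5 and the port.'
} else {
    Write-Host "Unexpected RCPT TO reply $rcpt; check the transcript above."
}
```

A 250 here means you are most likely talking to the FrontEnd connector (port 25 behaviour) or validation is still off; a 550 5.1.1 matches the expected transcript above.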



Step 7: Configure SpamTitan to use port 2525 for Dynamic Recipient Verification


Go to System Setup > Mail Relay > Domains.  Edit the domain, select Dynamic Recipient Verification from the drop-down menu and enter your mail server IP or host name followed by :2525, for example:


  • 192.168.0.1:2525
  • mail.domain.com:2525



Step 8: (Optional, but recommended)  Disable the other Anti-Spam Agents


You may want to disable the other Anti-Spam Agents so that ONLY recipient verification is enabled.  This will prevent issues such as your Exchange server blocking the SpamTitan Quarantine Report (this report will contain a list of Subject lines from spam mails and may be blocked as spam by the Content Filter Agent):



Set-SenderFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-ContentFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false


Do these one at a time, since each one prompts for confirmation and requires an answer of "Y":


Disable-TransportAgent "Sender Filter Agent"
Disable-TransportAgent "Sender ID Agent"
Disable-TransportAgent "Content Filter Agent"
Disable-TransportAgent "Protocol Analysis Agent"