Starting with Exchange 2013, Microsoft have altered the behavior of the Exchange FrontEnd Transport service so that it no longer rejects invalid recipients after they are specified.  Instead the rejection is performed after the DATA command has ben issued.  This breaks Dynamic Recipient Verification in SpamTitan.  To work around this access has to be given to the Default HubTransport connector which is still SMTP compliant, and rejects invalid recipients after they are specified using the RCPT TO command.  By default the Default HubTransport connector is accessed on port 2525.

Step1: Check to see if the Exchange Anti-Spam Agents are installed

This can be checked via the Exchange Management Shell (EMS).  Open EMS.  Issue the following command: 




It should return results like this if the Anti-Spam Agents are installed:

Check to see if "Recipient Filter Agent" is listed.

If "Recipient Filter Agent" is not listed, issue the following command to install the Exchange Anti-Spam Agents:


& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1


Step 2: Ensure the "Recipient Filtering Agent" is enabled

After installing the Anti-Spam Agents issue the following command to verify that the Recipient Filter Agent has been installed and is enabled




If it is not enabled run the following command to enable the Recipient Filtering Agent:


Enable-TransportAgent “Recipient Filter Agent”


At this point you need to restart the "Microsoft Exchange Transport" service

Step 3: Ensure AddressBook is enabled

Now let's make sure your accepted domains are using Address Book to check for valid recipients. By default, this should be enabled when you set Exchange as an authoritative Mailbox Server for your domain.

To check it, run this from the shell:

Get-AcceptedDomain | Format-List Name,AddressBookEnabled


It should provide you with a list of all accepted domains and if Address Book is enabled or not. If your Exchange is Authoritative and Address Book is disabled for some reason, enable it with:


Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true



Or, to enable for all domains (caution, make sure you are not relaying any domains before running this)

For Exchange 2013 use:

Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true


For Exchange 2016 use:

Get-AcceptedDomain | ? {$_.AddressBookEnabled -ne "True"} | Set-AcceptedDomain -AddressBookEnabled $true


At this point you need to restart the "Microsoft Exchange Transport" service

Step 4: Ensure Recipient Validation is enabled

Now you should have Recipient Filter enabled on your Mailbox Server and Address Book enabled on your domain. But, if you test this now, it probably still won't work. That's because Validation could still be disabled. There's one more step to take to get this working.

To check if it is  disabled, run:


Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled


It should return that Recipient Filter is enabled, but if validation is not run this command:


Set-RecipientFilterConfig -RecipientValidationEnabled $true


At this point you need to restart the "Microsoft Exchange Transport" service

Step 5: Allow access to the Default receive connector

Now go to the Exchange Administrative Cente, go to Mail Flow -> Receive Connectors.  Edit your ”Default <servername>” connector’, go to the Security tab and ensure that Anonymous users are allowed.  This will allow connections to this Receive connector so it can be used for Dynamic Recipient Verification, but mail cannot be delivered directly via this connector.  By default this connector can be accessed on port 2525.  

If your SpamTitan server accesses your mail server via your firewall, go to your firewall and open and forward port 2525 to your Exchange server.  Access to this port can be restricted to the IP addresses/s of your SpamTitan server/s.

Step 6: Test Recipient Filtering

Test Recipient Verification through the additional port by telnetting to that port – For Example: telnet 2525

Note: By default telnet is no longer installed in Windows, you can install it via Programs & Features in the Windows Control Panel or use a 3rd party client such as Putty.

The commands you have to enter are highlighted in bold.  Replace the text highlight in red with a domain hosted by your mail server.

Your test should look like this:

220 Microsoft ESMTP MAIL Service ready at Tue, 18 Mar 2014 20:39:41 +0100

ehlo Hello [192.168.***.***]

mail from: <>

250 2.1.0 Sender OK

rcpt to: <>

550 5.1.1 User unknown

Step 7: Configure SpamTitan to use port 2525 for Dynamic Recipient Verification

Go to System Setup > Mail Relay > Domains.  Edit the domain, select Dynamic Recipient Verification from the drop down menu and enter your mail server IP or host name followed by :2525, for example:


Step 8: (Optional, but recommended)  Disable the other Anti-Spam Agents

You may want to disable the other Anti-Spam Agents so that ONLY recipient verification is enabled.  This will prevent issues such as your Exchange server blocking the SpamTitan Quarantine Report (this report will contain a list of Subject lines from spam mails and may be blocked as spam by the Content Filter Agent):


Set-SenderFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-ContentFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false



Do these one at a time since they require an answer of “Y”:


Disable-TransportAgent "Sender Filter Agent"
Disable-TransportAgent "Sender ID Agent"
Disable-TransportAgent "Content Filter Agent"
Disable-TransportAgent "Protocol Analysis Agent"