Chapter 5. Managing and maintaining mail flow
In Microsoft Exchange 2013, mail flow occurs through a collection of services, connections, components, and queues that work together as part of the transport pipeline. On Client Access servers, the Front End Transport service acts as a stateless proxy for all inbound and outbound external SMTP traffic. On Mailbox servers, the Transport service categorizes messages, inspects their content, and queues them for delivery or submission.
Message delivery is handled by the Mailbox Transport Delivery service. Message submission is handled by the Mailbox Transport Submission service. Both of these are components of the Mailbox Transport service. Although the transport pipeline is critical to mail flow, many other factors also affect mail flow in an Exchange organization, including the configuration of message processing speeds, message throttling, accepted domains, email address policies, journal rules, remote domains, filters, and transport rules.
Managing message pickup, replay, throttling, and back pressure
To support message routing and delivery, Mailbox and Edge Transport servers maintain a few special directories:
Pickup. A folder to which users and applications can manually create and submit new messages for delivery
Replay. A folder for messages bound for or received from non-SMTP mail connectors
The sections that follow discuss how the Pickup and Replay directories are used and configured and also look at the related concepts of message throttling and back pressure.
Understanding message pickup and replay
When a Mailbox or an Edge Transport server receives incoming mail from a server using a non-SMTP connector, it stores the message in the Replay directory and then resubmits it for delivery by using SMTP. When a Mailbox or an Edge Transport server has a message to deliver to a non-SMTP connector, it stores the message in the Replay directory and then resubmits it for delivery to the foreign connector. In this way, messages received from non-SMTP connectors are processed and routed, and messages to non-SMTP connectors are delivered.
Your Transport servers automatically process any correctly formatted .eml message file copied into the Pickup directory. Exchange considers a message file that is copied into the Pickup directory to be correctly formatted if it meets the following conditions:
Is a text file that complies with the basic SMTP message format and can also use Multipurpose Internet Mail Extension (MIME) header fields and content
Has an .eml file name extension, zero or one email address in the Sender field, and one or more email addresses in the From field
Has at least one email address in the To, Cc, or Bcc fields and a blank line between the header fields and the message body
Transport servers check the Pickup directory for new message files every five seconds. Although you can’t modify this polling interval, you can adjust the rate of message file processing by using the –PickupDirectoryMaxMessagesPerMinute parameter on the Set-TransportService cmdlet. The default value is 100 messages per minute. When a transport server picks up a message, it checks the message against the maximum message size, the maximum header size, the maximum number of recipients, and other messaging limits.
For the Pickup directory, the maximum message size is 10 megabytes (MB), the maximum header size is 64 kilobytes (KB), and the maximum number of recipients is 100 by default. As may be necessary to meet the needs of your organization, you can change these limits by using the Set-TransportService cmdlet. If a message file doesn’t exceed any assigned limits, the Transport server renames the message file by using a .tmp extension, and then converts the .tmp file to an email message. After the message is successfully queued for delivery, the Transport server issues a “close” command and deletes the .tmp file from the Pickup directory.
Real World
Header fields are plain text, and each character of text is 1 byte. The size of the header is determined by the total number of header fields and characters in each header field. Organization X-headers, forest X-headers, and routing headers are removed from messages in the Pickup directory. On the other hand routing headers are preserved in the Replay directory, and organization X-headers and forest X-headers also are preserved if an X-CreatedBy header field indicates the headers were created by Exchange 2013 (meaning the field value is set to MSExchange15).
Your Transport servers automatically process any correctly formatted .eml message file copied into the Replay directory. Exchange considers a message file that is copied into the Replay directory to be correctly formatted if it meets the following conditions:
Is a text file that complies with the basic SMTP message format and can also use MIME header fields and content
Has an .eml file name extension, and its X-header fields occur before all regular header fields
Has a blank line between the header fields and the message body
Transport servers check the Replay directory for new message files every five seconds. Although you can’t modify this polling interval, you can adjust the rate of message file processing by using the –PickupDirectoryMaxMessagesPerMinute parameter of the Set-TransportService cmdlet. This parameter controls the rate of processing for both the Pickup directory and the Replay directory. The Transport server renames the message file by using a .tmp extension, and then converts the .tmp file to an email message. After the message is successfully queued for delivery, the server issues a “close” command and deletes the .tmp file from the Replay directory.
Exchange considers any improperly formatted email messages received in the Pickup or Replay directory to be undeliverable and renames them from the standard message name (MessageName.eml) to a bad message name (MessageName.bad). Because this is considered a type of message-processing failure, a related error is also generated in the event logs. In addition, if you restart the Microsoft Exchange Transport service when .tmp files are in the Pickup directory, Replay directory, or both directories, all .tmp files are renamed as .eml files and are reprocessed, which can lead to duplicate message transmissions.
Configuring and moving the Pickup and Replay directories
Because of the way message pickup and replay works, Transport servers do not perform security checks on messages submitted through these directories. This means that if you’ve configured anti-spam, antivirus, sender filtering, or recipient filtering actions on a Send connector, those checks are not performed on the Pickup or Replay directory. To ensure that the Pickup and Replay directories are not compromised by malicious users, specific security permissions that must be tightly controlled are applied.
For the Pickup and Replay directories, you must configure the following permissions:
Full Control for Administrator
Full Control for Local System
Read, Write, and Delete Subfolders and Files for Network Service
When you have a need to balance the load across a server’s disk drives or ensure ample free space for messages, you can move the Pickup and Replay directories to new locations. Move the location of the Pickup directory by using the –PickupDirectoryPath parameter on the Set-TransportServicer cmdlet. Move the location of the Replay directory by using the –ReplayDirectoryPath parameter on the Set-TransportService cmdlet. With either parameter, successfully changing the directory location depends on the rights that are granted to the Network Service account on the new directory location and whether the new directory already exists. Keep the following in mind:
If the new directory does not already exist and the Network Service account has the rights to create folders and apply permissions at the new location, the new directory is created and the correct permissions are applied to it.
If the new directory already exists, the existing folder permissions are not checked or changed. Exchange assumes you’ve already set the appropriate permissions.
Changing the Pickup directory provides the syntax and usage for moving the Pickup and Replay directories. If you want to move both the Pickup and Replay directories, you should do so in two separate commands to ensure that both directories get moved as appropriate.
Changing the message processing speed
By default, Transport servers simultaneously and separately process the Pickup and Replay directories. Transport servers scan the Pickup and Replay directories for new message files once every five seconds (or 12 times per minute), and they process messages copied to either directory at a rate of 100 messages per minute, per directory. Because the polling interval is not configurable, the maximum number of messages that can be processed in either the Pickup or Replay directory during each polling interval, by default, is approximately 8 (100 messages per minute divided by 12 messages processed per minute).
Although the polling interval is not configurable, the maximum number of messages that can be processed during each polling interval is configurable. You assign the desired processing rate by using the –PickupDirectoryMaxMessagesPerMinute parameter, because this processing speed is used with both the Pickup and Replay directories.
You might want to adjust the message processing rate in these situations:
If the server is unable to keep up with message processing, you might want to decrease the number of messages processed per minute to reduce processor and memory use.
If the server is handling message transport for a large organization and you are seeing delays in message transport because of an abundance of messages in the Pickup directory, Replay directory, or both directories, you might want to increase the number of messages processed per minute, as long as the server can handle the additional workload.
You assign the desired processing rate by using the –PickupDirectoryMaxMessagesPerMinute parameter of the Set-TransportService cmdlet, as shown in Changing the message processing speed, and this processing speed is used with both the Pickup and Replay directories. Your Transport server then attempts to process messages in each directory independently at the rate specified. You can use a per-minute message processing value between 1 and 20,000.
Configuring messaging limits for the Pickup directory
The Pickup directory is used by administrators to test mail flow and by applications that create and submit their own messages. If applications are generating messages with expanded headers, such as when there are many recipients in To:, Cc:, and Bcc: header fields, you may need to modify the messaging limits for the Pickup directory.
You can set messaging limits for the Pickup directory for message header sizes and maximum recipients per message. The default message header size is 64 KB, which allows for 65,536 characters in the header. To change this setting, you can set the –PickupDirectoryMaxHeaderSize parameter of the Set-TransportService cmdlet to the desired size. The valid input range for this parameter is 32,768 to 2,147,483,647 bytes. When you specify a value, you should qualify the units for that value by ending with one of the following suffixes:
B for bytes (Default)
KB for kilobytes
MB for megabytes
GB for gigabytes
The following example sets the maximum header size to 256 KB:
Set-TransportService –Identity MailServer48 –PickupDirectoryMaxHeaderSize "256KB"
The default maximum recipients per message is 100. To change this setting, you can set the –PickupDirectoryMaxRecipientsPerMessage parameter of the Set-TransportService cmdlet to the desired size. The valid input range for this parameter is 1 to 10,000. The following example sets the maximum recipients to 500:
Set-TransportService –Identity MailServer48 –PickupDirectoryMaxRecipientsPerMessage "500"
Configuring message throttling
Message throttling sets limits on the number of messages and connections that can be processed by a Mailbox or an Edge Transport server. These limits are designed to prevent the accidental or intentional inundation of transport servers and help ensure that transport servers can process messages and connections in an orderly and timely manner. Throttling works in conjunction with size limits on messages that apply to header sizes, attachment sizes, and number of recipients. Although the default throttling settings work in a typical messaging environment, you may need to modify these settings as your organization grows, especially if users or applications create and send a lot of email messages.
On Mailbox and Edge Transport servers, you can set some message throttling options in the Exchange Admin Center by using the options on the Transport Limits page in the transport server’s Properties dialog box. In the Exchange Management Shell, you can configure all message throttling options by using Set-TransportService and related parameters.
MaxConcurrentMailboxDeliveries. Sets the maximum number of delivery threads that can be open at the same time to deliver messages to mailboxes. The default value is 20.
MaxConcurrentMailboxSubmissions. Sets the maximum number of delivery threads that can be open at the same time to accept messages from mailboxes. The default value is 20.
MaxConnectionRatePerMinute. Sets the maximum rate at which new inbound connections can be opened to any Receive connectors that exist on the server. The default value is 1,200 connections per minute.
MaxOutboundConnections. Sets the maximum number of concurrent outbound connections that can be open at the same time for Send connectors. The default value is 1,000.
MaxPerDomainOutboundConnections. Sets the maximum number of connections that can be open to any single remote domain for any available Send connectors. The default value is 20.
With Set-SendConnector, you can configure throttling by using ConnectionInactivityTimeOut. This parameter sets the maximum idle time before an open SMTP connection is closed. The default value is 10 minutes.
With Set-ReceiveConnector, you can configure throttling by using the following parameters:
ConnectionInactivityTimeout. Sets the maximum idle time before an open SMTP connection is closed. The default value is 5 minutes for a Mailbox and 1 minute for an Edge Transport.
ConnectionTimeOut. Sets the maximum time that an SMTP connection can remain open, even if it is active. The default value is 10 minutes for a Mailbox and 5 minutes for an Edge Transport. ConnectionTimeout must be longer than ConnectionInactivityTimeout.
MaxInboundConnection. Sets the maximum number of simultaneous inbound SMTP connections. The default value is 5,000.
MaxInboundConnectionPercentagePerSource. Sets the maximum number of simultaneous inbound SMTP connections from a single source server. The value is expressed as the percentage of available remaining connections on a Receive connector (as defined by the –MaxInboundConnection parameter). With most Receive connectors the default value is 2 percent.
MaxInboundConnectionPerSource. Sets the maximum number of simultaneous inbound SMTP connections from a single source messaging server. With most Receive connectors the default value is 20.
MaxProtocolErrors. Sets the maximum number of SMTP protocol errors allowed before a Receive connector closes a connection with a source messaging server. The default value is 5.
TarpitInterval. Sets artificial delay in SMTP responses in cases in which unwelcome messages are being received from anonymous connections. The default value is 5 seconds.
Understanding back pressure
Back pressure limits overuse of system resources on a Mailbox or an Edge Transport server. Transport servers monitor key system resources to determine usage levels. If usage levels exceed a specified limit, the server stops accepting new connections and messages to prevent server resources from being completely overwhelmed and to enable the server to deliver the existing messages. When usage of system resources returns to a normal level, the server accepts new connections and messages. Resources monitored as part of the back pressure feature include:
Free space on hard disk drives that store the message queue database transaction logs.
Free space on the hard disk drives that store the message queue database.
The amount of memory used by all processes.
The amount of memory used by the Edgetransport.exe process.
The number of uncommitted message queue database transactions that exist in memory.
Levels of usage are defined as normal, medium, or high. With the normal level, the resource is not overused, and the server accepts new connections and messages. With the medium level, the resource is slightly overused, and limited back pressure is applied, allowing mail from senders in the authoritative domain to continue being sent while the server rejects new connections and messages from other sources. With the high level, the resource is severely overused and full back pressure is applied, meaning message flow stops and the server rejects all new connections and messages.
You have limited control over how back pressure is applied. Some related settings can be configured in the Edgetransport.exe.config file on Edge Transport servers; however, Microsoft recommends that you don’t change the default settings.
Creating and managing accepted domains
An accepted domain is any SMTP namespace for which an Exchange organization sends or receives email. Accepted domains include domains for which the Exchange organization is authoritative, in addition to domains for which the Exchange organization relays mail.
Understanding accepted domains, authoritative domains, and relay domains
An organization can have more than one SMTP domain, and the set of email domains your organization uses are its authoritative domains. An accepted domain is considered authoritative when the Exchange organization hosts mailboxes for recipients in this SMTP domain. Transport servers should always accept email that is addressed to any of the organization’s authoritative domains. By default, when you install the first Mailbox server, one accepted domain is configured as authoritative for the Exchange organization, and this default accepted domain is based on the FQDN of your forest root domain.
In many cases, an organization’s internal domain name might differ from its external domain name. You must create an accepted domain to match your external domain name. You must also create an email address policy that assigns your external domain name to user email addresses. For example, your internal domain name might be cpandl.local, whereas your external domain name is cpandl.com. When you configure DNS, the DNS MX records for your organization will reference cpandl.com, and you will want to assign this SMTP namespace to users by creating an email address policy.
When email is received from the Internet by a Transport server and the recipient of the message is not a part of your organization’s authoritative domains, the sending server is trying to relay messages through your Transport servers. To prevent abuse of your servers, Transport servers reject all email that is not addressed to a recipient in your organization’s authoritative domains. However, at times you might need to relay email messages from another domain, such as messages from a partner or subsidiary, in which case, you can configure accepted domains as relay domains. When your Transport servers receive the email messages for a configured relay domain, they will relay the messages to an email server in that domain.
You can configure a relay domain as an internal or an external relay domain. You configure an internal relay domain when there are contacts from the relay domain in the global address list. If your organization contains more than one forest and has configured global address list synchronization, the SMTP domain for one forest can be configured as an internal relay domain in a second forest. Messages from the Internet that are addressed to recipients in internal relay domains are received and processed by your Edge Transport servers. These messages are then relayed to your Mailbox servers, which, in turn, route the messages to the Mailbox servers in the recipient forest. Configuring an SMTP domain as an internal relay domain ensures that all email addressed to the relay domain are accepted by your Exchange organization.
You configure an external relay domain when you want to relay messages to an email server that is both outside your Exchange organization and outside the boundaries of your organization’s network perimeter. For this configuration to work, your DNS servers must have an MX record for the external relay domain that references a public IP address for the relaying Exchange organization. When your Edge Transport servers receive the messages for recipients in the external relay domain, they route the messages to the mail server for the external relay domain. You must also configure a Send connector from the Edge Transport server to the external relay domain. The external relay domain can also be using your organization’s Edge Transport server as a smart host for outgoing mail.
You also can configure accepted domains for Microsoft Exchange Online. In this case, accepted domains can either be authoritative or internal relay domains. Although you manage previously defined domains in Exchange Admin Center under Mail Flow > Accepted Domains, you must initially define domains in Office 365 Admin Center by using the Domains > Add A Domain option.
If you are working in a hybrid organization, you’ll find that the Hybrid Configuration Wizard adds an accepted domain to the on-premises organization to enable hybrid mail flow. This domain, called the coexistence domain, is added as a secondary proxy domain to any email address policies that have primary SMTP address templates for domains selected in the wizard. By default, the coexistence domain is YourDomain.mail.onmicrosoft.com.
Viewing accepted domains
You can view the accepted domains configured for your organization by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Accepted Domains.
In the main pane, accepted domains are listed by name, SMTP domain name, and domain type. The domain type is listed as Authoritative, External Relay, or Internal Relay as shown in Figure 5-1.
You can use the Get-AcceptedDomain cmdlet to list accepted domains or to get information on a particular accepted domain as well. If you do not provide an identity with this cmdlet, configuration information for all accepted domains is displayed. Get-AcceptedDomain cmdlet syntax and usage provides the syntax and usage, in addition to sample output, for the Get-AcceptedDomain cmdlet.
Creating accepted domains
You can create accepted domains for your organization by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Accepted Domains.
In the main pane, tap or click Add to open the New Accepted Domain dialog box, as shown in Figure 5-2.
Use the Name text box to identify the accepted domain. You can use a descriptive name that identifies the purpose of the accepted domain or simply enter the actual SMTP domain name.
In the Accepted Domain text box, type the SMTP domain name for which the Exchange organization will accept email messages. If you want to accept email for the specified domain only, enter the full domain name, such as adatum.com. If you want to accept email for the specified domain and child domains, type * (a wildcard character), then a period, and then the domain name, such as *.adatum.com.
Note
Only domain names you specify can be used as part of an email address policy. Because of this, if you want to use a subdomain as part of an email address policy, you must either explicitly configure the subdomain as an accepted domain or use a wildcard character to include the parent domain and all related subdomains.
Select one of the following options to set the accepted domain type:
Authoritative Domain. Email is delivered to a recipient in this exchange organization.
Internal Relay Domain. Email is relayed to an email server in another Active Directory forest in the organization.
External Relay Domain. Email is relayed to an email server outside the organization by the Edge Transport server.
Tap or click Save to create the accepted domain.
In the Exchange Management Shell, you can use the New-AcceptedDomain cmdlet to create accepted domains. New-AcceptedDomain cmdlet syntax and usage provides the syntax and usage.
Changing the accepted domain type and identifier
You can change an accepted domain’s type and identifier by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Accepted Domains.
On the Accepted Domains tab, select the accepted domain you want to change, and then select Edit. Or simply double-tap or double-click the accepted domain.
In the Properties dialog box, shown in Figure 5-3, enter a new identifier, and use the options provided to change the accepted domain type as necessary.
Select the Make This The Default Domain check box to make the currently selected domain the default for the Exchange organization. The default accepted domain is used in the external postmaster email address and in encapsulated non-SMTP email addresses.
Tap or click Save.
In the Exchange Management Shell, you can use the Set-AcceptedDomain cmdlet to modify accepted domains. Set-AcceptedDomain cmdlet syntax and usage provides the syntax and usage. Use the –AddressBookEnabled parameter to enable recipient filtering for this accepted domain. You should set this parameter to $true only if all the recipients in this accepted domain are replicated to the AD LDS database on the Edge Transport servers. For authoritative domains and internal relay domains, the default value is $true. For external relay domains, the default value is $false.
Removing accepted domains
You can remove an accepted domain that’s no longer needed by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Accepted Domains.
In the main pane, select the accepted domain you want to delete, and then select Delete.
When prompted to confirm, tap or click Yes.
In the Exchange Management Shell, you can use the Remove-AcceptedDomain cmdlet to remove accepted domains. Remove-AcceptedDomain cmdlet syntax and usage provides the syntax and usage.
Creating and managing email address policies
Email address policies allow you to generate or rewrite email addresses automatically for each recipient in your organization based on specific criteria you set. Microsoft Exchange Server uses email address policies in two key ways:
Whenever you create a new recipient, Exchange Server sets the recipient’s default email address based on the applicable email address policy.
Whenever you apply an email address policy, Exchange Server automatically rewrites the email addresses for recipients to which the policy applies.
Every Exchange organization has a default email address policy, which is required to create email addresses for recipients. You can create additional email address policies as well. For example, if your organization’s internal domain name is different from its external domain name, you would need to create an accepted domain to match your external domain name and an email address policy that assigns your external domain name to user email addresses.
Viewing email address policies
You can view the email address policies configured for your organization by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Email Address Policies.
In the main pane, email address policies are listed by name, priority, and status as shown in Figure 5-4. The status is listed as Applied for a policy that has been applied to recipients and Unapplied for a policy that has not been applied to recipients.
You can use the Get-EmailAddressPolicy cmdlet to list email address policies or to get information on a particular email address policy. If you don’t provide an identity with this cmdlet, configuration information for all email address policies is displayed. Get-EmailAddressPolicy cmdlet syntax and usage provides the syntax and usage, in addition to sample output, for the Get-EmailAddressPolicy cmdlet.
Creating email address policies
You can create email address policies for your organization by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Email Address Policies.
In the main pane, tap or click New to open the New Email Address Policy dialog box, as shown in Figure 5-5.
Use the Name text box to identify the email address policy. You can use a descriptive name that identifies the purpose of the email address policy or simply enter the actual SMTP domain name to which it applies.
Under Email Address Format, tap or click the Add button. The Email Address Format dialog box appears, as shown in Figure 5-6.
Use the Email Address Format options to specify how to generate or rewrite email addresses automatically for each recipient to which the policy applies. You can use the Exchange alias or parts of the user name in various orders.
Use the Select An Accepted Domain drop-down list to select the email address domain. Only authoritative accepted domains are available for selection.
Although users can have multiple email addresses associated with their mailbox, only one email address, the default email address, is used for any sent messages. If you want the email address applied with this policy to be the default, select Make This Format The Reply Email Address.
Close the Email Address Format dialog box by tapping or clicking Save.
Specify the types of recipients to include in the policy. Select All Recipient Types, or select Only The Following Recipient Types, and then select the check boxes for the types of recipients to which you want to apply the policy.
If you’ve previously created other email address policies, set the relative priority of this policy. Policies are run in priority order. A policy with a priority of one has the highest priority and runs before a policy with a priority of 2, and so on.
You can create rules that further filter recipients. Each rule acts as a condition that must be met. If you set more than one rule, each condition must be met for there to be a match. To define a rule, tap or click Add Rule. You can now set the filter conditions. The following types of conditions are available, in addition to conditions for custom attributes:
State Or Province. Filters recipients based on the value of the State/Province text box on the Contact Information page in the related Properties dialog box. In the Specify Words Or Phrases dialog box, type a state or province identifier to use as a filter condition, and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.
Department. Filters recipients based on the value of the Department text box on the Organization page in the related Properties dialog box. In the Specify Words Or Phrases dialog box, type a department name to use as a filter condition, and then press Enter or tap or click Add. Repeat as necessary, and then tap or click OK.
Company. Filters recipients based on the value of the Company text box on the Organization page in the related Properties dialog box. In the Specify Words Or Phrases dialog box, type a company name to use as a filter condition. If you are entering multiple values, press Enter or tap or click Add, repeat as necessary, and then tap or click OK.
Important
Although each rule acts as an OR condition for matches on specified values, the rules are aggregated as AND conditions. This means that a user that matches one of the values in a rule passes that filter but must be a match for all the rules to be included in the group. For example, if you were to define a state rule for Oregon, California, or Washington and a department rule for Technology, only users who are in Oregon, California, or Washington and in the Technology department match the filter.
Get a complete list of the recipients to which this policy will be applied by tapping or clicking Preview Recipients The Policy Applies To. If the policy applies to the expected recipients, tap or click Save to create the email address policy. Otherwise, repeat steps 4 – 11 and ensure you configure options and rules to appropriately define the recipients to which the policy should apply.
The policy is not applied automatically. To apply the policy, select the policy Exchange Admin Center’s main pane, and then tap or click Apply in the details pane.
If you tap or click More Options in the Email Address Format dialog box, you’ll be able to specify a custom SMTP email address. With custom addresses, you use the following variables to specify how the email address should be formatted in addition to manually entered text:
%d. Inserts the recipient’s display name
%g. Inserts the recipient’s given name (first name)
%i. Inserts the recipient’s middle initial
%m. Inserts the recipient’s Exchange alias
%s. Inserts the recipient’s surname (last name)
%ng. Inserts the first N letters of the given name
%ns. Inserts the first N letters of the surname
For example, you could enter %g.%[email protected] to specify that email addresses should be formatted with the given name first, followed by a period (.) and the surname.
In the Exchange Management Shell, you create and apply email address policies by using separate tasks. You can create email address policies by using the New-EmailAddressPolicy cmdlet. After you create a policy, apply it using the Update-EmailAddressPolicy cmdlet. New-EmailAddressPolicy cmdlet syntax and usage and Update-EmailAddressPolicy cmdlet syntax and usage provide the syntax and usage for these cmdlets. Use the -EnabledPrimarySMTPAddressTemplate parameter to specify the custom format for email addresses. Although the syntax for custom email addresses is the same as when you are working with Exchange Admin Center, you must use the SMTP: prefix before specifying the format, as shown in the example.
Editing and applying email address policies
You can manage email address policies in several different ways. You can edit their properties or apply them to rewrite email addresses automatically for each recipient to which the policy applies. You can also change their priority to determine the precedence order for application in case there are conflicts between policies. When multiple policies apply to a recipient, the policy with the highest priority is the one that applies.
You can change the way email address policies work by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Email Address Policies.
In the main window, select the email address policy you want to change, and then select Edit. This opens the properties dialog box for the policy.
Use the options on the General page to set the policy name and relative priority.
On the Email Address Format page, you can use the options provided to specify how to generate or rewrite email addresses automatically for each recipient to which the policy applies. You can use the Exchange alias or parts of the user name in various orders as described in steps 4 through 8 in the Creating email address policies section of this chapter.
On the Apply To page, you can use the options provided to specify the recipients to which the policy will apply. After you configure options, preview the recipients to which the policy applies to ensure you’ve configured the settings appropriately, as described in steps 9 through 12 in the Creating email address policies section of this chapter.
The modified policy is not applied automatically. To apply the policy, select the policy Exchange Admin Center’s main pane, and then tap or click Apply in the details pane.
You can change priority in the Exchange Admin Center by selecting the policy, and then using the Increase Priority and Decrease Priority buttons to change the priority of the policy. The valid range for priorities depends on the number of policies you’ve configured. The Default Policy always has the lowest priority.
You can apply an email address policy by selecting the policy Exchange Admin Center’s main pane, and then tapping or clicking Apply in the details pane.
In the Exchange Management Shell, you can use the Set-EmailAddressPolicy cmdlet to modify email address policies, as shown in Set-EmailAddressPolicy cmdlet syntax and usage. The Update-EmailAddressPolicy cmdlet, used to apply policies, was discussed previously.
Removing email address policies
You can remove an email address policy that is no longer needed by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature pane, and then select Email Address Policies.
In the main window, select the email address policy you want to delete, and then select Remove.
When prompted to confirm, tap or click Yes.
In the Exchange Management Shell, you can use the Remove-EmailAddressPolicy cmdlet to remove email address policies. Remove-EmailAddressPolicy cmdlet syntax and usage provides the syntax and usage.
Configuring journal rules
Journaling allows you to forward copies of messaging items and related reports automatically to an alternate location. You can use journaling to verify compliance with policies implemented in your organization and to help ensure that your organization can meet its legal and regulatory requirements. Enable journaling for the entire organization by using journal rules.
Working with journal rules
Exchange 2013 Setup creates a separate container in Active Directory Domain Services to store Exchange 2013 journal rules. If you are installing Exchange 2013 in an existing Microsoft Exchange 2010 or Exchange 2007 organization, Setup copies any existing journal rules to this container so they will be applied to Exchange 2013. If you subsequently make changes to the journal rule configuration on your Exchange 2010 or Exchange 2007 servers, you must make the same changes on Exchange 2013 to ensure the journal rules are consistent across the organization (and vice versa). You can also export journal rules from Exchange 2010 or Exchange 2007 and import them to Exchange 2013.
Both Exchange Online and on-premises Exchange support a full set of compliance options for in-place eDiscovery and hold, auditing, retention policies, retention tags, and journal rules. These compliance options are configured in much the same way whether you are working with Exchange Online or Exchange 2013. If you are working in a hybrid configuration and have specific compliance requirements, you can ensure your on-premises compliance settings are applied to Exchange Online.
In a hybrid environment, inbound and outbound messages have separate routing configurations. If you enable centralized mail transport for inbound, outbound, or both types of messages in the hybrid configuration, messages sent by or to recipients in the online organization are set through the on-premises organization to ensure that compliance rules and any other processes or messaging requirements configured in the on-premises organization are applied. However, there is a noteworthy exception: Outbound messages sent from Exchange Online to other recipients in the same Exchange Online organization are delivered directly.
Setting the NDR journaling mailbox
When you first configure journaling, you’ll need to specify an email address to receive any journal reports that are otherwise undeliverable. Typically, you’ll want to create a new, dedicated mailbox to receive these reports so that the mailbox will not be journaled and also won’t be subject to any transport rules or mailbox rule settings.
To specify the NDR journaling mailbox, complete the following steps:
In the Exchange Admin Center, select Compliance Management in the Feature pane, and then select Journal Rules.
If the journaling mailbox has already been specified, the email address is listed; otherwise, tap or click Select Address.
In the NDRs For Undeliverable Journal Reports dialog box, tap or click Browse, select a destination mailbox, and then tap or click OK.
Tap or click Save.
Creating journal rules
You create journal rules to record messages in your organization in support of email retention and compliance requirements. You can target journal rules for the following:
Internal messaging items. Tracks messaging items sent and received by recipients inside your Exchange organization.
External messaging items. Tracks messaging items sent to recipients or from senders outside your Exchange organization.
All messaging items. Tracks all messaging items, including those already processed by journal rules that track only internal or external messaging items.
When you enable journal rules for one or more of these scopes, the rules are executed on your organization’s Mailbox servers. Journal rules can be targeted to all recipients or to specific recipients. For example, you can create a rule to journal all messages sent to the AllEmployees distribution group.
You can create a journal rule by completing the following steps:
In the Exchange Admin Center, select Compliance Management in the Feature pane, and then select Journal Rules.
On the main pane, tap or click New to open the New Journal Rule dialog box (shown in Figure 5-7).
In the Send Journal Reports To, provide the journal email address. This is the recipient to which Exchange should forward journal reports for this rule.
Use the If The Message Is Send To Or Received From selection list to specify whether the rule should be applied to messages sent to or received from a specific user or group, or to all messages. For a specific user or group, you’ll then need to select the user or group.
Use the Journal The Following Messages selection list to specify the scope of the rule as either All Messages, Internal Messages Only, or External Messages Only.
Tap or click Save.
Managing journal rules
When you are working with the Compliance Management area and select Journal Rules, the currently defined journal rules are listed in the main pane by status, name, user journaled, and journal report recipient. You can easily enable or disable a rule by setting or clearing the corresponding check box in the On column. If you select a rule and then select Edit, you can modify the rule settings. If you select a rule and then select Remove, you can delete the rule.
In the Exchange Management Shell, you can manage journal rules by using the following cmdlets: New-JournalRule, Set-JournalRule, Get-JournalRule, and Remove-JournalRule.
Creating and managing remote domains
In on-premises Exchange organizations, remote domain settings help you manage mail flow for most types of automated messages, including out-of-office messages, automatic replies, automatic forwarding, delivery reports, and nondelivery reports. Remote domain settings also control some automated message-formatting options, such as whether to display a sender’s name on a message or only the sender’s email address. Your Exchange organization has a default remote domain policy that sets the global defaults. You can create additional policies to create managed connections for specific remote domains as well.
Viewing remote domains
You can use the Get-RemoteDomain cmdlet to list remote domains or to get information on a particular remote domain. Remote domains are listed by name and the domain to which they apply. The Default remote domain applies to all remote domains, unless you override it with specific settings.
If you do not provide an identity with the Get-RemoteDomain cmdlet, configuration information for all remote domains is displayed. Get-RemoteDomain cmdlet syntax and usage provides the syntax and usage, in addition to sample output, for the Get-RemoteDomain cmdlet.
Creating remote domains
In the Exchange Management Shell, you can use the New-RemoteDomain cmdlet to create remote domains. Use the -Name parameter to specify a descriptive name that identifies the purpose of the remote domain or simply enter the actual SMTP domain name.
New-RemoteDomain cmdlet syntax and usage provides the syntax and usage. The way you set the –DomainName parameter determines whether the remote domain includes subdomains. To manage connections for a specific domain, you simply provide the fully qualified name of the domain. You insert an asterisk and a period before the domain name to include the domain and all child domains of the domain.
Configuring messaging options for remote domains
Remote domains are used to control how automated messages are used and to specify some types of messaging format options. In the Exchange Management Shell, you can use the Set-RemoteDomain cmdlet to configure remote domains. Set-RemoteDomain cmdlet syntax and usage provides the syntax and usage.
Use the -AllowedOOFType parameter to specify whether and how out-of-office messages are sent to the remote domain. The options are as follows:
None. Blocks all out-of-office messages.
External. Allows out-of-office messages to be received by the Exchange organization, but does not allow the organization’s out-of-office messages to be sent.
ExternalLegacy. Allows out-of-office messages to be received by the Exchange organization and receipt of out-of-office messages generated by Microsoft Outlook 2003, Exchange 2003, or earlier.
InternalLegacy. Allows out-of-office messages to be sent from the Exchange organization and the sending of out-of-office messages generated by Outlook 2003, Exchange 2003, or earlier.
You also can specify how Exchange should format messages. Allow messaging options by setting the related parameters to $true, or disallow messaging options by setting the related parameters to $false. The options available are as follows:
-AutoReplyEnabled. Allows the sender to be notified that the message was received.
-AutoForwardEnabled. Allows Exchange Server to forward or deliver a duplicate message to a new recipient.
-DeliveryReportEnabled. Allows Exchange Server to return delivery confirmation reports to the sender.
-MeetingForwardNotificationEnabled. Allows Exchange Server to forward or deliver a meeting notification to a new recipient.
-NDREnabled. Allows Exchange Server to return nondelivery confirmation reports to the sender.
-DisplaySenderName. Allows both the sender’s name and email address to appear on outbound email messages.
By default, text word-wrapping is disabled, which means that Exchange does not enforce a maximum line length. If you’d like message text to wrap at a specific line length, you can set the -LineWrapSize parameter to the specific column position at which text wrapping should start, such as at 72 characters.
Use the -ContentType parameter to set the outbound message content type and formatting. The options are as follows:
MimeHtml. Converts messages to MIME messages with HTML formatting.
MimeText. Converts messages to MIME messages with text formatting.
MimeHtmlText. Converts messages to MIME messages with HTML formatting, except when the original message is a text message. Text messages are converted to MIME messages with text formatting.
If you want to send Transport Neutral Encapsulation Format (TNEF) message data to the remote domain rather than Exchange Rich Text Format, set -TNEFEnabled to $true. TNEF is a Microsoft format for encapsulating MAPI message properties. Though this format is used by Outlook, it may not be recognized by other email clients. When you enable TNEF for remote domains, all messages sent to that domain are normally converted to TNEF format, except when overridden by Outlook client or mailbox user settings.
Removing remote domains
In the Exchange Management Shell, you can use the Remove-RemoteDomain cmdlet to remove remote domains. Remove-RemoteDomain cmdlet syntax and usage provides the syntax and usage.
Configuring anti-spam and message filtering options
Every minute users spend dealing with unsolicited commercial email (spam) or other unwanted email is a minute they cannot do their work and address other issues. To try to deter spammers and other unwanted senders, you can use message filtering to block these senders from directing messages to your organization. Not only can you filter messages that claim to be from a particular sender or that are sent to a particular receiver, you can also establish connection filtering rules based on IP block lists. The sections that follow discuss these and other anti-spam options.
As you configure message filtering, keep in mind that although Exchange Server is designed to combat most spammer techniques, no system can block all of them. Like the techniques of those who create viruses, the techniques of those who send spam frequently change, and you won’t be able to prevent all unwanted email from going through. You should, however, be able to substantially reduce the flow of spam into your organization.
If your organization is using legacy Edge Transports, you can configure message filtering through the use of Exchange Management Console. Because Exchange Server 2013 doesn’t have a graphical interface for configuring message filtering, you must use Exchange Management Shell.
Filtering spam and other unwanted mail by sender
Sometimes, when you are filtering spam or other unwanted email, you’ll know specific email addresses or email domains from which you don’t want to accept messages. In this case, you can block messages from these senders or email domains by configuring sender filtering. Another sender from which you probably don’t want to accept messages is a blank sender. If the sender is blank, it means the From field of the email message wasn’t filled in and the message is probably from a spammer.
Sender filtering is enabled by default and is designed to filter inbound messages from non-authenticated Internet sources. You can view the current configuration of sender filtering by using Get-SenderFilterConfig. Use the -Enabled parameter of Set-SenderFilterConfig to enable or disable sender filtering. The following example disables sender filtering:
Set-SenderFilterConfig -Enabled $false
To configure filtering according to the sender of a message on a legacy Edge Transport server running Exchange 2010, follow these steps:
In Exchange Management Console, select Edge Transport, tap or click the server you want to work with, and then tap or click the Anti-Spam tab in the details pane.
Press and hold or right-click Sender Filtering, and then select Properties. The Sender Filtering Properties dialog box appears.
On the Blocked Senders tab (shown in Figure 5-8), the Senders list box shows the current sender filters, if any.
You can add a sender filter by tapping or clicking Add. In the Add Blocked Senders dialog box, select Individual Email Address if the filter is for a specific email address, or select Domain if you want to filter all email sent from a particular domain. Type the email address or domain name, as appropriate, and then tap or click OK.
You can remove a filter by selecting it, and then tapping or clicking Remove.
To edit a filter, double-tap or double-click the filter entry, enter a new value, and then tap or click OK.
On the Blocked Senders tab, you can also filter messages that don’t have an email address in the From field. To do this, select the Block Messages That Don’t Have Sender Information check box.
On the Action tab, specify how messages from blocked senders are to be handled. If you want to ensure that Exchange doesn’t waste processing power and other resources dealing with messages from filtered senders, select the Reject Message option. If you want to mark messages as being from a blocked sender and continue processing them, select Stamp Message With Blocked Sender And Continue Processing. Tap or click OK.
In the Exchange Management Shell, you can use the Set-SenderFilterConfig cmdlet to configure sender filtering. Set-SenderFilterConfig cmdlet syntax and usage provides the syntax and usage. By default, sender filtering rejects messages from blocked domains and senders. If you set the -Action parameter to StampStatus instead, a message header stamp will be added to the message and the message will be processed by other anti-spam agents. This stamp and any other issues found will then be used to set the spam confidence level as part of content filtering. A message that exceeds a spam confidence level is rejected, quarantined, deleted, or marked as junk mail. Set the -BlankSenderBlockingEnabled parameter to $true to block blank senders.
As shown in the examples, you can easily define the initial set of blocked domains and senders. If you want to modify these values, however, you must either enter the complete set of blocked domains or senders, or you must use a special shorthand to insert into or remove values from these multivalued properties. The shorthand for adding values is:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...}Such as:
Set-SenderFilterConfig -BlockedDomains @{Add="adatum.com","fabrikam.com"}The shorthand for removing values is:
@{Remove="<ValuetoRemove1>","<ValuetoRemove2>"...}Such as:
Set-SenderFilterConfig -BlockedDomains
@{Remove="adatum.com","fabrikam.com"}If you want to add values and remove others, you can do this as well by using the following shorthand:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...;
Remove="<ValuetoRemove1>","<ValuetoRemove1>"...}You can confirm that values were added or removed as expected by using Get-SenderFilterConfig. In this example, you view the currently blocked domains:
Get-SenderFilterConfig | fl BlockedDomains
By default, -InternalMailEnabled is set to $false and -ExternalMailEnabled is set to true, which means authenticated internal email messages aren’t processed by the Sender Filter whereas unauthenticated external email messages are processed by the Sender filter. An unauthenticated external email messages is one from an untrusted or anonymous source rather than a trusted partner.
Finally, when users in your organization add senders to their blocked sender list, the SafeList aggregation feature in Exchange 2013 adds these senders to the Blocked Senders List in Exchange 2013. By default, messages from these users are rejected rather than deleted. To delete these messages, set -RecipientBlockedSenderAction to Delete.
Filtering spam and other unwanted email by recipient
In any organization, you’ll have users whose email addresses change, perhaps because they request it, leave the company, or change office locations. Although you might be able to forward email to these users for a time, you probably won’t want to forward email indefinitely. At some point, you, or someone else in the organization, will decide it’s time to delete the user’s account, mailbox, or both. If the user is subscribed to mailing lists or other services that deliver automated email, the automated messages continue to come in, unless you manually unsubscribe the user or reply to each email that you don’t want to receive the messages. Unfortunately, some Exchange administrators find themselves going through this inefficient process. It’s much easier to add the old or invalid email address to a recipient filter list and specify that Exchange shouldn’t accept messages for users who aren’t in the Exchange directory. After you do this, Exchange won’t attempt to deliver messages for filtered or invalid recipients, and you won’t see related nondelivery reports (NDRs).
Recipient filtering is enabled by default. To configure filtering according to the message recipient on a legacy Edge Transport server running Exchange 2010, follow these steps:
In Exchange Management Console, select Edge Transport, tap or click the server you want to work with, and then tap or click the Anti-Spam tab in the details pane.
Press and hold or right-click Recipient Filtering, and then select Properties. The Recipient Filtering Properties dialog box appears.
On the Blocked Recipients tab (shown in Figure 5-9), the Recipients list box shows the current recipient filters, if any.
You can filter messages that are sent to recipients who don’t have email addresses and aren’t listed as recipients in your Exchange organization. To do this, select the Block Messages Sent To Recipients That Do Not Exist In The Directory check box.
Before you can add other recipient filters, you must select the Block Messages Sent To The Following Recipients check box. You can then add a recipient filter by typing the address you’d like to filter, and then tapping or clicking Add. Addresses can refer to a specific email address, such as [email protected], or a group of email addresses designated with the wildcard character (*), such as *@blueyonderairlines.com to filter all email addresses from blueyonderairlines.com, or *@*.blueyonderairlines.com, to filter all email addresses from child domains of blueyonderairlines.com.
You can remove a filter by selecting it, and then tapping or clicking Remove.
To edit a filter, double-tap or double-click the filter entry, enter a new value, and then press Enter. Tap or click OK.
In the Exchange Management Shell, you can use the Set-RecipientFilterConfig cmdlet to configure recipient filtering. Set-RecipientFilterConfig cmdlet syntax and usage provides the syntax and usage. By default, recipient filtering rejects messages from blocked recipients but doesn’t block users from sending messages to blocked recipients. If you set -BlockListEnabled to $true, users won’t be able to send messages to blocked recipients. You also can specify whether Exchange 2013 validates recipients and then blocks messages sent to recipients who don’t exist. Although it doesn’t validate recipients by default, you can have it validate recipients by setting -RecipientValidationEnabled to $true.
If you want to modify the blocked recipients, you must either enter the complete set of blocked recipients, or you use a special shorthand to insert into or remove values from this multivalued property. The shorthand for adding values is:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...}Such as:
Set-RecipientFilterConfig –BlockedRecipients
@{Add="[email protected]","[email protected]"}The shorthand for removing values is:
@{Remove="<ValuetoRemove1>","<ValuetoRemove2>"...}Such as:
Set-RecipientFilterConfig -BlockedRecipients
@{Remove="[email protected]","[email protected]"}If you want to add values and remove others, you can do this as well by using the following shorthand:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...;
Remove="<ValuetoRemove1>","<ValuetoRemove1>"...}You can confirm that values were added or removed as expected by using Get-RecipientFilterConfig. In this example, you view the currently blocked domains:
Get-RecipientFilterConfig | fl BlockedRecipients
Filtering connections with IP block lists
If you find that sender and recipient filtering isn’t enough to stem the flow of spam into your organization, you might want to consider subscribing to an IP block list service. Here’s how this service works:
You subscribe to an IP block list service. Although there are free services available, you might have to pay a monthly service fee. In return, the service lets you query its servers for known sources of unsolicited email and known relay servers.
The service provides you with domains you can use for validation and a list of status codes to watch for. You configure Exchange to use the specified domains and enter connection filtering rules to match the return codes, and then you configure any exceptions for recipient email addresses or sender IP addresses.
Each time an incoming connection is made, Exchange performs a lookup of the source IP address in the block list domain. A “host not found” error is returned to indicate the IP address is not on the block list and no match was found. If there is a match, the block list service returns a status code that indicates the suspected activity. For example, a status code of 127.0.0.3 might mean that the IP address is from a known source of unsolicited email.
If there is a match between the status code returned and the filtering rules you’ve configured, Exchange returns an error message to the user or server attempting to make the connection. The default error message says that the IP address has been blocked by a connection filter rule, but you can specify a custom error message to return instead.
The sections that follow discuss applying IP block lists, setting provider priority, defining custom error messages to return, and configuring block list exceptions. These tasks will need to be performed when you work with IP block lists.
Applying IP block lists
Before you get started, you need to know the domain of the block list service provider, and you should also consider how you want to handle the status codes the provider returns. Exchange allows you to specify that any return status code is a match that only a specific code matched to a bit mask is a match, or that any of several status codes that you designate can match.
Table 5-1 shows a list of typical status codes that might be returned by a provider service. Rather than filter all return codes, in most cases, you’ll want to be as specific as possible about the types of status codes that match to help ensure that you don’t accidentally filter valid email. For example, based on the list of status codes of the provider, you might decide that you want to filter known sources of unsolicited email and known relay servers, but not filter known sources of dial-up user accounts, which might or might not be sources of unsolicited email.
RETURN STATUS CODE | CODE DESCRIPTION | CODE BIT MASK |
127.0.0.1 | Trusted nonspam (on the “white” list) | 0.0.0.1 |
127.0.0.2 | Known source of unsolicited email/spam (on the “black” list) | 0.0.0.2 |
127.0.0.3 | Possible spam, like a mix of spam and nonspam (on the “yellow” list) | 0.0.0.3 |
127.0.0.4 | Known source of unsolicited email/spam, but not yet blocked (on the “brown” list) | 0.0.0.4 |
127.0.0.5 | Not a spam-only source, and not on the “black” list | 0.0.0.5 |
You can filter connections by using IP block lists on a legacy Edge Transport server running Exchange 2010 by completing the following steps:
In Exchange Management Console, select Edge Transport, tap or click the server you want to work with, and then tap or click the Anti-Spam tab in the details pane.
Press and hold or right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.
Tap or click the Providers tab. The Block List Providers list box shows the current Block List providers, if any.
Tap or click Add to add a Block List provider. The Add IP Block List Provider dialog box appears, as shown in Figure 5-10.
Type the name of the provider in the Provider Name text box.
In the Lookup Domain text box, type the domain name of the block list provider service, such as proseware.com.
Under Return Status Codes, select Match Any Return Code to match any return code (other than an error) received from the provider service, or select one or more of the following options:
Match Specific Mask And Responses. Select this option to match a specific mask and return codes from the provider service.
Match To The Following Mask. Select this option to match a specific return code from the provider service. For example, if the return code for a known relay server is 127.0.0.4 and you want to match this specific code, you type the mask 0.0.0.4.
Match Any Of The Following Responses. Select this option to match specific values in the return status codes. Type a return status code to match, and then tap or click Add. Repeat as necessary for each return code that you want to add.
Tap or click OK to start using IP block lists from the block list provider.
Exchange 2013 allows you to configure multiple IP block list providers, with a relative priority assigned to a provider determining the order in which providers are checked. In the Exchange Management Shell, you manage IP block list providers and their settings by using the following:
Add-IPBlockListProvider. Adds an IP block list provider.
Add-IPBlockListProvider -LookupDomain SmtpDomain -Name ProviderName [-AnyMatch <$true | $false>] [-BitmaskMatch IPAddressBitMask] [-DomainController DCName] [-Enabled <$true | $false>] [-IPAddressesMatch IpAddress1,IpAddress2...IpAddressN] [-Priority Priority] [-RejectionResponse Response]
Get-IPBlockListProvider. Displays the settings of a specific or all IP block list providers.
Get-IPBlockListProvider [-Identity SmtpDomain] [-DomainController DCName]
Set-IPBlockListProvider. Modifies the settings associated with the specified IP block list provider.
Set-IPBlockListProvider -Identity SmtpDomain [-AnyMatch <$true | $false>] [-BitmaskMatch IPAddressBitMask] [-DomainController DCName] [-Enabled <$true | $false>] [-IPAddressesMatch IpAddress1,IpAddress2...IpAddressN] [-Priority Priority] [-RejectionResponse Response]
Remove-IPBlockListProvider. Removes an IP block list provider.
Remove-IPBlockListProvider -Identity SmtpDomain [-DomainController DCName]
When you add a block list provider, you use the -Name parameter to set a descriptive name for the provider and the -LookupDomain to specify the domain name of the block list provider service, such as proseware.com. You can then specify whether to match any return code (other than an error) received from the provider service or to match a specific mask and return codes from the provider service. As shown in the following example, set -AnyMatch to $true to match any return code:
Add-IPBlockListProvider -Name Proseware -LookupDomain proseware.com -AnyMatch $true
If you want to match a specific mask, use -BitmaskMatch to specify the bitmask to match, such as:
Add-IPBlockListProvider -Name Proseware -LookupDomain proseware.com -BitmaskMatch 0.0.0.4
Alternatively, you can match specific values in the return status codes by using -IPAddressesMatch, such as:
Add-IPBlockListProvider -Name Proseware -LookupDomain proseware.com -IPAddressesMatch 127.0.0.4, 127.0.0.5, 127.0.0.6, 127.0.0.7
Other commands you can use to manage and work with block lists include:
Get-IPBlockListConfig. Displays information about the configuration of the Connection Filter agent.
Get-IPBlockListConfig [-DomainController DCName]Set-IPBlockListConfig. Modifies the configuration of the Connection Filter agent.
Set-IPBlockListConfig [-DomainController DCName] [-Enabled <$true | $false>] [-ExternalMailEnabled <$true | $false>] [-InternalMailEnabled <$true | $false>] [-MachineEntryRejectionResponse Response] [-StaticEntryRejectionResponse Response]
Set-IPBlockListProvidersConfig. Modifies the block list provider configuration used by Connection Filter agent.
Set-IPBlockListProvidersConfig [-DomainController DCName] [-BypassedRecipients <email1,email2...emailN>] [-Enabled <$true | $false>] [-ExternalMailEnabled <$true | $false>] [-InternalMailEnabled <$true | $false>]
Test-IPBlockListProvider. Checks connectivity to the specified block list provider and then issues a lookup request for an IP address to verify.
Test-IPBlockListProvider -Identity SmtpName -IPAddress IPAddress [-DomainController DCName] [-Server ServerID]
Setting priority and enabling block list providers
You can configure multiple block list providers. Each provider is listed in priority order, and if Exchange makes a match by using a particular provider, the other providers are not checked for possible matches. In addition to being prioritized, providers can also be enabled or disabled. If you disable a provider, it’s ignored when looking for possible status code matches.
You can set block list provider priority and enable or disable providers on a legacy Edge Transport server running Exchange 2010 by completing the following steps:
In Exchange Management Console, select Edge Transport, tap or click the server with which you want to work, and then tap or click the Anti-Spam tab in the details pane.
Press and hold or right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.
Tap or click the Providers tab. The Block List Providers list box shows the current block list providers in priority order.
To change the priority of a provider, select it and then tap or click the Move Up or Move Down button to change its order in the list.
To disable a provider, select it and then tap or click Disable.
To enable a provider, select it and then tap or click Enable. Tap or click OK to close the Properties dialog box.
In Exchange Management Shell, you can use Add-IPBlockListProvider and Set-IPBlockListProvider to manage provider priority and to enable or disable providers. If you don’t specify a priority when you add a provider using Add-IPBlockListProvider, the order providers are added sets the priority, with the first provider added having a priority of 1, the second a priority of 2, and so on. Use the -Priority parameter to set the relative priority of a provider and the -Enabled parameter to enable or disable a provider. In this example, you set the priority of Proseware.com to 2:
Add-IPBlockListProvider -LookupDomain Proseware.com -Priority 2
Specifying custom error messages to return
When a match is made between the status code returned and the filtering rules you’ve configured for block list providers, Exchange returns an error message to the user or server attempting to make the connection. The default error message says that the IP address has been blocked by a connection filter rule. If you want to override the default error message, you can specify a custom error message to return on a per-rule basis. The error message can contain the following substitution values:
%0 to insert the connecting IP address
%1 to insert the name of the connection filter rule
%2 to insert the domain name of the block list provider service
Some examples of custom error messages include the following:
The IP address (%0) was blocked and not allowed to connect.
%0 was rejected by %2 as a potential source of unsolicited email.
The custom error message can’t be more than 240 characters.
Using the substitution values, you can create a custom error message for each block list provider on a legacy Edge Transport server running Exchange 2010 by following these steps:
In Exchange Management Console, select Edge Transport, tap or click the server with which you want to work, and then tap or click the Anti-Spam tab in the details pane.
Press and hold or right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.
On the Providers tab, the Block List Providers list box shows the current Block List providers in priority order. Select the block list provider for which you want to create a custom error message, and then tap or click Edit.
In the Edit IP Block List Provider dialog box, tap or click Error Messages.
In the IP Block List Provider Error Message dialog box, select Custom Error Message, and then type the error message to return. Tap or click OK twice.
In Exchange Management Shell, you use the -RejectionResponse parameter of Add-IPBlockListProvider and Set-IPBlockListProvider to set a custom error message on a per-provider basis. The Set-ContentFilterConfig cmdlet also has a -RejectionResponse parameter that sets the default custom response.
Defining block list exceptions and global allow/block lists
Sometimes, you’ll find that an IP address, a network, or an email address shows up incorrectly on a block list. The easiest way to correct this problem is to create a block list exception that indicates that the specific IP address, network, or email address shouldn’t be filtered.
Creating or removing connection filter exceptions for email addresses
You can define connection filter exceptions for email addresses on a legacy Edge Transport server running Exchange 2010 by completing the following steps:
In Exchange Management Console, select Edge Transport, tap or click the server with which you want to work, and then tap or click the Anti-Spam tab in the details pane.
Press and hold or right-click IP Block List Providers, and then select Properties. The IP Block List Providers Properties dialog box appears.
On the Exceptions tab, any current exceptions are listed by email address. Type the email address to add as an exception, such as [email protected], and then tap or click Add.
To delete an exception, select an existing email address, and then tap or click Remove.
Tap or click OK to save your settings.
In Exchange Management Shell, you can add exceptions by using the -BypassedRecipients parameter of the Set-IPBlockListProvidersConfig cmdlet. You can define the initial set of exceptions simply by entering the email addresses in a comma-separated list, such as:
Set-IPBlockListProvidersConfig -BypassedRecipients [email protected], [email protected]
If you want to modify the exceptions, however, you must either enter the complete set of exceptions, or use a special shorthand to insert into or remove values from this multivalued property. The shorthand for working with multivalued properties is:
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...}
@{Remove="<ValuetoRemove1>","<ValuetoRemove2>"...}
@{Add="<ValuetoAdd1>","<ValuetoAdd2>"...;
Remove="<ValuetoRemove1>","<ValuetoRemove1>"...}Such as:
Set-IPBlockListProvidersConfig -BypassedRecipients
@{Add="[email protected]","[email protected]";
Remove="[email protected]"}Creating or removing global allowed lists for IP addresses and networks
Exchange will accept email from any IP address or network on the global allowed list. Before you can define allowed entries for IP addresses and networks you must be sure that the IP Allow List is enabled. To view or change the IP Allow List status on a legacy Edge Transport server running Exchange 2010, complete the following steps:
In Exchange Management Console, select Edge Transport, tap or click the server with which you want to work, and then tap or click the Anti-Spam tab in the details pane.
Check the status of IP Allow List. If the feature is not enabled, press and hold or right-click IP Allow List, and then select Enabled.
You use Add-IPAllowListEntry to add an IP address or IP address range to the IP Allow list. Add-IPAllowListEntry cmdlet syntax and usage provides the syntax and usage.
You use Get-IPAllowListEntry to list IP Allow List entries and Remove-IPAllowListEntry to remove IP Allow List entries. Get-IPAllowListEntry cmdlet syntax and usage and Remove-IPAllowListEntry cmdlet syntax and usage provide the syntax and usage.
Creating or removing global block lists for IP addresses and networks
Exchange will reject email from any IP address or network on the block list. Before you can define blocked entries for IP addresses and networks, you must ensure that the IP block list is enabled. To view or change the IP block list status on a legacy Edge Transport server running Exchange 2010, complete the following steps:
In Exchange Management Console, select Edge Transport, tap or click the server with which you want to work, and then tap or click the Anti-Spam tab in the details pane.
Check the status of the IP block list. If the feature is not enabled, press and hold or right-click IP Block List, and then tap or click Enabled.
You use Add-IPBlockListEntry to add an IP address or IP address range to the IP block list. Add-IPBlockListEntry cmdlet syntax and usage provides the syntax and usage.
You use Get-IPBlockListEntry to list IP block list entries and Remove-IPBlockListEntry to remove IP block list entries. Get-IPBlockListEntry cmdlet syntax and usage and Remove-IPBlockListEntry cmdlet syntax and usage provide the syntax and usage.
Preventing internal servers from being filtered
Typically, you don’t want Exchange to apply Sender ID, content, or connection filters to servers on your organization’s network or to internal SMTP servers deployed in a perimeter zone. One way to ensure a filter is not applied is to configure message delivery options for your organization’s transport servers so that they don’t apply filters to IP addresses from internal servers and your perimeter network.
In Exchange Management Shell, you prevent internal servers from being filtered by the Sender ID, content or connection filters by using the -InternalMailEnabled parameter of Set-SenderIdConfig, Set-ContentFilterConfig, and Set-IPBlockListProvider. By default, -InternalMailEnabled is set to $false for Set-SenderIdConfig and Set-ContentFilterConfig, which means authenticated internal email messages aren’t processed by the Send ID filter or the content filter.
Configuring transport rules
You can use transport rules in on-premises and online Exchange organizations. Transport rules allow you to screen messaging items and apply actions to those items that meet specific conditions. When you enable transport rules, all Mailbox servers in your Exchange organization screen messages according to the rules you’ve defined.
Understanding transport rules
Transport rules have conditions, actions, and exceptions that you can apply. Conditions you can screen for include the following:
The sender is…. Allows you to screen messages from specific senders according to their email address, group membership, account properties and more.
The recipient is…. Allows you to screen messages being sent to specific recipients according to their email address, group membership, account properties, and so forth.
The subject or body…. Allows you to screen messages that have specific words in their subject line or message body.
Any attachment… Allows you to screen messages with attachments for specific content, file names, file extensions, and password protection, in addition to when the attachment size is greater than or equal to the size limit that you set.
The message…. Allows you to screen messages sent to or copied to specific recipients or specific groups, in addition to when the message size is greater than or equal to a size limit that you set.
The send and recipient…. Allows you to screen messages sent between members of specific groups, messages sent by subordinates of a specific manager, and messages sent to a recipient who is a manager or direct report of the sender.
The message properties…. Allows you to screen messages that have a spam confidence level (SCL) rating that is greater than or equal to a limit that you set. Also allows you to screen messages by classification, type, and importance level.
A message header…. Allows you to screen messages that have a header field that includes specific words or matches specific patterns.
When a message meets all of the conditions you specify in a transport rule, the message is handled according to the actions you’ve defined. Actions you can apply to messages that meet your transport rule conditions include the following:
Forwarding the message for approval to specific people or to the sender’s manager
Redirecting the message to specific recipients, host quarantine or a specific outbound connector
Blocking the message by rejecting it with a specific return message and explanation or by deleting the message without notifying anyone
Adding recipients to the Bcc, To, or Cc fields or simply adding the sender’s manager as a recipient
Applying a disclaimer to the beginning or end of the message
Modifying the message by removing a message header, adding a message header, adding a message classification, or setting the spam confidence level
Securing the message with rights protection or TLS encryption
Prepending the subject of the message with a specified text value
Generating an incident report and sending it to specific recipients
Transport rules can also have exceptions. Exception criteria are similar to condition criteria. For example, you can exclude messages from certain people or from certain members of distribution lists. You can also exclude messages sent to certain people or to particular members of a distribution list.
Creating transport rules
You can create a transport rule by completing the following steps:
In the Exchange Admin Center, select Mail Flow in the Feature area, and then select Rules.
In the main pane, tap or click New, and then select Create A New Rule to open the New Rule dialog box. Tap or click More Options to display all rule configuration options as shown in Figure 5-11.
In the Name text box, type a descriptive name for the rule and optionally enter a descriptive comment.
By default, transport rules are audited and enforced. If you don’t want the rule to be audited, clear the Audit This Rule check box. If you want to test the rule rather than enforce it, select Test With Policy Tips or Test Without Policy Tips instead of Enforce. It’s a good idea to test a rule before enforcing it so that you can ensure the rule works the way you think it will. If you test with Policy Tips, you will get more detailed information to help you fine-tune the rule.
Next you need to specify the conditions for the rule by using the options under Apply This Rule If.… Tap or click in the selection list. Next, choose what part of the message to examine and then choose how the condition should be matched. Finally, in the selection dialog box, set the condition parameters by selecting an option or typing a value or values to match. For example, choose “The sender” and then choose “is this person.” Finally, in the Select Members dialog box, select the sender to match in the rule and then tap or click OK.
If you want to add another condition, tap or click Add Condition and then tap or click in the new selection list provided. Next, choose what part of the message to examine, and then choose how the condition should be matched. Finally, in the selection dialog box, set the condition parameters by selecting an option or typing a value or values to match. Repeat this step to add other conditions.
Use the options under Do The Following… to define the actions to take when a message meets the condition or conditions you specified. Tap or click in the selection list. Next, choose the action, and then choose how the action should be performed. Finally, in the selection dialog box, set the action parameters by selecting an option or typing a value or values to match. For example, choose “Add recipients” and then choose “to the Bcc box.” Finally, in the Select Members dialog box, select the sender that should be added to the Bcc field of matching messages and then tap or click OK.
If you want to add another action, tap or click Add Action, and then tap or click in the new selection list provided. Next, choose the action, and then choose how the action should be performed. Finally, in the selection dialog box, set the action parameters by selecting an option or typing a value or values to match. Repeat this step to add other actions.
You now need to specify any exceptions by using the options under Except If…. Tap or click Add Exception, and then tap or click in the new selection list provided. Next, choose the exception and then choose how the exception should be matched. Finally, in the selection dialog box, set the exception parameters by selecting an option or typing a value or values to match. For example, choose “The sender” and then choose “is this person.” Finally, in the Select Members dialog box, select the sender to add as an exception to the rule, and then tap or click OK. Repeat this step to add other exceptions.
Tap or click Save to create the rule. If an error occurs during rule creation, note the error and then correct the issue before trying to create the rule again.
Managing transport rules
You can manage transport rules in several different ways including editing their properties or disabling them. When you’ve created multiple rules, you can also change their priority to determine the precedence order for application in case there are conflicts between rules. When multiple rules apply to a message, the rule with the highest priority is the one that your Mailbox server applies.
When you select a transport rule in Exchange Admin Center, you can manage the rule in the following ways:
Change Priority. Use the Move Up or Move Down buttons to increase or decrease the relative priority of the rule. Rules are processed in priority order, with the rule listed first being the first one processed, the rule listed second being the second processed, and so on.
Disable Rule. Use the check box in the On column to enable or disable the rule.
Remove. Select Remove to remove the rule.
Edit Rule. Select Edit to edit the properties of the transport rule.
In the Exchange Management Shell, you can manage transport rules by using the following cmdlets: New-TransportRule, Set-TransportRule, Get-TransportRule, and Remove-TransportRule.