Subject: Forum: Forefront Security for Exchange Server: Forefront 'whitelist' failing

  • Tuesday, October 20, 2009 7:35 AM, Fulco Stiva
     

    I am currently using Exchange 2007 with Forefront.

    In the 'Forefront Server Security Administrator', I defined a 'Sender List' for filtering 'Allowed Senders' (Transport Scan Job).
    The list contains entries like: "*@domain.com" and "email@domain.com".
    List State: enabled and checked 'skip scanning for keyword filtering'.
    Still, emails from both entries in the list are put into Quarantine.


    Fulco

All Replies

  • Tuesday, October 20, 2009 9:22 AM, Christian Groebner [MVP]
     
    Hi Fulco,

    In the quarantine, by which incident is the email filtered?

    Greetings

    Christian
    Christian Groebner MVP Forefront
  • Thursday, October 22, 2009 8:03 PM, Fulco Stiva
     

    Hi Christian,

    I think the 'Content Filtering' moves the messages to the Junk Folder (Quarantine).
    The SCL values are:
    X-MS-Exchange-Organization-SCL: -1
    X-MS-Exchange-Organization-Original-SCL: 5

    Fulco

  • Thursday, October 22, 2009 9:26 PM, Christian Groebner [MVP]
     Proposed Answer

    Hi,

    Are the emails put into the junk folder of Outlook or the quarantine of Forefront? These are two different things!

    The Content-Filtering of Exchange 2007 comes first and stamps the email with an SCL rating. You can select at which SCL level emails should be deleted/blocked. After all antispam agents from Exchange are finished, the email goes to Forefront, and there it will be processed again against the settings made in Forefront. So if the email is put into the junk email folder of Outlook, it's due to SCL.

    You can look at the agent log in the directory C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog to see what the content filter of Exchange 2007 did with the email.

    Greetings

    Christian


    Christian Groebner MVP Forefront
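
One way to follow the advice above and check what the Exchange agents did with mail from the allow-listed senders, as an added example that is not part of the thread. The log rows are constructed, the column names are assumed and read from the file's `#Fields:` header, and the function names are hypothetical:

```python
import csv
import fnmatch
from collections import Counter

# Constructed sample in the agent log's CSV layout (not real traffic).
# Column names here are an assumption; the parser reads them from "#Fields:".
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Agent Log
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData
2009-10-22T18:01:10.120Z,08CC1A,192.0.2.10:25,198.51.100.7:4021,198.51.100.7,<a1@domain.com>,email@domain.com,email@domain.com,user@example.org,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,5
2009-10-22T18:02:44.300Z,08CC1B,192.0.2.10:25,198.51.100.7:4022,198.51.100.7,<a2@domain.com>,other@domain.com,other@domain.com,user@example.org,1,Content Filter Agent,OnEndOfData,QuarantineMessage,,SclAtOrAboveQuarantineThreshold,7
2009-10-22T18:03:05.010Z,08CC1C,192.0.2.10:25,203.0.113.9:1188,203.0.113.9,<b1@example.net>,stranger@example.net,stranger@example.net,user@example.org,1,Content Filter Agent,OnEndOfData,RejectMessage,"550 5.7.1 Message rejected, content restrictions",SclAtOrAboveRejectThreshold,9
"""


def read_agent_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            # csv.reader handles quoted values that contain commas.
            yield dict(zip(fields, next(csv.reader([line]))))


def actions_for_senders(text, patterns):
    """Count (Agent, Action, Reason, ReasonData) for senders matching the list."""
    patterns = [p.lower() for p in patterns]
    hits = Counter()
    for row in read_agent_log(text):
        # Envelope (P1) and header (P2) senders; the ";" separator is an assumption.
        senders = [row.get("P1FromAddress", "")]
        senders += row.get("P2FromAddresses", "").split(";")
        senders = [s.strip().lower() for s in senders]
        if any(fnmatch.fnmatchcase(s, p) for s in senders for p in patterns):
            key = tuple(row.get(k, "") for k in ("Agent", "Action", "Reason", "ReasonData"))
            hits[key] += 1
    return hits


if __name__ == "__main__":
    allowed = ["*@domain.com", "email@domain.com"]  # the entries from the question
    for (agent, action, reason, data), n in actions_for_senders(SAMPLE_LOG, allowed).items():
        print(f"{n}x {agent}: {action} ({reason}={data})")
```

Rows that show an Exchange agent acting on an allow-listed sender point at the Exchange antispam stage, which, per the ordering described above, runs before Forefront processes the message.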
  • Friday, October 23, 2009 1:12 PM, Andrew Schiano
     
    Is it possible they are being quarantined on your MB server, and not your transport server? If so, you will need to add the same Allowed Senders to your MB server.
  • Tuesday, October 27, 2009 10:42 AM, Fulco Stiva
     
    I get lines like:

    Received-SPF: Pass (SERVER.DOMAIN.COM: domain of MAIL@DOMAIN.NL
     designates IP.IP.IP.IP as permitted sender)
     receiver=SERVER.DOMAIN.COM; client-ip=IP.IP.IP.IP;
     helo=xxx.DOMAIN.NL;

    So mail@domain.nl is recognized and is in the permitted sender list.
    Still the message is quarantined.


    Andrew: what do you mean by 'MB server'?

    Fulco
  • Tuesday, October 27, 2009 11:03 AM, Christian Groebner [MVP]
     Proposed Answer
    Hi Fulco,

    Sender-ID check is only one of the Antispam mechanisms that Exchange provides.

    Look at my last post and check out if antispam signatures of Exchange cause this behavior.

    MB Server = mailbox server

    Greetings

    Christian
    Christian Groebner MVP Forefront