exchange 2013 recipient filtering

    Question

  • I went through all the steps to enable recipient filtering in Exchange 2013 so that users who are not in the directory are outright rejected; however, using telnet, I can still relay mail to users that do not exist.

    Set-RecipientFilterConfig -Enabled $true

    Set-RecipientFilterConfig -BlockListEnabled $true

    Set-RecipientFilterConfig -RecipientValidationEnabled $true

    however:

    telnet exchange.domain.com 25
    Trying xxxxxxxx...
    Connected to xxxxxxxxx.
    Escape character is '^]'.
    220 xxxxxxxxx Microsoft ESMTP MAIL Service ready at Tue, 5 Mar 2013 08:02:40 -0500
    helo joe
    250 xxxxxxx Hello [xxxxxxx]
    mail from:<xxxxxxxx>
    250 2.1.0 Sender OK
    rcpt to:<nouser@domain.com>
    250 2.1.5 Recipient OK

    • Edited by jalabert Tuesday, March 05, 2013 1:08 PM
    Tuesday, March 05, 2013 1:02 PM

Answers

  • Hi,
    I have also noticed that Recipientfiltering doesn't work exactly the same way as in EX07/EX10.
    When enabled, you should get an 550 5.1.1 User unknown after the ending period (see below)


    mail from:<xxxx@xxxx.xx>
    250 2.1.0 Sender OK
    rcpt to:<nouser@domain.com>
    250 2.1.5 Recipient OK
    data
    354 Start mail input; end with <CRLF>.<CRLF>
    Write some Text Here
    .
    550 5.1.1 User unknown

    Martina Miskovic

    Wednesday, March 06, 2013 9:33 AM

All replies

  • Do you have any user in the "blocked list"?

    What are you trying to achieve, block emails to users who are not in AD?


    Rajith Enchiparambil | http://www.howexchangeworks.com |

    HowExchangeWorks.Com

    Tuesday, March 05, 2013 1:39 PM
  • Yes, that is exactly what I am trying to achieve. However, when enabled on previous versions of Exchange I was not able to telnet afterwards.

    Tuesday, March 05, 2013 1:44 PM
  • Hi,
    After making the changes to the transport service, have you restarted the 'Microsoft Exchange Transport Service'?

    Regards from ExchangeOnline Windows Administrator's Area

    Tuesday, March 05, 2013 1:44 PM
  • Yes indeed.
    Tuesday, March 05, 2013 1:57 PM
  • Hello

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue.


    Terence Yu

    TechNet Community Support

    Wednesday, March 06, 2013 2:36 AM
    Moderator
  • Hi,

    What is the incoming mail flow of your organization? Is it

    internet -> gateway /anti-spam -> exchange server ?

    or

    internet -> exchange server ?

    In the first scenario, the gateway would not perform the recipient check, and the configuration you made would not apply if you telnet to the gateway. But after the gateway receives the message, the Exchange server would check the recipient.

    In the second scenario, if we use the accounts of your authoritative domain to telnet and send the message, the recipient filter would not apply.

    And did you enable the anonymous relay on your receive connector? If we temporarily create a new one, could we reproduce this issue with this new connector?

    Thanks,

    Andy

    Wednesday, March 06, 2013 6:26 AM
    Moderator
  • Hello,

    The second scenario is what I am using. I was using telnet to a user that does not exist in my authoritative domain, i.e. nouser@domain.com, and got the 250 2.1.5 Recipient OK. In Exchange 2010 or 2003 with recipient filtering enabled I would have received 550 5.1.1 User unknown.

    Anonymous relay is enabled on my receive connector, just as it was in 2010 or 2003.

    Wednesday, March 06, 2013 1:22 PM
  • Hi,

    Is this normal then?

    I get this with EX10

    mail from:<xxx@xxx.xx>
    250 2.1.0 Sender OK
    rcpt to:<nouser@domain.com>
    550 5.1.1 User unknown

    Wednesday, March 06, 2013 1:27 PM
  • Hi,

    Is this normal then?

    I get this with EX10

    mail from:<xxx@xxx.xx>
    250 2.1.0 Sender OK
    rcpt to:<nouser@domain.com>
    550 5.1.1 User unknown


    That is my understanding, yes.

    Note that the message is never submitted to the queue and that the Recipient Filter Agent logs this with the reason "RecipientDoesNotExist" (just as in EX10) in the Agent Logs.

    Martina Miskovic

    Wednesday, March 06, 2013 1:39 PM
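    The agent-log entry Martina mentions is the place to confirm that the Recipient Filter Agent is actually rejecting, even though the SMTP session only shows the 550 after the end-of-data marker. The script below is an added example, not from this thread or from Microsoft, and it uses the Exchange Management Shell cmdlet Get-AgentLog to pull rejections with the reason "RecipientDoesNotExist". The look-back window and the output property names (Timestamp, IPAddress, P1FromAddress, Recipients, Event, Action, SmtpResponse) are assumptions based on the agent log format; adjust them if your output differs.

```powershell
# Added example (not from the thread): summarise Recipient Filter Agent
# rejections recorded in the Exchange agent logs, keyed on the
# "RecipientDoesNotExist" reason Martina refers to.
# $Hours is an assumption; widen it to cover the period you are investigating.
param(
    [int]$Hours = 24
)

$start = (Get-Date).AddHours(-$Hours)
$end   = Get-Date

# -TransportService Hub: on Exchange 2013 the anti-spam agents, including the
# Recipient Filter Agent, run in the Transport service on the Mailbox role,
# not in the Frontend Transport service on the CAS role.
$entries = Get-AgentLog -StartDate $start -EndDate $end -TransportService Hub |
    Where-Object {
        $_.Agent  -like '*Recipient Filter*' -and
        $_.Reason -eq   'RecipientDoesNotExist'
    }

if (-not $entries) {
    Write-Host "No RecipientDoesNotExist rejections logged in the last $Hours hour(s)."
    return
}

# One row per rejection: when, from which source IP, which sender, which
# recipients, and the SMTP response that was returned.
$entries |
    Select-Object Timestamp, IPAddress, P1FromAddress,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } },
        Event, Action, SmtpResponse |
    Sort-Object Timestamp |
    Format-Table -AutoSize

# Source IPs that repeatedly send to non-existent recipients. With a gateway in
# front of Exchange this list should be your gateway addresses; anything else
# reaching the Mailbox role directly is worth a look at the receive connectors.
$entries |
    Group-Object IPAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

    Run it in the Exchange Management Shell on the Mailbox server whose logs you want to inspect; Get-AgentLog reads the local agent log files, so a multi-server environment needs one run per server.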
  • That's too late. Should reject before "data". Is there a way around this? Thanks.
    Wednesday, March 06, 2013 2:46 PM
  • Hi,

    Encountered a similar scenario in the TechNet Italian community; as of now the thread is still open, and we could repro this behavior so far.

    I am sharing here the direct link to the repro - just sorry that it's in Italian (automated Bing translation of the entire thread can be consulted here).

    Hope that helps,


    Anca Popa Follow ForumTechNetIt on Twitter

    Microsoft offers this service free of charge, to help users and to expand the database of products and technologies. The content is provided "as is" and implies no liability on the part of the company.

    Saturday, March 09, 2013 9:10 PM
  • That's too late. Should reject before "data". Is there a way around this? Thanks.

    Hi jalabert,

    Adding to Martina's insights above, I think this is expected in Exchange 2013. Recipient Filtering is only present on the Mailbox server role. The Client Access role will proxy the SMTP session to a Mailbox server, but CAS will not effectively manage the recipient filtering part.

    In fact, CAS needs the RCPT TO information in order to determine the best Mailbox server to which it can proxy the connection. The connection from CAS to MBX will be established only after DATA has been received by CAS from the external SMTP server. CAS will then pass to the Mailbox server the SMTP commands it received from the external SMTP server. That is why you observe the "User unknown" only at the very end of the session.

    Hope this clarifies a bit,


    Anca Popa Follow ForumTechNetIt on Twitter

    Microsoft offers this service free of charge, to help users and to expand the database of products and technologies. The content is provided "as is" and implies no liability on the part of the company.

    Wednesday, March 13, 2013 8:09 PM
  • Good to know Anca

    Rajith Enchiparambil | http://www.howexchangeworks.com |

    HowExchangeWorks.Com

    Wednesday, March 13, 2013 10:18 PM
  • Does this behavior meet the RFC standards? I know that when we set this up with a front-end MTA it created a lot of unnecessary NDRs. This, in turn, can get your mail server on backscatter lists and your IP blocked. It is not a good design and should be fixed.

    By the way, the front-end MTA was there because Exchange 2013 doesn't have an edge server role until SP1 (which no one knows when it will be released).

    There is a workaround, although it may not work in everyone's setup. The workaround is to create a new receive connector of type HubTransport scoped for the IP addresses of your front-end MTAs. Limiting the scope will cause them to be used. HubTransport receive connectors do recipient validation correctly, just like previous versions of Exchange.

    I'd be interested if anyone can confirm the behavior in Exchange 2013 FrontendTransport recipient validation meets RFC standards.


    Rob

    Friday, February 14, 2014 9:18 PM
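    Rob's workaround as an Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft; the server name, connector name and the front-end MTA addresses (taken from the TEST-NET-1 documentation range) are placeholders to replace with your own. It creates a HubTransport receive connector whose RemoteIPRanges are limited to the front-end MTAs, so that connections from those hosts are handled by the Transport service on the Mailbox role, where the Recipient Filter Agent answers RCPT TO directly instead of after DATA. The reason this "may not work in everyone's setup", as Rob puts it, is that on a server hosting both the CAS and Mailbox roles Exchange requires connectors of different transport roles to listen on distinct local IP:port bindings, so on such a server the HubTransport connector needs its own IP address rather than 0.0.0.0:25; the script lists the existing connectors first so that overlap is visible before anything is created.

```powershell
# Added example (not from the thread): Rob's workaround, a HubTransport Receive
# connector scoped to the front-end MTA addresses so recipient validation
# happens at RCPT TO rather than after the end-of-data marker.
# All parameter defaults are placeholders.
param(
    [string]$Server    = 'EX2013-MBX01',                 # placeholder Mailbox server
    [string[]]$MtaIPs  = @('192.0.2.10', '192.0.2.11'),  # placeholder MTA IPs (TEST-NET-1)
    [string]$Binding   = '0.0.0.0:25',                   # use a dedicated IP on a multi-role server
    [string]$Name      = 'From Front-End MTA (Hub)'      # placeholder connector name
)

# Show what already listens on this server. Connectors of different transport
# roles (FrontendTransport vs. HubTransport) cannot share a local IP:port, and
# connectors of the same role cannot share both bindings and remote ranges.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups |
    Format-Table -AutoSize

if (Get-ReceiveConnector -Server $Server | Where-Object { $_.Name -eq $Name }) {
    Write-Warning "Connector '$Name' already exists on $Server; nothing created."
    return
}

# -TransportRole HubTransport is the point of the workaround: the Transport
# service on the Mailbox role runs the Recipient Filter Agent inline.
# -RemoteIPRanges limits the connector to the MTAs; Exchange picks the connector
# with the most specific remote range, so these hosts no longer land on the
# Default Frontend connector.
# AnonymousUsers lets the MTAs submit inbound mail; this does not grant relay.
New-ReceiveConnector -Name $Name `
    -Server $Server `
    -TransportRole HubTransport `
    -Usage Custom `
    -Bindings $Binding `
    -RemoteIPRanges $MtaIPs `
    -PermissionGroups AnonymousUsers `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS

# The recipient filter settings are organisation-wide (the ones from the
# original question); confirm validation is still enabled for the new path.
Get-RecipientFilterConfig |
    Format-List Enabled, RecipientValidationEnabled, BlockListEnabled
```

    After creating the connector, repeat the telnet test from the question from one of the MTA addresses: with the connector in use, the 550 5.1.1 User unknown should now come back on RCPT TO, which is the behaviour Rob describes and the one that stops the NDR backscatter he mentions.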