Entrar
 
HomeBibliotecaWikiAprenderGaleriaDownloadsSuporte ComunidadeFóruns
Recursos para Profissionais de TI >
Need help with IMF on Exchange 2003 SP2

Answered Need help with IMF on Exchange 2003 SP2

  • quinta-feira, 5 de abril de 2012 00:50
     
     
    Entrar para Votar
    0

    I have one Exchange Server 2003 SP2 box behind a firewall...that's it. I want to block spam and I think I've enabled Connection Filtering, and Intelligent Message Filtering on the SMTP Virtual Server correctly. Recipient Filtering was already enabled, but I don't think we're really utilizing that. I've added 3 Block List providers and now I want to configure a Global Allow List.

    After reading many different articles/posts about this feature in Exchange 2003 SP2 I believe that I must configure the Perimeter IP List and the Internal IP Range in order for everything to work correctly. Am I correct in that understanding? I'm a little unclear on the 'Perimeter IP List': I don't need to add the external IP address of our router in there do I? My understanding is that's just for the case where we would have other Exchange (or other) mail servers outside of our local subnet. Could some one please tell me if I've got that right?

    Finally, this article at exchangeinbox.com (http://www.exchangeinbox.com/article.aspx?i=44) talks about a conflict with Connection Filtering that I'm having a hard time following. I have our subnet ID and mask configured from the General tab of the Message Delivery Properties as 192.168.1.0 (255.255.255.0) and that's all that's in there. Is that all I need other than determining the IPs of the mail servers that we ALWAYS want to receive mail from and putting those in the Global Allow List?

    TIA

    Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.centralcoastcomputing.com

     

Todas as Respostas

  • sexta-feira, 6 de abril de 2012 02:50
     
     
    Entrar para Votar
    0
    Hi
       Quote:     I don't need to add the external IP address of our router in there do I? My understanding is that's just for the case where we would have other Exchange (or other) mail servers outside of our local subnet. Could some one please tell me if I've got that right?
       Answer: You are right.
       You must include all servers in your organization that process incoming SMTP mail. You must also include all servers that route mail to the Sender ID and connection filtering deployment servers. If any of the servers that process SMTP mail are located on the perimeter, you should include all perimeter IP addresses of these servers. You can specify individual IP addresses or groups of IP addresses.
       IP addresses that you configured to be excluded from Sender ID filtering and connection filtering are displayed. If the Sender ID filtering or connection filtering deployment servers find an IP address in this list in an e-mail message, Exchange Server skips the IP address without running Sender ID filtering or connection filtering validation on it
            TechNet Subscriber Support in forum
      If you have any feedback on our support, please contact tngfb@microsoft.com

    Terence Yu

    TechNet Community Support


    • Editado Terence Yu segunda-feira, 9 de abril de 2012 01:13
    •  
     
  • sexta-feira, 6 de abril de 2012 13:40
     
     
    Entrar para Votar
    0

    I have one Exchange Server 2003 SP2 box behind a firewall...that's it. I want to block spam and I think I've enabled Connection Filtering, and Intelligent Message Filtering on the SMTP Virtual Server correctly. Recipient Filtering was already enabled, but I don't think we're really utilizing that. I've added 3 Block List providers and now I want to configure a Global Allow List.

    [...]

    Hi there, Wayne (btw the avatar is "crazy" enough :D !!), to be able to help you, it could be useful knowing the kind of config you have (network AND exchange) and how you configured your exchange filtering; at any rate, my humble suggestion is to read this and try using the settings recommended in that discussion, then, in case of problems... just holler I/we will be here :)

     
  • sexta-feira, 6 de abril de 2012 21:48
     
     Respondido
    Entrar para Votar
    0
    On Thu, 5 Apr 2012 00:50:11 +0000, Wayniack wrote:
     
    >
    >
    >I have one Exchange Server 2003 SP2 box behind a firewall...that's it. I want to block spam and I think I've enabled Connection Filtering, and Intelligent Message Filtering on the SMTP Virtual Server correctly. Recipient Filtering was already enabled, but I don't think we're really utilizing that. I've added 3 Block List providers and now I want to configure a Global Allow List.
    >
    >After reading many different articles/posts about this feature in Exchange 2003 SP2 I believe that I must configure the Perimeter IP List
     
    You only need that if you have either SMTP clients on your LAN that
    are using your HT server as a SMTP relay, or if you have some other
    SMTP server that you trust that is used as a SMTP relay to send you
    e-mail. The purpose of the perimeter IP list is to exclude the servers
    in the list from having their IP address checked by the DNSBLs.
     
     
    >and the Internal IP Range in order for everything to work correctly.
     
    If you have only a HT server and your firewall/router sends packets to
    that server and make it look like they're coming from the original
    source address then you can leave the ip range as it is. However, if
    you intend to receive e-mail from the Internet the receive connector
    must accept anonymous connections. If you want to exert some control
    over internal SMTP clients it would be a good idea to create a 2nd
    receive connector and use IP ranges on it that don't include your LAN
    network. Then you can replace the IP range on the default receive
    connector with the network your LAN uses.
     
    >Am I correct in that understanding? I'm a little unclear on the 'Perimeter IP List': I don't need to add the external IP address of our router in there do I?
     
    Only if the router is acting as a SMTP relay and inserting its own
    "Received:" header into the message.
     
    >My understanding is that's just for the case where we would have other Exchange (or other) mail servers outside of our local subnet. Could some one please tell me if I've got that right?
     
    If you have SMTP clients on your LAN it's a good idea to add your LAN
    network range to the list.
     
    >Finally, this article at exchangeinbox.com (http://www.exchangeinbox.com/article.aspx?i=44) talks about a conflict with Connection Filtering that I'm having a hard time following. I have our subnet ID and mask configured from the General tab of the Message Delivery Properties as 192.168.1.0 (255.255.255.0) and that's all that's in there.
     
    That's all you need.
     
    >Is that all I need other than determining the IPs of the mail servers that we ALWAYS want to receive mail from and putting those in the Global Allow List?
     
    If you want to exclude IP addresses from being checked against the
    DNSBLs you've chosen to use then you should add those IP addresses to
    the "Exception.." button's list on the Connection Filtering tab of the
    Message Delivery property page. You can also add those IP addresses to
    the Global Accept and Deny.... lists.
     
    I see you're using Exchange 2003 (sorry I didn't catach that right
    away), so where I said "receive connector" you should read "virtual
    server". Ignore the "HT server". That's just the "SMTP Virtual Server"
    in E2K3. The concepts are the same although the mechanics are
    different.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    --- Rich Matheisen MCSE+I, Exchange MVP
    • Sugerido como Resposta Terence Yu segunda-feira, 9 de abril de 2012 01:13
    • Marcado como Resposta Wayniack quinta-feira, 10 de maio de 2012 00:49
    •  
     
  • segunda-feira, 9 de abril de 2012 06:56
     
     
    Entrar para Votar
    0
    Hi Wayniack
       Do you have anything update on your issue?
     

    Terence Yu

    TechNet Community Support

     
  • segunda-feira, 9 de abril de 2012 17:41
     
     
    Entrar para Votar
    0

    Hi Terence,

    Thanks for the follow up. Nothing yet. I think I have it configured correctly and I haven't heard any complaining so far, but I haven't had a chance to go through it again. Don't mark it 'Answered' yet...I'll do that as soon as I have a chance to work on this some more (which should be soon).

    Regards,

    Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.centralcoastcomputing.com

     
  • terça-feira, 10 de abril de 2012 01:07
     
     
    Entrar para Votar
    0
    Hi
       Thanks for your response. I will wait for your confirm.

    Terence Yu

    TechNet Community Support

     
  • quinta-feira, 12 de abril de 2012 09:59
     
     
    Entrar para Votar
    0

    Hi Wayne,

    Regarding this ExchangeInbox article:
    http://www.exchangeinbox.com/article.aspx?i=44

    This is most relevant in case you are also using the Exchange Intelligent Message Filter.

    The conflict I describe in that article goes something like this:

    1. Imagine you have an internal application (for example a reporting system) that sends emails to your Exchange server.

    2. Now normally you will want to let these internal emails to bypass IMF.

    3. The easiest way to do that would be to whitelist the internal IP where the reporting app is running under:

    Global Settings | Message Delivery | Connection Filtering | Accept

    Now the problem arises if this internal IP is also present under the perimeter IP list:

    Global Settings | Message Delivery | General

    What happens is that IMF will still scan these emails despite the IP being whitelisted. If you don’t have any such internal applications you don’t have to worry about this.

    IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/