External e-mail coming in with -1 SCL rating
-
Monday, May 14, 2012 11:22 PM
very similar to this post:
But the resolutions didn't seem to match with me. I checked the receive connectors on Hub and Edge transport servers, but the Externally Secured checkbox (where it was shown) was not checked. Also, I'm not sure how to "check SCL rating on message on the first hop."
This started happening when we migrated external mail from our 2003 server to our Edge server. I remember testing some settings with transport rules to set messages to -1, but that has long since been removed. Looking for anyone that can help.. I'm at a loss.
Thanks,
Robert
All Replies
-
Tuesday, May 15, 2012 2:24 AM
On Mon, 14 May 2012 23:22:37 +0000, rdecast6308 wrote:
>very similar to this post:
>
>http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/thread/6bacf3c9-c96e-46a3-a261-3a2cf2bd1596
>
>But the resolutions didn't seem to match with me. I checked the receive connectors on Hub and Edge transport servers, but the Externally Secured checkbox (where it was shown) was not checked. Also, I'm not sure how to "check SCL rating on message on the first hop."
>
>This started happening when we migrated external mail from our 2003 server to our Edge server. I remember testing some settings with transport rules to set messages to -1, but that has long since been removed. Looking for anyone that can help.. I'm at a loss.

What's doing the A/V scanning on the 1st server the mail hits in your Exchange organization? Check the agent log files and see if there's anything interesting in them.

Besides having the e-mail delivered to the edge server, did you make any changes in the definition of what's an internal network? Is your edge server in the same network as the rest of your Exchange organization, or does it have an IP address in a DMZ? Does your Exchange organization think the edge server network is NOT part of the organization?

--- Rich Matheisen MCSE+I, Exchange MVP
-
Tuesday, May 15, 2012 3:15 PM
>What's doing the A/V scanning on the 1st server the mail hits in your
>Exchange organization?

We have a Barracuda that is internet facing and taking care of our spam/AV - the Barracuda then forwards to the Edge

>Besides having the e-mail delivered to the edge server, did you make
>any changes in the definition of what's an internal network? Is your
>edge server in the same network as the rest of your Exchange
>organization, or does it have an IP address in a DMZ?

Our Edge server is configured with one NIC in a DMZ. So it is not on the same network as the rest of our Exchange environment. Also, not on our domain either.

>Does your Exchange organization think the edge server network is NOT part of the
>organization?

Sorry, not sure what you mean by this. The Edge and Hub are edge synchronized, so I'm thinking that the Hub Transport server acknowledges that the Edge is some part of the organization?

Thanks for your help.
-
Tuesday, May 15, 2012 11:38 PM
On Tue, 15 May 2012 15:15:37 +0000, rdecast6308 wrote:
>>What's doing the A/V scanning on the 1st server the mail hits in your
>>Exchange organization?
>We have a Barracuda that is internet facing and taking care of our spam/AV - the Barracuda then forwards to the Edge

So it's part of your e-mail system. Not an Exchange server, but not to be considered as some "outside" server.

>>Besides having the e-mail delivered to the edge server, did you make
>>any changes in the definition of what's an internal network? Is your
>>edge server in the same network as the rest of your Exchange
>>organization, or does it have an IP address in a DMZ?
>Our Edge server is configured with one NIC in a DMZ. So it is not on the same network as the rest of our Exchange environment. Also, not on our domain either.
>>Does your Exchange organization think the edge server network is NOT part of the
>>organization?
>Sorry, not sure what you mean by this. The Edge and Hub are edge synchronized, so I'm thinking that the Hub Transport server acknowledges that the Edge is some part of the organization?

When you run "(get-transportconfig).InternalSMTPServers" does the set of IP addresses include your Barracuda and Edge servers (and any other SMTP clients on your LAN)?

--- Rich Matheisen MCSE+I, Exchange MVP
-
Wednesday, May 16, 2012 3:50 PM
Running get-transportconfig |ft internalsmtpservers returns:
{}
Thanks for your help in getting this figured out.
Robert
-
Wednesday, May 16, 2012 10:16 PM
On Wed, 16 May 2012 15:50:42 +0000, rdecast6308 wrote:
>Running get-transportconfig |ft internalsmtpservers returns: {}
>
>thanks for your help in getting this figured out.

Add the IP addresses of the edge server(s) and the barracuda(s). You want to treat them as part of your organization. Any IP addresses that show up in the "Received:" headers after the headers inserted by the edge/barracuda machines are the ones that should be subjected to sender reputation. In fact, why are you even using Exchange anti-spam agents if you have an e-mail security appliance? Don't you trust the Barracuda(s)?

--- Rich Matheisen MCSE+I, Exchange MVP
-
Thursday, May 17, 2012 6:18 PM
I can give that a shot.
Can you help me understand what this setting does in terms of the -1 SCL rating that I'm seeing? Does inputting these IP addresses stop the applying of an SCL rating at all?
We traditionally have followed a two layer structure in our mail flow for AV and Spam. Will disabling the content filtering in the Edge server fix the issue I'm seeing?
Thanks,
Robert
-
Friday, May 18, 2012 1:08 AM
On Thu, 17 May 2012 18:18:09 +0000, rdecast6308 wrote:
>I can give that a shot.
>
>Can you help me understand what this setting does in terms of the -1 SCL rating that I'm seeing? Does inputting these IP addresses stop the applying of an SCL rating at all?

No, it doesn't stop the SCL rating. The SCL is the result of evaluating the message content or the authenticity of the sender (i.e. anonymous SMTP or authenticated SMTP session).

By defining the IP addresses or networks of your SMTP clients you'll instruct the agents to ignore the "Received:" headers inserted by those machines and perform the DNSBL or sender reputation filtering on the IP address in the first "Received:" header that isn't inserted by those machines.

>We traditionally have followed a two layer structure in our mail flow for AV and Spam. Will disabling the content filtering in the Edge server fix the issue I'm seeing?

If you correctly identify the internal addresses, don't do any content filtering, and the barracuda is sending the mail to the edge using an anonymous SMTP session the SCL shouldn't be inserted in the set of headers.

--- Rich Matheisen MCSE+I, Exchange MVP
- Proposed As Answer by Castinlu Monday, May 21, 2012 1:31 AM
- Marked As Answer by rdecast6308 Monday, May 21, 2012 11:57 PM
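
The header walk described in the answer above, as an added Python sketch (not part of the original thread and not Exchange's own code): it skips "Received:" hops whose client address is in a list standing in for InternalSMTPServers and returns the first address left over, the one DNSBL or sender reputation filtering would then be applied to. The sample message, host names and addresses are constructed, and `originating_ip` is a hypothetical helper name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: newest hop first, as a Hub Transport server would see it.
# Host names and addresses are illustrative, not taken from the thread.
SAMPLE = """\
Received: from edge.example.test (10.0.1.5) by hub.example.test (10.0.0.10)
 with Microsoft SMTP Server; Mon, 21 May 2012 10:00:03 -0400
Received: from barracuda.example.test (10.0.1.2) by edge.example.test
 (10.0.1.5) with Microsoft SMTP Server; Mon, 21 May 2012 10:00:02 -0400
Received: from mail.sender.test (mail.sender.test [203.0.113.25])
 by barracuda.example.test with ESMTP; Mon, 21 May 2012 10:00:01 -0400
Received: from [192.0.2.77] by mail.sender.test with ESMTPA;
 Mon, 21 May 2012 09:59:58 -0400
From: someone@sender.test
Subject: constructed test message

body
"""

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def originating_ip(raw_message, internal_servers):
    """Walk Received: headers newest first and return the first client
    address not covered by internal_servers (addresses or CIDR ranges,
    standing in for InternalSMTPServers). None if every hop is internal."""
    internal = [ipaddress.ip_network(s, strict=False) for s in internal_servers]
    for received in message_from_string(raw_message).get_all("Received", []):
        # The "from" clause names the client that connected; the "by" clause
        # names the server that wrote the header, so cut it off.
        from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
        match = IPV4.search(from_clause)
        if match is None:
            continue
        try:
            client = ipaddress.ip_address(match.group(0))
        except ValueError:
            continue  # looked like an address but is not a valid one
        if not any(client in net for net in internal):
            return str(client)
    return None


if __name__ == "__main__":
    print(originating_ip(SAMPLE, []))                        # empty list
    print(originating_ip(SAMPLE, ["10.0.1.5", "10.0.1.2"]))  # Edge and appliance listed
```

With an empty list the walk stops at the Edge's own address; once the Edge and the appliance are listed, it reaches the external sending host.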
-
Monday, May 21, 2012 10:18 PM
Hi Rich,
Sorry for the late response. Was away for a long weekend.
I just ran the set-transportconfig -internalsmtpservers [IP Addresses of Edge and Barracuda]
Will report back with findings.
Thanks,
Robbie
**************
Sorry, in addition as you instructed, I disabled content filtering on the Edge server. Incoming messages from the outside now no longer have an SCL rating on the message details (it reads PASSED) instead. I force delivered some obvious junk e-mail from the Barracuda to my mailbox and I verified that it did enter my Junk E-mail folder.
Success!
Thanks again for your help.
- Edited by rdecast6308 Monday, May 21, 2012 11:57 PM additional details/confirmation of resolution
- Marked As Answer by Castinlu Wednesday, May 23, 2012 1:15 AM

