SenderIdConfig SpoofedDomainAction Reject also rejecting Internal Devices/Applications Email

    Question

  • Hi, I hope you can help me resolve my issue here.

    When I do the following, it enables SPF validation and rejects spoofed emails. However, this also starts to reject emails from internal devices and applications which connect to our Exchange Server 2013 as an anonymous user.

    Set-SenderIdConfig -SpoofedDomainAction Reject

    I need to keep our internal devices' and applications' emails working while rejecting spoofed emails from outside.

    It's an Exchange Server 2013 environment.

    I will appreciate it if anyone can help. Thanks.


    • Edited by spark53 Wednesday, August 24, 2016 7:56 AM
    Wednesday, August 24, 2016 7:55 AM

All replies

  • Hi,

    You can create a separate relay connector so that those mails still get through. See this link for more info:

    https://community.spiceworks.com/topic/1656682-exchange-2013-spoofeddomainaction-reject-also-rejects-internal-anonymous-emails


    Peter Van Gils Toa Projects

    Wednesday, August 24, 2016 8:02 AM
  • Hi,

    Do you need any more assistance?

    Don't forget to mark the question as answered if your problem was solved.


    Peter Van Gils Toa Projects

    Thursday, August 25, 2016 8:26 AM
  • Hi,

    For your question, we can use Set-TransportConfig with the InternalSMTPServers parameter to specify the IP addresses of internal devices and applications so that the Sender ID agent ignores them, for example:

    Set-TransportConfig -InternalSMTPServers @{Add="<ip address1>","<ip address2>",...}

    More details about it, for your reference:
    https://technet.microsoft.com/en-us/library/bb201691(v=exchg.150).aspx


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 25, 2016 8:59 AM
    Moderator
  • Hi Allen_WangJF, we already have our internal mail server IP addresses maintained in TransportConfig. However, as soon as I activate SpoofedDomainAction as Reject, it starts to reject internal devices'/applications' emails too.

    Set-SenderIdConfig -SpoofedDomainAction Reject

    Do I need to add it to TransportConfig in the format "mail.domain.com"?

    I need to enable SpoofedDomainAction Reject because we want to reject such emails while making sure internal devices'/applications' email is not affected.

    Thanks.

    Friday, August 26, 2016 6:22 AM
  • Hello Peter Van Gils, I created a separate internal relay connector and added the internal IP address range to Remote Network Settings. Anonymous users and TLS are checked off under Security. I added the following permission.

    Get-ReceiveConnector "Internal-Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Still, when I enable "Set-SenderIdConfig -SpoofedDomainAction Reject", scan-to-email fails with the following error.

    Mail server response:

    550 5.7.1 Sender ID (PRA) Not Permitted

    Friday, August 26, 2016 8:58 AM
  • Hi,

    Thank you for your updates.

    Please try using a transport rule to bypass the Sender ID filter:
    Condition: "The sender", "IP address is in any of these ranges or exactly matches", add the internal device IP address.
    Action: "Modify the message properties", "Set the spam confidence level (SCL) to...", select "Bypass Spam Filtering".
    Figure as below:


    Allen Wang
    TechNet Community Support


    Sunday, August 28, 2016 7:50 AM
    Moderator
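The rule described in the reply above, written as Exchange Management Shell commands instead of EAC clicks. This is an added example, not part of the original thread; the rule name and the device range 10.10.20.0/24 are assumptions. One caveat a practitioner should know before trying it (my explanation; the thread only records the result in the next post): a Sender ID action of Reject refuses the message inside the SMTP session with "550 5.7.1 Sender ID (PRA) Not Permitted", while transport rules run in the Transport service's categorizer after the message has been accepted, so an SCL -1 rule never gets to see the rejected message.

```powershell
# Added example (editor's, not from the thread). Assumed: rule name below and the
# scanner/application VLAN 10.10.20.0/24. Run from the Exchange Management Shell.
$ruleName  = "Bypass spam filtering - scanners"   # assumed name
$deviceNet = "10.10.20.0/24"                      # assumed range

# Condition "sender IP address is in any of these ranges" + action "set SCL to -1"
# (-1 is the "Bypass Spam Filtering" value in the EAC).
New-TransportRule -Name $ruleName `
    -SenderIpRanges $deviceNet `
    -SetSCL -1 `
    -Priority 0

# Confirm the rule is enabled and carries the expected condition and action.
Get-TransportRule $ruleName |
    Format-List Name, State, Priority, SenderIpRanges, SetSCL

# Note: this only affects agents that honour SCL (content filtering) and only for messages
# that reach the categorizer. It does not change the Sender ID agent's SMTP-time Reject.
```

After creating the rule, test from a device in the range; if the 550 from Sender ID is still returned during the SMTP session, the rule is not the right control and the receive-connector approach in the later posts is the one to pursue.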
  • Hi,

    I created the rule to bypass spam filtering, initially for one device IP address to test; its priority is 2. The rule is on, but the issue is still the same. As soon as I enable SpoofedDomainAction Reject, scan-to-email is also rejected with the same error:

    550 5.7.1 Sender ID (PRA) Not Permitted

    Our Exchange server and scanner devices are on different VLANs. I believe the Exchange server is considering the internal devices' emails as outside emails connected by SMTP.

    Is there any way I can make Exchange apply spam filtering or the SpoofedDomainAction setting only to external emails coming in and not to the emails of internally connected devices? There should be a smarter way to handle this.

    Thanks for your support.


    • Edited by spark53 Monday, August 29, 2016 2:51 AM
    Monday, August 29, 2016 2:50 AM
  • I was at last able to stop spoofed-domain emails coming from outside without affecting anonymous emails from internal LAN devices and applications. Here is what I did:

    (1) Created a separate relay receive connector in the Exchange server. Checked off "Externally secured", "Exchange servers", "TLS" and "Anonymous user" authentication under Security. Added the IP address range under Remote Network Settings. Applied some extra settings as per the following post.

    http://www.shudnow.net/2013/06/04/how-anonymous-relay-works-in-exchange-2013/

    (2) Removed the AD permission "ms-exch-smtp-accept-authoritative-domain-sender" from the "Anonymous Logon" security principal on the default receive connector.

    http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html/comment-page-1#comment-237926

    (3) Blocked our own domain in Sender ID filtering.

    (4) Enabled internal email for Sender ID filtering.

    http://serverfault.com/questions/741501/how-can-i-prevent-spoofed-emails-from-outside-thats-using-my-internal-accepted-d

    So far it's working fine. I feel good after all the effort I put in. I couldn't take advantage of SPF validation because it was affecting internal anonymous emails.

    • Marked as answer by spark53 Thursday, September 1, 2016 8:12 AM
    Thursday, September 1, 2016 8:11 AM
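The four steps of the accepted answer above, reconstructed as Exchange Management Shell commands. This is an added example by the editor, not the poster's own script, and it assumes a server named EX01, an accepted domain contoso.com and a device/application VLAN of 10.10.20.0/24. Steps 3 and 4 are read here as the Sender Filter agent's BlockedDomains and InternalMailEnabled settings (the settings the linked Server Fault question covers); that reading is mine, the post itself does not name the cmdlet. The relevant security point for step 1 is that an "Externally secured" connector treats every connection from its RemoteIPRanges as authenticated, which is why the anti-spam agents, Sender ID included, stop evaluating that traffic, and also why the range must be as narrow as possible: any host in it can relay as any sender.

```powershell
# Added example (editor's reconstruction, not the poster's script). Assumed names:
# server EX01, accepted domain contoso.com, device/application VLAN 10.10.20.0/24.
# Run from the Exchange Management Shell on Exchange 2013.
$server    = "EX01"            # assumed
$ownDomain = "contoso.com"     # assumed accepted domain
$deviceNet = "10.10.20.0/24"   # assumed scanner/application range; keep it tight

# (1) Dedicated relay connector for internal devices and applications.
#     Tls + ExternalAuthoritative = "TLS" + "Externally secured"; ExchangeServers is
#     required alongside ExternalAuthoritative, AnonymousUsers matches the post.
#     A second 0.0.0.0:25 connector is allowed; Exchange picks the connector with the
#     most specific RemoteIPRanges match for each inbound connection.
New-ReceiveConnector -Name "Internal-Relay" -Server $server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $deviceNet `
    -AuthMechanism Tls,ExternalAuthoritative `
    -PermissionGroups AnonymousUsers,ExchangeServers

# (2) Stop anonymous Internet senders from using an accepted domain in MAIL FROM on
#     the default frontend connector. Such senders then get
#     "550 5.7.1 Client does not have permissions to send as this sender".
Get-ReceiveConnector "$server\Default Frontend $server" |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" -Confirm:$false

# (3) + (4) Sender Filter agent: block our own domain as a sender domain and apply
#     the filter to internal-looking mail as well (my reading of steps 3 and 4).
Set-SenderFilterConfig -BlockedDomains $ownDomain -InternalMailEnabled $true -Action Reject

# Verification: connector scope and auth, permission really gone, filter settings.
Get-ReceiveConnector "$server\Internal-Relay" |
    Format-List RemoteIPRanges, AuthMechanism, PermissionGroups
Get-ReceiveConnector "$server\Default Frontend $server" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" }
    # expect no output
Get-SenderFilterConfig | Format-List BlockedDomains, InternalMailEnabled, Action
```

Test from both sides after applying this: a scanner or application on the relay range must still deliver, and a host outside the range claiming a contoso.com sender must be refused. Leave SpoofedDomainAction on its default; the accepted answer reports that the Sender ID Reject action could not be kept without breaking the anonymous internal senders.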
  • Thank you for sharing, and I'm glad it is solved.

    Allen Wang
    TechNet Community Support



    Thursday, September 1, 2016 9:10 AM
    Moderator