
My problem basically boils down to this: Exchange (2016) is accepting mail for non-existent addresses and then later sending out DSNs (delivery status notification) to notify the sender of failure. I want it to instead immediately reject mail sent to non-existent addresses with a 550 response.

More background

My setup looks roughly like this:

                                                 +-----+
                  Datacenter          Office     |User1|
+----------+      +---------+      +----------+  +-----+  +-----+
| Internet | <--> | Postfix | <--> | Exchange |           |UserN|
+----------+      +---------+      +----------+  +-----+  +-----+
                                                 |User2|
                                                 +-----+

Incoming mail hits my Postfix server first, which does virus scanning, spam filtering and quarantine. It then gets forwarded on to our office Exchange server.

Postfix is configured to do recipient verification against the Exchange server. This involves connecting to the server and performing a partial SMTP transaction, up to the RCPT TO command. If the server responds with code 250 then the recipient is considered valid.

The problem is that Exchange is always responding with 250... it apparently does not even attempt to do any validation upon receiving the RCPT TO command.

I have followed the instructions on TechNet for enabling the anti-spam functionality and recipient validation in Exchange, but I have no idea what it did, because the behavior of Exchange's SMTP server is exactly the same as it was before I did anything.

Here are the commands I have run on the Exchange server trying to get this working.

# Install the built-in anti-spam transport agents (this includes the Recipient Filter agent)
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
# Restart the transport service so the newly installed agents are loaded
Restart-Service MSExchangeTransport

# Enable the Recipient Filter agent and turn on recipient validation
Set-RecipientFilterConfig -Enabled $true
Set-RecipientFilterConfig -RecipientValidationEnabled $true

Is Exchange's recipient validation supposed to make it perform immediate validation upon receiving RCPT TO? (And if not, what exactly does it do?)

Chris L
  • This is probably what you're looking for - https://technet.microsoft.com/en-us/library/bb123891(v=exchg.160).aspx – joeqwerty Apr 21 '16 at 17:31

2 Answers


This question is similar, and its accepted answer worked for me.

For recipient validation to be done right after the RCPT TO command, you have to be connected to a Hub Transport (as opposed to a Frontend Transport). I edited an existing Hub Transport bound to port 2525, checking the box to allow "Anonymous users" to connect to it (make sure to lock this down by some other means, so only known servers can access it).

Then I changed the settings on my gateway (postfix) server to use port 2525 when communicating with this exchange server. At this point the recipient validation started working as intended.

Chris L
  • We have Mimecast in front of Microsoft's In-Cloud Exchange "solution". Send mail to a nonexistent user and .... it looks rightly accepted to the sender. Are we SOL? See also this post on Mimecast Central: [NDR's not sent externally for deleted users. Mimecast shows emails as delivered.](https://community.mimecast.com/groups/administrators/blog/2017/01/06/ndrs-not-sent-externally-for-deleted-users-mimecast-shows-emails-as-delivered) – David Tonhofer May 23 '17 at 13:44
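An added diagnostic, not part of the question or the answers, that performs the same partial SMTP transaction Postfix uses for verification (EHLO, MAIL FROM, RCPT TO, then RSET and QUIT, never DATA) against a chosen host and port, so you can confirm whether the backend answers RCPT TO with 550 for an unknown user or with 250 (which means DSNs later). The host, port, sender address and probe domain are assumed command-line arguments; the verdict names are my own.

```python
"""Probe whether an MTA validates recipients at RCPT TO time.

Assumed usage: python probe_rcpt.py exchange.example 2525 probe@example.org [domain]
"""
import smtplib
import sys
import uuid


def rcpt_verdict(code: int) -> str:
    """Map the RCPT TO reply code to what a verifying gateway can do with it."""
    if code == 250:
        return "accepted"      # backend takes anything; expect DSNs later
    if 500 <= code <= 599:
        return "rejected"      # immediate 5xx: what we want for unknown users
    if 400 <= code <= 499:
        return "deferred"      # temporary failure: gateway should 4xx the sender
    return "unexpected"


def probe_rcpt(host, port, sender, recipient, timeout=10):
    """Run EHLO/MAIL/RCPT against host:port, then RSET; nothing is delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:   # QUIT on exit
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            return "sender-rejected", code, msg.decode("ascii", "replace")
        code, msg = smtp.rcpt(recipient)
        smtp.rset()  # abandon the envelope instead of sending DATA
        return rcpt_verdict(code), code, msg.decode("ascii", "replace")


def nonexistent_recipient(domain: str) -> str:
    """Constructed local part that is practically certain not to exist."""
    return f"probe-{uuid.uuid4().hex}@{domain}"


if __name__ == "__main__":
    host, port, sender = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    domain = sys.argv[4] if len(sys.argv) > 4 else host
    verdict, code, msg = probe_rcpt(host, port, sender, nonexistent_recipient(domain))
    print(f"{host}:{port} -> {code} {msg} -> {verdict}")
    # Postfix's reject_unverified_recipient can only hand the outside sender a
    # 550 if this probe comes back "rejected"; "accepted" means backscatter DSNs.
    sys.exit(0 if verdict == "rejected" else 1)
```

Run it once against port 25 (Frontend Transport) and once against the Hub Transport port from the answer to see the difference in behaviour.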

I would switch to LDAP lookups instead of trying to do failures on the SMTP communication. A lot more reliable.

Sembee