PROBLEM
Starting with Exchange 2013, Microsoft have changed the behavior of the Exchange FrontEnd Transport service so that it no longer rejects invalid recipients after they are specified. This causes the Libra ESVA Dynamic Verification check to fail. To restore it, a few configuration steps are required on Exchange so that verification uses the default HubTransport connector, which is still SMTP compliant and rejects invalid recipients after they are specified with the RCPT TO command. By default, the Default HubTransport connector is accessed on port 2525.
SOLUTION
This solution works only with Libra Esva version 4.4 and above.
- Check the Exchange Anti-Spam Agents on Exchange
- Enable the “Recipient Filtering Agent”
- Enable AddressBook
- Enable Recipient Validation
- Disable all the other Anti-Spam Agents (recommended)
- Allow access to the Default receive connector
- Configure Libra ESVA to use port 2525 for Dynamic Verification
1) Check the Exchange Anti-Spam Agents on Exchange
This can be checked via the Exchange Management Shell (EMS). Open EMS. Issue the following command:
Get-TransportAgent
Check to see if “Recipient Filter Agent” is listed. If “Recipient Filter Agent” is not listed, issue the following command to install the Exchange Anti-Spam Agents:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
2) Enable the “Recipient Filtering Agent”
After installing the Anti-Spam Agents issue the following command to verify that the Recipient Filter Agent has been installed and is enabled:
Get-TransportAgent
If it is not enabled, run the following command to enable the Recipient Filtering Agent:
Enable-TransportAgent "Recipient Filter Agent"
3) Enable AddressBook
Cross check that your accepted domains are using Address Book to check for valid recipients. This should be already enabled by default. To check it, run this command:
Get-AcceptedDomain | Format-List Name,AddressBookEnabled
If it is disabled, you can enable it with the command:
Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true
4) Enable Recipient Validation
The last configuration step is to cross check that Recipient Validation is enabled. To check whether it is disabled, run:
Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled
The output should show that the Recipient Filter is enabled. If validation is not enabled, run this command:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
5) Disable all the other Anti-Spam Agents (recommended)
It is recommended to disable all the other Anti-Spam Agents so that ONLY recipient verification is enabled. This will prevent issues such as your Exchange server blocking the Libra Esva Quarantine Report (this report will contain a list of Subject lines from spam mails and may be blocked as spam by the Content Filter Agent):
Set-SenderFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-ContentFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false
and then (each of the following lines requires a confirmation):
Disable-TransportAgent "Sender Filter Agent"
Disable-TransportAgent "Sender ID Agent"
Disable-TransportAgent "Content Filter Agent"
Disable-TransportAgent "Protocol Analysis Agent"
6) Allow access to the Default receive connector
Now go to the Exchange Administrative Center, then Mail Flow -> Receive Connectors. Edit your "Default <servername>" connector, go to the Security tab and ensure that Anonymous users are allowed. This will allow connections to this Receive connector so it can be used for Dynamic Recipient Verification, but mail cannot be delivered directly via this connector. By default this connector can be accessed on port 2525.
7) Configure Libra ESVA to use port 2525 for Dynamic Verification
In your Libra Esva go to the menu System -> Mail Transport -> Relay Domains and edit the domain configuration. Set Dynamic Verification as Recipient Verification. Then set the Dynamic Verification Server and port (default 2525).
Now you are ready to go!
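To confirm the result of the steps above from the gateway side, the following added example (not part of the original article or of Libra ESVA) opens an SMTP session to your own Exchange server on port 2525 and compares the RCPT TO reply for one known-valid and one known-invalid mailbox. The function names, the HELO name and the use of a null sender are assumptions made for illustration; no DATA command is sent, so no mail is delivered.

```python
import smtplib
import sys

def rcpt_reply(host, rcpt, port=2525, sender="", helo="esva-check.example.com", timeout=30):
    """Return (code, text) the server answers to RCPT TO for one address."""
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail(sender)        # "" is sent as MAIL FROM:<>
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {text!r}")
        code, text = smtp.rcpt(rcpt)
        smtp.rset()                           # abandon the transaction before QUIT
    return code, text.decode(errors="replace")

def classify(code):
    """Map an SMTP reply code to what it means for recipient verification."""
    if code in (250, 251):
        return "accepted"
    if 500 <= code < 600:
        return "rejected"
    if 400 <= code < 500:
        return "tempfail"
    return "unexpected"

def verification_usable(host, valid_rcpt, invalid_rcpt, port=2525):
    """True only if the listener accepts the valid and rejects the invalid address."""
    good = classify(rcpt_reply(host, valid_rcpt, port)[0])
    bad = classify(rcpt_reply(host, invalid_rcpt, port)[0])
    if good == "accepted" and bad == "rejected":
        return True, "RCPT TO distinguishes valid from invalid recipients"
    if good == "accepted" and bad == "accepted":
        # The behavior described in PROBLEM: invalid recipients are not
        # rejected after RCPT TO, so Dynamic Verification cannot work here.
        return False, "listener accepts every recipient at RCPT TO"
    return False, f"valid={good}, invalid={bad}: check connector permissions and agents"

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: rcpt_check.py <exchange-host> <valid-address> <invalid-address>")
    ok, why = verification_usable(*sys.argv[1:4])
    print("OK" if ok else "FAIL", "-", why)
    sys.exit(0 if ok else 1)
```

Run it from a host that is allowed to reach the Exchange server on port 2525, passing an address you know exists and one you know does not.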