Libraesva Email Security Gateway

Dynamic Verification with Exchange 2013 and 2016

June 20, 2018, by paolo

PROBLEM

Starting with Exchange 2013, Microsoft has changed the behavior of the Exchange FrontEnd Transport service so that it no longer rejects invalid recipients at the point where they are specified (the RCPT TO command). This causes the Libra ESVA Dynamic Verification check to fail. To restore it, a few configuration steps are required on Exchange so that the default HubTransport connector is used instead: that connector is still SMTP compliant and rejects invalid recipients as soon as they are specified with RCPT TO. By default the Default HubTransport connector is accessed on port 2525.
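The following script is an added example, not part of the Libraesva article. It reproduces the SMTP callout that Dynamic Verification performs (EHLO, MAIL FROM, RCPT TO, then RSET and QUIT, so nothing is ever queued) and reports whether the recipient was rejected at RCPT TO. Running it against both ports on the same Exchange host shows the difference the article describes: according to the article, the FrontEnd connector on port 25 accepts an unknown recipient with 250, while the Default HubTransport connector on port 2525 answers with a 5xx. The host name and the addresses below are constructed placeholders.

```powershell
# Added example (not from the Libraesva article): the recipient callout that
# Dynamic Verification relies on, written as a stand-alone PowerShell probe.
# Sends RSET + QUIT after RCPT TO, so no message is queued on the server.

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # SMTP replies may span several lines ("250-..."); the final line has a
    # space after the three-digit code.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-RecipientCallout {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 2525,
        [string]$Helo = 'esva.example.invalid',          # constructed placeholder
        [string]$Sender = 'postmaster@example.invalid',  # constructed placeholder
        [Parameter(Mandatory)][string]$Recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        if ($banner[-1] -notmatch '^220') { throw "unexpected banner: $($banner[-1])" }
        $writer.WriteLine("EHLO $Helo");          [void](Read-SmtpReply $reader)
        $writer.WriteLine("MAIL FROM:<$Sender>"); [void](Read-SmtpReply $reader)
        $writer.WriteLine("RCPT TO:<$Recipient>")
        $rcpt = (Read-SmtpReply $reader)[-1]
        # Abort the transaction: only the verdict on the recipient was wanted.
        $writer.WriteLine('RSET'); [void](Read-SmtpReply $reader)
        $writer.WriteLine('QUIT')
        [pscustomobject]@{
            Server         = $Server
            Port           = $Port
            Recipient      = $Recipient
            Code           = [int]($rcpt.Substring(0, 3))
            Reply          = $rcpt
            # 250 = recipient accepted; 5xx at RCPT TO is what Dynamic Verification needs
            RejectedAtRcpt = ($rcpt -match '^5\d\d')
        }
    }
    finally {
        $client.Close()
    }
}

# Constructed example run: compare the two connectors on the same Exchange host.
$ExchangeHost = 'mail.example.invalid'          # placeholder: your Exchange server
$Unknown      = 'no-such-user@example.invalid'  # placeholder: an address that does not exist
foreach ($p in 25, 2525) {
    Test-RecipientCallout -Server $ExchangeHost -Port $p -Recipient $Unknown |
        Format-Table Port, Code, RejectedAtRcpt, Reply -AutoSize
}
```

Run it from a host that is allowed to reach both ports (the Libra ESVA appliance itself is the natural place, once port 2525 is open to it). A result of `RejectedAtRcpt = True` on port 2525 for a non-existent mailbox is the state the steps below are meant to reach.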

SOLUTION

This solution works only with Libra Esva version 4.4 and above.

  1. Check the Exchange Anti-Spam Agents on Exchange
  2. Enable the “Recipient Filtering Agent”
  3. Enable AddressBook
  4. Enable Recipient Validation
  5. Disable all the other Anti-Spam Agents (recommended)
  6. Allow access to the Default receive connector
  7. Configure Libra ESVA to use port 2525 for Dynamic Verification


1) Check the Exchange Anti-Spam Agents on Exchange

This can be checked via the Exchange Management Shell (EMS).  Open EMS.  Issue the following command:

Get-TransportAgent

Check to see if “Recipient Filter Agent” is listed. If “Recipient Filter Agent” is not listed, issue the following command to install the Exchange Anti-Spam Agents:

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

2) Enable the “Recipient Filtering Agent”

After installing the Anti-Spam Agents issue the following command to verify that the Recipient Filter Agent has been installed and is enabled:

Get-TransportAgent

If it is not enabled, run the following command to enable the Recipient Filter Agent:

Enable-TransportAgent "Recipient Filter Agent"

NOTE: To apply these settings the “Microsoft Exchange Transport” service needs to be restarted.

3) Enable AddressBook

Cross check that your accepted domains are using Address Book to check for valid recipients. This should be already enabled by default. To check it, run this command:

Get-AcceptedDomain | Format-List Name,AddressBookEnabled

If it is disabled, you can enable it with the command:

Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true

NOTE: If you made any change here, remember that the “Microsoft Exchange Transport” service needs to be restarted again.

4) Enable Recipient Validation

The last configuration step is to cross check that Recipient Validation is enabled. To check whether it is enabled or disabled, run:

Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled

It should report that the Recipient Filter is enabled. If RecipientValidationEnabled is False, run this command:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

NOTE: If you made any change here, remember that the “Microsoft Exchange Transport” service needs to be restarted again.

5) Disable all the other Anti-Spam Agents (recommended)

It is recommended to disable all the other Anti-Spam Agents so that ONLY recipient verification is enabled.  This will prevent issues such as your Exchange server blocking the Libra Esva Quarantine Report (this report will contain a list of Subject lines from spam mails and may be blocked as spam by the Content Filter Agent):

Set-SenderFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-ContentFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false

and then (each of the following lines requires a confirmation):

Disable-TransportAgent "Sender Filter Agent"
Disable-TransportAgent "Sender ID Agent"
Disable-TransportAgent "Content Filter Agent"
Disable-TransportAgent "Protocol Analysis Agent"

NOTE: If you made any change here, remember that the “Microsoft Exchange Transport” service needs to be restarted again.

6) Allow access to the Default receive connector


Now open the Exchange Admin Center and go to Mail Flow -> Receive Connectors. Edit your "Default <servername>" connector, go to the Security tab and ensure that Anonymous users are allowed. This lets Libra ESVA open a session on this Receive connector for Dynamic Recipient Verification, but mail cannot be delivered directly via this connector. By default this connector can be accessed on port 2525.
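The script below is an added example, not part of the Libraesva article, that carries steps 1 to 6 through in one idempotent pass from the Exchange Management Shell: it checks each setting the article names, changes only what is not already in the required state, and restarts the Microsoft Exchange Transport service once at the end if anything changed. It assumes it is run on the Mailbox server that owns the "Default <servername>" receive connector; the `$ServerName` default and the optional `-DisableOtherAgents` switch (step 5, which the article marks as recommended) are the script's own parameters, not something from the article. Every cmdlet used is one the article already references, plus Get-ReceiveConnector, Set-ReceiveConnector and Restart-Service.

```powershell
# Added example (not from the Libraesva article): idempotent check-and-fix of the
# Exchange 2013/2016 prerequisites for Libra ESVA Dynamic Verification.
# Run inside the Exchange Management Shell on the Mailbox server that owns the
# "Default <servername>" receive connector. $ServerName is an assumption: set it
# to your own server name if it differs from the local computer name.

param(
    [string]$ServerName = $env:COMPUTERNAME,
    [switch]$DisableOtherAgents   # step 5 of the article (recommended, so opt-in here)
)

$restartNeeded = $false

# --- Steps 1 and 2: Recipient Filter Agent installed and enabled -------------
$agent = Get-TransportAgent -Identity 'Recipient Filter Agent' -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Host 'Anti-spam agents not installed; running Install-AntiSpamAgents.ps1'
    & "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
    $restartNeeded = $true
    $agent = Get-TransportAgent -Identity 'Recipient Filter Agent'
}
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity 'Recipient Filter Agent'
    $restartNeeded = $true
}

# --- Step 3: every accepted domain must resolve recipients via the address book
foreach ($domain in Get-AcceptedDomain) {
    if (-not $domain.AddressBookEnabled) {
        Write-Host "Enabling AddressBook on accepted domain $($domain.Name)"
        Set-AcceptedDomain -Identity $domain.Identity -AddressBookEnabled $true
        $restartNeeded = $true
    }
}

# --- Step 4: recipient validation, so unknown recipients are refused at RCPT TO
$rfc = Get-RecipientFilterConfig
if (-not $rfc.Enabled) {
    Set-RecipientFilterConfig -Enabled $true
    $restartNeeded = $true
}
if (-not $rfc.RecipientValidationEnabled) {
    Set-RecipientFilterConfig -RecipientValidationEnabled $true
    $restartNeeded = $true
}

# --- Step 5 (optional): leave only recipient verification active -------------
if ($DisableOtherAgents) {
    Set-SenderFilterConfig     -Enabled $false
    Set-SenderIDConfig         -Enabled $false
    Set-ContentFilterConfig    -Enabled $false
    Set-SenderReputationConfig -Enabled $false
    foreach ($name in 'Sender Filter Agent', 'Sender ID Agent',
                      'Content Filter Agent', 'Protocol Analysis Agent') {
        $a = Get-TransportAgent -Identity $name -ErrorAction SilentlyContinue
        if ($a -and $a.Enabled) {
            Disable-TransportAgent -Identity $name -Confirm:$false
            $restartNeeded = $true
        }
    }
}

# --- Step 6: the Default receive connector (port 2525) must allow anonymous sessions
$connector = Get-ReceiveConnector -Identity "$ServerName\Default $ServerName"
if ("$($connector.PermissionGroups)" -notmatch 'AnonymousUsers') {
    $groups = @("$($connector.PermissionGroups)" -split ',\s*') + 'AnonymousUsers'
    Set-ReceiveConnector -Identity $connector.Identity -PermissionGroups ($groups -join ',')
    Write-Host "Added AnonymousUsers to $($connector.Identity)"
}
# The binding is what Libra ESVA must be pointed at in step 7.
Write-Host "Dynamic Verification target: $($connector.Bindings -join ', ')"

if ($restartNeeded) {
    Write-Host 'Restarting Microsoft Exchange Transport so the changes take effect'
    Restart-Service MSExchangeTransport
}
```

Running the script a second time should change nothing and trigger no restart; that is the quickest way to confirm the server is in the state the article requires before moving on to the Libra ESVA side.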

7) Configure Libra ESVA to use port 2525 for Dynamic Verification

In your Libra Esva go to the menu System -> Mail Transport -> Relay Domains and edit the domain configuration. Set Dynamic Verification as Recipient Verification. Then set the Dynamic Verification Server and port (default 2525).

Now you are ready to go!
