Resolving invalid email addresses which are incorrectly validated in Exchange 2007/2010


Exchange 2007 introduced a new feature which has been continued in Exchange 2010: the Edge Transport role, which verifies, filters and passes emails on to the Hub Transport server. The role is designed to be placed outside of the domain, acting as the first stop for all emails to the Exchange server, and contains many features such as IP filtering, word filtering and black/white-listing.

Because this server is placed outside of the domain, it has limited access to the Active Directory within the domain. The Edge Transport role therefore ships with the feature "Block messages sent to recipients that do not exist in the directory" deactivated.

This means that any SMTP request made to verify the existence of a specific email address will return true, no matter what the email address is. As long as the address has the correct syntax, {anything}@{domain}, the Edge Transport server will send “250 2.1.5 Recipient OK” back to whoever sent the SMTP traffic.

There are many reasons why an organization would want their Edge Transport server to do this, but in the case of Norman Online Protection (NOP) and Norman Email Protection (NEP) this is not recommended. When NOP or NEP receive a “250 2.1.5 Recipient OK” reply, they assume that the user exists on the Exchange server. NOP and NEP will then automatically create a user based on the user portion of the email address and forward the email to the Exchange server.

This means that every single email sent to the domain, whether it is addressed to a valid, existing email address or not, will be forwarded by NOP or NEP to the Exchange server, because the Edge server confirms every recipient.
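The exchange described above can be reproduced against your own Edge Transport server with the following PowerShell script. It is an added example and not part of the original article: it opens an SMTP session, asks the server about a constructed mailbox name that cannot exist in any directory, and reports whether the answer is the "250 2.1.5 Recipient OK" described above or a "550 5.1.1 User unknown" rejection. The server name, accepted domain and HELO name are placeholder parameters you must replace, and no message is ever submitted (the session is reset and closed after the RCPT TO reply).

```powershell
# Added example (not from the original article): check whether your own Edge
# Transport server answers 250 for a recipient that does not exist.
# $EdgeServer, $ProbeDomain and $HeloName are placeholders you must replace.
param(
    [string]$EdgeServer  = 'edge.example.com',      # placeholder: your Edge server
    [int]   $Port        = 25,
    [string]$ProbeDomain = 'example.com',           # placeholder: an accepted domain
    [string]$HeloName    = 'nop-check.example.com'  # placeholder: name of the probing host
)

# Constructed local part: a random GUID, so it cannot match a real mailbox.
$probeAddress = 'no-such-mailbox-{0}@{1}' -f ([guid]::NewGuid().ToString('N')), $ProbeDomain

$client = New-Object System.Net.Sockets.TcpClient($EdgeServer, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine   = "`r`n"   # SMTP lines end in CRLF
$writer.AutoFlush = $true

function Read-SmtpReply {
    # Reads one SMTP reply; "250-..." lines continue, "250 ..." ends it.
    do {
        $line = $reader.ReadLine()
        Write-Verbose "S: $line"
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Send-SmtpCommand([string]$cmd) {
    Write-Verbose "C: $cmd"
    $writer.WriteLine($cmd)
    return Read-SmtpReply
}

try {
    [void](Read-SmtpReply)                       # 220 banner
    [void](Send-SmtpCommand "EHLO $HeloName")
    [void](Send-SmtpCommand 'MAIL FROM:<>')      # null sender, as a bounce would use
    $rcptReply = Send-SmtpCommand "RCPT TO:<$probeAddress>"
    [void](Send-SmtpCommand 'RSET')              # abandon the transaction, send nothing
    [void](Send-SmtpCommand 'QUIT')
}
finally {
    $client.Close()
}

if ($rcptReply -like '250*') {
    Write-Output "PROBLEM: $EdgeServer accepted $probeAddress ($rcptReply). NOP/NEP would create a user and forward mail for it."
}
elseif ($rcptReply -like '550*') {
    Write-Output "OK: $EdgeServer rejected $probeAddress ($rcptReply). Recipient validation is active."
}
else {
    Write-Output "Unexpected reply for ${probeAddress}: $rcptReply"
}
```

Run the script from the host that NOP or NEP connects from, so that the same receive connector and IP permissions apply; a reply of 250 means the Edge server has the problem this article describes, and after applying one of the methods below the same run should report 550 5.1.1.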

There are three different methods to solve this problem, which are described below.

Method 1: Enable "Block messages sent to recipients that do not exist in the directory"

You can enable a feature that blocks all emails to recipients that do not exist in the domain's Active Directory. By enabling this feature, you allow the Edge Transport server to check whether the recipient's email address exists in the directory before accepting the message.

If the email address is found, the Edge Transport server replies “250 2.1.5 Recipient OK”. If it is not found, the Edge Transport server replies “550 5.1.1 User unknown”. This lets NOP and NEP know that the user does not exist, and they will not forward the email to the Exchange server.

To enable this feature, please follow the steps below:

  1. Open Exchange Management Console on the server that has Edge Transport installed
  2. In the result pane, click the Edge server that you want to configure and select Anti-spam
  3. Find and enable Recipient Filtering
  4. Right click Recipient Filtering and select Properties
  5. Click on the Blocked Recipients tab
  6. Select the option Block messages sent to recipients that do not exist in the directory and click OK

The Edge Transport server will now block all emails that do not have an existing recipient in the domain's Active Directory.

Method 2: Merge the Edge Transport and Hub Transport roles

Exchange 2007 and Exchange 2010 give the option of merging the two transport roles. This option allows the Hub Transport server to take on some of the features provided by the Edge Transport server, including recipient filtering. To do this, please follow the steps below:

  1. Start by locating the script install-AntispamAgents.ps1, which is run from the Exchange Management Shell
    • For Exchange 2007 the script can be found in the folder:
      %SystemDrive%\Program Files\Microsoft\Exchange Server\Scripts
    • For Exchange 2010 the script can be found in the folder:
      %SystemDrive%\Program Files\Microsoft\Exchange Server\V14\Scripts
  2. From that folder, run the following command in the Exchange Management Shell to execute the script:
    .\install-AntispamAgents.ps1
  3. After the script has run, restart the Microsoft Exchange Transport service by running the following command:
    Restart-Service MSExchangeTransport
  4. Open Exchange Management Console on the server that has Hub Transport installed
  5. Click on Hub Transport under Organization Configuration and select Anti-spam
  6. Find and enable Recipient Filtering, then select Properties
  7. Click on the Blocked Recipients tab
  8. Select the option Block messages sent to recipients that do not exist in the directory and click OK

The Hub Transport server, now acting as both Edge Transport and Hub Transport, will block all emails that do not have an existing recipient in the domain's Active Directory.
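The console steps of Method 1 and Method 2 can also be performed from the Exchange Management Shell. The following script is an added example and not part of the original article: the first part installs the anti-spam agents on a Hub Transport server (Method 2 only; $ExchangeVersion is a placeholder you set to 2007 or 2010), and the second part enables Recipient Filtering with recipient validation, which is the cmdlet equivalent of the "Block messages sent to recipients that do not exist in the directory" check box used by both methods. One caveat for Method 1: an Edge Transport server can only validate recipients that have been replicated into its local directory by EdgeSync, so confirm that EdgeSync synchronization is working before relying on the setting there.

```powershell
# Added example (not from the original article): Exchange Management Shell
# equivalents of the console steps in Methods 1 and 2.

# --- Method 2 only: install the anti-spam agents on a Hub Transport server ---
$ExchangeVersion = 2010   # placeholder: set to 2007 or 2010 to select the Scripts folder

$scriptsDir = if ($ExchangeVersion -eq 2007) {
    Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\Scripts'
}
else {
    Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\Scripts'
}

$installScript = Join-Path $scriptsDir 'install-AntispamAgents.ps1'
if (-not (Test-Path $installScript)) {
    throw "Anti-spam agent script not found at $installScript"
}
& $installScript

# The agents are loaded only after the transport service restarts.
Restart-Service MSExchangeTransport

# --- Methods 1 and 2: enable Recipient Filtering and block unknown recipients ---
# Enabled                    = the "Recipient Filtering" agent switch
# RecipientValidationEnabled = "Block messages sent to recipients that do not exist in the directory"
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# Confirm the change; both values should now read True.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
```

On an Edge Transport server (Method 1) skip the first part and run only the Set-RecipientFilterConfig and Get-RecipientFilterConfig lines in the Edge server's own Exchange Management Shell.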

Method 3: Remove the Edge Transport role/server

This may be the simplest way to fix the issue, since both Norman Online Protection and Norman Email Protection contain most of the features provided by the Edge Transport server. However, if you have other reasons for keeping the Edge Transport role in place, or if reconfiguring the Exchange server is a task the organization does not want to perform, follow Method 1 or 2.
