Not valid Email Addresses validated by Edge Transport role in Exchange 2007/2010
Search Support Articles
Date published: 2011-03-29 Date updated: 2011-07-06
Product:
Email Protection, Online Protection
Module(s):
Configuration
Problem description
Any email address, even email addresses that do not exist in the Active Directory, are validated by Exchange.
Exchange 2007 introduced a feature that has been continued in Exchange 2010. This feature was the “Edge Transport” role. It is this roles job to verify, filter and pass along emails to the “Hub Transport” server. The idea behind this role is that it should be placed outside the domain and should be a first stop for all emails to the exchange server. It has many features, such as IP filtering, word filtering and black/white-listing.
Because this server is to be placed outside the domain, it has limited access to the Active Directory within the domain. The “Edge Transport” role comes therefore with the feature “Block messages sent to recipients that do not exist in the directory” deactivated.
This will mean that any SMPT request done to verify the existents of a specific email address will return true, no matter what the email address is. So as long as the address has the correct syntax, {anything}@{domain}, the “Edge Transport” server will send a “250 2.1.5 Recipient OK” back to whoever sent the SMPT traffic.
There can be different reasons why an organization would want their “Edge Transport” server to do this, but in the case of Norman Online Protection (NOP) and Norman Email Protection (NEP) this is a very bad choice. And the reason this is a bad choice is that when NOP or NEP receive a “250 2.1.5 Recipient OK” message back, they believe that the user exists on the Exchange server. NOP and NEP will then automatically create a user based on the user portion of the email address and forward the email to the Exchange server.
What this will mean is that every single email sent to the domain, whether it is to a valid, existing email address or not, will be forwarded by NOP or NEP to the exchange server because the “Edge Transport” server confirms the recipient.
Problem solution
There are different methods to solving this problem.
Method 1: Enable “Block messages sent to recipients that do not exist in the directory”
You can enable the feature that will block all emails to recipients that do not exist in the domains Active Directory. By enabling this feature you will allow the “Edge Transport” server to check if the email address of the recipient is found in the Exchange server.
If the email address is found, the “Edge Transport” server will send a reply saying “250 2.1.5 Recipient OK”. But if the email address is not found, the “Edge Transport” server will reply “550 5.1.1 User unknown”. This will then let Norman Online Protection or Norman Email Protection know that the user does not exist and it will not forward the email to the Exchange server.
- Open “Exchange Management Console” on the server that has “Edge Transport” installed.
- In the result pane, click the Edge server you want to configure and then select the “Anti-spam”.
- Find “Recipient Filtering” and enable it, if it is not enabled.
- Right-click “Recipient Filtering” and then select Properties.
- Click on the “Blocked Recipients” tab.
- Select the option “Block messages sent to recipients that do not exist in the directory” and then press “Ok”.
The “Edge Transport” server will now block all emails that do not have an existing recipient in the domains Active Directory.
Method 2: Merge the “Edge Transport” and “Hub Transport” roles
Exchange 2007 and Exchange 2010 give the option of merging the two transport roles.
This option will allow the “Hub Transport” server to take upon itself some of the features provided by the “Edge Transport” server.
- You must first run the script “install-AntispamAgents.ps1” in “Exchange Management Shell”.
-For Exchange 2007, the script can be found in the folder:
“%system drive%/Program Files\Microsoft\Exchange Server\Scripts”
-For Exchange 2010, the script can be found in the folder:
“%system drive%/Program Files\Microsoft\Exchange Server\V14\Scripts” - Run the following command to execute the script:
./install-AntispamAgents.ps1 - After the script has run, restart the Microsoft Exchange Transport service by running the following command:
Restart-Service MSExchangeTransport - Open “Exchange Management Console” on the server that has “Hub Transport” installed.
- Click on “Hub Transport” under “Organization Configuration” and then select the “Anti-spam”.
- Find “Recipient Filtering” and enable it, if it is not enabled.
- Right-click “Recipient Filtering” and then select Properties.
- Click on the “Blocked Recipients” tab.
- Select the option “Block messages sent to recipients that do not exist in the directory” and then press “Ok”.
The “Hub Transport” server, now acting as both “Edge Transport” and “Hub Transport”, will block all emails that do not have an existing recipient in the domains Active Directory.
Method 3: Remove the “Edge Transport” role/server
Remove the “Edge Transport” role/server.
This might be the simplest method to fixing the issue, since both Norman Online Protection and Norman Email Protection contain most of the features provided by the “Edge Transport” server.
But if there are other reasons for keeping the “Edge Transport” role in place, or that the reconfiguration of the Exchange server is a task the organization does not want to perform, you can follow Method 1 or Method 2.
