In Exchange Server 2003, Microsoft introduces several new features that have become necessary in today's enterprise messaging environment, including a set of filtering capabilities designed to protect Exchange against unsolicited commercial email (UCE—aka spam). Exchange 2003's recipient filtering, sender filtering, restricted groups, and restricted recipients features let you specify which senders and receivers can exchange messages across your Exchange environment. To get the most out of these features, you need to understand how they work, when to apply them, and how to configure them. (Connection filtering, a feature new to Exchange 2003 that uses Real-Time Block Lists—RBLs—to check incoming connections for known spammers, has been discussed elsewhere. For information about RBLs, see The Exchange Server Troubleshooter, "Exploring Exchange Server 2003's Spam-Filtering Capabilities," November 2003, http://www.winnetmag.com/microsoftexchangeoutlook, InstantDoc ID 40067.)
Recipient Filtering
Exchange 2000 Server lets you use Recipient Policies to define the domains for which the server will accept messages. Although these policies work well, they open a hole in the messaging service that a spammer can exploit. For example, if a spammer determines that your organization accepts email for hp.com or compaq.com, the spammer can simply generate email targeting those domains and send unwanted messages into your environment. In most forms, spam is just a nuisance, but it can also transport viruses or malicious information.
Microsoft addresses this hole through various filtering capabilities. One filter new to Exchange 2003 is recipient filtering, which lets an Exchange SMTP Virtual Server block incoming email by turfing, or dropping, an SMTP connection. Specifically, Exchange determines whether the "Rcpt To:" SMTP command contains an address that's in the recipient filter list on the Message Delivery Properties dialog box's Recipient Filtering tab, which Figure 1 shows, in Exchange System Manager (ESM).
Recipient filters apply to email submitted by anonymous clients, which typically means SMTP mailers (e.g., Sendmail). Any client, including any other Exchange servers in the same organization, that authenticates to the SMTP service bypasses the filter. You can configure authentication between Exchange 2000 servers in different organizations so that messages from these servers will bypass the filter as well, which can be useful in a multiforest Exchange 2003 environment.
You can configure recipient filters to apply to specific addresses or to all addresses that don't appear in the Exchange directory. Exchange will drop any messages sent to addresses that you add to the recipient filter list, regardless of whether the addresses exist in the directory. If you select the Filter recipients who are not in the Directory check box in Figure 1, Exchange will drop messages for any recipients not in the directory.
When you configure recipient filtering for an SMTP Virtual Server, the filter applies to every recipient of every message entering the SMTP Virtual Server. Exchange will drop messages to recipient addresses on a filter list and deliver messages to addresses not on the filter list. For example, if you filter the address tiger@quiddich.tst and send a message to this address and to jack@quiddich.tst, you'll receive a delivery receipt from Jack because his address wasn't filtered. However, Exchange will drop the message sent to tiger@quiddich.tst and the sending system will generate a nondelivery report (NDR).
Because Exchange 2003 implements recipient filtering as a transport sink, Microsoft claims that the server's performance doesn't suffer significantly. Furthermore, the sending system, not the filtering system, generates NDRs.
Any addresses that you enter in the recipient filter list must meet the following conditions:
- SMTP entries must include the at sign (@).
- According to the Help text, you can use display names if you insert a double quote (") before and after the name string; however, this feature doesn't appear to work as advertised.
- When you add an SMTP address with quotes, the at sign must appear immediately after the quoted name.
You configure recipient filters at a global level in ESM, but you must apply the filters to specific SMTP Virtual Servers. To apply a filter, right-click the SMTP Virtual Server of interest in ESM, select Properties from the context menu, select the General tab, click Advanced, select the IP address for the SMTP Virtual Server of interest, click Edit, then select the Apply Recipient Filter check box, as Figure 2 shows. You will typically set filters on Internet-facing bridgeheads and not on every SMTP Virtual Server in the organization. The requirement to specifically configure an SMTP Virtual Server to use a filter applies to all message delivery filters (i.e., connection filters, sender filters, and recipient filters).
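The following Python model, added here and not taken from the article or from Microsoft, puts the behaviour described above into one place: the entry rules for the filter list, the per-virtual-server apply switch, the bypass for authenticated clients, and the per-recipient accept/drop decision for a message with several RCPT TO addresses. Class and function names are assumptions, and the directory contents are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed model of Exchange 2003 recipient filtering as the article describes it;
# the class and function names here are assumptions, not Exchange's own API.

# A list entry is "user@domain" or "\"Display Name\"@domain": it must contain an at sign,
# and when the name is quoted the at sign must follow the closing quote immediately.
_ENTRY_RE = re.compile(r'^(?:"[^"@]+"|[^"@\s]+)@[^@\s]+$')

def is_valid_filter_entry(entry: str) -> bool:
    """Apply the entry rules for the Recipient Filtering tab."""
    return bool(_ENTRY_RE.match(entry))

@dataclass
class RecipientFilter:
    """The global filter object; matching is case-insensitive on the full address."""
    entries: set = field(default_factory=set)
    filter_not_in_directory: bool = False   # 'Filter recipients who are not in the Directory'

    def add(self, entry: str) -> None:
        if not is_valid_filter_entry(entry):
            raise ValueError(f"invalid recipient filter entry: {entry!r}")
        self.entries.add(entry.lower())

@dataclass
class SmtpVirtualServer:
    apply_recipient_filter: bool = False    # General > Advanced > Edit > Apply Recipient Filter

def filter_message(vs: SmtpVirtualServer, flt: RecipientFilter, directory: set,
                   rcpt_to: list, authenticated: bool = False) -> dict:
    """Decide each RCPT TO address of one message: accepted addresses are delivered,
    dropped ones are turfed so that the sending system, not Exchange, generates the NDR."""
    result = {"accepted": [], "dropped": []}
    for raw in rcpt_to:
        addr = raw.strip().strip("<>").lower()
        if authenticated or not vs.apply_recipient_filter:
            result["accepted"].append(addr)   # authenticated clients and unfiltered servers bypass
        elif addr in flt.entries:
            result["dropped"].append(addr)    # listed address: dropped even if it is in the directory
        elif flt.filter_not_in_directory and addr not in directory:
            result["dropped"].append(addr)    # unknown recipient: dropped only when the box is checked
        else:
            result["accepted"].append(addr)
    return result
```

Running the article's example through it (tiger@quiddich.tst listed, jack@quiddich.tst not) drops only the tiger address; the same message from an authenticated client is accepted in full.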
After you set filtering on an SMTP Virtual Server, you can use any Lightweight Directory Access Protocol (LDAP) browser or directory-aware tool, such as ADSI Edit, to examine the Configuration naming context (NC) and see how recipient filtering manifests itself in Active Directory (AD). By viewing the default message filter object held in AD, you can see the attributes that are set when you create a recipient filter. To view this object and its associated attributes, you need to point your LDAP browser to
CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,CN=Organization Name,CN=Microsoft Exchange,CN=Services,cn=configuration,dc=domain,dc=domain
For my query, I pointed to
CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,CN=QUIDDICH,CN=Microsoft Exchange,CN=Services,cn=configuration,dc=quiddich,dc=tst
Note that Exchange stores the filtered recipient addresses in the msExchRecipTurfListNames attribute.
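As an added example (not from the article), the Python below builds that distinguished name from an organization name and domain DN, escaping RDN characters such as the comma in an org name like "Contoso, Ltd.", and then reads every msExchRecipTurfListNames value out of an LDIF export of the object, handling LDIF line folding and base64 ("::") values as an ldifde dump would contain them. The helper names and the sample LDIF are constructed for this example.

```python
import base64

# Constructed example: locate the Default Message Filter object by DN and read the
# multi-valued turf list from an LDIF export of it; helper names are assumptions.

_DN_ESCAPE = {",": "\\,", "+": "\\+", '"': '\\"', "\\": "\\\\", "<": "\\<", ">": "\\>", ";": "\\;"}

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so 'Contoso, Ltd.' stays a single RDN."""
    out = "".join(_DN_ESCAPE.get(c, c) for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def default_message_filter_dn(org_name: str, domain_dn: str) -> str:
    """DN of the global message filter object for the given Exchange organization."""
    return (f"CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,"
            f"CN={escape_rdn_value(org_name)},CN=Microsoft Exchange,CN=Services,"
            f"CN=Configuration,{domain_dn}")

def ldif_attribute_values(ldif: str, attr: str) -> list:
    """Collect all values of attr from a single-entry LDIF text, unfolding
    continuation lines (leading space) and decoding '::' base64 values."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # folded continuation of the previous line
        else:
            lines.append(line)
    values = []
    prefix = attr.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            rest = line[len(prefix):]
            if rest.startswith(":"):       # base64-encoded value
                values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
            else:
                values.append(rest.strip())
    return values

# Constructed LDIF export of the QUIDDICH filter object: a folded dn line, one plain
# entry and one base64 entry for a quoted display-name address.
_QUOTED = base64.b64encode('"tiger woods"@quiddich.tst'.encode()).decode()
SAMPLE_LDIF = ("dn: CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,\n"
               " CN=QUIDDICH,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=quiddich,DC=tst\n"
               "msExchRecipTurfListNames: tiger@quiddich.tst\n"
               f"msExchRecipTurfListNames:: {_QUOTED}\n")
```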