9. Deal with Legacy Delivery
When you finally remove the mailbox from the Exchange server (or sooner, if you remove the primary SMTP address), you might find that the load on your message transport increases. The increase occurs because the server has to generate and deliver a nondelivery report (NDR) in response to every message someone sends to the legacy SMTP address. If you're running Exchange Server 2003, configuring recipient filtering is a simple way to block messages sent to legacy addresses from the Internet.
Using the MMC Exchange System Manager (ESM) snap-in, open Global Settings, Message Delivery, and open its Properties. On the Recipient Filtering tab, select Filter recipients who are not in the Directory. Then, for each SMTP virtual server that accepts inbound Internet mail, open its Properties, click Advanced on the General tab, click Edit to display the Identification dialog box, and select Apply Recipient Filter. Click OK, then stop and restart the SMTP virtual server. From then on, when a remote host issues RCPT TO for an address in your domain, the SMTP virtual server looks the address up in AD before it accepts the message body. If it finds the address, the recipient is accepted; if it doesn't, the recipient is rejected at that point, the message is never received, and no NDR has to be generated.
Figure 4 shows an SMTP session that uses recipient filtering. As you can see, the server found the Jacob address in AD and accepted that recipient with a 250 2.1.5 response code. But the server didn't find the George and Jonas addresses and rejected them with SMTP response codes that tell the sender exactly why. That is the risk in recipient filtering: a directory-harvesting attack needs nothing more than a scripted SMTP client that issues RCPT TO for thousands of guessed names and keeps the ones that get a 250 instead of a 5xx, so the response codes let an attacker enumerate the accounts in your AD. If you're on Exchange Server 2003 SP2, the SMTP tar pit (the TarpitTime registry value) delays the 5xx responses and slows that enumeration down, but it doesn't remove the information leak.
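The enumeration pattern described above is easy to see in the SMTP protocol log once you look for it: one client address issuing many RCPT TO commands, most of them refused. The following is an added example, not code from the article, that scores clients in a constructed log excerpt. The log lines are made up; they imitate the W3C extended format the IIS/Exchange 2003 SMTP service writes when protocol logging is enabled, but the exact columns on a real server are whatever you selected under Logging Properties, which is why the parser reads the #Fields: header instead of assuming positions. The thresholds (min_rcpt, reject_ratio) are assumed starting points to tune against your own traffic.

```python
"""Spot directory-harvest probing in an Exchange 2003 SMTP protocol log.

Added example, not from the original article. SAMPLE_LOG is constructed.
"""
from collections import defaultdict

# Constructed W3C-style protocol log: one harvester (192.0.2.77) walking a
# name list, one clean partner (198.51.100.9), one correspondent with a typo
# (203.0.113.4). IIS logs spaces inside a field as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-03 14:22:11
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-query sc-status
2004-05-03 14:22:11 192.0.2.77 - EXCH01 10.0.0.5 25 HELO +probe.example.net 250
2004-05-03 14:22:11 192.0.2.77 - EXCH01 10.0.0.5 25 MAIL +FROM:<x@example.net> 250
2004-05-03 14:22:11 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<jacob@sgc.mil> 250
2004-05-03 14:22:12 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<george@sgc.mil> 550
2004-05-03 14:22:12 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<jonas@sgc.mil> 550
2004-05-03 14:22:12 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<aaron@sgc.mil> 550
2004-05-03 14:22:13 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<abby@sgc.mil> 550
2004-05-03 14:22:13 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<adam@sgc.mil> 550
2004-05-03 14:22:13 192.0.2.77 - EXCH01 10.0.0.5 25 RCPT +TO:<alan@sgc.mil> 550
2004-05-03 14:22:14 192.0.2.77 - EXCH01 10.0.0.5 25 QUIT - 221
2004-05-03 14:23:02 198.51.100.9 - EXCH01 10.0.0.5 25 MAIL +FROM:<partner@example.org> 250
2004-05-03 14:23:02 198.51.100.9 - EXCH01 10.0.0.5 25 RCPT +TO:<jacob@sgc.mil> 250
2004-05-03 14:23:02 198.51.100.9 - EXCH01 10.0.0.5 25 DATA - 250
2004-05-03 14:24:40 203.0.113.4 - EXCH01 10.0.0.5 25 MAIL +FROM:<friend@example.com> 250
2004-05-03 14:24:40 203.0.113.4 - EXCH01 10.0.0.5 25 RCPT +TO:<jonas@sgc.mil> 550
2004-05-03 14:24:41 203.0.113.4 - EXCH01 10.0.0.5 25 RCPT +TO:<jacob@sgc.mil> 250
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # a new header can appear after log rollover
            continue
        if fields is None:
            raise ValueError("log record seen before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                        # truncated record: skip rather than misalign columns
        yield dict(zip(fields, values))


def recipient_from_query(query):
    """'+TO:<george@sgc.mil>' -> 'george@sgc.mil'."""
    q = query.lstrip("+")
    if q.upper().startswith("TO:"):
        q = q[3:]
    return q.strip("<>").lower()


def rcpt_stats(text):
    """Per client IP: RCPT TO commands issued, how many the server refused
    with a 5xx, and which addresses were refused (in log order)."""
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "refused": []})
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT":
            continue
        s = stats[rec["c-ip"]]
        s["rcpt"] += 1
        if rec.get("sc-status", "").startswith("5"):
            s["rejected"] += 1
            s["refused"].append(recipient_from_query(rec.get("cs-uri-query", "")))
    return dict(stats)


def harvest_suspects(text, min_rcpt=5, reject_ratio=0.5):
    """Return {ip: (rcpt, rejected)} for clients that issued at least min_rcpt
    RCPT TO commands of which at least reject_ratio were refused. A single
    typo from a real correspondent never reaches min_rcpt; a harvester
    walking a name list does within seconds. Thresholds are assumptions."""
    out = {}
    for ip, s in rcpt_stats(text).items():
        if s["rcpt"] >= min_rcpt and s["rejected"] / s["rcpt"] >= reject_ratio:
            out[ip] = (s["rcpt"], s["rejected"])
    return out


if __name__ == "__main__":
    stats = rcpt_stats(SAMPLE_LOG)
    for ip, (rcpt, rejected) in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {rejected}/{rcpt} RCPT TO refused; probed "
              + ", ".join(stats[ip]["refused"]))
```

On the constructed log only 192.0.2.77 is flagged (6 of 7 recipients refused); the correspondent who mistyped one address is not, because two RCPT TO commands never reach the threshold. The refused-address list is worth keeping: an alphabetical run of first names is the signature of a name-list walk rather than a mailing-list backscatter problem.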
Two other options achieve similar results without exposing you to a directory-harvesting attack. First, you can list individual addresses on the Recipient Filtering tab. When the SMTP virtual server processes a recipient address, it checks that list and rejects any match with a 550 5.7.1 response code, as Figure 4 shows; addresses that aren't on the list are accepted without a directory lookup, so the response tells an attacker nothing about which accounts exist. Second, you can add the legacy SMTP address as a secondary proxy address (a lowercase smtp: entry in proxyAddresses) on NULL-DELIVERY, an empty DL. Because the address is valid, the server accepts the recipient with a 250 response; list expansion then yields no members and transport discards the message, so no NDR is generated and the sender sees nothing different from delivery to a real mailbox. This solution also works for Exchange 5.5 environments, which don't have recipient-filtering capabilities. Two caveats apply. The message body is still received in full before it's discarded, so NULL-DELIVERY aliasing saves NDR generation, not inbound bandwidth. And you can add only a finite number of aliases, because proxyAddresses is a multivalued AD attribute with a cap of about 800 values, and the list's own addresses count against it. If you have a lot of legacy addresses, when you reach the maximum you'll need to create additional empty DLs.
I prefer the NULL-DELIVERY option because attackers can't use it to gather information about your environment. In addition, if you ever want to reuse the legacy address, recipient filtering can cause delivery problems that can be difficult to track down. For example, if you add bill.smith@sgc.mil to recipient filtering and sometime later you hire someone with the same name and create a bill.smith account, the RUS will stamp the account with the bill.smith@sgc.mil address. Because of the recipient filter, this account won't be able to receive any Internet mail, and troubleshooting might not quickly identify the recipient filter as the culprit. If you add bill.smith@sgc.mil as an alias, the RUS can't use it for the new account and will instead create a bill.smith2@sgc.mil address for the account. Because these techniques require quite a bit of work to administer, you'll probably want to use recipient filtering or NULL-DELIVERY aliasing only for the most problematic and extreme cases.
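Adding hundreds of legacy addresses to NULL-DELIVERY by hand in ESM is where the administrative work lies, and it's also where the value cap bites. The following is an added example, not code from the article, that plans the aliasing and writes an LDIF change file you can import with ldifde -i -f. It assumes the empty DLs already exist under a hypothetical OU=Groups,DC=sgc,DC=mil, that you know how many proxyAddresses values each already carries (read them from the group's proxyAddresses attribute; its own SMTP and X.400 addresses count), and it uses the article's figure of about 800 as the per-object cap. The legacy addresses and group counts in the block are constructed sample data.

```python
"""Plan NULL-DELIVERY aliases for legacy SMTP addresses and emit LDIF.

Added example, not from the original article. DNs, counts and addresses
below are constructed; the 800-value cap is the article's figure.
"""

CAP = 800  # values one multivalued attribute (proxyAddresses) can hold, per the article

# Constructed sample: two empty DLs and their current proxyAddresses counts.
GROUPS = [
    ("CN=NULL-DELIVERY,OU=Groups,DC=sgc,DC=mil", 798),   # nearly full
    ("CN=NULL-DELIVERY2,OU=Groups,DC=sgc,DC=mil", 2),    # only its own addresses
]

# Constructed sample: addresses exported from departed users' mailboxes,
# with the kind of casing and whitespace noise a real export contains.
LEGACY = ["George@sgc.mil", "jonas@sgc.mil", "george@sgc.mil ", "bill.smith@sgc.mil"]


def normalise(addresses):
    """Lowercase, trim and de-duplicate (order preserved); refuse junk so a
    bad line in the export can't become a malformed proxy address."""
    seen, out = set(), []
    for a in addresses:
        a = a.strip().lower()
        if "@" not in a or any(c.isspace() for c in a):
            raise ValueError(f"not an SMTP address: {a!r}")
        if a not in seen:
            seen.add(a)
            out.append(a)
    return out


def plan_aliases(addresses, groups, cap=CAP):
    """Assign addresses to groups in order, never pushing a group past cap.
    Returns (assignments, leftover): assignments is [(dn, [addresses])],
    leftover is what didn't fit and needs another empty DL created first."""
    todo = normalise(addresses)
    assignments = []
    for dn, existing in groups:
        free = max(cap - existing, 0)
        take, todo = todo[:free], todo[free:]
        if take:
            assignments.append((dn, take))
        if not todo:
            break
    return assignments, todo


def to_ldif(assignments):
    """LDIF modify records adding the aliases. The prefix is lowercase smtp:
    on purpose: uppercase SMTP: marks the primary address, and the list
    already has one."""
    chunks = []
    for dn, addrs in assignments:
        lines = [f"dn: {dn}", "changetype: modify", "add: proxyAddresses"]
        lines += [f"proxyAddresses: smtp:{a}" for a in addrs]
        lines.append("-")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    assignments, leftover = plan_aliases(LEGACY, GROUPS)
    print(to_ldif(assignments))
    if leftover:
        print(f"# {len(leftover)} addresses did not fit; create another empty DL")
```

With the sample data the first two de-duplicated addresses land on NULL-DELIVERY and bill.smith@sgc.mil spills to NULL-DELIVERY2; run with only the first group and it is reported as leftover instead of silently exceeding the cap. Import the output with ldifde -i -f null-delivery.ldf on a domain controller, then confirm in ESM that the group's E-mail Addresses tab shows the new entries and that the RUS has not promoted any of them to primary.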
Tradeoffs and Balance
When an employee leaves the company, you have to consider many email-related concerns. On one hand, you don't want to keep a mailbox online if someone else can use its storage resources. On the other hand, you might want to keep the mailbox online to access content and easily notify people that the account holder has left the company. But you don't want the mailbox to use additional resources as it accumulates new mail or the system bounces a lot of undeliverable mail. I hope I've given you a few ideas about how you can accommodate all these concerns to meet business needs while keeping your Exchange servers running smoothly.