Wednesday, February 23, 2011

Connecting our Anti-spam to Exchange 2007

The next step in shutting down our old Exchange 2003 servers is to configure our anti-spam appliance.  If you’re looking for a great anti-spam vendor, check out Xecuritas. We’re in the healthcare industry, which makes it tough to filter based on the body parts and drugs listed in your typical spam message. These guys do a great job and provide stellar service.

So the process involves setting up a NAT for LDAP authentication so folks can log in and check their quarantines.  This NAT points to a DC and provides a one-to-one connection from the anti-spam appliance.  It only accepts those 2 IP addresses and is only open for LDAP traffic.

I also have a NAT for recipient verification. This allows the appliance to check the recipient for every mail, and if the recipient doesn’t exist we drop the mail.  Yes, I know the current RFC says we should bounce that mail, but hey, during a heavy spam flood we may see 2.7 MILLION messages a day.  I can’t really afford to double that kind of traffic with NDRs. This NAT is also a one-to-one connection from the appliance to my HUB server. It only allows SMTP traffic.

The Exchange 2007 native anti-spam features are installed using the Install-AntispamAgents.ps1 script located in Program Files\Microsoft\Exchange Server\Scripts. All of the anti-spam options are enabled by default. To turn on recipient filtering, go into the properties of Recipient Filtering and, on the Blocked Recipients tab, enable the option "Block messages sent to recipients not in the global address list".  Click Apply/OK. Restart the Microsoft Exchange Transport service again.

I know what you’re thinking. My boss asked the same thing: “What about all of those mail-enabled public folders that you have hidden?”  They still work. They are still in the GAL.   Hiding them does not remove them from the GAL; they simply have a database flag set to hide them.

The final Exchange configuration piece is to disable tarpitting.  This feature is to help prevent directory harvest attacks.  It’s a delay in the rejection response.  The idea is that the spamming server will drop the connection before the rejection is generated. If your Exchange server is open to outside connections this is a good thing. I have two hygiene servers between my Exchange environment and the rest of the world so I don’t need this feature.  In fact I want that rejection to happen instantly so mail doesn’t back up on my inbound mail server.

You can check your tarpitting interval from the Exchange Management Shell.

Get-ReceiveConnector | select name,tarpitinterval

It’s turned off from the shell too, one receive connector at a time.

set-ReceiveConnector "Server1\Default Server1" -tarpitinterval 00:00:00
set-ReceiveConnector "Server1\Client Server1" -tarpitinterval 00:00:00
set-ReceiveConnector "Server2\Default Server2" -tarpitinterval 00:00:00
set-ReceiveConnector "Server2\Client Server2" -tarpitinterval 00:00:00
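The following is an added audit script, not part of the original post, that checks the three pieces described above (agents installed, recipient validation on, tarpit interval) and flags the one caveat in this setup: a zero tarpit interval is only reasonable on a connector that cannot be reached from the Internet directly. It assumes the Exchange 2007 Management Shell on a Hub Transport server; the `Recipient Filter Agent` name and the `0.0.0.0-255.255.255.255` range are the defaults Exchange displays.

```powershell
# Added audit example for the configuration in this post (not the post's own code).
# Assumes it runs in the Exchange 2007 Management Shell on a Hub Transport server.

$anyAddress = '0.0.0.0-255.255.255.255'   # default RemoteIPRanges: accept from anywhere

# 1. Is the Recipient Filter agent (installed by Install-AntispamAgents.ps1) present and enabled?
$agent = Get-TransportAgent -Identity 'Recipient Filter Agent' -ErrorAction SilentlyContinue
if ($agent -eq $null) {
    Write-Warning 'Recipient Filter Agent is not installed; run Install-AntispamAgents.ps1 and restart transport'
} elseif (-not $agent.Enabled) {
    Write-Warning 'Recipient Filter Agent is installed but disabled'
}

# 2. Recipient validation is the shell equivalent of the GUI option
#    "Block messages sent to recipients not in the global address list".
$cfg = Get-RecipientFilterConfig
if (-not ($cfg.Enabled -and $cfg.RecipientValidationEnabled)) {
    Write-Warning 'Recipient validation is off; enabling it (restart transport afterwards)'
    Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
}

# 3. Tarpit: list every receive connector with its interval and whether it accepts
#    connections from any address. Zero tarpit + open to the world is the risky combination,
#    because that connector is exposed to directory harvest attempts with no delay.
$connectors = Get-ReceiveConnector | Select-Object Identity, TarpitInterval,
    @{ Name = 'OpenToWorld'; Expression = {
        ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -contains $anyAddress } },
    @{ Name = 'RemoteIPs'; Expression = {
        ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', ' } }

foreach ($c in $connectors) {
    if ($c.OpenToWorld -and $c.TarpitInterval -eq [TimeSpan]::Zero) {
        Write-Warning ("{0}: tarpit is disabled but the connector accepts mail from any address" -f $c.Identity)
    }
}
$connectors | Format-Table Identity, TarpitInterval, OpenToWorld, RemoteIPs -AutoSize

# Apply agent/config changes (same as the post's "restart the transport service" step):
# Restart-Service MSExchangeTransport
```

Connectors whose RemoteIPRanges are limited to the hygiene appliances' NAT addresses come out with OpenToWorld set to False, which is the case the post describes; anything flagged by the warning deserves a second look before its tarpit interval is zeroed.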

