[Today’s post comes to us courtesy of Shawn Sullivan]
Exchange 2007 introduces a built-in feature called Sender Reputation for both the Edge and Hub Transport server roles. The purpose of Sender Reputation is to record the legitimacy, through a number of tests, of each external SMTP server that sends email to Exchange. For detailed information on how Sender Reputation works, please visit the following link: http://technet.microsoft.com/en-us/library/bb124512.aspx
By default, SBS 2008 is aggressive in blocking suspicious senders, and since all inbound e-mail is coming from the same sending server, there is a risk that the hosting company server could be incorrectly blocked. This feature will eventually block an offending host for 24 hours.
Furthermore, you need to also consider Sender ID Filtering, also enabled by default on SBS, since all e-mail is coming from a series of hosts that are most likely not the designated approved senders (as they are your hosting companies servers), this will cause the SPF check to fail and raise the probability of the sender reputation to fail among other things. This can cause an issue for those using a 3rd party mail hosting service to deliver incoming email. Based on the nature of their operation, these SMTP servers will likely fail some of the criteria used by Exchange once they connect, ending up in denied connections and broken inbound email flow.
The other scenario you need to consider is if you have a non-Exchange mail server in your organization that is accepting inbound e-mails, performing messaging hygiene functions and then forwarding the e-mails to the Exchange server running on the SBS server. On that case, you should add the IP of this server to your InternalSMTPServers. If you have a firewall doing SMTP Proxy and the connections appear to come from the Internal IP, you will potentially have to also add that internal IP, however, you should not do this unless the firewall is performing messaging hygiene.
To resolve this problem, you will need to add the IP address ranges of the hosting SMTP servers to a list trusted by Exchange. Open the Exchange Management Shell as Administrator and type the following:
Set-TransportConfig –InternalSMTPServers <IP>
For example, if we were using Exchange Hosted Service message hygiene and compliance, then we would run:
Set-TransportConfig –InternalSMTPServers 127.0.0.1, 22.214.171.124/24, 126.96.36.199/24, 188.8.131.52/26, 184.108.40.206/24, 220.127.116.11/24, 18.104.22.168/24, 22.214.171.124/24, 126.96.36.199/24, 188.8.131.52, 184.108.40.206, 220.127.116.11
To verify that these have been added correctly, you can run the following cmdlet to display the entries:
Get-TransportConfig | ft “InternalSMTPServers”
Once added, connections from these IP addresses will have bypass-anti-spam access rights on each receive connector in your organization; so take caution and make sure you are truly adding trusted IPs only.
IMPORTANT: If you are using one of our partner registrars to host your external DNS information while using a mail hosting company to accept your email, you will need to either set or create the following registry key on your SBS 2008 server:
This prevents the dynamic DNS service on the SBS 2008 server from incorrectly changing the IP address on your MX to point to your router’s public IP instead of your mail host. The DDNS service checks this every 5 minutes by default when you choose to host your DNS at a partner registry when you run the Internet Management Address Wizard (IAMW).
You do not need to set this if you have chosen the option to manage your domain name yourself using the IAMW.
IP address range information for Exchange Defender and Postini can be found in the following links:
- Exchange Defender: https://www.exchangedefender.com/support_deployment_guide.php
- Postini: http://www.postini.com/webdocs/admin_ee_cu/wwhelp/wwhimpl/js/html/wwhelp.htm (under IP Ranges and Security)