Outbound Filtering

One of my customers needed a way to scan outgoing mail by using the content filtering anti-spam agent. By default this agent does not work on trusted connections, therefore all emails sent from your Hub server to your Edge Transport server using the Internal Send Connector would not be scanned.

The solution was to have the hub server send anonymous emails to the Edge and this was accomplished by doing the following:

· Route inbound mail thru one set of dedicated edge transport servers with appropriate anti-spam/anti-phishing configuration

· Configure a second set of edge transport servers dedicated to outbound mail with appropriate anti-spam configuration (this is because Exchange 2007 doesn’t allow for separate configuration on a per-connector basis, and therefore, you cannot configure inbound to reject at one SCL and outbound at a different SCL)

· The trick is to get Exchange to score messages that are generated internally, which was a combination of the following:

  • Use the Set-ContentFilterConfig cmdlet to enable the InternalMailEnabled parameter
  • However, once that was set, the vast majority of messages still bypassed content filtering

The final step was to setup the hub server to send anonymous emails to the edge transport.

1. Create a New “Internet” Send Connector from the Hub Smart Hosting to your Edge Server--included all  Hub Servers in the environment as the Bridgehead servers for this connector.  By doing this you can bypass the Internal Connector and forcing the Hub to use this Send connector when talking to the Edge server.

However this is only possible if you force the Trusted Internal Send Connector to fail, and we will do this by next step.

2. Create a New Receive connector on the Edge server, only accepting connections from your  Hub servers. This connector also only accepts anonymous connections, at the same time we disabled the “Exchange Authentication” and “Exchange Server” permissions on your default receive connector. This is how we force the Hub to use the other connector.

3. Finally assign the new receive connector on the Edge server the “relay” permission for Hub. This is done by using the following command.

Get-ReceiveConnector "Your Second Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" –ExtendedRights


The above workaround was achieved by working with the customer and Premier support and using the below blog as a reference point.


Comments (1)

  1. Anonymous says:

    One of my customers needed a way to scan outgoing mail by using the content filtering anti-spam agent

Skip to main content