Configuration Guide for Exchange 2003, 2007 and 2010
Table of Contents
Exchange 2013 ... 2
Configuring Outbound Smart Host ... 2
Configure Access Restriction to Prevent DoS Attacks ... 2
Exchange 2007/2010 ... 4
Configuring Outbound Smart Host ... 4
Configure Access Restriction to Prevent DoS Attacks ... 4
Enable Recipient Filtering to Prevent Directory Harvesting ... 5
Step 1 - Install the Anti-spam Agent on the Hub Transport Role ... 5
Step 2 - Configure Recipient Validation... 6
Step 3 - Disable all other Anti-Spam Features ... 6
Exchange 2003 ... 7
How to Configure Outbound Smart Host ... 7
Configure Access Restriction to Prevent DoS Attacks ... 8
Enable Recipient Filtering to Prevent Directory Harvesting ... 8
Exchange 2013
Configuring Outbound Smart Host
• Open the 'Exchange Administration Center' (EAC)
• In the left hand column select 'Mail Flow'
• From the top menu bar choose 'Send Connectors'
• Click the Add button (+), this will open the 'New Send Connector' wizard
• Enter the name as AVG AntiSpam Outbound
• Change the 'Type' to 'Custom' and click 'Next'
• In the next step change the option to 'Route mail through smart hosts'
• Click the add (+) button underneath to add a new smarthost
• Enter
outbound.avgcloud.netin the 'Fully qualified domain name (FQDN)' field
• Click 'Save'
• In the next window for 'Smart host authentication' choose NONE
• Click 'Next'
• In the 'Address Space' window the 'Type' should already be 'SMTP' and cost should be '1'
• Enter '*' in the 'Fully qualified domain name (FQDN)' field, this means all mail sent to this
connecter (for all domains) will be routed through this smarthost
• Click 'Save' and then click 'Next' in the Send connector wizard
• For 'Source server' click add (+) and add the servers that can send via this connector
• Click 'OK' and then 'Finish'
• The basic setup is now complete and you should be able to send emails from your Exchange
server / network
Configure Access Restriction to Prevent DoS Attacks
Enforcing IP restrictions is absolutely critical to complete protection of your mail server.
Because hackers and spammers can easily bypass cloud services and target your server
directly, mail servers protected by AVG AntiSpam should accept only accept SMTP
connections from AVG AntiSpam IP's listed below and deny all other traffic:
100.42.120.96/27 (100.42.120.96/255.255.255.224) 100.42.115.0/27 (100.42.115.0/255.255.255.224) 208.70.208.0/22
1. From the EAC, click mail flow.
2. On the Mail Flow menu, click “Receive Connectors”, then select Default Hub Transport,
and finally click the edit icon.
3. On the Default Hub Transport menu, click scoping, and then select the default IP
addresses (0.0.0.0-255.255.255.255) under the *Remote network settings menu.
4. Click the delete icon to remove the default IP addresses and click the new icon to add the
list of AVG AntiSpam’s provided IP addresses into the field.
5. Enter one of the AVG AntiSpam provided IP addresses to allow for inbound SMTP into
the field and click save. Click the new icon and repeat this step until all provided IP
addresses have been added.
6. On the Default Frontend MAIL menu, click save and then exit the EAC.
Enable Recipient Filtering to Prevent Directory Harvesting
Recipient Filtering is the single most overlooked important setting. It allows you to fight
dictionary and other SPAM attacks. Spammers send mail to users they hope exist in your
domain, sometimes hoping to learn if they exist by reading NDRs generated by Exchange,
and sometimes just sending to common names, or running through a dictionary of names.
To enable recipient filtering in Exchange 2013, run the following command:
Set-RecipientFilterConfig -Enabled $true
When you disable recipient filtering, the underlying Recipient Filter agent is still enabled. To
disable the Recipient Filter agent, run the command: Disable-TransportAgent "Recipient
Filter Agent".
To verify that you have successfully enabled or disabled recipient filtering,
1. Run the following command
2. Get-RecipientFilterConfig | Format-List Enabled
3. Verify the value displayed is the value you configured.
Exchange 2007/2010
Configuring Outbound Smart Host
1. Login as the Administrative user to your Exchange 2007/2010 server and open Exchange Management Console.
2. Expand Organizational Configuration, click Hub Transport.
3. Select the Send Connector tab
4. Right click on the existing Send Connector, Select properties 5. Go to the Network tab
6. Select “Route mail through the following smart hosts” and click add
7. Select Fully qualified domain name (FQDN) and enter : outbound.avgcloud.net click Ok
8. Click Change to set the authentication type is set to None
The changes you've made to the Send Connector will take effect straight away without you having to reboot the server or restart any services.
Configure Access Restriction to Prevent DoS Attacks
Enforcing IP restrictions is absolutely critical to complete protection of your mail server.
Because hackers and spammers can easily bypass cloud services and target your server directly, mail servers protected by AVG Email AntiSpam should accept only accept SMTP connections from AVG AntiSpam IP’s listed below and deny all other traffic:
100.42.120.96/27 (100.42.120.96/255.255.255.224) 100.42.115.0/27 (100.42.115.0/255.255.255.224) 208.70.208.0/22
1. Open the Exchange Management Console.
2. Navigate to: Server Configuration - Hub Transport - Default Receive Connector - Properties - Network tab.
3. Under "Receive mail from remote servers that have these addresses:" find the entry that says 0.0.0.0-255.255.255.0 and delete the record.
4. Under "Receive mail from remote servers that have these addresses:" click Add. Input the first AVG AntiSpam IP range.
5. Click on the Permission Group Tab and ensure that "Anonymous" delivery is allowed from our ranges.
6. Stop and restart the MSExchangeTransport service on the HUB transport server(s)
Enable Recipient Filtering to Prevent Directory Harvesting
Recipient Filtering is the single most overlooked important setting. It allows you to fight dictionary and other SPAM attacks. Spammers send mail to users they hope exist in your domain, sometimes hoping to learn if they exist by reading NDRs generated by Exchange, and sometimes just sending to common names, or running through a dictionary of names.
In Exchange 2007/2010, the process of rejecting emails sent to invalid users is called Recipient Validation and enabling this is made complicated, in Exchange 2007/2010, by the way Microsoft has split the functions of Exchange into different roles.
Recipient Validation is part of the AntiSpam features that are present, by default, only on the server performing the Edge Transport Role.
The problem is, if you only have one Exchange server in your company, as most people do, it will be performing the Hub Transport, Client Access and Mailbox roles but not the Edge Transport role as this has to be on a separate server. An Exchange email system will work fine without the Edge Transport role.
The solution is to install the AntiSpam features on the Hub Transport role so we'll start by doing this.
If you do happen to have a separate Edge Transport server then skip ahead to the next section.
Step 1 - Install the Anti-spam Agent on the Hub Transport Role
1. Open Exchange Management Shell and enter the command: cd "c:\ProgramFiles\Microsoft\Exchange Server\Scripts"
2. This "changes directory" to the folder containing a PowerShell script, provided by Microsoft, for installing the Anti-spam features on the Hub Transport.
3. Type the following command to run this script: .\install-antispamagents.ps1
4. Close the Exchange Management Shell window and either reboot the server or go to:
Start – Run --- and type: services.msc then click OK
5. Locate the service called Microsoft Exchange Transport, right-click on it and select Restart
Step 2 - Configure Recipient Validation
1. Open the Exchange Management Console and go to:-
2. Organization Configuration - Hub Transport and select the new Anti-spam tab 3. Right-click on Recipient Filtering and select Properties
4. If you have a separate Edge Transport server then you'll find the Anti-spam tab under Edge Transport
5. Go to the Blocked Recipients tab and select: Block messages sent to recipients not in the Global Address List
6. Then click OK
Step 3 - Disable all other Anti-Spam Features
1. If you just installed the Anti-spam agents in Section 1 then, by default, some of these features will now be active.
2. Whether you enable or disable these other Anti-spam features is something you need to think about carefully and perhaps experiment with a little.
3. Today's job is to enable Recipient Filtering and not to reconfigure your whole anti- spam system so we recommend that, for now, you disable all the other new features.
4. Right-click on each feature, in turn, (except Recipient Filtering!) and select Disable
Exchange 2003
How to Configure Outbound Smart Host
1. Login to your Exchange 2003 server and open System Manager.
2.
Expand Connectors, right click Small Business SMTP Connector (or your active outgoing SMTP connector) and select properties.
3. In the general tab, set the radio option to forward all mail through this connector to the following smart hosts and input: outbound.avgcloud.net 4. Navigate to the Address Space tab and ensure there is one entry with the
address specified as * and the Cost as 1.
5. Click on the advanced tab, and then click Outbound Security
6. Click the radio button for anonymous access and a checkmark in TLS Encryption 7. Click OK and then OK again and verify that email is going out through the
system.
In order for the new settings to take effect, you need to restart the following services:
Microsoft Exchange Routing Engine and Simple Mail Transport Protocol (SMTP) service.
Configure Access Restriction to Prevent DoS Attacks
Enforcing IP restrictions is absolutely critical to complete protection of your mail server.
Because hackers and spammers can easily bypass cloud services and target your server directly, mail servers protected by AVG AntiSpam should accept only accept SMTP connections from AVG AntiSpam IP’s listed below and deny all other traffic:
100.42.120.96/27 (100.42.120.96/255.255.255.224) 100.42.115.0/27 (100.42.115.0/255.255.255.224) 208.70.208.0/22
1. Open the Exchange System Manager.
2. Expand Servers, Server Name, Protocols, SMTP - right click "Default SMTP Virtual Server" (Or the active receive connector name) and select properties
3. Navigate to the Access tab and then select the Connection button.
4. Remove any entries from previous providers or entries that have the IP range 0.0.0.0 - 255.255.255.0
5. Click Add to enter a new IP restriction. Select the Group of computers option, insert the first IP range for AVG Email AntiSpam and set the subnet mask to
255.255.255.224 - click OK.
6. Restart the Simple Mail Transfer Protocol (SMTP) service to apply the changes.
Enable Recipient Filtering to Prevent Directory Harvesting
The "Filter recipients who are not in the Directory" option, not enabled by default is the single most overlooked important setting. It allows you to fight dictionary and other SPAM attacks. Spammers send mail to users they hope exist in your domain, sometimes hoping to learn if they exist by reading NDRs generated by Exchange, and sometimes just sending to common names, or running through a dictionary of names.
1. In Exchange System Manager navigate to Global Settings, right-click on Message Delivery and chose Properties
2. On the Recipient Filtering tab, select "Filter recipients who are not in the Directory"
then click OK
3. Click OK to the warning message that pops-up - it's just saying we need to perform a further step.
4. Go to Servers - <SERVER NAME> - Protocols - SMTP - Right-click on Default SMTP Virtual Server and click Properties
5. On the General tab, click Advanced - Select the listed IP Address and then click Edit 6. Select Apply Recipient Filter then click OK - OK – OK
