Initial situation:
The SEPPmail Secure E-Mail Gateway is placed in the email flow directly upstream to a Microsoft Exchange Server.
After the option Verify recipient addresses using SMTP-Lookups has been activated in the administration interface of the SEPPmail Secure E-Mail Gateway under Mail System Managed domains, the SEPPmail Secure E-Mail Gateway rejects incoming emails with the message "550 5.1.1 Recipient address rejected". The notes in the manual regarding this option have been followed.
Question:
What else needs to be observed to successfully use the function in connection with Microsoft Exchange?
Answer/solution:
As of Exchange 2013 (this also applies to 2016 and 2019), the AD lookup no longer works directly on the SMTP frontend connector. For SMTP AD recipient verification to work correctly, the backend connector on port 2525 must therefore be used.
When the CAS role is installed, the SMTP frontend server is also installed by default. Consequently, the antispam agent acts twice for recipient verification: first when the email is received on port 25 and again when it is proxied to port 2525. As a result, even emails with just one invalid recipient address are rejected.
If, by contrast, the email is handed directly to port 2525, the antispam agent acts only once and recipient verification works as expected: every recipient of an email is checked, and if at least one of the addressed recipients is valid, the email is accepted.
For receiving emails, the following Permission Groups should be set on the Default Receive Connector (HUB Transport):
• Anonymous Users (for receipt via port 2525)
• Exchange Users (if a login check is required, e.g. if the frontend performs authentication via SMTP login)
Other necessary actions via the Exchange Management Shell:
• Install the antispam agents
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
• Enable the necessary transport agent
Enable-TransportAgent "Recipient Filter Agent"
• Configure the spam filters (only recipient filtering with AD validation stays enabled; the remaining agents are switched off)
Set-RecipientFilterConfig -Enabled $true
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Set-ContentFilterConfig -Enabled $false
Set-SenderIDConfig -Enabled $false
Set-IPAllowListConfig -Enabled $false
Set-IPAllowListProvidersConfig -Enabled $false
Set-IPBlockListConfig -Enabled $false
Set-IPBlockListProvidersConfig -Enabled $false
Set-SenderFilterConfig -Enabled $false
Set-SenderReputationConfig -Enabled $false
In theory, further filters could be activated, but this is generally not necessary on systems with an external frontend.
It is possible that the accepted domain still has to be checked and adjusted:
Get-AcceptedDomain | fl Name,AddressBookEnabled
Additionally, the address book must be enabled for the lookup on that domain, unless this has already been done (xxxxx.ch is a placeholder for your own domain; the cmdlet is Set-AcceptedDomain, there is no Set-RecipientDomain):
Set-AcceptedDomain -Identity xxxxx.ch -AddressBookEnabled $true
Restart Transport Services
Finally, the Exchange transport service must be restarted:
Restart-Service MSExchangeTransport
The frontend system, i.e. the SEPPmail Secure E-Mail Gateway, can only deliver incoming emails to the Exchange backend server on port 2525 when the option Verify recipient addresses using SMTP-Lookups is used (see Mail System Managed domains, table, column Server IP Address).
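The following check script is an added example and is not part of the original article or of SEPPmail's own tooling. Run it in the Exchange Management Shell before pointing the gateway at port 2525; it verifies the prerequisites from the steps above (agent installed and enabled, recipient validation on, accepted domain address-book enabled, a HubTransport receive connector on port 2525 allowing anonymous submission). The domain xxxxx.ch is the article's placeholder and must be replaced.

```powershell
# Added check script (not from the original article or from SEPPmail).
# Assumption: executed in the Exchange Management Shell on the backend server.
$DomainToCheck = "xxxxx.ch"   # placeholder from the article, replace with your domain
$findings = @()

# 1. Recipient Filter Agent must be installed and enabled
$agent = Get-TransportAgent -Identity "Recipient Filter Agent" -ErrorAction SilentlyContinue
if (-not $agent)             { $findings += "Recipient Filter Agent is not installed (run Install-AntiSpamAgents.ps1)" }
elseif (-not $agent.Enabled) { $findings += "Recipient Filter Agent is installed but disabled" }

# 2. Recipient filtering and AD-based recipient validation must both be on
$rf = Get-RecipientFilterConfig
if (-not $rf.Enabled)                    { $findings += "RecipientFilterConfig: Enabled is False" }
if (-not $rf.RecipientValidationEnabled) { $findings += "RecipientFilterConfig: RecipientValidationEnabled is False" }

# 3. The accepted domain must be address-book enabled, otherwise every recipient looks invalid
$dom = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $DomainToCheck }
if (-not $dom)                        { $findings += "Accepted domain $DomainToCheck not found" }
elseif (-not $dom.AddressBookEnabled) { $findings += "Accepted domain $DomainToCheck has AddressBookEnabled = False" }

# 4. A HubTransport receive connector must listen on 2525 and allow anonymous submission,
#    so the gateway can bypass the frontend connector and the double recipient check
$hub2525 = Get-ReceiveConnector | Where-Object {
    $_.TransportRole -eq "HubTransport" -and ($_.Bindings | Where-Object { $_.Port -eq 2525 })
}
if (-not $hub2525) { $findings += "No HubTransport receive connector bound to port 2525" }
else {
    foreach ($rc in $hub2525) {
        if ("$($rc.PermissionGroups)" -notmatch "AnonymousUsers") {
            $findings += "Connector '$($rc.Name)' on port 2525 lacks the AnonymousUsers permission group"
        }
    }
}

# Report: no findings means the recipient verification prerequisites are in place
if ($findings.Count -eq 0) { Write-Host "All recipient verification prerequisites are in place." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Each warning names the step above that still needs to be completed; a clean run means the "550 5.1.1 Recipient address rejected" responses should no longer come from a misconfigured backend.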