Thursday, May 30, 2013

RBL and Exchange 2013

When you install the anti-spam agents on an Exchange 2013 server you expect to get the same set of agents as on previous versions of Exchange. Most of them do get installed on the Mailbox role, but not the Connection Filtering agent, the one that does the RBL (DNS block list) lookups.

The PowerShell script Install-AntispamAgents.ps1 checks which server roles are installed and will not install Connection Filtering if the server holds the Mailbox role. That is understandable: inbound SMTP connections should arrive at the CAS (Front End Transport service) and be proxied from there, so by the time the session reaches the Mailbox server the connecting IP is the CAS, not the original sender (the CAS effectively source-NATs the connection). The logical place for the agent is therefore the CAS, but the script will not install it there either. It only installs Connection Filtering on the Edge role.

I can only speculate why this is; either Microsoft wants it this way or they have found some trouble with the Connection Filtering agent running on CAS.

I figured I will give this a try anyway, and here is how you get it to work.

Start Exchange Management Shell as administrator.

Change directory to the scripts folder:
cd $exscripts

Install the agent on the Front End Transport service. Install-TransportAgent registers it disabled, so it is enabled in a later step:
Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

If you have other agents running on the Front End Transport service you must put them in the correct order with the -Priority parameter of Set-TransportAgent. Connection Filtering should run first, as it does on the Edge role, so that a listed IP is rejected before any later agent does work on the session.

Add an IP block list provider of your choice:
Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true

You can add more than one provider if you like. If you don't supply a custom text with -RejectionResponse, the SMTP rejection reads "Recipient not authorized, your IP has been found on a block list". One caveat on -AnyMatch $true: it treats any A record the list returns as a listing. Some lists, Spamhaus included, answer a query they refuse (one sent through a public resolver, or over the free-use limit) with a special code in 127.255.255.0/24 instead of NXDOMAIN, and with -AnyMatch those answers would reject every inbound connection. Matching only the provider's documented return codes with -IPAddressesMatch avoids that.

Enable the agent:
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"

Restart the Front End Transport service:
Restart-Service MSExchangeFrontEndTransport

Now the agent should be live and kicking. Logging for the Front End agent goes to "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog", not to the back-end transport's directory "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\AgentLog", so look there (or point Get-AgentLog -Location at that path) when checking whether connections are actually being rejected.
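The whole procedure above as one script that can be re-run safely and that also checks the result. This is an added example, not the post's own commands. It assumes the default V15 install path, a local Exchange Management Shell run as administrator, Windows Server 2012 or later for Resolve-DnsName, and zen.spamhaus.org as the list, as in the post. The Test-DnsblLookup function and the explicit list of Spamhaus return codes are this example's own additions, not something the install script does.

```powershell
# Added example (not the post's own script). Installs, enables and verifies the
# Connection Filtering agent on the Front End Transport service of an Exchange
# 2013 CAS. Assumptions: default V15 install path, local Exchange Management
# Shell run as administrator, Windows Server 2012+ (Resolve-DnsName).

$exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'
$hygieneDll   = Join-Path $exchangeRoot 'TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll'
$agentName    = 'Connection Filtering Agent'
$provider     = 'zen.spamhaus.org'   # the list used in the post

# 1. Install the agent on the Front End Transport service unless it is already
#    there. Install-TransportAgent registers it disabled.
if (-not (Get-TransportAgent -TransportService FrontEnd -Identity $agentName -ErrorAction SilentlyContinue)) {
    Install-TransportAgent -Name $agentName -TransportService FrontEnd `
        -TransportAgentFactory 'Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory' `
        -AssemblyPath $hygieneDll
}

# 2. Block list provider. Match the provider's documented return codes instead
#    of -AnyMatch: Spamhaus answers refused queries (open resolver, over the
#    free-use limit) with codes in 127.255.255.0/24, and -AnyMatch would turn
#    those into a rejection of every inbound connection.
#    zen codes: 127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.9 SBL DROP, 127.0.0.10-11 PBL
$zenCodes = '127.0.0.2','127.0.0.3','127.0.0.4','127.0.0.5','127.0.0.6','127.0.0.7','127.0.0.9','127.0.0.10','127.0.0.11'
if (-not (Get-IPBlockListProvider -Identity $provider -ErrorAction SilentlyContinue)) {
    Add-IPBlockListProvider -Name $provider -LookupDomain $provider `
        -IPAddressesMatch $zenCodes -Enabled $true `
        -RejectionResponse "Connection rejected: the sending IP is listed on $provider"
}

# 3. Enable the agent and restart the Front End Transport service so it loads it.
Enable-TransportAgent -TransportService FrontEnd -Identity $agentName
Restart-Service MSExchangeFrontEndTransport

# 4. Verify. First the Exchange view of the agent and the provider.
Get-TransportAgent -TransportService FrontEnd | Format-Table Identity, Enabled, Priority -AutoSize
Get-IPBlockListProvider -Identity $provider | Format-List Name, LookupDomain, Enabled, AnyMatch, IPAddressesMatch

# Then a raw DNSBL lookup that does not depend on Exchange (it is what the
# agent does underneath): reverse the octets and query
# <reversed-ip>.<lookup-domain>. 127.0.0.2 is the address every DNSBL lists
# for testing (RFC 5782) and 127.0.0.1 must never be listed, so the pair
# tells you whether your resolver reaches the list and reads it correctly.
function Test-DnsblLookup {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$LookupDomain)
    $reversed = ($IPAddress.Split('.')[3..0]) -join '.'
    $codes = @()
    try {
        $codes = @(Resolve-DnsName -Name "$reversed.$LookupDomain" -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } |
                   ForEach-Object { $_.IPAddress })
    } catch { }   # NXDOMAIN (or resolver failure): treated as not listed
    [pscustomobject]@{
        IPAddress = $IPAddress
        Listed    = ($codes.Count -gt 0)
        Codes     = $codes
        Refused   = [bool]($codes | Where-Object { $_ -like '127.255.255.*' })   # Spamhaus error code, not a listing
    }
}
Test-DnsblLookup -IPAddress 127.0.0.2 -LookupDomain $provider
Test-DnsblLookup -IPAddress 127.0.0.1 -LookupDomain $provider

# 5. Confirm rejections land in the Front End agent log (...\Logs\FrontEnd\AgentLog,
#    not the Hub log). If this build's Get-AgentLog lacks -TransportService,
#    use -Location with that path instead.
Get-AgentLog -TransportService FrontEnd -StartDate (Get-Date).AddHours(-1) |
    Where-Object { $_.Agent -eq $agentName } |
    Select-Object -First 10 -Property Timestamp, IPAddress, Action, Reason, ReasonData
```

If the 127.0.0.2 lookup comes back with Refused = True, or the 127.0.0.1 lookup comes back Listed, the problem is the resolver path to the list rather than Exchange, and with -AnyMatch that same answer would have blocked all inbound mail.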

Since the script doesn't install the Connection Filtering agent on CAS it is probably unsupported to install the agent manually, but I had it running for months without any problem, so make your own judgment.

11 comments:

  1. Thank you Lasse Pettersson. I have been bombarded with spam since upgrading to Exchange 2013 as Microsoft disabled the connection filter feature of their anti-spam software. So far this has done the trick!

    Thanks,

    Ray

  2. Binding the connection agent to the FrontEnd transport does work! The FrontEnd transport is where connections to port 25 are made, so this transport agent should handle the connection filtering, not the Hub transport to which the connection is relayed.

    The reason that subsequent connections are also rejected is that the connection between the frontend and the transport service stays open for subsequent message deliveries, so the connection agent keeps responding with the first rejection until the connection between the frontend and transport is dropped after a timeout.

  3. Hello Lasse, thanks for the post. It got a bit clearer for me but it is still confusing. I have installed a working anti-spam agent for RBL. However, I would like to make some exceptions to this for some mail sender hosts (domain or sender). Since I do not see the connection agent in the list of my 9 agents (starting with the content filter), do you know how I could make an exception so the RBL does not check this IP/domain/sender?

  4. Dear Anon,

    You can see the agent with this command:
    Get-TransportAgent -TransportService FrontEnd

    To add excepted domains run the following commands:

    $list = (Get-ContentFilterConfig).BypassedSenderDomains
    $list.Add("domain.com")
    Set-ContentFilterConfig -BypassedSenderDomains:$list

    You can see the current list with:
    (Get-ContentFilterConfig).BypassedSenderDomains

    Use -BypassedSenders to add senders' email addresses.

  5. Has any one tested this on the CAS role without the Mailbox and CAS on one server?

    Doesn't work for me on the CAS role. No logs or anything to see why.

    Replies
    1. To get this working on a CAS server without a colocated Mailbox role, you need to use local PowerShell instead of remote PowerShell.
      Start a regular PowerShell on your CAS and add the Exchange snap-in. Then install and configure the agent as described.

      To stop doing RBL checks for some IPs, add those IPs to the InternalSMTPServers list with the Set-TransportConfig cmdlet.

      Another thing you can do is add recipient addresses that should be excluded from the RBL check with Set-IPBlockListProvidersConfig -BypassedRecipients xxx

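The two exception mechanisms named in the reply above, as an added example that is not code from the post or from the commenter. The addresses 192.0.2.10, 192.0.2.0/28 and the example.com mailboxes are placeholders from the documentation ranges, not real infrastructure; the commands are run from the Exchange Management Shell.

```powershell
# Added example (not the post's or the commenter's code). Exempts trusted hops
# and abuse-handling mailboxes from the RBL check. 192.0.2.x and example.com
# are placeholders; replace them with your own relay and domain.

# 1. Trusted SMTP hops in front of the CAS. Connection filtering (and Sender ID)
#    skip these addresses when deciding which IP to evaluate, so a relay or
#    filtering appliance that forwards mail to Exchange is not itself looked up.
Set-TransportConfig -InternalSMTPServers @{Add = '192.0.2.10', '192.0.2.0/28'}

# 2. Recipients that must stay reachable even from a listed IP. RFC 5321 requires
#    postmaster to accept mail, and abuse@ is where block-list complaints arrive.
Set-IPBlockListProvidersConfig -BypassedRecipients @{Add = 'postmaster@example.com', 'abuse@example.com'}

# 3. Verify what is now in effect. TransportConfig is organization-wide, so the
#    InternalSMTPServers change affects every transport server, not just this CAS.
(Get-TransportConfig).InternalSMTPServers
Get-IPBlockListProvidersConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled, BypassedRecipients

# 4. Removing a single entry later, without rewriting the whole list:
Set-TransportConfig -InternalSMTPServers @{Remove = '192.0.2.10'}
```

Note that InternalSMTPServers is a list of hops to skip, not a whitelist of senders: a source IP on that list is treated as internal for the purpose of finding the external originator, which is what you want for a relay and not what you want for an arbitrary external sender you merely trust.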
  6. Good morning,

    We're trying to follow your instructions (your nickname is also Barxane?) and nelson-sbl-test@crynwr.com always answered that the test failed.

    Could you please help ?

    Many many thanks,

    jb_2000

    **********************************

    Environment : Exchange 2013 CAS & Mailbox

    *****************************

    [PS] C:\Windows\system32>Get-TransportAgent -TransportService FrontEnd
    Identity                    Enabled  Priority
    --------                    -------  --------
    Connection Filtering Agent  True     1

    [PS] C:\Windows\system32>Get-IPBlockListProvider
    Name              LookupDomain      Priority
    ----              ------------      --------
    zen.spamhaus.org  zen.spamhaus.org  1

  7. Good morning,

    We're trying to follow your instructions and nelson-sbl-test@crynwr.com always answered that the test failed.

    Could you please help ?

    Many many thanks,

    jb_2000

    **********************************

    Environment : Exchange 2013 CAS & Mailbox


    [PS] C:\Windows\system32>Get-TransportAgent -TransportService FrontEnd
    Identity                    Enabled  Priority
    --------                    -------  --------
    Connection Filtering Agent  True     1

    [PS] C:\Windows\system32>Get-IPBlockListProvider
    Name              LookupDomain      Priority
    ----              ------------      --------
    zen.spamhaus.org  zen.spamhaus.org  1

    Furthermore there's no new AgentLog folder created under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\

  8. Hi, these instructions worked great. I was logging a lot of blocked spam and all looked well. Somewhere along the line it just stopped and I can't figure out why. I've removed the block list and the transport agent and re-installed them. Restarted the services and even rebooted, but now I get no activity in the log. I can't see any errors in the event viewer to point me anywhere. Not sure what happened. Can you point me to something to troubleshoot? Thank you kindly for your post and any help you might be able to provide.

  9. Is the Blocklistprovider enabled?
    Verify with "Get-IPBlockListProvider | fl"

  10. Yes, the block list provider is enabled. I think the issue might have to do with what the outside IP address of my mail server is. I tried the test email mentioned above and it didn't work because they were trying to connect back to the wrong address. Thank you for the reply.
