Connection Filtering in Exchange 2003

A client recently had problems with a compromised account being used to send spam.  Unfortunately, in this case, the client does not require authenticated SMTP from internal mail clients.  So, at first glance, it appeared that there would be no way to prevent the compromised account from sending (short of blocking his IP on the MTA's firewall or removing the offending computer from the internal network).

After a little bit of digging, it turns out that Exchange 2003 has a feature that permits an administrator to filter messages based on sender or recipient.  In this case, we wanted to filter based on a specific sender.  So, open up Exchange Global Settings > Message Delivery Properties > Sender Filtering and insert the offending sender (we can also use *@domain.tld to block an entire domain).  Click Apply … and nothing changes.

This is because we also have to enable filtering on each of the SMTP instances.  To do this, open the Exchange System Manager > Administrative Groups > Servers > (servername) > Protocols > SMTP > Default SMTP Virtual Server > Properties > General > Advanced.  Select the SMTP instance, click “Edit” and check the boxes for sender or recipient filtering.  Click OK, Apply.  And now filtering is enabled!

We can confirm this is working by using SMTP via telnet:

imac:~ jfiske$ telnet mta.domain.tld 25
Trying 1.2.3.4...
Connected to mta.domain.tld.
Escape character is '^]'.
220 mta.domain.tld Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sun, 2 May 2010 13:32:06 -0400
HELO webilaz.local
250 mta.domain.tld Hello [1.2.3.5]
MAIL FROM: username@domain.tld
554 5.1.0 Sender Denied
Connection closed by foreign host.
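
The same check can be scripted so it also confirms that the filter did not block more than intended. The following is an added example, not part of the original post: it probes the filtered sender and a second "control" sender that should still be accepted, on separate connections because the server drops the session after a denial. The function names, the HELO name filter-check.local and the control address are assumptions.

```python
import smtplib
import sys


def probe_sender(host, sender, port=25, helo_name="filter-check.local", timeout=10):
    """Return (code, text) the server gives to MAIL FROM for `sender`.

    One connection per probe: as in the telnet session above, the
    server closes the connection after "554 5.1.0 Sender Denied".
    """
    # local_hostname is set explicitly so smtplib does not do a DNS lookup
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
        smtp.helo()
        code, text = smtp.mail(sender)
        if 200 <= code < 300:
            smtp.rset()  # abandon the transaction; no message is ever sent
        # leaving the "with" block sends QUIT and tolerates a dropped session
        return code, text.decode("ascii", "replace")


def check_filter(host, blocked, control, port=25):
    """True only if `blocked` is refused AND `control` is still accepted."""
    results = {}
    for label, sender in (("blocked", blocked), ("control", control)):
        code, text = probe_sender(host, sender, port)
        results[label] = (sender, code, text)
    ok = results["blocked"][1] >= 500 and 200 <= results["control"][1] < 300
    return ok, results


if __name__ == "__main__":
    # usage: script.py mta.domain.tld username@domain.tld other@domain.tld
    host, blocked, control = sys.argv[1:4]
    ok, results = check_filter(host, blocked, control)
    for label, (sender, code, text) in results.items():
        print(f"{label:8} {sender:30} -> {code} {text}")
    sys.exit(0 if ok else 1)
```

A non-zero exit status means either the filtered sender was accepted (filtering is not enabled on that SMTP virtual server) or the control sender was refused (the filter entry is too broad).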
