Skip to main content

What is SafeList Aggregation in Exchange 2007 or How to help you administer Safe senders list in Exchange 2007 to fight false-positives?

"safelist aggregation refers to a set of anti-spam functionality that is shared across Microsoft Office Outlook and Exchange" - Microsoft

So let's see what this functionality really is. Presume your Exchange architecture is using Hub Transport and no Edge Transport Exchange server role. You enabled Anti-spam functionality on your Hub Transport server and you created quarantine mailbox for collecting spam mails.To help you reduce instances of false-positives you can enable the SafeList Aggregation which uses Outlook's Safe senders and safe recipients, Safe Domain and External Contacts collections for Exchange's ALLOWED senders list.

First, you need to send this data to Active Directory from where it can be read by Anti-spam agent on Exchange 2007 Hub or Edge Transport Exchange role.This can be done by running the Exchange Management Shell cmdlet Update-SafeList on a user's mailbox.

Syntax: Update-SafeList -Identity <MailboxIdParameter>

Let's say you want to use Safe Senders collection from Dusan Kosaric's mailbox. You would use the following syntax:

Update-SafeList -Identity "Dusan Kosaric"

If you wan to update Safe List from every mailbox in organization on regular basis you can create scheduled task. First create the SafeList.bat file with following entries:

"C:\Program Files\Microsoft Command Shell\v1.0\Powershell.exe" -psconsolefile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command

"get-mailbox where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } update-safelist"

After you create SafeList.bat file, run this command in Exchange Management Shell:

at 01:00 /every:M,T,W,Th,F,S,Su cmd /c "X:\SafeList.bat"

If your organization is not a large one and you are not dealing with A LOT of spam, you can use SafeList Aggregation only from Quarantine mailbox. You can open your quarantine mailbox in Outlook 2003 or 2007 and search through mails to find false-positives. Add senders to the Outlook Safe Senders list under Actions -> Junk e-mail -> Junk e-mail options -> Safe Senders in Outlook and than run Update-SafeList cmdlet in Exchange Management Shell.

************
Related links:

http://technet.microsoft.com/en-us/library/bb125168.aspx

http://technet.microsoft.com/en-us/library/aa998280.aspx

Comments

  1. Hi,

    I tried to use this procedure.

    1° fyi in SBS2008 path for Powershell.exe is C:\windows\System32\WindowsPowerShell\V1.0\

    2° when I start the .bat file a received the message "C:\windows\System32\WindowsPowerShell\V1.0\Powershell.exe" -psconsolefile
    Missign argument for parameter psconsolefile

    Any idea?

    Yves

    ReplyDelete
  2. For SBS2008:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command ....

    ReplyDelete
  3. I've been using this feature for quite a while now. Spammers must have noticed and are lately starting to spoof e-mail adresses to get Spam through my Spam filters. Any idea what to do?

    ReplyDelete
  4. It is a common problem. Some people block their own domain in order to prevent this, but be careful with this in order not to block yourself fully if you have special architecture and combinations with mail flow.

    Dusan

    ReplyDelete

Post a Comment

Popular posts from this blog

Netscaler vs Exchange 2019 "time out during ssl handshake stage

If you are using Citrix Netscaler as load balancer in front of Exchange 2019 server you must know this: Microsoft Exchange 2019 is secured by default and allows only TLS 1.2. Therefore default schannel settings are as follows (using IISCrypto tool from Nartac Software): While Citrix Netscaler offers following Cipher Suites: TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA Now, you will fi

Reason: [{LED=250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded};{MSG=};{FQDN=};{IP=};{LRT=}]

 If you got this error checking the mail flow for a distribution group, it means the distribution group is closed and only internal senders can send e-mail to this group. When outside user sends e-mail to this group you get  Reason: [{LED=250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded};{MSG=};{FQDN=};{IP=};{LRT=}] Set Delivery for this group to internal and external users and your problem will be solved. 

Ports that need to be open on Firewall for Edge Transport servers

Ports that need to be open on firewall for Edge Server subscription with Hub Server to function properly: For Inbound traffic: SMTP - TCP port 25 (from Internet) SMTP - TCP port 25 (from Edge server to Hub server on internal network) For Outbound traffic: SMTP - TCP/UDP port 25 (from Edge to Internet) SMTP - TCP/UDP port 25 (from Hub to Edge server) LDAP for EdgeSync - TCP port 50389 (from Hub to Edge server) Secure LDAP for EdgeSync - TCP port 50636 (from Hub to Edge server) Since Edge server needs to communicate with Hub server it is important that it can resolve Hub transport servers by FQDN and Hub transport servers must be able to resolve Edge servers by its FQDNs. To accomplish this you need to either open 53 (DNS) port and configure internal network adapter to use internal DNS but as a security precaution I would suggest to enter DNS records for Edge servers on local DNS manually and to fill hosts file on Edge servers with FQDNs for Hub transport servers.