Recipient Validation on the non-domain Exchange Edge Servers - ORF Forums




We want to enable the sender verification function (Blacklists -> Recipient Validation).

In our configuration, ORF runs on the Exchange Edge Server, which is not a domain member.
On the Edge server, users are stored in the AD LDS service.
Is there any instruction on how to set up ORF with AD LDS on Exchange Edge?

ORF 6.3, Exchange 2010 sp3

by Nikolay.Yakimov 1 month ago

@Nikolay.Yakimov: Hello Nikolay,

Recipient Validation under Edge Transport Role is not supported for two reasons:

1) Exchange Edge Transport does recipient validation on its own, on protocol level, so ORF's check would be redundant.

2) On Edge Transport role servers there is no Active Directory to validate the recipients' addresses against. Edge Transport uses ADAM with a different schema than the actual source Active Directory: for security purposes, ADAM does not store the recipient email addresses, but a kind of undocumented one-way hash of the addresses, so anyone penetrating the Edge Transport server would not get this information. Assuming we would provide AD-based recipient validation on Edge Transport servers, that would take drilling a hole in the firewall to provide a TCP channel to the AD server, which would significantly weaken the security model of Exchange Edge Transport separation.

What you can do to work around this problem is to export the email addresses from the various ADs and use either SQL-based or text file-based validation. I would recommend SQL if your organization is large and changes address data frequently.

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)
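The export step Daniel describes, shown as an added example (not Vamsoft's code and not part of the original reply). It runs in the Exchange Management Shell on an internal, domain-joined server, never on the Edge server, and writes one SMTP address per line. The output path and the one-address-per-line layout are assumptions; check them against the ORF text file import documentation before use.

```powershell
# Added example: export every SMTP proxy address in the organisation to a plain
# text list for ORF's text file-based recipient validation.
# Run on an internal Exchange server (Exchange Management Shell), not on Edge.
# Assumption: ORF expects one address per line, lowercase, no prefix.
$outFile = 'C:\ORF\valid-recipients.txt'   # hypothetical path, adjust as needed

$addresses = Get-Recipient -ResultSize Unlimited |
    ForEach-Object { $_.EmailAddresses } |            # ProxyAddress objects, e.g. "SMTP:user@example.com"
    ForEach-Object { $_.ToString() } |
    Where-Object { $_ -match '^smtp:' } |             # -match is case-insensitive: keeps SMTP: and smtp:
    ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() } |
    Sort-Object -Unique                                # one entry per address, stable ordering for diffing

# ASCII output avoids a BOM that a line-oriented importer might read as part of the first address.
$addresses | Set-Content -Path $outFile -Encoding ASCII
Write-Host ("Exported {0} addresses to {1}" -f $addresses.Count, $outFile)
```

Copy the resulting file to the Edge server over whatever channel you already use for configuration, and re-run the export on a schedule so that new mailboxes are not rejected; the sorted, deduplicated output makes the difference between two runs easy to review.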


@Nikolay.Yakimov: As Daniel pointed out, it's not supported and not necessary. As ORF would need a connection to the domain controller, this would weaken the security you have now built into the Edge sync (which is a one-way sync from internal Exchange to Edge only). So just enable recipient validation on the Recipient Filter agent and accepted domains.

1. Activate the Recipient Filter agent on Edge with blocking for non-existent addresses:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Set-RecipientFilterConfig -BlockListEnabled $true

2. Enable accepted domains to be checked:
Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true (this will enable it for all accepted domains; please modify as needed)

The above will only work when Edge sync is configured.


PS: Exchange 2010 is way out of support.

by NorbertFe 1 month ago
(in reply to this post)
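NorbertFe's two steps combined into one script with a verification pass at the end, as an added example (not NorbertFe's own script). It runs in the Exchange Management Shell on the Edge Transport server and assumes an EdgeSync subscription is already in place, since the address-book check relies on the recipient data EdgeSync pushes into AD LDS.

```powershell
# Added example: enable Edge recipient filtering end to end and show the result.
# Run in the Exchange Management Shell on the Edge Transport server.
# Assumption: EdgeSync is already subscribed, so AD LDS holds the recipient hashes.

# Step 1: make sure the Recipient Filter agent itself is enabled.
$agent = Get-TransportAgent -Identity 'Recipient Filter Agent'
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity 'Recipient Filter Agent'
    # Agent state changes take effect after the Microsoft Exchange Transport service restarts.
    Restart-Service -Name MSExchangeTransport
}

# Reject RCPT TO for addresses that are not in the synced recipient list,
# and honour the blocked-recipients list (both switches from the post above).
Set-RecipientFilterConfig -RecipientValidationEnabled $true -BlockListEnabled $true

# Step 2: turn on address-book lookup for accepted domains.
# As in the post, this applies to every accepted domain; use -Identity to limit it.
Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true

# Verification: print the effective settings so the change can be confirmed and audited.
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled, BlockListEnabled
Get-AcceptedDomain | Format-Table Name, DomainName, AddressBookEnabled -AutoSize
```

After running it, send a test message to a non-existent address in one of the accepted domains from an external sender; the expected outcome is a protocol-level rejection at RCPT TO rather than an accepted-then-bounced message, which is the behaviour that makes ORF's own check redundant here.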
