Tuesday, 19 January 2016

Block spoofed email - Part 1 | Exchange 2010 - 2016

Introduction


In this post we'll look at a hot topic: how to block email that claims to come from your own domain but was not sent by your email server, i.e. email from someone spoofing your email domain. This works for Exchange 2010, 2013 and 2016.

We’ll also block spoofed email for other domains.


How to block spoofed email from your domain


We’ll go through these steps:

  • Create an SPF record for your domain configured with a HardFail
  • Configure the InternalSMTPServers property on your transport servers
  • Install the Anti-Spam agents on Exchange
  • Configure SenderID filtering to reject emails that fail SPF checks
  • Test SenderID Agent



Create an SPF record for your domain configured with a HardFail


An SPF record is a TXT record in DNS that begins with v=spf1. It lists the IPs (and hosts) that the domain owner has authorised to send email for that domain, and it tells the receiving mail server what to do with email that arrives from an IP that is not on that list.

Create an SPF record for your domain by following the instructions here. Make sure you set your SPF record to prohibit all sending IPs that are not listed by ending it with the -all mechanism (a hard fail). Ending it with ~all is only a soft fail and, as you will see later, Exchange does not reject on a soft fail by default.

Your SPF record should look something like this:

v=spf1 ip4:95.59.2.21 ip4:95.59.2.22 ip4:195.168.1.0/28 mx -all

This simple SPF record states that the hosts named by your domain's MX records and the additional IPs listed (two single addresses and the 195.168.1.0/28 range) are allowed to send email for your domain.

Note the -all mechanism at the end of the record. This is important as you will see later when we come to configuring the SenderID Agent on Exchange.

If you are using split DNS then you need to ensure that you configure your SPF record on both your external DNS forward lookup zone and your internal DNS forward lookup zone.
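To see what the terminator actually changes, here is an added example (not code from the original post) that evaluates an SPF record against a connecting IPv4 address the way a receiving server does. It evaluates ip4 mechanisms and the all terminator offline; the a and mx mechanisms are only resolved, via Resolve-DnsName, when a -Domain is supplied, which assumes the DnsClient module (Windows 8 / Server 2012 or later). The record and the first two addresses are the post's own sample values; 203.0.113.5 is a constructed address from a documentation range, and include, exists and IPv6 mechanisms are left out of scope.

```powershell
# Added example, not from the original post: minimal SPF evaluation for IPv4.
# Assumptions: DnsClient module for the optional a/mx lookups; record and IPs are
# the post's sample values plus one constructed outsider address.

function ConvertTo-Ip4Int {
    # IPv4 dotted quad -> integer, so a prefix mask can be applied with -band
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-Ip4Match {
    # True when $Ip falls inside $Cidr ("a.b.c.d" or "a.b.c.d/n")
    param([string]$Cidr, [string]$Ip)
    $addr, $len = $Cidr -split '/'
    $prefix = if ($len) { [int]$len } else { 32 }
    $mask = 4294967295 - ([int64][math]::Pow(2, 32 - $prefix) - 1)
    return ((ConvertTo-Ip4Int $Ip) -band $mask) -eq ((ConvertTo-Ip4Int $addr) -band $mask)
}

function Resolve-SpfHosts {
    # Expand an "a" or "mx" mechanism to IPv4 addresses via DNS (online only)
    param([string]$Mechanism, [string]$Domain)
    $names = if ($Mechanism -eq 'mx') {
        (Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue).NameExchange
    } else { $Domain }
    foreach ($n in $names) {
        (Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue).IPAddress
    }
}

function Test-SpfRecord {
    # Returns Pass / Fail / SoftFail / Neutral / PermError for $ClientIp
    param(
        [Parameter(Mandatory)][string]$Record,
        [Parameter(Mandatory)][string]$ClientIp,
        [string]$Domain   # optional; enables "a" and "mx" lookups
    )
    if ($Record -notmatch '^v=spf1(\s|$)') { return 'PermError' }
    $results = @{ '+' = 'Pass'; '-' = 'Fail'; '~' = 'SoftFail'; '?' = 'Neutral' }
    foreach ($term in ($Record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^[+\-~?]') { $qualifier = $term[0]; $term = $term.Substring(1) }
        $hit = $false
        if ($term -match '^ip4:(.+)$') {
            $hit = Test-Ip4Match -Cidr $Matches[1] -Ip $ClientIp
        }
        elseif ($term -eq 'all') {
            $hit = $true
        }
        elseif ($Domain -and $term -match '^(a|mx)$') {
            $hit = (Resolve-SpfHosts -Mechanism $term -Domain $Domain) -contains $ClientIp
        }
        # include, exists, ip6 and modifiers are out of scope for this example
        if ($hit) { return $results[[string]$qualifier] }
    }
    return 'Neutral'   # no mechanism matched and the record has no "all"
}

# The post's record, once with the hard fail and once rewritten to a soft fail
$hardFail = 'v=spf1 ip4:95.59.2.21 ip4:95.59.2.22 ip4:195.168.1.0/28 mx -all'
$softFail = $hardFail -replace '-all$', '~all'

# 203.0.113.5 is a constructed address that is not in the record
foreach ($ip in '95.59.2.21', '195.168.1.9', '203.0.113.5') {
    [pscustomobject]@{
        ClientIp    = $ip
        HardFailSpf = Test-SpfRecord -Record $hardFail -ClientIp $ip
        SoftFailSpf = Test-SpfRecord -Record $softFail -ClientIp $ip
    }
}
```

Both listed addresses give Pass under either record (195.168.1.9 because it sits inside the /28), while the outsider address gives Fail under -all and only SoftFail under ~all. That SoftFail is exactly the result the Sender ID agent leaves alone by default, which is why the rest of this post insists on -all.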

Configure the InternalSMTPServers property on your transport servers


For Sender ID filtering, Exchange needs the IP address of the host that handed the message into your organization. It finds it by walking the message's Received headers and skipping every IP listed in InternalSMTPServers. If you do not list the IPs of your other Exchange servers (and any email gateways/smart hosts in front of them), Exchange will evaluate the SPF record against one of those internal IPs instead of the real external client IP, and the check gives the wrong result.

For example, if you have two Exchange servers with IPs 10.2.0.21 and 10.2.0.22 and an email gateway on 10.3.0.10, run this command once. The setting is organization-wide rather than per server, and the value you give replaces the existing list, so include every internal hop in the one command:

Set-TransportConfig -InternalSMTPServers 10.2.0.21,10.2.0.22,10.3.0.10


Install the Anti-Spam agents on Exchange


Our next step is to install the anti-spam agents on Exchange if you have not already done so. Listing the transport agents shows which are installed:

Get-TransportAgent


In the above screenshot, there are no anti-spam transport agents listed because they’re not installed. We should expect to see new transport agents such as Sender Filter Agent and Sender Id Agent.

To go ahead and install the Anti-Spam agents, run the command below on your mailbox server in Exchange 2013 or 2016 or your hub transport server in Exchange 2010:


& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1


Then restart the Microsoft Exchange Transport Service:

Restart-Service MSExchangeTransport


Now we can confirm that we have additional Transport Agents:

Get-TransportAgent


Configure SenderID filtering to reject emails that fail SPF checks


Our next and final step is to configure Exchange to reject email that fails the Sender ID check, using the Sender ID transport agent we've just installed. Sender ID takes the Purported Responsible Address (PRA) from the message headers (From, Sender and the Resent- variants) and evaluates the sending IP against the SPF record of that address's domain. A message from an IP that the record prohibits with -all gets a Fail result, and that is what we will reject.

When installed, the Sender ID agent is enabled but its SpoofedDomainAction is StampStatus, which only records the result of the SPF check in the message headers and rejects nothing. It is also only enabled for external email by default (ExternalMailEnabled is true, InternalMailEnabled is false).

For our purposes, we will configure it to reject spoofed domains. This will not only reject spoofed email for our own email domain, it will also reject spoofed email for any other domain that publishes a valid SPF record ending in -all. This is why the hard fail is important: Exchange, like many other mail systems, will not block a soft fail (~all) by default (but see part 2 for how to do this in Exchange).

Let’s go ahead and configure the SenderID agent to block spoofed emails:

Set-SenderIdConfig -SpoofedDomainAction Reject


Some domains do not have their SPF records configured correctly: they publish a hard fail but actually send some email from IPs that are not included in the record. To get around this, you can set those domains to bypass the Sender ID checks (again, the value you give replaces the existing list):

Set-SenderIdConfig -BypassedSenderDomains contoso.com,tailspintoys.com


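The steps above, pulled together as one added Exchange Management Shell script (not code from the original post) that an administrator can run again safely: it adds the internal hops without dropping any already configured, installs the anti-spam agents only when the Sender Id Agent is missing, sets the reject action, and prints the resulting configuration so you can check it. The server IPs, gateway IP and bypassed domains are the post's sample values; replace them with your own. It is assumed the shell is running on a Mailbox server (Exchange 2013/2016) or a Hub Transport server (Exchange 2010).

```powershell
# Added example, not from the original post: the full Sender ID configuration
# from this post as one re-runnable Exchange Management Shell script.
# Assumptions: run as an Exchange administrator on a Mailbox (2013/2016) or
# Hub Transport (2010) server; IPs and domains below are the post's samples.

$internalHops  = @('10.2.0.21', '10.2.0.22', '10.3.0.10')   # Exchange servers + gateway
$bypassDomains = @('contoso.com', 'tailspintoys.com')        # senders with broken SPF

# 1. Internal hops that Sender ID must skip when it walks the Received headers.
#    Organization-wide setting; @{Add=...} keeps entries that are already there.
Set-TransportConfig -InternalSMTPServers @{Add = $internalHops}

# 2. Install the anti-spam agents only if the Sender Id Agent is not present.
$senderIdAgent = Get-TransportAgent | Where-Object { $_.Identity -eq 'Sender Id Agent' }
if (-not $senderIdAgent) {
    & "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
    Restart-Service MSExchangeTransport
}

# 3. Reject a message whose PRA domain publishes "-all" and whose sending IP is
#    not listed. TempErrorAction is left at StampStatus so that a transient DNS
#    failure does not bounce legitimate mail.
Set-SenderIdConfig -Enabled $true -ExternalMailEnabled $true `
    -SpoofedDomainAction Reject -TempErrorAction StampStatus `
    -BypassedSenderDomains @{Add = $bypassDomains}

# 4. Show what is now in effect so the change can be verified.
Get-TransportConfig | Select-Object -ExpandProperty InternalSMTPServers
Get-TransportAgent 'Sender Id Agent' | Format-List Identity, Enabled, Priority
Get-SenderIdConfig | Format-List Enabled, ExternalMailEnabled, InternalMailEnabled, `
    SpoofedDomainAction, TempErrorAction, BypassedSenderDomains
```

The @{Add=...} syntax is the reason the script can be re-run: a plain -InternalSMTPServers or -BypassedSenderDomains value overwrites the whole list, which is an easy way to silently drop a gateway IP and have every external message checked against the wrong address.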

Test SenderID Agent


Now we can demonstrate that this is blocking spoofed email for our domain. First, let's test using the Send-MailMessage cmdlet in PowerShell, run from a computer on the internet whose IP is not listed in the SPF record:

Send-MailMessage -To administrator@litwareinc.com -From administrator@litwareinc.com -Subject "Testing email server SenderID Filter" -SmtpServer mx1.litwareinc.com


For more information about how to send email using PowerShell, see here. The error we get is:

The server response was: 5.7.1 Sender ID (PRA) Not Permitted

... and the email was rejected! Now spoofed email from your domain is blocked, and spoofed email from other domains is blocked if they publish an SPF record with a hard fail.
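The same test, as an added example that is not part of the original post, wrapped so that the SMTP response is classified rather than read off a stack trace, followed by the check on the Exchange side that confirms the Sender Id Agent, and not something else, produced the reject. The domain and MX host are the post's sample values, and the first function must run from a host whose public IP is not in your SPF record; the Get-AgentLog query is run in the Exchange Management Shell on the receiving server and assumes anti-spam agent logging is enabled (it is by default once the agents are installed).

```powershell
# Added example, not from the original post: run the spoofing test and classify
# the result, then confirm the reject in the Sender Id Agent log.
# Assumptions: litwareinc.com / mx1.litwareinc.com are the post's sample values;
# the test host's public IP is not in the SPF record; agent logging is enabled.

function Test-SpoofRejected {
    param(
        [string]$Domain     = 'litwareinc.com',
        [string]$SmtpServer = 'mx1.litwareinc.com'
    )
    try {
        Send-MailMessage -To "administrator@$Domain" -From "administrator@$Domain" `
            -Subject 'Testing email server SenderID Filter' -Body 'Sender ID spoof test' `
            -SmtpServer $SmtpServer -ErrorAction Stop
        # Delivered: Sender ID is not rejecting; check SpoofedDomainAction and the
        # SPF record's terminator before assuming the filter works.
        return 'NotRejected'
    }
    catch [System.Net.Mail.SmtpException] {
        $msg = $_.Exception.Message
        if ($msg -match 'Sender ID \(PRA\) Not Permitted') { return 'RejectedBySenderId' }
        # "Unable to relay" means the connector refused the recipient, so the
        # message never reached the Sender ID agent: the test says nothing yet.
        if ($msg -match 'Unable to relay') { return 'RelayDenied' }
        return "OtherSmtpError: $msg"
    }
}

Test-SpoofRejected

# On the Exchange server: what the anti-spam agents did with recent messages.
# A rejected spoof shows up here as a Sender Id Agent entry with a reject action
# and the IP that was evaluated, which is the quickest way to spot a missing
# InternalSMTPServers entry (the evaluated IP would be an internal hop).
Get-AgentLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq 'Sender Id Agent' } |
    Select-Object Timestamp, IPAddress, P1FromAddress, Action, Reason, ReasonData |
    Format-Table -AutoSize
```

Because Sender ID needs the message headers to work out the PRA, the reject comes back during the DATA phase of the SMTP session, after the server has already accepted MAIL FROM and RCPT TO; a rejection at RCPT TO is a connector or accepted-domain problem, not a Sender ID result.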


Conclusion


In this post, I’ve demonstrated how to configure Exchange 2010, 2013 or 2016 to reject spoofed email for your domain and other domains. This is done by blocking SPF HardFails.

In part 2, I'll demonstrate how to block emails from domains whose SPF record is configured with a SoftFail (~all) rather than a HardFail.

11 comments:

  1. Great post! Informative, all commands work perfectly.

  2. When testing I get 5.7.1 Unable to relay. Solution?

  3. Blogging is incredible and every blogger is playing a great role in introducing new things in blogging. I always like to fly around different blogs and read the strategies of different bloggers to understand blogging in more depth. Being a blogger, I really appreciate your work, and no doubt your blog is awesome.
    Love from Asad Niazi

  4. This blog is really amazing; it gives me a lot of information.
    Thank you very much. I hope to see more blogs from you.

  5. Thanks so much. Is there a way to set it so we only are checking for a valid SPF on our domain only? E.g. our domain is @widgets.com and I want to allow all people with no spf through provided they aren't from our own domain? We get a lot of fake emails from many public IPs that are from lets say info22@widgets.com - there is no one internally with that email address but the end users will open it thinking it is valid.

  6. Is there a way to bypass SPF checks for a certain client IP and a sender address?
    i.e. I want to be able to send email from an internal spoofed address but only allow it if it's come from my server.

  7. Create a receive connector, allow anonymous login to send, and restrict it to a certain IP address. Best if that IP is LAN-based. Not sure about the sender address though, because someone can spoof a certain sender address that has an open relay enabled and will use it to send spam, getting you blacklisted.

  8. If you are using PowerShell 4.0 to test, some additional commands are required. This post details it perfectly. https://markgossa.blogspot.com/2015/10/send-email-with-powershell.html

  9. Whoa, this blog is fantastic, I like studying your posts. Keep up the great work! You understand, a lot of people are hunting around for this info; you could help them greatly.
    freelance jobs online for beginners
