Connection Filtering Basics (Blocking Connection to the Server)
Many of you know what Connection Filtering is in Exchange. It lets you control which IP addresses are allowed to connect to your transport servers and which are blocked. Taking a look at the following image, we can see exactly which parts of anti-spam use the Connection Filtering agent.
In the following image, we can see the order in which the anti-spam agents run.
When a connecting server's IP is on the IP Block List, the connection is rejected at that point and none of the later agents ever see the message. Let's take a look at the IP Block List in action and see how the connecting server's session is terminated. First, let's take a look at the connecting machine's IP.
Let's telnet to the server on port 25.
We see the connection works just fine. Now let's add the client IP to the IP Block List. To do this, select IP Block List > Right-Click > Properties > Add > enter the client IP address.
Now let's try telnetting to the server over port 25 again.
As we can see, we can no longer talk to the SMTP server on port 25 because the connecting IP is on the IP Block List.
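The same before/after test from the Exchange Management Shell, as an added example that is not part of the original post. The probe function opens a TCP session to port 25 and records whether a greeting came back, so you can compare the result from the client before and after its address is added. The server name and client address are placeholders; substitute your own. The block list cmdlets run on the server (the Edge or Hub Transport server with the anti-spam agents installed), while the probe runs on the client being blocked.

```powershell
# Added example (not from the original post). Placeholder names and addresses.
function Test-Smtp25 {
    param(
        [Parameter(Mandatory=$true)] [string] $Server,
        [int] $Port = 25,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return New-Object PSObject -Property @{ Server = $Server; Connected = $false; Reply = 'connect timeout' }
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        # The first line the server sends is either a 220 greeting (accepted) or a
        # rejection; a blocked client may instead get the socket closed with no reply.
        $reply = $reader.ReadLine()
        $writer.WriteLine('QUIT'); $writer.Flush()   # leave the session cleanly
        return New-Object PSObject -Property @{ Server = $Server; Connected = $true; Reply = $reply }
    } catch {
        return New-Object PSObject -Property @{ Server = $Server; Connected = $false; Reply = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

$edge     = 'edge01.contoso.com'   # placeholder: the transport server being tested
$clientIp = '192.0.2.50'           # placeholder: the machine you are telnetting from

# 1. On the client: expect Connected = True and a 220 greeting in Reply.
Test-Smtp25 -Server $edge

# 2. On the server: same as the GUI steps (IP Block List > Properties > Add).
Add-IPBlockListEntry -IPAddress $clientIp -Comment 'Connection filtering test'
Get-IPBlockListEntry -IPAddress $clientIp    # confirm the entry exists

# 3. On the client again: no 220 greeting this time; the reply is a rejection
#    or the socket is closed by the server.
Test-Smtp25 -Server $edge

# 4. Clean up so the test entry does not outlive the exercise.
Get-IPBlockListEntry -IPAddress $clientIp | Remove-IPBlockListEntry
```

Add-IPBlockListEntry also accepts -ExpirationTime if you want a temporary block that removes itself, which is safer than relying on remembering step 4.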
Connection Filtering and Non-Exchange SMTP Filtering Appliances/Servers
The key point here is that Connection Filtering does its lookup on the last untrusted IP address in the message's path, not simply on whichever server happened to open the connection. The thing most often overlooked when using the Exchange or Forefront Connection Filtering agent is that you must tell Exchange which SMTP IP addresses in your organization are trusted.
This is done on the Hub Transport configuration and applies organization-wide (Edge Transport servers pick it up through EdgeSync). To modify the trusted SMTP IP addresses, go to Organization Configuration > Hub Transport > Global Settings > Message Delivery.
When using Connection Filtering it is very important to enter ALL trusted IP addresses that handle SMTP in the organization. This includes any SMTP appliance or server that sends traffic to Exchange: Ironport, Sendmail, Barracuda, etc. The reason is that Connection Filtering looks at the IP address of the server that is sending to it and does the lookup on that address. But say it's the Edge Transport server and it's receiving mail from an Ironport.
Do you really want the Connection Filtering lookup to be done on the Ironport's IP? Of course not; the Ironport is an internal server. Connection Filtering ignores any IPs listed in the Message Delivery list above. This means that if an Exchange Edge server receives mail from an Ironport, and the Ironport IP is on that list, the Edge server does its Connection Filtering lookup on the last untrusted IP, which is the server that sent the mail to the Ironport (unless that server is also an internal device on the list, in which case it keeps walking back). If the Ironport is NOT on the list, the lookup is done on the Ironport's own address, and the real sender is never checked at all.
So make sure you add all trusted IPs internal to your organization (Exchange and non-Exchange servers handling SMTP) to make sure Connection Filtering is working as it should.
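The same configuration from the Exchange Management Shell, plus a small walk over a constructed hop list that shows which address the filter ends up checking. This is an added example, not code from the original post or from Exchange itself: the Get-LastUntrustedHop function is a simplified model of the "last untrusted IP" rule described above, and the addresses are placeholders.

```powershell
# Added example (not from the original post). Placeholder addresses.

# Trusted SMTP hosts in front of Exchange: the Ironport pair in this scenario.
$ironports = '10.10.1.5', '10.10.1.6'

# Set-TransportConfig -InternalSMTPServers '10.10.1.5' would REPLACE the whole
# list and silently drop everything already in it. Use the @{Add=...} form so
# the existing entries (other Exchange servers, a Barracuda, a sendmail relay)
# are kept. @{Remove=...} takes an entry out the same way.
Set-TransportConfig -InternalSMTPServers @{Add=$ironports}

# Verify what the organization now trusts (the GUI equivalent is
# Organization Configuration > Hub Transport > Global Settings > Message Delivery).
$trusted = (Get-TransportConfig).InternalSMTPServers | ForEach-Object { $_.ToString() }
$trusted

function Get-LastUntrustedHop {
    param(
        [string[]] $HopIPs,     # hops in delivery order; last element connected to us
        [string[]] $TrustedIPs  # the InternalSMTPServers list
    )
    # Walk back from the server that connected to us. The first hop that is not
    # in the trusted list is the one Connection Filtering looks up. If every hop
    # is trusted there is nothing external to check.
    for ($i = $HopIPs.Count - 1; $i -ge 0; $i--) {
        if ($TrustedIPs -notcontains $HopIPs[$i]) { return $HopIPs[$i] }
    }
    return $null
}

# Constructed path: internet sender -> Ironport -> Edge Transport
$path = '203.0.113.7', '10.10.1.5'

# With the Ironport trusted, the lookup lands on the real external sender.
Get-LastUntrustedHop -HopIPs $path -TrustedIPs $ironports   # 203.0.113.7

# With an empty trusted list, your own Ironport is what gets looked up,
# and the external sender is never examined.
Get-LastUntrustedHop -HopIPs $path -TrustedIPs @()          # 10.10.1.5
```

Run the Get-TransportConfig check on an Edge Transport server as well after the next EdgeSync cycle; if the Ironport addresses are not in the list there, the Edge server is still doing its lookups against the appliance rather than the sender.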