
Module 3: Securing Exchange Server 2003

Practice: Maintaining Message Hygiene



Objectives
In this practice, you will:
• Configure sender filtering
• Configure connection filtering
• Configure Sender ID filtering

Instructions
Ensure that the MTL-DC1, MTL-CL1, and MTL-NT1 virtual machines are
running.

Practice

► Configuring sender filtering
1. If necessary, log on to MTL-DC1 as TailSpinToys\Administrator with the
password of Pa$$w0rd.
2. Open Exchange System Manager and click Global Settings.
3. In the details pane, right-click Message Delivery, and then click
Properties.
4. In the Message Delivery Properties dialog box, on the Sender Filtering
tab, click Add.
5. In the Add Sender dialog box, type SPAMSource@contoso.com and then
click OK.
6. In the Message Delivery Properties dialog box, click OK.
7. In the Exchange System Manager warning, click OK to acknowledge that
this filter must be enabled on the virtual server.
8. Expand Servers, expand MTL-DC1, expand Protocols, and then click
SMTP.
9. In the details pane, right-click Default SMTP Virtual Server, and then
click Properties.
10. In the Default SMTP Virtual Server Properties dialog box, on the
General tab, click Advanced.

11. In the Advanced dialog box, click Edit.


12. In the Identification dialog box, select the Apply Sender Filter check box
and then click OK.
13. In the Advanced dialog box, click OK.
14. In the Default SMTP Virtual Server Properties dialog box, click OK.
15. Log on to MTL-CL1 as TailSpinToys\Administrator with the password of
Pa$$w0rd.
16. On the Start menu, click Run.
17. In the Run box, type CMD and click OK.
18. In the Command Prompt window, type Telnet MTL-DC1 25 and then press
ENTER.
19. From the Telnet prompt, type the following text on individual lines:
Ehlo
Mail From: SPAMSource@contoso.com
20. What happened when you tried to send the message? Close the command
prompt.
The connection was dropped with a Sender Denied message.

Note If you make a mistake when you are typing the command at the Telnet
prompt, you must press ENTER and then type the entire command again. You
cannot use Backspace to correct errors when typing the commands.

► Configuring connection filtering


1. On MTL-DC1, click Start, point to All Programs, point to Administrative
Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, if necessary, expand
TailspinToys.com, and then click the Users container.
3. In the right pane, double-click Administrator. The Administrator
Properties dialog box opens.
4. On the E-mail Addresses tab, confirm that
postmaster@TailspinToys.com is listed as an SMTP address.
5. Click OK to close the Administrator Properties page.
6. Close Active Directory Users and Computers.
7. Click Start, point to All Programs, point to Administrative Tools, and
then click DNS.
8. Right-click Forward Lookup Zones and click New Zone.
9. On the Welcome to the New Zone Wizard page, click Next.
10. On the Zone Type page, ensure that Primary Zone is selected. Clear the
check box for Store the zone in Active Directory (available only if DNS
server is a domain controller). Click Next.

11. On the Zone Name page, type rbl.msft. Click Next.


12. On the Zone File page, click Next.
13. On the Dynamic Update page, click Next.
14. On the Completing the New Zone Wizard page, click Finish.
15. Expand Forward Lookup Zones and expand rbl.msft. Right-click rbl.msft
and click New Host(A).
16. In the New Host dialog box, type 30.0.10.10 as the host name and 127.0.0.1
as the IP address. In this example, you will be using MTL-NT1 (IP address
10.10.0.30) as the UCE SMTP server. When the Exchange server receives a
connection attempt from this IP address, it will look up the IP address in
DNS. The DNS server will return 127.0.0.1 as the IP address for this host.
17. Click Add Host.
18. Click OK, and then click Done. Close the DNS management console.
19. In Exchange System Manager, under Global Settings, right-click
Message Delivery, and then click Properties.
20. In the Message Delivery Properties dialog box, on the Connection
Filtering tab, click Add.
21. In the Connection Filtering Rule dialog box, in the Display Name box,
type Blocklist Provider and, in the DNS Suffix of Provider box, type
RBL.msft.
22. In the Custom Error Message to Return box, type You are denied
permission to submit SMTP messages. Send mail to
postmaster@TailspinToys.com for more information.
23. Under Return Status Code from Provider Service, click Return Status
Code.
24. In the Return Status Code window, click Match Filter Rule to the
Following Mask, type 127.0.0.1, and then click OK.
25. Verify that Disable this rule is not selected, and then click OK.
26. Click Exception.
27. In the Block List Service Configuration Settings window, click Add.
28. In the Recipient field, type postmaster@TailspinToys.com, and then
click OK.
29. Click OK, and then click OK again to close the Message Delivery
Properties window.
30. Click OK to clear the Exchange System Manager warning.
31. Expand Servers, expand MTL-DC1, expand Protocols, and then click
SMTP.
32. In the details pane, right-click Default SMTP Virtual Server, and then
click Properties.
33. In the Default SMTP Virtual Server Properties dialog box, on the
General tab, click Advanced.
34. In the Advanced dialog box, click Edit.
35. In the Identification dialog box, select the Apply Connection Filter check
box and then click OK.
36. In the Advanced dialog box, click OK.

37. In the Default SMTP Virtual Server Properties dialog box, click OK.
38. On MTL-CL1, open Outlook Express. An account is configured in Outlook
Express to use MTL-NT1.
39. Create a new message with a recipient address of Ben@TailspinToys.com
and a subject of Connection Filter Test message. Send the message.
40. Click Send/Recv. Open the message from the System Administrator and
confirm that the message contains the custom error message you configured
earlier. If the message from the System Administrator does not appear, click
Send/Recv again.
41. Create a new message with a recipient address of
Postmaster@TailspinToys.com and a subject of Connection Filter Test 2
message. Send the message.
42. Click Send/Recv. Confirm that the message was sent from the Outbox.
Close Outlook Express.
43. Click Start and click E-mail. Microsoft Office Outlook opens.
44. Confirm that the message arrived from the Fabrikam administrator. Close
Outlook.
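
The lookup that steps 16 to 28 configure, as an added Python example (not part of the course material): the server reverses the octets of the connecting IP, appends the provider's DNS suffix, and rejects when the answer matches the configured status code, unless the recipient is on the exception list. The zone dictionary, the function names, the exact-match treatment of the mask and the order of the two checks are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for the lab's rbl.msft zone: the one A record from step 16.
LAB_ZONE = {"30.0.10.10.rbl.msft": ["127.0.0.1"]}

CUSTOM_ERROR = ("You are denied permission to submit SMTP messages. "
                "Send mail to postmaster@TailspinToys.com for more information.")


def dnsbl_query_name(client_ip, provider_suffix):
    """Reverse the IPv4 octets and append the block list provider's DNS suffix."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + provider_suffix.strip(".").lower()


def lookup(name, zone=LAB_ZONE):
    """Return the A records for name, or an empty list (not listed)."""
    return zone.get(name.lower(), [])


def filter_decision(client_ip, recipient, provider_suffix="RBL.msft",
                    status_mask="127.0.0.1",
                    exceptions=("postmaster@TailspinToys.com",)):
    """Return (accepted, reason) for one recipient on a connection from client_ip.

    Assumptions: the status-code mask is modelled as an exact match, which is
    all the lab's single 127.0.0.1 record exercises, and the exception list is
    consulted before the DNS lookup.
    """
    if recipient.lower() in {e.lower() for e in exceptions}:
        return True, "recipient is on the exception list"
    answers = lookup(dnsbl_query_name(client_ip, provider_suffix))
    if status_mask in answers:
        return False, CUSTOM_ERROR
    return True, "connecting IP is not listed"


if __name__ == "__main__":
    # MTL-NT1 (10.10.0.30) sending to Ben, then to the excepted postmaster.
    for rcpt in ("Ben@TailspinToys.com", "Postmaster@TailspinToys.com"):
        print(rcpt, filter_decision("10.10.0.30", rcpt))
```
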

► Configure Sender ID Filtering


1. On MTL-DC1, open the DNS management console.
2. Expand Forward Lookup Zones, and then expand Fabrikam.com.
3. Right-click Fabrikam.com, and then click Other New Records.
4. In the Resource Record Type dialog box, click Text (TXT), and then click
Create Record.
5. In the New Resource Record dialog box, in the Text box, type
v=spf1 ip4:10.10.0.40 -all. Click OK.
6. In the Resource Record Type dialog box, click Done.
7. In Exchange System Manager, under Global Settings, right-click
Message Delivery, and then click Properties.
8. In the Message Delivery Properties dialog box, click the Sender ID
Filtering tab.
9. Click Reject (the message will not be accepted; the sending party will be
responsible for NDR generation).
10. On the General tab, under Perimeter IP List and Internal IP Range
Configuration, click Add.
11. In the Sender ID and Connection Filter Configuration Settings dialog
box, click Add.
12. In the IP Address (Mask) dialog box, under Single IP Address, type
10.10.0.10. Click OK.
13. In the Sender ID and Connection Filter Configuration Settings dialog
box, click OK.
14. Click OK to clear the Exchange System Manager warning, and then click
OK to close the Message Delivery Properties dialog box.
15. Expand Servers, expand MTL-DC1, expand Protocols, and then click
SMTP.

16. In the details pane, right-click Default SMTP Virtual Server, and then
click Properties.
17. In the Default SMTP Virtual Server Properties dialog box, under IP
address, select 10.10.0.10, and then click Advanced.
18. In the Advanced dialog box, click Edit.
19. In the Identification dialog box, click the Apply Sender ID Filter check
box, and then click OK.
20. Click OK to clear the warning.
21. In the Advanced dialog box, click OK.
22. In the Default SMTP Virtual Server Properties dialog box, click OK.
23. Right-click Default SMTP Virtual Server and click Stop. Wait for the
virtual server to stop, then right-click Default SMTP Virtual Server and
click Start.
24. On MTL-CL1, open Outlook Express.
25. Create a new message with a recipient address of
Administrator@TailspinToys.com and a subject of Sender ID Filter Test
message. Send the message.
26. Click Send/Recv. Open the message from the System Administrator and
confirm that the message was not delivered. If the message from the System
Administrator does not appear, click Send/Recv again.

Note If the message from the System Administrator still does not appear,
stop and restart the Default SMTP Virtual Server on MTL-DC1. Then send
another message to Administrator@tailspintoys.com.

27. On MTL-DC1, in the DNS management console, modify the Text (TXT) record to
read v=spf1 ip4:10.10.0.30 -all. Click OK.
28. On MTL-CL1, in Outlook Express, create a new message with a recipient
address of Administrator@TailspinToys.com and a subject of Sender ID
Filter Test 2 message. Send the message.
29. Click Send/Recv. Open Outlook to confirm that the message was delivered.
30. Close all open windows.

Note Do not shut down the virtual machines.
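
Why the first test message is rejected and the second is delivered, as an added Python example (not part of the course material): a small evaluator for SPF records that use only the ip4 and all mechanisms, run against the two records from steps 5 and 27. It assumes the sending host is MTL-NT1 at 10.10.0.30, as in the connection filtering procedure, and it does not model how Sender ID picks the purported responsible address from the message headers; the function and constant names are hypothetical.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, connecting_ip):
    """Evaluate a v=spf1 TXT record that uses only ip4 and all mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    ip = ipaddress.IPv4Address(connecting_ip)
    for term in terms[1:]:  # mechanisms are evaluated left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        match = re.match(r"[A-Za-z][A-Za-z0-9._-]*", body)
        if match is None:
            return "permerror"  # e.g. a typographic dash typed instead of "-"
        name, rest = match.group(0).lower(), body[match.end():]
        if name == "all":
            return QUALIFIERS[qualifier]
        if name != "ip4":
            raise NotImplementedError("mechanism not modelled: " + name)
        try:
            network = ipaddress.IPv4Network(rest.lstrip(":"), strict=False)
        except ValueError:
            return "permerror"
        if ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


# The lab's two records, checked against the assumed sending host MTL-NT1.
LAB_SENDER_IP = "10.10.0.30"
RECORD_STEP_5 = "v=spf1 ip4:10.10.0.40 -all"
RECORD_STEP_27 = "v=spf1 ip4:10.10.0.30 -all"
RECORD_BAD_DASH = "v=spf1 ip4:10.10.0.40 \u2013all"  # constructed: en dash before all

if __name__ == "__main__":
    for rec in (RECORD_STEP_5, RECORD_STEP_27, RECORD_BAD_DASH):
        print(repr(rec), "->", evaluate_spf(rec, LAB_SENDER_IP))
```

The third record shows a common data-entry failure: when the qualifier before all is pasted as a typographic dash, the term is not a valid mechanism and the record evaluates to a permanent error instead of a fail.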
