Managing the Edge Transport Server • Chapter 7 427 3. Set up delegation if you’re going to open the mailbox as an additional mailbox under your primary mailbox account. 4. On the Edge Transport server, open the EMS, type Set-ContentFilterConfi g -QuarantineMailbox <SmtpAddress>, and press Enter. All quarantined messages will now be sent to the specifi ed e-mail address, so be sure to check it for any false positives on a regular basis. When you fi nd a false positive, you can resend it to the original recipient by opening the message and clicking Resend. In addition, you can create a list of words and/or phrases that won’t be blocked no matter the SCL rating of the particular message (the Content Filter will assign an SCL rating of 0 to messages including these words and/or phrases). You can also create a list of words and/or phrases that should be blocked no matter the SCL rating (see Figure 7.43). Figure 7.43 The Custom Word List on the Content-Filtering Properties Page 428 Chapter 7 • Managing the Edge Transport Server If for some reason you don’t want to block any messages destined for a particular SMTP address, you can add the address to an exceptions list (see Figure 7.44). Figure 7.44 The Exceptions List on the Content-Filtering Properties Page Safelist Aggregation The content-fi ltering agent includes another antispam feature that isn’t visible in the EMC GUI. Called safelist aggregation, it is a feature that basically collects data from the Safe Senders and Safe Recipients lists, which can be found under the Junk E-Mail Options in Outlook 2007 (see Figure 7.45). Managing the Edge Transport Server • Chapter 7 429 Figure 7.45 The Safe Senders List in Outlook 2007 The e-mail addresses and/or domains that the end users in your Exchange organization have added to the Safe Senders and/or Safe Recipients list are stored on the respective mailbox servers on which a mailbox is located and can from here be pushed to Active Directory service, where the lists can be stored on each user object. If you use the EdgeSync service, these lists will, as part of the recipient data, be replicated from Active Directory to the ADAM store on the edge transport server. 430 Chapter 7 • Managing the Edge Transport Server To reduce the number of false positives on the Edge Transport server, the Content Filtering agent can, using safelist aggregation, let the e-mail addresses and domains confi gured on the Safe Sender list be allowed to pass through to end users’ mailboxes without additional processing by the rest of the fi ltering agents. If you enable Also trust e-mail from my Contacts on the Safe Senders tab in Outlook 2007, shown in Figure 7.45, all Outlook contacts in user mailboxes will be allowed to pass through the fi ltering agents as well. Pretty neat, right? Even though you have enabled the Content Filtering agent, you still need to enable and confi gure the safelist aggregation feature before you can use it. To do so, perform the following steps: 1. Log on to the Exchange 2007 server that has the Mailbox server role installed and open the EMS. 2. To read the Safelist collection from each user’s mailbox and then hash and write it to the respective user objects in Active Directory, you will need to run the Update-Safelist CMDlet. When using the Update-Safelist CMDlet, you are expected to provide the identity for the mailbox you want to run the CMDlet on. Since you want to run the Update-Safelist CMDlet on all mailbox users on the mailbox server, you will need to use piping. To run Update-Safelist for all mailbox users, type “get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::MailboxUser } | update-safelist” and then press Enter. 3. Since the Update-Safelist CMDlet is a onetime-only command, you need to use the Windows Scheduler to schedule the CMDlet to run, let’s say, once every 24 hours. To do so, create a batch fi le with the following code: “C:\Program Files\Windows Powershell\v1.0\Powershell.exe” -psconsolefi le “C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1” -command “Get-Mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data. Directory.Recipient.RecipientType]::MailboxUser } | Update-Safelist” 4. Save the batch fi le as Update-Safelist.bat or something similar. (Remember to change Notepad to all fi les instead of .txt fi les.) 5. Now schedule this batch fi le to be run every 24 th hour (for example, at 00.00). To do this, open a command prompt window (or use the Windows Scheduler, which can be found in the Control Panel), type AT 00.00 /every:M,T,W,Th,F,S,SU cmd /c “C:\Update-Safelist.bat”, and press Enter. 6. To see whether Update-Safelist has updated the respective Active Directory user objects, you can check the msExchSafeRecipientsHash and msExchSafeSendersHash attributes for a couple of user objects using ADSI Edit or a similar tool. If these attributes have a value of <Not Set>, they haven’t been updated, but if they instead have a value similar to 0xac 0xbd 0x03 0xca, the user objects have been updated. Managing the Edge Transport Server • Chapter 7 431 NOTE To use ADSI Edit, you need to install the Windows Server 2003 Support Tools on the respective Exchange 2007 server. To see whether safelist aggregation works as expected on the edge transport server, try to add a custom word or phrase to the Custom Words block list, which is found on the Properties page of the Content Filter. Now add the e-mail address of the private e-mail account (such as a Hotmail) to the Safe Senders list of your mailbox in Outlook 2007. Finally, send an e-mail message containing the word or phrase you added to the block list to your Exchange 2007 Mailbox user account. If the message appears in your mailbox, the safelist aggregation feature works as expected. Outlook E-mail Postmark Validation In addition to the safelist aggregation feature, the Content Filtering agent includes one more feature that will help reduce the number of false positives in your Exchange organization. The feature, called Outlook E-Mail Postmark Validation, is a computational proof that Outlook applies to all outbound messages to help recipient messaging systems distinguish legitimate e-mail messages from junk. With Outlook E-Mail Postmark Validation enabled, the Content Filtering agent will parse all inbound messages for a computational postmark header. If a valid as well as solved computational postmark header is present in a message, it means that the client computer that generated the message solved the computational postmark. The result of a postmark validation will be used when the overall SCL rating for an inbound message is calculated. NOTE If no computational postmark header exists or if the header is invalid, the SCL rating will not be changed. On a default installation of the Edge Transport server role, the Outlook E-Mail Postmark Validation feature is enabled by default, but to verify that the feature indeed is enabled on your system, you can open the EMC and type Get-ContentFilterConfi g (see Figure 7.46). . server that has the Mailbox server role installed and open the EMS. 2. To read the Safelist collection from each user’s mailbox and then hash and write it to the respective user objects in Active. Filter will assign an SCL rating of 0 to messages including these words and/ or phrases). You can also create a list of words and/ or phrases that should be blocked no matter the SCL rating (see. Senders List in Outlook 2007 The e-mail addresses and/ or domains that the end users in your Exchange organization have added to the Safe Senders and/ or Safe Recipients list are stored on the respective