Although it is simple to deploy an Edge Transport Server, the deployment can have adverse effects on your network if not implemented carefully. A carelessly implemented Edge Transport Server can cause legitimate messages to be treated as spam. To avoid losing legitimate messages, it is important to apply filtering rules gradually so that you can gauge their effects. In this article, I will discuss some best practices for bringing an edge transport server online with minimal impact on your network.
When you first bring an Edge Transport Server online, I recommend that you initially avoid performing any message filtering for at least a few days. This allows you to make sure that your Edge Transport Server isn’t having any adverse effects on mail flow. If a hardware problem or a configuration problem is impacting mail flow, it will be a lot easier to detect, diagnose, and correct the problem if the server is not performing any filtering.
Once you are confident in your Edge Transport Server’s stability, I recommend implementing attachment filtering. Attachment filtering is by far the safest type of filtering. For example, in my own organization, I routinely receive e-mail messages from editors containing Microsoft Office documents. It is also fairly common for me to receive HTML and PDF documents, as well as video files. These are pretty much the only legitimate file types that I ever receive though. There’s no reason why anyone should ever e-mail me an executable file. That being the case, I know that if someone does send me an executable file, the file is probably malicious, so it would be better to have my Edge Transport Server filter the message before it ever makes its way into my mailbox.
Mark Suspicious Messages
If you know for sure that you never want to allow specific types of files into your organization, then it is fine to configure your Edge Transport Server to automatically delete messages containing those types of files. For other types of filtering though, I recommend that you initially configure your Edge Transport Server to mark messages as possible spam, rather than deleting them.
Until you finish fine tuning your Edge Transport Server, there is a strong possibility that some legitimate messages will be captured as spam. Marking these messages rather than deleting them allows the recipient to receive the messages, and allows you to see that additional fine tuning is needed.
Understand the Filtering Process
It’s a good idea to continue to mark suspected spam rather than delete it until you are completely comfortable that the filtering process is working as intended. It is OK, however, to begin fine tuning your filters to work toward the goal of eventually removing spam.
The key to fine tuning the filtering process is to understand the order in which the various filters are applied. If you understand the filtering order, you can usually save yourself some work, and make the edge server run more efficiently, by figuring out which types of filters are and are not needed. For example, Exchange processes the IP address black list early in the filtering process. If there is a certain domain that you want to block, there is no need to create a rule to block the domain’s IP address, and another rule to block the domain name, because the IP address filter would block the message before the server would even have a chance to examine its domain name. My point is that filtering rules are necessary, but the fewer rules that you can get by with, the more efficiently your edge transport server will be able to process messages. Keeping the rules simple will also make it much easier to make adjustments to the filters as your needs change over time.
With that in mind, here is the order in which the various filters are applied:
- The IP block and allow list is processed
- The IP Block List Providers and IP Allow List Providers are processed
- The sender filtering agent checks the blocked senders list
- The Sender ID agent performs an SPF record query
- The Recipient Filtering Agent checks the blocked senders list
- The Content Filtering Agent checks the message’s contents. Safe list aggregation is also applied at this point in the process to help reduce false positives.
- The edge transport server filters out prohibited attachment types
- Finally, the message is either handed off to a hub transport server, rejected, or deleted, depending on the rules that are in place.
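As an added illustration (these are not the article's own commands), here is what the staged approach above looks like in the Exchange Management Shell on the Edge server: confirm the agent order, enforce attachment filtering right away, and set every other agent to stamp messages rather than delete them. The attachment patterns and the reject text are assumed values chosen for the example.

```powershell
# Added example, not from the article: a staged Edge Transport rollout.
# The cmdlets are the standard Exchange Edge cmdlets; the attachment
# patterns and the reject text are assumed values for illustration.

# Step 1: confirm the agent order the article lists. Lower Priority runs first,
# so the Connection Filtering agent (IP lists) precedes sender, Sender ID,
# recipient, content and attachment filtering.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority

# Step 2: attachment filtering is the one filter that is safe to enforce from
# the start. Reject executables outright and leave every other file type alone.
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName   # assumed pattern
Add-AttachmentFilterEntry -Name "*.scr" -Type FileName   # assumed pattern
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "Executable attachments are not accepted."   # assumed text

# Step 3: every other agent stamps the message instead of dropping it, so a
# false positive still reaches the recipient and shows up during tuning.
Set-SenderFilterConfig -Action StampStatus
Set-SenderIdConfig -SpoofedDomainAction StampStatus
Set-ContentFilterConfig -SCLDeleteEnabled $false `
                        -SCLRejectEnabled $false `
                        -SCLQuarantineEnabled $false

# Step 4: review the resulting state before tightening anything later.
Get-SenderFilterConfig  | Format-List Action
Get-SenderIdConfig      | Format-List SpoofedDomainAction
Get-ContentFilterConfig | Format-List SCL*
Get-AttachmentFilterEntry
```

Once the stamped messages have been reviewed for a while without false positives, the SCL delete, reject and quarantine thresholds can be enabled one at a time.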
Unfortunately, there is no way that I can possibly discuss all of the issues associated with configuring an edge transport server within the confines of an article. For that, I would have to write a book. Instead, my goal has been to help you to understand the filtering process, and to help you think about the safest ways of initially enabling edge filtering.