Recipient Verification with Exchange 2013 and Later

The new hoops Microsoft makes you jump through...

Starting with Exchange 2013, Microsoft changed the Exchange FrontEnd Transport service so that it no longer rejects invalid recipients during the RCPT phase of the SMTP conversation, which breaks CanIt's recipient verification.

To work around this, please follow these instructions:

  1. Ensure the Exchange Anti-Spam Agents are installed. You can check from the Exchange Management Shell (EMS) with the following command:

    Get-TransportAgent

    Make sure that Recipient Filter Agent is listed and enabled. If it is not, install it with the following command:

    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

  2. Ensure that the Recipient Filter Agent is enabled. Use the following command:

    Enable-TransportAgent "Recipient Filter Agent"

  3. Enable AddressBook. All of your domains need to be using Address Book to check for recipients. To check, run the following command:

    Get-AcceptedDomain | Format-List Name,AddressBookEnabled

    If Address Book is disabled for any domains for which the Exchange server is authoritative, fix that with the following command, once for each such domain:

    Set-AcceptedDomain name_of_domain -AddressBookEnabled $true

  4. At this point, restart the Microsoft Exchange Transport service.
  5. Ensure that Recipient Validation is enabled. Run the following command:

    Set-RecipientFilterConfig -RecipientValidationEnabled $true

    and again, restart the transport service.

  6. Allow access to the Default receive connector. In the Exchange Administrative Center, go to Mail Flow : Receive Connectors. Edit the default connector, go to the Security tab and ensure that anonymous users are allowed. This lets CanIt use the connector for recipient verification.
  7. Make sure that port 2525 on your Exchange server is open to all the IPs listed in Hosted CanIt under My Domains. If the Exchange server is behind a firewall, you may also need to make a port-forwarding rule.
  8. Test that Recipient Filtering works. Open a telnet session to port 2525 of your Exchange server. Type the HELO, MAIL From and RCPT To lines; the server responses (the lines beginning with a three-digit code) should be similar to those shown below. Replace example.com with an actual domain name hosted on the Exchange server.

    220 myexchange.example.com Microsoft ESMTP MAIL Service ready at...
    HELO example.com
    250 myexchange.example.com Hello ...
    MAIL From:<devnull@roaringpenguin.com>
    250 2.1.0 Sender OK
    RCPT To:<nonexistent_user@example.com>
    550 5.1.1 User unknown

  9. Configure CanIt to use port 2525 for recipient verification; under Setup : Verification Servers, set the server to myexchange.example.com/2525
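
The telnet test in step 8 can be scripted so that it is easy to repeat after an Exchange update or a connector change. The Python below is an added example, not part of CanIt or of the original instructions; the function names and the optional check of a known-good mailbox are assumptions of this example. The second check distinguishes a server that rejects only unknown users from one that refuses every recipient.

```python
import smtplib
import sys

def rcpt_reply(host, port, rcpt, mail_from="devnull@roaringpenguin.com",
               helo="example.com", timeout=10):
    """Replay step 8 (HELO, MAIL From, RCPT To); return the RCPT reply."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(helo)
        code, text = smtp.mail(mail_from)
        if code != 250:
            raise RuntimeError(f"MAIL From refused: {code} {text!r}")
        code, text = smtp.rcpt(rcpt)
        return code, text.decode(errors="replace")

def check_recipient_filtering(probe, domain, known_good=None):
    """Return a list of problems; an empty list means RCPT-time rejection works.

    probe(address) -> (code, text) performs the SMTP exchange. It is passed in
    so the decision logic can be exercised without a live server.
    """
    problems = []
    bogus = f"nonexistent_user@{domain}"   # same test address as step 8
    code, text = probe(bogus)
    if 200 <= code < 300:
        problems.append(f"{bogus} accepted ({code} {text}): invalid recipients "
                        "are not rejected at RCPT; recheck steps 1-5")
    elif 400 <= code < 500:
        problems.append(f"{bogus} got a temporary failure ({code} {text}); "
                        "expected a permanent 550 5.1.1")
    if known_good is not None:
        code, text = probe(known_good)
        if not 200 <= code < 300:
            problems.append(f"{known_good} refused ({code} {text}): a valid "
                            "mailbox must still be accepted")
    return problems

if __name__ == "__main__":
    # Usage: python check_rcpt.py EXCHANGE_HOST DOMAIN [KNOWN_GOOD_ADDRESS]
    if len(sys.argv) < 3:
        sys.exit("usage: check_rcpt.py EXCHANGE_HOST DOMAIN [KNOWN_GOOD_ADDRESS]")
    host, domain = sys.argv[1], sys.argv[2]
    good = sys.argv[3] if len(sys.argv) > 3 else None
    issues = check_recipient_filtering(
        lambda addr: rcpt_reply(host, 2525, addr), domain, good)
    print("\n".join(issues) or "OK: invalid recipients are rejected at RCPT")
    sys.exit(1 if issues else 0)
```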