
Connection Filtering IP Accept List in Exchange SP2

Alexander Zammit


Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Jan 24, 2006
  • Category: Anti-Spam
  • Votes: 4.9 out of 5 - 8 Votes

Getting the Connection Filtering IP Accept List to work has become trickier since Exchange SP2: IPs configured to bypass the Intelligent Message Filter sometimes have no effect. Luckily, the solution is around the corner.

Accept List Configuration

Finally, for those discovering IP Accept lists for the first time, here is a configuration walkthrough.

  1. From the Exchange System Manager open the properties for Global Settings | Message Delivery.

  2. Select the Connection Filtering property page.

    Connection Filtering Properties

  3. Click on the Accept button.

    IP Accept List

  4. Click on the Add button to specify the IPs for hosts whose emails are to be accepted without further Connection Filtering or IMF processing.

  5. Save and close all dialogs.

Next, enable Connection Filtering at each SMTP Virtual Server where the Accept list is to be enforced:

  1. Browse the left pane tree and open the properties for:
    <Organization> | Servers | <Exchange Server> | Protocols | SMTP | <SMTP Virtual Server>

  2. From the General property sheet click on Advanced.

    SMTP Virtual Server Properties

  3. In the Advanced dialog that opens select the IP on which Connection Filtering is to be enabled and click on the Edit button.

    Advanced Dialog

  4. Set the 'Apply Connection Filter' checkbox.

    Apply Connection Filter

  5. Save changes.
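
The two procedures above only work together: an Accept List entry has no effect on a virtual server binding whose 'Apply Connection Filter' checkbox is clear. The following Python sketch is an added example, not code from the article or from Exchange; it is a simplified model of those two steps only, and the server names, addresses and the address/mask entry form are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One IP/port row in an SMTP virtual server's Advanced dialog."""
    server: str
    ip: str
    port: int
    apply_connection_filter: bool  # the 'Apply Connection Filter' checkbox

def parse_accept_list(entries):
    """Parse single IPs and address/mask groups (mask form is an assumption)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def decision(accept_list, binding, source_ip):
    """Classify one connection under the simplified two-step model."""
    if not binding.apply_connection_filter:
        return "filter-not-applied"   # Accept List never enforced on this binding
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in accept_list):
        return "bypass"               # no further Connection Filtering or IMF
    return "not-listed"               # goes through normal filtering

def audit(accept_list, bindings, trusted_sources):
    """List each (server, binding, source, reason) where a trusted host is still filtered."""
    findings = []
    for b in bindings:
        for src in trusted_sources:
            reason = decision(accept_list, b, src)
            if reason != "bypass":
                findings.append((b.server, f"{b.ip}:{b.port}", src, reason))
    return findings

# Constructed sample data (documentation address ranges, hypothetical server names).
ACCEPT_LIST = parse_accept_list(["192.0.2.25", "198.51.100.0/255.255.255.0"])
BINDINGS = [
    Binding("Default SMTP Virtual Server", "10.0.0.5", 25, True),
    Binding("Relay SMTP Virtual Server", "10.0.0.6", 25, False),
]
TRUSTED = ["192.0.2.25", "198.51.100.40", "203.0.113.9"]

if __name__ == "__main__":
    for finding in audit(ACCEPT_LIST, BINDINGS, TRUSTED):
        print(finding)
```

Each finding names either a trusted host missing from the Accept List or a binding on which the list is never consulted, which are the two gaps the walkthrough closes.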

User Comments - Page 1 of 1


Alexander Zammit 27 Sep 2010 01:06
The simple answer to 1) is that you shouldn’t do that.

There is no need to enter all local IPs to the Perimeter IP List, even though the MS documentation tells you to do so.

This list only truly needs the list of IPs involved in routing emails inbound.


Point 2) is fine. The Accept List is a whitelist so of course you only want to whitelist Organizations you trust. As for duplication, you normally won’t have any duplication if you do as I said in the 1st point.

Stephen White 26 Sep 2010 18:29
Can we please just clarify that, in short, what you are saying is this:
(1) All local network IPs and ranges, including any public IP addresses assigned to the external interface of a firewall, should be entered into the "Perimeter IP List and Internal IP Range Configuration" section.
(2) You should only use the 'Accept' list in the Connection filtering section for allowing external organisations you trust, and you must not duplicate any of the IPs previously entered in (1).

Elizabeth 12 May 2010 11:21
Please clarify 1) adding a second IP to Exchange server without adding a second NIC - can it be from the same subnet?

2) Once the second Virtual SMTP server is set up, how to set it to route internal email only and how to set up the original default SMTP server with IMF to not route email originating from local network.

I think I know the answers to the above questions, but when I tried to implement it, it did not work, so I thought I would get clarification. Thanks.

Alexander Zammit 5 Oct 2009 12:18
1. You need a unique IP/Port pair i.e. the combination has to be unique. So if the IP is unique then the port can be 25 like for the other SMTP Virtual server.

2. Of course you have to assign an IP on which one of the NICs is listening.

Steve 5 Oct 2009 11:03
When creating an additional virtual SMTP, you mention using a unique IP/Port and everything will work.

So, from my subnet, I can just take any IP# and throw it in there, or do I have to have an associated NIC to go along with it? If I use an alternate IP# for the secondary SMTP, why would I need to use a different port than 25?

Alexander Zammit 2 Jul 2009 02:52
The solutions I know of, are listed in the article.

That list should only include the hosts that are involved in the routing of internet email to the first Exchange Server in your organization.

Normally you will only have very few machines involved in this routing and only those should be listed.

SimonG 2 Jul 2009 02:12
Thanks for this article - it's certainly allowed me to understand why our internal devices are being processed by the IMF and hence categorised as potential spam.
In the article you mention that the 'trivial solution' to solving this issue is by ensuring the device IPs are not inserted in the local IP list - our list contains a subnet which contains the IPs of these devices - how do we handle this?

Copyright © 2005 - 2018 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation