When looking at the Exchange 2003 Sender, Recipient and Connection Filtering, it is fair to say that the configuration is fairly straightforward. Let's leave aside the Connection Filtering RBLs, which do give rise to some configuration difficulties. The rest is mostly a bunch of lists for blocking/allowing emails based on email addresses and the originating host IP.
Today I want to highlight the fact that operating these lists together may give rise to some unexpected results. I already dedicated an article to some weird behaviour involving IP Accept lists. Here we saw how IMF may still scan emails originating from IPs in this list. Today we discuss a similar problem, this time involving Sender and Recipient Filtering.
The job of Sender and Recipient Filtering is obviously to identify and block senders and recipients. Similarly, IP Deny/Accept lists are meant to block and allow emails based on the originating host IP. I will not delve into how to configure these. For more details refer to the articles discussing IP Accept lists and recipient filtering.
Now let's get straight to the point. Consider a case where the IP Accept list is configured together with sender and/or recipient filtering. What happens if an email matches both the IP accept list and one of the sender/recipient filtering entries? You already know where this is leading! The email is still rejected.
This type of situation is not uncommon. Consider the case where a mailbox is not allowed to receive external emails. Entering the mailbox address at the recipient filtering list does the job. All incoming emails are promptly rejected.
The same organization also has an internal application that may legitimately send emails to this mailbox. Emails are submitted via SMTP, triggering recipient filtering. At first the IP Accept list sounds like the right solution. After all, this is also used to bypass IMF processing.
Indeed, in general whitelisting is expected to take precedence over blacklisting. This is standard practice in anti-spam solutions. Nevertheless, recipient filtering is not as smart as IMF and the IP Accept list is ignored.
Solving this specific problem is possible. Here we could use the same solution suggested in the article Connection Filtering IP Accept List in Exchange SP2, where a similar problem was discussed.
This is done with the help of a new SMTP Virtual Server. Recipient and Sender Filtering are enabled per virtual server, so all we need to do is point the internal applications at the new server and leave filtering disabled there. Internet email is not redirected, so filtering stays in place for it.
Setting up virtual servers is easy. You will just need a unique IP/port pair. The new server is only exposed internally, so no security-sensitive network boundary is crossed.
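One way to verify the two-virtual-server setup once it is in place, as an added example that is not part of the original article: the script below issues MAIL FROM/RCPT TO for the restricted mailbox against each virtual server and reports whether the recipient is accepted or refused, without ever sending a message. The host names, ports and addresses are placeholders to replace with your own.

```python
import smtplib

# Constructed placeholder values: replace with your own virtual servers and mailbox.
INTERNET_VS = ("mail.example.invalid", 25)    # Internet-facing server, filtering enabled
INTERNAL_VS = ("10.0.0.5", 2525)              # assumed new virtual server, filtering disabled
RESTRICTED_MAILBOX = "appinbox@example.invalid"
PROBE_SENDER = "probe@external.invalid"       # an external sender, so recipient filtering applies


def rcpt_probe(host, port, sender, recipient, timeout=10):
    """Issue MAIL FROM / RCPT TO against one virtual server and return the RCPT reply."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused by {host}:{port} with {code}")
        code, msg = smtp.rcpt(recipient)
        smtp.rset()  # abandon the transaction; nothing is delivered
        return code, msg.decode(errors="replace")


def classify(code):
    """Map an SMTP RCPT reply code to the outcome discussed in the article."""
    if 200 <= code < 300:
        return "accepted"
    if 500 <= code < 600:
        return "rejected"   # permanent refusal, e.g. Recipient Filtering blocking the address
    return "temporary"      # 4xx: retry later, says nothing about the filter configuration


def split_is_correct(internet_code, internal_code):
    """True only when the Internet server still refuses the mailbox and the internal one accepts it."""
    return classify(internet_code) == "rejected" and classify(internal_code) == "accepted"


if __name__ == "__main__":
    results = {}
    for label, (host, port) in (("internet", INTERNET_VS), ("internal", INTERNAL_VS)):
        code, msg = rcpt_probe(host, port, PROBE_SENDER, RESTRICTED_MAILBOX)
        results[label] = code
        print(f"{label:8} {host}:{port} -> {code} {msg} ({classify(code)})")
    print("configuration OK" if split_is_correct(results["internet"], results["internal"])
          else "configuration NOT as intended")
```

Run it from the internal application's host so the source IP matches what the application will use.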
Clearly I have given just one example here to illustrate a scenario where the problem may crop up. Other scenarios exist where this solution is not appropriate and other workarounds might be available.