Exchange 2013 "IP-AllowListEntry" not working

Hello,

We are using "Spamhaus ZEN" RBL for our Exchange.
There are a few IP addresses that I want to whitelist; this should work with "Add-IPAllowListEntry -IPAddress x.x.x.x"
The command works successfully and returns the results with "Get-IPAllowListEntry"
Settings for IPAllowListConfig are "-Enabled True" and "-ExternalMail Enabled True"

My problem is that mails are being blocked even if they are on the whitelist.
Can someone tell me why that is happening?
I tried to restart the TransportService and even the whole Exchange server without success.

Regards

gugaua

June 13th, 2015 9:17am

Hi,

Have you installed the Connection Filtering agent in Exchange 2013? In Exchange 2013, Install-AntispamAgents.ps1 installs only the Content Filtering agent. Please take the following steps to install the Connection Filtering agent.

  • Install the Connection Filtering agent with the Install-TransportAgent cmdlet.

    Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

  • After you have installed the agent you must then enable it and restart the Front End Transport Service with the following command:

    Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"

    Restart-Service MSExchangeFrontEndTransport

  • Add the RBL providers with the following PowerShell command:

    Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true

  • Verify that both the front end Connection Filter agent and back end Content Filter agents are installed and working by using the Get-TransportAgent commands as follows:

    Get-TransportAgent

    Get-TransportAgent -TransportService FrontEnd

  • Use the following command to add an IP Allow List entry:

    Add-IPAllowListEntry -IPAddress 192.168.0.100

Best Regards.

June 17th, 2015 5:05am
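
A read-only check of each step in the answer above, as an added example that is not part of the original reply or Microsoft's own tooling. The function name Test-AllowListPath is hypothetical, and it assumes the Exchange Management Shell on the server that runs the Front End Transport service.

```powershell
# Added diagnostic sketch (not from the thread). Reads configuration only;
# it changes nothing on the server.
function Test-AllowListPath {
    param(
        [Parameter(Mandatory = $true)]
        [string]$IPAddress   # sender IP that should bypass the RBL lookup
    )

    # Install/enable steps: the agent must be registered on FrontEnd and enabled.
    $agent = Get-TransportAgent -TransportService FrontEnd |
        Where-Object { "$($_.Identity)" -eq 'Connection Filtering Agent' }

    # The service the answer restarts after enabling the agent.
    $svc = Get-Service MSExchangeFrontEndTransport

    # RBL step: enabled block list providers that can reject the connection.
    $providers = @(Get-IPBlockListProvider | Where-Object { $_.Enabled })

    # The allow list must be switched on for externally received mail.
    $cfg = Get-IPAllowListConfig

    # Allow-entry step: -IPAddress returns every entry whose address or
    # range covers the given IP, so ranges are matched as well as single IPs.
    $entries = @(Get-IPAllowListEntry -IPAddress $IPAddress)

    [pscustomobject]@{
        IPAddress            = $IPAddress
        AgentInstalled       = [bool]$agent
        AgentEnabled         = [bool]($agent -and $agent.Enabled)
        AgentPriority        = if ($agent) { $agent.Priority } else { $null }
        FrontEndServiceState = $svc.Status
        EnabledRblProviders  = ($providers | ForEach-Object { $_.Name }) -join ', '
        AllowListEnabled     = $cfg.Enabled
        ExternalMailEnabled  = $cfg.ExternalMailEnabled
        MatchingAllowEntries = ($entries | ForEach-Object { $_.IPRange }) -join ', '
        AllowEntryFound      = $entries.Count -gt 0
    }
}

# 192.168.0.100 is the sample address used in the answer above.
Test-AllowListPath -IPAddress 192.168.0.100 | Format-List
```

Any row that comes back False or empty identifies the step of the procedure that has not taken effect on that server.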


Hello Lynn-Li,

Thank you for your reply.
This is exactly what I did; see my link below:
http://woshub.com/configure-spam-protection-in-exchange-2013-rbl-providers

Our Exchange has not got any problems with blocking RBLs but with whitelisting IP addresses.

I tried to send a message via SMTP which was blocked via RBL(Spamhaus ZEN) rule successfully.
I looked at the FrontEnd Agent log and noted the blocked IP address.
Added via "Add-IPAllowListEntry -IPAddress x.x.x.x" and checked via Get-IPAllowListEntry with success.
I also checked Get-IPAllowListConfig, both settings -Enabled and -ExternalMailsEnabled are True.
But the message was blocked again and logged in FrontEnd Agentlog.
Same problem with IPBlockListEntry

Any help is appreciated.

Regards

gugaua

June 17th, 2015 6:47am


Is there nothing that can be done?
June 29th, 2015 8:14am

Nice and quiet here. You bring a real issue to the table and no adequate answers. This is not a hard problem to reproduce MS. I'm on 2013 CU9 and very frustrated that it's not working like it did in Exchange 2010 and easily showed up in my logs. My massive list of Class C addresses are being ignored and not logged in FrontEnd or Hub logs.

I do see Block List Provider working properly in my FrontEnd\AgentLog --- just no locally defined IPs via add-ipblocklistentry or add-ipallowlistentry.

For folks who don't know that /16 (Class B) is not allowed anymore in 2013 via the add-ipblocklistentry command then see the following:

https://technet.microsoft.com/en-us/library/JJ200718(v=EXCHG.150).aspx

Go to 1min 20sec of this video. Thank God for this guy otherwise who knows these lovely new restrictions... there are so many from 2010 to 2013 like not able to log into imap or pop3 with an admin account, etc. The errors have to be better since these are all new limitations.

Looks like I'm not the only one with this problem please help us MS to keep spammers away. Blocklist providers alone as my protection mechanism is not enough. I have over 3000 blocked /24 (Class C) addresses and over 500 /16 (Class B) ones. Thankfully I figured out the /16 limitation but fix IPBlockListEntry please and IPAllowListEntry. It's ridiculous that this is not getting as much attention as it should. Spam is not going anywhere...

Not to tangent but then there's general bugs like IMAP not working with NTLM as described here: http://blogs.technet.com/b/mspfe/archive/2015/08/24/exchange-server-2013-cu9-watch-your-imap-clients.aspx


Thanks for listening and please consider quality, MS :)

September 10th, 2015 11:01pm

This topic is archived. No further replies will be accepted.
