Sunday, May 29, 2011

Migrating to Microsoft SMTP Gateway guidelines and recommendations

Because of the huge success of Forefront Protection 2010 for Exchange (FPE), a lot of companies are considering migrating from other products to FPE, so I decided to write some guidelines and recommendations to ensure a smooth migration with zero downtime.
Please make sure to read the recommendations carefully before jumping to the migration steps.


  • Plan the migration steps with the Network and External DNS teams.
  • If your network team is using a Cisco PIX Firewall, make sure they read the following article ahead of time and that the header of your SMTP gateway isn’t masked
  • Export the list of blocked IPs, senders and domains from your old anti-spam product to Forefront Protection 2010 for Exchange.
  • Enroll your environment in the Junk Mail Reporting Partner Program
  • Make sure the new IPs that will be assigned to your Edge Server aren’t blacklisted
  • Monitor the blacklist status of your domain's sending IPs and get email alerts when they are added to or removed from any blacklist database by registering at
  • Install the Forefront Protection Server Management Console to get a centralized console for configuration deployment, reporting, quarantine management, engine and definition update deployment
  • Make sure to manage your customers’ expectations in the early deployment phase and try to educate them about your plan in order to win their cooperation.
  • Be sure to use the right disk types to provide enough I/O for your SMTP gateways.
  • Don’t enable recipient filtering until you are sure the synchronization process has been completed on all SMTP Gateways.


Useful Links
Preparing the Windows servers.  
Installing the file-level anti-virus "FEP 2010"
Defining the anti-virus exclusions
Installing Microsoft Exchange Server 2010 SP1 Edge Server role
Creating the Accepted Domains
Configuring the External DNS Lookups
Configure DNS Records for Your Edge Servers
Installing Forefront Protection 2010 for Exchange.
Configuring Forefront Protection 2010 for Exchange.
Create new MX records to point to the new edge servers with a higher priority than the old ones.
Create an Edge Subscription File on an Edge Transport Server.
Import an Edge Subscription File to an Active Directory Site.
Force EdgeSync Synchronization.
Disable the send connector that is sending to the old SMTP gateways.  
Make sure you can send mail outside your organization using the new SMTP gateways.  
Shift the priority of your MX records so the low priority will be your new Microsoft SMTP gateway.  
Make sure you are receiving emails on your new SMTP gateways.  
Shut down your old SMTP gateways.  
After a period of time, once you are sure that everything is working smoothly, delete your old MX records.  
Congratulations; you have done a good job.  

See you soon, Hany Donia

Sunday, May 1, 2011

~all or -all; does it really make a difference?

Before we move further, I suggest you read the following post in advance: Sender ID and Spoofing
Recently I’ve received a lot of concerns about Sender ID filtering, including configurations that are implemented correctly but aren’t taking effect, and about the differences between SPF record prefixes (qualifiers).
So I decided to unravel the mystery of the SPF record prefixes, especially ~all and -all, and the Sender ID filtering options.
Let’s start from the Sender ID configuration perspective; it is very simple from the Exchange EMC, as below

And from the Forefront Protection 2010 for Exchange as below
And now let’s take a simple, straightforward SPF record where a company is sending mail from the IPs of its MX records, so its SPF record should be as below

IN TXT "v=spf1 mx ~all"

OR

IN TXT "v=spf1 mx -all"

But what is the difference between the two? And what does it have to do with the Sender ID filtering action options?
Actually there are two scenarios: one when the result of the filter is positive and the other when it is negative
When the result is positive; whether you are using the tilde or the minus you should see the below Sender ID result in the message header.
But when the result is negative and you are using the tilde you will see the below Sender ID result in the message header
While when you are using the minus you should see the below Sender ID result in the message header
OK, I got it; the difference is when the test fails: with the tilde it will return SOFTFAIL, while with the minus it will return FAIL. But what does it have to do with the Sender ID filtering action options?
The below figure will answer this question.
So the actions available to Sender ID differ according to the Sender ID status. If your SPF record uses the tilde and you set the Sender ID option to reject the message, nothing will happen and you will find yourself a victim of spoofing: with the tilde you can only stamp messages, while with the minus you have all options.
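The relationship described above, as an added example that is not part of the original post: a small evaluator for records that use only the `mx`, `ip4`, `ip6` and `all` mechanisms, followed by the rule that Reject and Delete only take effect on a FAIL result. The IP addresses are constructed sample values, `MX_IPS` stands in for the DNS lookup of the domain's MX hosts, and `StampStatus`, `Reject` and `Delete` are the Exchange Sender ID action values.

```python
import ipaddress

# Qualifier on the first matching mechanism -> result (RFC 7208); no qualifier means "+".
QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MX_IPS = ["192.0.2.10", "192.0.2.11"]  # constructed: stands in for the domain's MX lookup

def evaluate(record, sender_ip, mx_ips=MX_IPS):
    """Evaluate a record that uses only the mx, ip4, ip6 and all mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = ip in {ipaddress.ip_address(a) for a in mx_ips}
        elif mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            raise ValueError(f"mechanism not modelled here: {term}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "Neutral"  # nothing matched and the record has no "all" term

def effective_action(status, configured_action):
    """The post's rule: Reject/Delete apply only to Fail; other results are stamped."""
    if status == "Fail" and configured_action in ("Reject", "Delete"):
        return configured_action
    return "StampStatus"

def outcome(record, sender_ip, configured_action="Reject"):
    """Return (Sender ID status, action actually taken) for one message."""
    status = evaluate(record, sender_ip)
    return status, effective_action(status, configured_action)

if __name__ == "__main__":
    spoofer = "203.0.113.7"  # constructed address, not one of the MX hosts
    for rec in ("v=spf1 mx ~all", "v=spf1 mx -all"):
        print(rec, "| own MX:", outcome(rec, MX_IPS[0]), "| spoofed:", outcome(rec, spoofer))
```

With Reject configured, only the `-all` record lets the spoofed message be rejected; the `~all` record yields SoftFail and the message is merely stamped.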
This was only a glance at the relation between Sender ID options and SPF record prefixes.
See you soon, Hany Donia