Exchange 2016/2019: Spam filters and email quarantine

If you are running any version of Exchange, you may be using the standard spam filter, a cloud-based one such as Exchange Online Protection, GFI MailEssentials, Mimecast, or Symantec, or a hardware appliance like Barracuda, to name just a few. Spam has been increasing extensively, and if you are not careful, end-users can click on links that introduce malware and viruses into your system. Having a spam filter in place also protects you against phishing emails and all the junk sent on an hourly basis. When the spam filters are set up and configured fully, you will be amazed at how much nonsense sent to end-users gets blocked daily. From fake bank statements to adverts to some really strange emails, it all gets filtered, and as an admin, you can blacklist the email address or domain and have a layer of protection in place. Teaching end-users to manage their own quarantines is a big process, as some mails look legit — and this is where you get caught with malware. Having admins handle the email quarantine allows them to examine the sender, see why it was blocked, and either release the email or deny it.


Exchange spam and mailbox quarantines

I have been playing around with ESET Mail Security for Exchange, and it comes with a built-in quarantine system. It gives you access to a dashboard where you can release or delete spam or other emails. Sometimes legitimate emails get blocked, and you may need to investigate why. Maybe the sending server has been graylisted or is on a blacklist for some reason. In Exchange 2016 or Exchange 2019, when you have a DAG configuration, you can have each server in the DAG configured for ESET Mail for Exchange, or you can enable a cluster and select a server that will be a central point for you to manage all of the quarantine mails.

One thing to take note of is that ESET Mail Security for Exchange does not run under IIS; it has its own web service for this. You need to change the port used by ESET Mail Security for Exchange, as its defaults are 443 for HTTPS and 80 for HTTP. Exchange 2016 and Exchange 2019 already use these ports, so OWA will go down and you will have a constant conflict. Change the port to one not used by Exchange, such as 444X, where X is a number you select, or any other free port.

If you launch a command prompt (cmd), you can run netstat to check which ports are in use and which are open/listening. We will not dive into a networking session here, but you should understand where I am going.

Windows firewall considerations

The next thing to take into consideration is allowing this TCP port through the Windows firewall, or you will be prompted continuously after entering your username and password. In ESET Mail Security for Exchange, the URL used will be the local server name followed by /EsetQuarantine, for example ex2019a.tlab.local/esetquarantine. You can change this to the name on the SSL certificate used with your Exchange Server, such as mail.thexchangelab.com/esetquarantine. Once you have changed it on Exchange Server A, you need to change it on Exchange Server B, and so on.
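The port check and the firewall rule from the two sections above, as one added PowerShell script (example code, not from ESET or the original post). It assumes it is run elevated on each Exchange server, that 4443 is a constructed candidate in the 444X range the article suggests, that the admin subnet is a placeholder you replace, and that the DAG member names are the ones from the article.

```powershell
# Added example: pick a free TCP port for the ESET quarantine web interface,
# open it in Windows Firewall for admins only, then verify each DAG member listens.
param(
    [int]$CandidatePort = 4443,            # constructed candidate in the 444X range
    [string]$AdminSubnet = '10.0.10.0/24'   # placeholder: subnet admins browse from
)

# Ports already bound on this box. 443/80 belong to IIS/OWA, so ESET must not take them;
# this is the same information "netstat -ano" shows, read via the NetTCPIP module.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique

if ($listening -contains $CandidatePort) {
    $owner = Get-NetTCPConnection -State Listen -LocalPort $CandidatePort |
        Select-Object -First 1 -ExpandProperty OwningProcess
    $name = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
    throw "TCP $CandidatePort is already in use by PID $owner ($name); choose another 444X port."
}

$ruleName = "ESET Quarantine Web ($CandidatePort/TCP)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # Inbound allow scoped to the admin subnet rather than Any, so the quarantine
    # login page is not exposed to every client that can reach the Exchange server.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $CandidatePort `
        -RemoteAddress $AdminSubnet -Action Allow -Profile Domain | Out-Null
}

Write-Host "Now set HTTPS port $CandidatePort under Web interface in ESET Advanced Setup on this server."

# After ESET has been reconfigured on every DAG member, confirm each node answers on the port.
foreach ($srv in 'EX2019A', 'EX2019B', 'EX2019C') {
    $ok = (Test-NetConnection -ComputerName $srv -Port $CandidatePort `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0}: TCP {1} reachable = {2}' -f $srv, $CandidatePort, $ok
}
```

A member that reports False either still has ESET on the default port or is missing the firewall rule, which is the blank-page symptom described in the comment below.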

Once you have changed the URL on all your Exchange 2016 or Exchange 2019 servers, you can enable cluster mode for ESET Mail Security for Exchange and let a single server be the point of reference. I have EX2019A, EX2019B, and EX2019C in my DAG configuration, but I have opted to have EX2019C be the server that handles the quarantine section. Below is a snippet of what you need to configure:

  • Enable web interface
  • Web URL
  • HTTPS port
  • HTTP port

[Screenshot: ESET Advanced Setup, web interface settings and administrator rights]

Take note that I am in the Advanced Setup interface here, which you can get to from ESET itself. Once the four options have been configured, the next step is to allow administrators or add additional rights, shown in the bottom half of the image above. Click the Edit button to add in users. This can be local or domain users.

On this same page, if you scroll up, you can enable the cluster and select the server.

ESET Mail Security for Exchange also gives you the ability not to use the quarantine option above but to use a quarantine mailbox or the MS Exchange quarantine mailbox instead. Below is what the window should look like and the options to select based on the version you are on:

[Screenshot: ESET quarantine mailbox options]

What about multiple admins dealing with Exchange spam?

If you are the only IT administrator who needs to release emails, maybe a spam quarantine mailbox or MS Exchange spam quarantine mailbox makes sense. Still, when you have multiple administrators working on this, the web interface might be easier to work with, as each person will have their own login and can assist you with releasing the emails. You can implement what works best for you. If you decide to go one of the other routes, ESET does have documentation on how to configure this.

Featured image: Shutterstock

1 thought on “Exchange 2016/2019: Spam filters and email quarantine”

  1. Hi Edward,
    I was wondering what the solution would be if multiple Exchange servers are in DAG mode and are used to serve web access to mailboxes in some kind of load-balanced mode. As the quarantine is local, only the server chosen as primary will respond to the quarantine web interface request. The other members will give a blank page. Is there any solution for handling requests to the quarantine in this case?
