Generating an SMTP WhiteList in Exchange 2010 via EMS Script

SMTP WhiteList in Exchange 2010

On a recent Domino to Exchange 2010 migration project the customer was using a perimeter message layer product that had an SMTP Whitelist configured. This allowed only email sent to (and from) authorised SMTP addresses to pass through the perimeter message layer. The scenario is not uncommon, as some companies only allow a subset of their employees to use internet email from their internal mailbox. A typical perimeter message layer may be running Postfix or Symantec MessageLabs, for example.

For the email migration project I was working on, the customer had a Domino Mail-In Database configured (with a Domino Agent) to send a scheduled email to a set mail address (hosted on the Edge Message layer system) containing all the valid SMTP addresses of Domino mail objects. The list contained only primary SMTP addresses, in one column, with no header and no EOF character. The Edge Message layer system then imported the SMTP addresses into its SMTP Whitelist.

As part of the email migration I had to move this function off Domino onto Exchange 2010, otherwise we would be unable to decommission Domino at the end of the email migration.

After spending the usual half an hour searching on the internet I could find no clear example of how to achieve this. So I had to work it out for myself, and decided it may be useful for other people who need a similar SMTP Whitelist function.

I managed to develop two ways of presenting the whitelist: firstly the SMTP addresses were attached to an email in a text file, and secondly the SMTP addresses were embedded in the message body.   Either variant may be useful for the SMTP Whitelist in Exchange 2010.

I also did a further version which excluded Mail Group SMTP addresses where the Require Sender Authentication setting was enabled, as Exchange would reject internet emails sent to these addresses anyway, so there is no point cluttering up an SMTP Whitelist with them.

I researched EMS commands, CSVDE, DSQUERY and DSGET. Finally I decided to go with a hybrid approach which combined a series of DSQUERY commands, some DOS batch commands, and an EMS PowerShell SendMail call. All these parts can be placed into one central DOS batch (.bat) file. The only other file required is a .PS1 EMS script to execute the SendMail function at the end.

Be aware that this solution does not cater for secondary SMTP addresses – I will research this extra requirement if someone requests it!

The SMTP WhiteList in Exchange solution can be broken down into sections:

Section 1 – DSQUERY Commands

Three DSQUERY commands were needed in order to extract (to a text file) the primary SMTP addresses for the following three object types: Mail Contacts, Mail Groups, Mailboxes.

dsquery * -filter "(&(objectCategory=person)(objectClass=contact)(mail=*@contuso.com))" -attr mail -limit 0 >smtp_contacts.txt

dsquery * -filter "(&(objectCategory=group)(objectClass=group)(mail=*@contuso.com))" -attr mail -limit 0 >smtp_groups.txt

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(mail=*@contuso.com))" -attr mail -limit 0 >smtp_users.txt

Section 2 – Remove the Column Header Line (Line 1) from the Text (TXT) Files

Each of the above export files contains a header line (the column header) which needs to be removed, as the Edge Message Layer requires raw SMTP addresses only. To do this we lean on some DOS batch file wizardry, which re-writes each text file to a new text file minus the first line.

rem The redirection sits outside the parentheses so that no trailing space is written after each address
for /f "skip=1" %%A in (smtp_contacts.txt) do (echo %%A)>>contacts.txt

for /f "skip=1" %%A in (smtp_groups.txt) do (echo %%A)>>groups.txt

for /f "skip=1" %%A in (smtp_users.txt) do (echo %%A)>>users.txt

Section 3 – Merge the Text Files together into a single Text File

More DOS batch commands to achieve this.  Use the following command.

copy /b contacts.txt+groups.txt+users.txt SMTP_ALL.txt

Note the use of "copy /b", which treats the text files as binary files. This is required to stop the EOF character (Ctrl-Z) being appended to the end of the resultant text file.

Section 4 – Initiate a SendMail EMS task

Use this call to run the EMS PowerShell script that sends the SMTP_ALL text file to the required target mailbox.

Powershell -command "& {C:\Scripts\whitelist\sendmail_whitelist.ps1 }"

Section 5 – SendMail EMS Script

Create a .PS1 file to contain the EMS script that sends the email to the required target mailbox. I called my .PS1 file SENDMAIL_WHITELIST.PS1. The script is shown below. You will need to enter your internal mail relay IP address details, a valid From address, and the target SMTP address you want to send the WhiteList to. Note that I have placed the SMTP_ALL.TXT file into C:\TEMP. You will need to change this path for your environment.

# Send the whitelist file as an email attachment
$FromAddress = "postmaster@contuso.com"
$ToAddress = "admin@mail.edgeservice.com"
$MessageSubject = "Whitelist SMTP List"
$MessageBody = "Attached is EPS SMTP Whitelist"
$SendingServer = "xxx.xxx.xxx.xxx"   # IP address of your internal mail relay
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment("c:\temp\SMTP_ALL.TXT")   # change this path for your environment
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
$SMTPClient.Send($SMTPMessage)

Section 6 – Put it all together

I have not posted the complete DOS batch script here, as you should be able to use the information provided to put together your own version. I called mine from a Windows Server running the Exchange 2010 Management Tools, under Scheduled Tasks, to run once a day. You may also need to run the Exchange 2010 Remote Execution Policy PowerShell command – this is widely documented if you need to find it.

I hope you found this blog on how to generate an SMTP WhiteList in Exchange 2010 useful. Not an everyday requirement, but I am sure that if I stumbled across it, then at least one other person out there will too!
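For anyone who wants to see the whole chain in one place, here is an added example (my own PowerShell rewrite of Sections 1 to 5, not the batch file described in this post). It runs the three dsquery commands, strips the header lines, validates and de-duplicates the addresses, refuses to send an empty or sharply shrunken list, and then sends the file as the Section 5 script does. The contuso.com domain, file name and address placeholders come from the post; the output path, relay IP and drop threshold are assumptions to adjust.

```powershell
# Added example (not the original post's script): Sections 1-5 as one PowerShell
# script. contuso.com, SMTP_ALL.txt and the address placeholders come from the
# post; the output path, relay IP and drop threshold are assumptions to adjust.
$Domain        = 'contuso.com'
$OutFile       = 'C:\temp\SMTP_ALL.txt'
$SendingServer = 'xxx.xxx.xxx.xxx'            # internal mail relay
$FromAddress   = "postmaster@$Domain"
$ToAddress     = 'admin@mail.edgeservice.com'
$MaxDropPct    = 20   # refuse to send if the list shrinks by more than this

# Section 1 (plus the Section 7 group filter): the three LDAP queries.
$Filters = @(
  "(&(objectCategory=person)(objectClass=contact)(mail=*@$Domain))",
  "(&(objectCategory=group)(objectClass=group)(mail=*@$Domain)(!msExchRequireAuthToSendTo=TRUE))",
  "(&(objectCategory=person)(objectClass=user)(mail=*@$Domain))"
)
$Addresses = @(foreach ($f in $Filters) {
  $lines = & dsquery * -filter $f -attr mail -limit 0
  if ($LASTEXITCODE -ne 0) { throw "dsquery failed for filter $f" }
  # Section 2: drop the 'mail' header line and the padding dsquery adds.
  $lines | Select-Object -Skip 1 | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
})

# Checks a perimeter feed should have: only well-formed addresses in our own
# domain, no duplicates, and no sudden shrinkage (a truncated or empty list at
# the edge would silently block legitimate mail).
$Pattern = "^[A-Za-z0-9._%+'-]+@$([regex]::Escape($Domain))$"
$bad = @($Addresses | Where-Object { $_ -notmatch $Pattern })
if ($bad.Count -gt 0) { throw "Malformed entries, not sending: $($bad -join ', ')" }
$Addresses = @($Addresses | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
if ($Addresses.Count -eq 0) { throw 'Empty whitelist, not sending' }
if (Test-Path $OutFile) {
  $previous = @(Get-Content $OutFile | Where-Object { $_ -ne '' }).Count
  if ($Addresses.Count -lt $previous * (100 - $MaxDropPct) / 100) {
    throw "Whitelist shrank from $previous to $($Addresses.Count) entries, not sending"
  }
}

# Section 3: one address per line, ASCII, no BOM and no trailing Ctrl-Z (the
# EOF character the post's 'copy /b' exists to avoid).
[IO.File]::WriteAllText($OutFile, ($Addresses -join "`r`n"), [Text.Encoding]::ASCII)

# Section 5: send the file as an attachment, as the post's script does.
$msg = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, 'Whitelist SMTP List', "Attached is SMTP whitelist ($($Addresses.Count) entries)"
$msg.Attachments.Add((New-Object System.Net.Mail.Attachment $OutFile))
(New-Object System.Net.Mail.SmtpClient $SendingServer).Send($msg)
$msg.Dispose()
```

Because every failure path throws before the Send, a Scheduled Task running this script leaves the previous file in place and exits non-zero instead of feeding the perimeter layer a bad list.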

Section 7 – Extra Development Bits

This section provides some advanced variants of the above solution that you may find useful. I am no script expert, but was able to work this one out after a few hours, as I could not find the solution I wanted elsewhere on the internet.

The first variant places the SMTP Whitelist into the message body of the email generated by the EMS PowerShell script. The new version of the EMS script is below:

# Send the whitelist in the message body
# The path is relative to the working directory; use the full path (e.g. C:\temp\SMTP_ALL.TXT from Section 5) when run from Scheduled Tasks
$scr = type SMTP_ALL.TXT | out-string
$FromAddress = "postmaster@contuso.com"
$ToAddress = "admin@mail.edgeservice.com"
$MessageSubject = "Whitelist SMTP List"
$SendingServer = "xxx.xxx.xxx.xxx"   # IP address of your internal mail relay
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $scr
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
$SMTPClient.Send($SMTPMessage)

You can see that the SMTP Whitelist text file contents are piped into a string variable ($scr), and this variable is used as the message body. All references to the attachment are dropped. The previous lines of code for the queries remain the same.

The second variant excludes any Mail Groups that have the Require Sender Authentication setting enabled ($true). This is the default setting for Exchange 2010 Mail Groups, and needs removing if you wish the Mail Group to receive internet email at the SMTP address assigned to it. You may wish to optimise your SMTP Whitelist to exclude the SMTP addresses of Mail Groups that are set to Require Sender Authentication. To achieve this you need to modify the DSQUERY line used to generate the SMTP addresses for the Mail Groups:

dsquery * -filter "(&(objectCategory=group)(objectClass=group)(mail=*@contuso.com)(!msExchRequireAuthToSendTo=TRUE))" -attr mail -limit 0 >smtp_groups.txt

Note the inclusion of the additional LDAP filter clause, (!msExchRequireAuthToSendTo=TRUE). The exclamation mark at the front is the LDAP NOT operator, so the query returns all Mail Groups that do not have the msExchRequireAuthToSendTo AD attribute set to TRUE, which includes groups where the attribute is <not set>. You can cross check the Mail Group AD objects in the AD Attribute Editor, or ADSIEdit, to see how this msExchRequireAuthToSendTo value is set. The reverse query trickery is required as I was unable to find a way to do a successful DSQUERY against the <not set>, or null, value. This works a treat, and will ensure only Mail Groups that are set to receive external internet email are included in your final SMTP Whitelist in Exchange.
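As an added cross-check (not from the original post), this Exchange Management Shell snippet compares the groups returned by the reverse LDAP query with what Exchange itself reports through the RequireSenderAuthenticationEnabled property, so the handling of <not set> is verified rather than assumed. It assumes the EMS snap-in is loaded and that C:\temp\smtp_groups.txt was produced by the dsquery line above.

```powershell
# Added example (not from the post): verify the reverse LDAP query against EMS.
# Assumes the Exchange 2010 snap-in is loaded and smtp_groups.txt came from the
# Section 7 dsquery command (the header line is still present in that file).
$Domain = 'contuso.com'
# Groups the LDAP filter returned: skip the 'mail' header, trim dsquery padding.
$fromLdap = Get-Content 'C:\temp\smtp_groups.txt' | Select-Object -Skip 1 |
  ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ -ne '' }
# Groups Exchange says accept unauthenticated senders, same domain restriction.
$fromEms = Get-DistributionGroup -ResultSize Unlimited |
  Where-Object { -not $_.RequireSenderAuthenticationEnabled -and
                 $_.PrimarySmtpAddress.ToString() -like "*@$Domain" } |
  ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() }
$diff = Compare-Object -ReferenceObject @($fromEms) -DifferenceObject @($fromLdap)
if ($diff) {
  # '<=' rows are open groups the LDAP query missed; '=>' rows are groups the
  # query included although Exchange still requires sender authentication.
  $diff | Format-Table InputObject, SideIndicator -AutoSize
} else { 'LDAP filter and EMS agree' }
```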

