New to EFA

jamerson
Posts: 164
Joined: 19 Aug 2017 18:57
Location: kaaskop

Post by jamerson »

Dear All,
During my research on the internet I came across your forum and I've registered.
I must admit you did great work here. I have never tried your appliance before; however, I am willing to.
Before I start I need to ask some questions.
In our environment we are using Exchange 2016 with the built-in spamID filter.
We have the following domains:
domain1.com
domain2.com
domain3.com
pointing to the same IP 1.1.1.1 with their MX records.
On the firewall we have ports 25 and 443 pointing to the Exchange 2016 with LAN IP 10.10.10.3
MX of domain1.com is pointing to 1.1.1.1 (our public IP)
MX of domain2.com is pointing to 1.1.1.1 (our public IP)
MX of domain3.com is pointing to 1.1.1.1 (our public IP)

We want to configure the EFA to be between the Exchange 2016 and the internet in order to scan the incoming mail of the above 3 domains.

Let's say we configure the appliance with 10.10.10.4: do we have to point port 25 to the EFA appliance?

Thank you so much for the time you are taking to answer my questions.
jase72
Posts: 20
Joined: 21 Jul 2017 09:06

Re: New to EFA

Post by jase72 »

Hi jamerson. EFA works well with Exchange 2016. Pretty easy to integrate with the Junk E-mail folder (one setting change in EFA, one rule in Exchange).

Quick 'n' dirty setup guide is:
  1. Add all the domains to EFA (SSH EFA > Mail Settings > Transport Settings). Relay is your Exchange box (10.10.10.3).
    If you ever add a new allowed domain to Exchange remember you'll need to also add it to EFA.
  2. If EFA's going to do all your inbound filtering then disable SenderID filtering in Exchange. ExPS > Set-SenderIDConfig -Enabled $false
  3. Optionally get suspect spam email delivered to the user's Junk Email folder:
    SSH EFA > Spam settings > Spam Settings > Enable spam delivery: Yes
    ECP > Mail Flow > Rules
    Add a new rule. More options.
    Apply this rule if.... A message header matches... "X-Spam-Status" header matches "Yes"
    Do the following... Set the spam confidence level (SCL) to... 8
    No auditing (unless you're keen), enforce the rule. Defer the message if rule processing doesn't complete.
    ** Note this relies on your global Exchange configuration having the global junk setting of 8 (or less). Check it via ExPS > Get-OrganizationConfig | fl scl*. If it's above 7 then lower it to 7 (has to be lower than the SCL number you set in the Exchange rule).
  4. Review your SCL thresholds ExPS > Get-ContentFilterConfig | ft *mailenabled, scl* -AutoSize. You'll either want it off for external mail or (my preference) SCL reject threshold of 9 (and the other thresholds disabled).
  5. You'll probably also want to manually allow ics files. I've found MailScanner can block a few ics files due to the format of the filename.
    SSH EFA > Shell > sudo vi /etc/MailScanner/filename.rules.conf
    Add, somewhere near the top "Allow \.ics$ - -". Note the whitespaces are tabs.
    Think you need a MailScanner restart after editing that. "sudo service MailScanner restart"
There's a heap of other settings you'll probably end up tweaking, but nothing specific to getting Exchange going (others have integrated it with Active Directory but I haven't bothered as I don't need it). You might want to review the inline signature settings, message size, allow password protected archives, adding other RBLs, greylisting (so good), the list goes on. Poke around.

Once you think you've got it right then manually test the config, once you're happy then yes, you'll need to point port 25 to EFA (10.10.10.4). It'll filter, block/tag where appropriate and then deliver to Exchange.

Best also if you can train SpamAssassin's Bayes database. Check my first ever post regarding that. You can do this as you collect samples (so after EFA is implemented), but beware EFA/SpamAssassin won't block as much as you'd like without a fair few hundred samples in the DB. I'm constantly reviewing suspect spam and adding it to SA.
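
An added example, not part of the post above and not eFa or MailScanner code: a Python check for step 5 that flags filename.rules.conf lines whose fields are separated by spaces instead of tabs, and reports which rule a given filename hits first. The sample rules are constructed; the four-field layout, case-insensitive matching and first-match-wins order are assumptions about MailScanner's behaviour, and Python's regex engine stands in for Perl's.

```python
import re

# Constructed sample of /etc/MailScanner/filename.rules.conf, not from a real system.
# Assumed layout per rule: action<TAB>regex<TAB>log text<TAB>user report text.
SAMPLE_RULES = (
    "# comments and blank lines are skipped\n"
    "allow\t\\.ics$\t-\t-\n"
    "deny\t.{150,}\tVery long filename\tVery long filenames are blocked\n"
    "deny   \\.scr$   Screensaver   Screensavers are blocked\n"  # spaces, not tabs
)


def parse_rules(text):
    """Return (rules, problems); rules are (line_no, action, compiled_regex)."""
    rules, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f for f in re.split(r"\t+", line.strip()) if f]
        if len(fields) != 4:
            problems.append((no, "expected 4 tab-separated fields, found %d" % len(fields)))
            continue
        try:
            # Assumption: MailScanner matches filenames case-insensitively.
            rules.append((no, fields[0].lower(), re.compile(fields[1], re.IGNORECASE)))
        except re.error as exc:
            problems.append((no, "bad regex: %s" % exc))
    return rules, problems


def first_match(rules, filename):
    """Assumed first-match-wins order: return (line_no, action) or None."""
    for no, action, rx in rules:
        if rx.search(filename):
            return no, action
    return None


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for no, msg in problems:
        print("line %d: %s" % (no, msg))
    for name in ("invite.ics", "x" * 160 + ".ics", "report.pdf"):
        print(name[:20], "->", first_match(rules, name))
```

Run against a copy of the real file by passing its contents to parse_rules; an allow rule placed below a deny rule that also matches the filename will show up as a deny in first_match.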