Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-08-24

IP Allow List Providers is part of the connection filtering feature in Exchange. When the IP Allow List Providers feature is enabled on a computer, the Connection Filter agent queries the specified IP Allow List provider services to determine if the messaging server that has initiated the connection is a host that can be relied on to not send spam.

This topic explains how to use the EMC or the Shell to manage the IP Allow List Providers feature.

Note:
Connection filtering is part of the suite of anti-spam features in Exchange. The anti-spam features are only available on Edge Transport servers by default. You can enable anti-spam features on a Hub Transport server even though it isn't recommended. To learn more about enabling anti-spam features on a Hub Transport server, see Enable Anti-Spam Functionality on a Hub Transport Server. The procedures listed in this topic are for configuring anti-spam functionality on an Edge Transport server, but the process is identical on Hub Transport servers.
Note:
Make sure that the IP Allow list that you want to add does not contain more than 1,000 entries. The IP allow list cannot contain more than 1,000 entries because of a limitation in byte size that applies to this field. Instead, use IP address ranges if more than 1,000 entries are required.

What Do You Want to Do?

Use the EMC to manage IP Allow List provider services

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

  1. In the console tree, click Edge Transport.

  2. In the result pane, click the Edge server you want to configure and then select the Anti-spam tab in the work pane.

  3. Right-click IP Allow List Providers and then select Properties.

  4. The General tab displays the following information about the IP Allow List Providers feature.

    • Status   Shows whether the IP Allow List Providers feature is enabled or disabled.

    • Modified   Shows the date and time when IP Allow List Providers properties were last modified.

    • Description   Provides a brief description of the IP Allow List Providers feature.

  5. Use the Providers tab to manage the IP Allow List provider services for the local computer. We recommend that you put the most reliable IP Allow List provider service first to optimize performance. If the Connection Filter agent receives an IP Allow list match from one of the providers, it stops querying other IP Allow List provider services.

    • Add   Click Add to add a new IP Allow List provider service. In the dialog that appears, configure the following options:

      Provider name   Type the name of the IP Allow List provider service. This name is for your own use to identify the provider.

      Lookup domain   Type the domain name that the Connection Filter agent queries for updated IP Allow list information.

      Return status codes   This field shows the IP address status code that is returned by the IP Allow List provider service. If the IP address of a remote server that is sending a message matches an IP address on an IP Allow List provider service's IP Allow list, the provider service may return different types of codes. Most IP Allow List provider services return either a bitmask or absolute value code type.

      Match any return code   When you select this option, the Connection Filter agent treats any IP Address status code that is returned by the IP Allow List provider service as a match.

      Match specific mask and responses   When you select this option, the Connection Filter agent acts only on messages that match the IP Address status code that is returned by the IP Allow List provider service.

      Providers that return bitmask status codes may return a status code of 127.0.0.x, where the integer x is any one of the following values:

      1: The IP address is on an IP Allow list.

      2: The Simple Mail Transfer Protocol (SMTP) server is configured to act as an open relay.

      4: The IP address supports a dial-up IP address.

      Providers that return absolute values and the explicit responses may return one of the following responses:

      127.0.0.2: The IP address is a direct spam source

      127.0.0.4: The IP address is a bulk mailer

      127.0.0.5: The remote server that is sending the message is known to support multistage open relays.

      Match to the following mask   Type the bitmask status code you want to use.

      Match any of the following responses   Type the responses you want to use and then click Add. To modify a previously added response, select the response and click Edit. To remove a previously added response, select the response and click Remove icon.

    • Edit   To view or update settings for an IP Allow List provider, select a provider, and then click Edit.

    • Remove   To delete an IP Allow List provider, select the provider, and then click Remove icon.

    • Enable   To enable a disabled IP Allow List provider, select the provider, and then click Enable.

    • Disable   To stop using the selected IP Allow List provider, but retain the provider information, click Disable.

    • Up arrow   To move a provider higher in the Provider name list, select the provider, and then click Up arrow. The up arrow is enabled only when there is more than one provider in the Provider name list.

    • Down arrow   To move a provider lower in the Provider name list, select the provider, and then click Down arrow. The down arrow is enabled only when there is more than one provider in the Provider name list.

Use the Shell to manage IP Allow List provider services

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Anti-spam features" entry in the Transport Permissions topic.

You use the Add-IPAllowListProvider, Set-IPAllowListProvider, and Remove-IPAllowListProvider cmdlets to manage the IP Allow List provider services you use in your organization.

The following example adds a new IP Allow List provider called "Contoso IP Allow List Provider", and configures it to match any return code:

Copy Code
Add-IPAllowListProvider -Name "Contoso IP Allow List Provider" -LookupDomain "contoso.com" -AnyMatch $true

The following example configures the same IP Allow List provider to be the top preferred provider:

Copy Code
Set-IPAllowListProvider "Contoso IP Allow List Provider" -Priority 1

For detailed syntax and parameter information, see the following topics: