Adding DMARC support to Exchange

Spammers can sometimes forge the “From” address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Hexamail supports DMARC, which gives domain owners more control over what recipient domains do with spam emails from your domain. Hexamail software allows you to follow the DMARC.org standard and decide how recipient domains treat unauthenticated emails coming from your domain. You can publish a policy telling recipient domains and other participating email providers how to handle unauthenticated messages sent from your domain. By defining a policy, you can help combat phishing to protect users and your reputation.

Let’s break the guide into some easy steps:

To add DMARC support to Exchange 2k – Exchange 2013 you need to do the following:

  1. Download and install a Hexamail Gateway product like Hexamail Guard or Hexamail Nexus
  2. Enable the Secure module
  3. Configure an Outbound Send Connector in Exchange to send email out via the Hexamail SMTP gateway
  4. Configure your DMARC settings for your domain.

Setting up SPF

SPF is the Sender Policy Framework. This is one of the two mechanisms used by DMARC to help verify email from your domain. It is implemented by creating a simple DNS record that tells other domains which servers can legitimately send email with a From address containing your domain. You just need to know all the servers, other domains and mail servers that may need to send email using your domain's email addresses.

Creating the SPF record for your domain

Hexamail software (the spam blocker module) includes a wizard to help you create the SPF record you need to add through your DNS management console.

Setting up DKIM

DKIM is DomainKeys Identified Mail. It involves signing your outbound email with a special signature in the header that guarantees the message was sent through your server and has not been tampered with or modified since leaving your server. This is the second mechanism used by DMARC to help verify that email is genuinely from your domain. The system uses cryptographic keys to sign and verify the email. Your private key is generated on your server and signs all outbound email, and the public key is published as a DNS record through your DNS management console so that others can verify your signed email.

Managing DKIM keys for your domain

Hexamail software (the secure module) includes a management interface that lets you generate and manage your signing keys. You can have multiple signing keys with different parameters. This lets you test a key, have keys that expire after a certain time, or use specific keys for specific email subdomains or email addresses.

Generating a DKIM key for your domain

You need at least one key set up to start using DMARC. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.

Creating a DKIM ADSP record for your domain

ADSP is Author Domain Signing Practices. This has largely been replaced by DMARC now. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.

Setting up DMARC

Next you need to create a DMARC DNS record instructing other domains how to verify email from your domain and what to do with spoofed or fraudulent email.

Creating a DNS record for DMARC

The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to perform DMARC processing on email from your domain.
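
The SPF, DKIM and DMARC records described above can be sanity-checked as plain strings before you paste them into your DNS management console. The following Python sketch is an added example, not Hexamail code or output from its wizards; the function names are hypothetical, the record strings you pass in are your own, and the SPF lookup count covers only the terms in the record itself, not nested includes.

```python
"""Added example: lint SPF, DKIM and DMARC TXT record strings before publishing.
All function names are hypothetical; this is not Hexamail code."""
import base64
import re

# SPF terms that make the receiver do a DNS query (RFC 7208 allows 10 in total).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split DKIM/DMARC 'tag=value; tag=value' syntax into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def lint_spf(txt_records):
    """txt_records: every TXT string published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings = []
    terms = [t.lower() for t in spf[0].split()[1:]]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' or redirect: unlisted senders get a neutral result")
    for term, name in zip(terms, names):
        if name == "all" and term[0] not in "-~":
            findings.append(f"'{term}' does not fail or softfail unlisted senders")
    lookups = sum(name in SPF_LOOKUP_TERMS for name in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: receivers return permerror")
    return findings


def lint_dkim(record):
    """record: the TXT string published at <selector>._domainkey.<domain>."""
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    key = "".join(tags.get("p", "").split())  # tolerate wrapped key text
    if "p" not in tags:
        findings.append("no p= tag: the record carries no public key")
    elif not key:
        findings.append("empty p=: the key for this selector is revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:
            findings.append("p= is not valid base64 (copy/paste or wrapping error)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: key is in testing mode; remove the flag after testing")
    return findings


def lint_dmarc(record):
    """record: the TXT string published at _dmarc.<domain>."""
    tags = parse_tags(record)
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["record must start with v=DMARC1 or receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none: monitoring only, unauthenticated mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    return findings


if __name__ == "__main__":
    # Constructed sample records for the placeholder domain example.com.
    print(lint_spf(["v=spf1 mx ip4:192.0.2.10 +all"]))
    print(lint_dkim("v=DKIM1; k=rsa; t=y; p=Y29uc3RydWN0ZWQ="))
    print(lint_dmarc("v=DMARC1; p=none"))
```

An empty list from each function means none of these common publishing mistakes was found; it does not replace the end-to-end verification described in the next section.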

Verifying your DMARC setup

Finally, you should verify your DMARC setup. To do this, send an email from your domain to one of the many DMARC verification services or to a Gmail account. The verification services usually send a reply containing the DMARC, SPF and DKIM test results in detail.

Unlock the Inbox can verify your DMARC setup if you send an email to this address: mailtest@unlocktheinbox.com
Returnpath can verify your DMARC setup if you send an email to this address: checkmyauth@auth.returnpath.net

There are also many other deployment tools and verification services listed at DMARC.org.

Gmail will add an email header to all received email stating the authentication results for DMARC, SPF and DKIM. Just view the “original message” in the Gmail inbox and you can read all the headers.
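
The header Gmail adds is Authentication-Results. The following Python sketch is an added example (not part of the original post or of any Hexamail tool) that reads the SPF, DKIM and DMARC verdicts from a saved message and reports whether each passing identity is aligned with the From domain. The sample message, the helper names and the default authserv-id `mx.google.com` are assumptions, and alignment is approximated by a suffix match rather than a full organizational-domain lookup.

```python
"""Added example: read SPF/DKIM/DMARC verdicts from a received message.
Helper names are hypothetical; the sample message below is constructed."""
import re
from email import message_from_string

# Constructed sample: the second header was supplied by the sending side
# and must not be trusted by the reader.
SAMPLE = """\
Delivered-To: tester@gmail.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.example.com header.s=sel1 header.b=AbCd1234;
       spf=pass (google.com: domain of bounce@relay.example.net designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@relay.example.net;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Authentication-Results: mail.sender.example; dmarc=fail header.from=example.com
From: Alice <alice@example.com>
Subject: DMARC test

body
"""


def parse_authentication_results(raw_message, trusted_authserv_id):
    """Return {method: {"result": ..., property: value}} from the first
    Authentication-Results header written by the receiver you trust."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", value)            # drop comments
        parts = [" ".join(p.split()) for p in value.split(";")]
        if parts[0].split(" ")[0].lower() != trusted_authserv_id.lower():
            continue                                         # written by someone else
        results = {}
        for part in parts[1:]:
            match = re.match(r"(\w+)=(\w+)(.*)", part)
            if not match:
                continue
            method, result, rest = match.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
            results.setdefault(method.lower(), {"result": result.lower(), **props})
        return results
    return {}


def domain_of(value):
    """'user@host', '@host' or 'host' -> 'host' (lower case)."""
    return value.rsplit("@", 1)[-1].lower().rstrip(".")


def aligned(auth_domain, from_domain):
    """Approximate relaxed alignment: same domain or parent/child of it."""
    a, f = domain_of(auth_domain), domain_of(from_domain)
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))


def summarize(raw_message, trusted_authserv_id="mx.google.com"):
    res = parse_authentication_results(raw_message, trusted_authserv_id)
    spf, dkim, dmarc = (res.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    from_domain = dmarc.get("header.from", "")
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "")
    return {
        "spf": spf.get("result", "missing"),
        "dkim": dkim.get("result", "missing"),
        "dmarc": dmarc.get("result", "missing"),
        "spf_aligned": spf.get("result") == "pass"
        and aligned(spf.get("smtp.mailfrom", ""), from_domain),
        "dkim_aligned": dkim.get("result") == "pass"
        and aligned(dkim_domain, from_domain),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the constructed sample SPF passes for an unrelated bounce domain, so DMARC passes only because the DKIM signing domain is aligned with the From domain.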


Using DNSBL in Exchange 2013

In order to use an RBL with Exchange 2013, it's best to use Hexamail to provide antispam for Exchange 2013.

This has several advantages over any built in antispam protection in Exchange:

  1. Hexamail blocks spam before it reaches Exchange, so that email never burdens Exchange
  2. It offers various options per blocklist, such as allow, weight, block and reject so you can configure each blocklist to be as aggressive as you wish
  3. Blocked spam appears in a web based quarantine allowing the admin or users to unblock and whitelist in a single click if required
  4. Blocked spam never reaches Exchange or Outlook so no scripts or malicious links can be activated by end users
  5. Configuration is via a full Windows GUI that allows clear configuration of each list and the action it performs rather than using a complicated command line interface (Powershell)

Hexamail DNSBL support is shown in the screenshot below:

[Screenshot: ip]

DNSBLs can be used not only for the sending IP address (or IP address in the email headers) but also to reject sender email address domains:

[Screenshot: sender]

And also any links (URL hostnames) contained in the contents:

[Screenshot: urlhost]

In every case the email can be allowed, weighted, blocked or rejected/deleted based on the matching list found.

Hexamail can be installed on the same server as Exchange or on another, separate server. Installation is controlled by a really simple to use setup wizard that automatically integrates with Exchange if it is installed on the same machine.

You can download a trial of Hexamail Guard here

Managing Message Size Limits

 Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

This topic describes the message size limits that you can apply to individual messages that traverse the Microsoft Exchange Server 2007 organization. You can restrict the total size of a message or the size of the individual components of a message, such as the message header, the message attachments, and the number of recipients. You can apply limits globally for the whole Exchange 2007 organization, or specifically for a particular connector or user object.

As you plan the message size limits for your Exchange 2007 organization, consider the following questions:

  • What size limits should I impose on all incoming messages?
  • What size limits should I impose on all outgoing messages?
  • Does my Exchange 2007 organization have a mailbox quota?
  • How do the message size limits that I have chosen relate to the mailbox quota size?
  • Are there special users in my Exchange 2007 organization who must send or receive messages that are larger than the specified allowed size?
  • Does my Exchange 2007 network topology include other messaging systems or distinctly separate business units that have different message size limits?

The size limits that are available for individual messages can be divided into the following basic categories:

  • Message header size limits   These limits apply to the total size of all message header fields that are present in a message. The size of the message body or attachments is not considered. Because the header fields are plain text, the size of the header is determined by the number of characters in each header field, and by the total number of header fields. Each character of text consumes 1 byte.
    Note:
    Some third-party firewalls or proxy servers apply their own message header size limits. These third-party firewalls or proxy servers may have difficulty processing messages that contain attachment file names that are greater than 50 characters, or attachment file names that contain non-US-ASCII characters.
  • Message size limits   These limits apply to the total size of a message. This includes the message header, the message body, and any attachments. Message size limits may be imposed on incoming messages or outgoing messages. For internal message flow, Exchange 2007 uses the custom X-MS-Exchange-Organization-OriginalSize: message header to record the original message size of the message as it enters the Exchange 2007 organization. Whenever the message is checked against the specified message size limits, the lower value of the current message size or the original message size header is used. The size of the message can change because of content conversion, encoding, and agent processing.
  • Attachment size limits   These limits apply to the maximum allowed size of a single attachment within a message. The message may contain many attachments that greatly increase the overall size of the message. However, an attachment size limit would apply to the size of an individual attachment only.
  • Recipient limits   These limits apply to the total number of message recipients. When a message is first composed, the recipients exist in the To:, Cc:, and Bcc: header fields. When the message is submitted for delivery, the message recipients are converted into RCPT TO: entries in the message envelope. A distribution group is counted as a single recipient during message submission.

The scope of the limits that are available for individual messages can be divided into the following basic categories:

  • Organizational limits   These limits apply to all Exchange 2007 servers that exist in the organization. The specified message limits apply to all Exchange 2007 servers that have the Hub Transport server role installed. On an Edge Transport server, the specified limits apply to the specific server.
  • Global limits   These limits apply to all Exchange 2007 and Exchange Server 2003 servers that exist in the organization. The global message limits are stored in the Active Directory directory service.
    In the release to manufacturing (RTM) version of Microsoft Exchange Server 2007, it is common for the organization limits and the global limits to conflict. When the organizational limits and the global message limits conflict, the lowest value takes precedence. In Exchange 2007 RTM, you must use Exchange System Manager on an Exchange 2003 server or the Active Directory Service Interfaces (ADSI) Edit tool to modify global message limits. For more information, see How to Modify Exchange 2003 Global Message Size Limits in Exchange 2007 RTM.
    In Microsoft Exchange Server 2007 Service Pack 1 (SP1), the condition that causes the organization limits and the global limits to conflict has been eliminated. Changes that you make to the organizational limits are automatically copied to the corresponding global limits. In Exchange 2007 SP1, you can modify the organizational limits by using the Set-TransportConfig cmdlet in the Exchange Management Shell, or by configuring the Hub Transport server organization configuration properties in the Exchange Management Console.
  • Connector limits   These limits apply to any messages that use the specified Send connector, Receive connector, or Foreign connector for message delivery. Connectors are defined on Hub Transport servers or Edge Transport servers.
    In Exchange 2007 SP1, you can also set message size limits on the following types of connections:

    • Active Directory site links   Hub Transport servers use Active Directory sites and the costs that are assigned to the Active Directory IP site links to determine the least cost routing path from each Hub Transport server in the organization to every other Hub Transport server in the organization. You can use the Set-AdSiteLink cmdlet to assign an Exchange-specific cost to the Active Directory IP site link. The Exchange-specific cost is a separate attribute that is used instead of the Active Directory-assigned cost to determine the least cost routing path. Any message size limits that are specified on an Active Directory site link don’t affect the selection of the least cost routing path. Any messages that exceed the maximum message size limit on any Active Directory site link included in the least cost routing path won’t be delivered, and will generate a delivery status notification (DSN) that has the value 5.3.4. For more information about message routing in Exchange 2007, see Planning to Use Active Directory Sites for Routing Mail.
    • Routing group connectors   A routing group connector is used to send and receive messages between Exchange 2007 Hub Transport servers and Exchange 2003 or Exchange 2000 bridgehead servers when the organization is running more than one version of Exchange Server. Any message size limits that are specified on a routing group connector don’t affect the selection of the least cost routing path. Any messages that exceed the maximum message size limit on any routing group connector in the least cost routing path won’t be delivered. They will generate a DSN that has the value 5.3.4. For more information about routing group connectors, see Message Routing in a Coexistence Environment.

    For more information about message size limits on Active Directory site links and routing group connectors in Exchange 2007 SP1, see How to Configure Message Size Limits for Internal Routing.

  • Server limits   These limits apply to a specific Hub Transport server or Edge Transport server. The specified message limits are not stored in the Active Directory directory service. You can set the specified message limits independently on each Hub Transport server or Edge Transport server.
    Message size limits can apply to Microsoft Office Outlook Web Access on a Client Access server. For more information, see How to Manage Maximum Message Size in Outlook Web Access.
  • User limits   These limits apply to a specific user object, such as a mailbox, contact, distribution group, or public folder.

The following table shows the organizational limits.

Organizational limits

Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Set-TransportConfig | MaxReceiveSize | Unlimited | 10 MB
Set-TransportConfig | MaxSendSize | Unlimited | 10 MB
Set-TransportConfig | MaxRecipientEnvelopeLimit | Unlimited | 5000
Transport rule on a Hub Transport server that applies to all Hub Transport servers in the organization | AttachmentSizeOver | Not configured | Not configured

The following table shows the global limits.

Global limits

Source | Property | Default value
Active Directory | delivContLength in Active Directory; Incoming message size in Exchange System Manager Global Settings in Exchange 2003 | 10240 KB (10 MB)
Active Directory | submissionContLength in Active Directory; Outgoing message size in Exchange System Manager Global Settings in Exchange 2003 | 10240 KB (10 MB)
Active Directory | msExchRecipLimit in Active Directory; Maximum number of recipients in Exchange System Manager Global Settings in Exchange 2003 | 5000

In Exchange 2007 RTM, the initial values of the global limits differ from the default values only when the organization was upgraded from Exchange 2003, and a numeric value was specified for Incoming message size, Outgoing message size, or Maximum number of recipients. The numeric value is preserved after the upgrade to Exchange 2007 RTM.

In Exchange 2007 RTM, any changes that you make to an organizational limit by using the Set-TransportConfig cmdlet are never copied to the corresponding global limit. In Exchange 2007 RTM, you must use Exchange System Manager on an Exchange 2003 server or the ADSI Edit tool to modify global message limits. For more information, see How to Modify Exchange 2003 Global Message Size Limits in Exchange 2007 RTM. We recommend that you set the global limits and the corresponding organization limits to the same values.

The following list describes the conditions that cause the initial values of the global limits to differ from the default values in Exchange 2007 SP1:

  • The existing numeric values of delivContLength, submissionContLength, or msExchRecipLimit are preserved for the following circumstances:
    • The organization was upgraded from Exchange 2007 RTM and the corresponding organizational limit values that are specified by the MaxReceiveSize parameter, the MaxSendSize parameter, or the MaxRecipientEnvelopeLimit parameter on the Set-TransportConfig cmdlet were set to Unlimited.
    • The organization was upgraded from Exchange 2003, and a numeric value was specified for Incoming message size, Outgoing message size, or Maximum number of recipients.
  • The values of delivContLength, submissionContLength, or msExchRecipLimit are changed to match the values of the corresponding organizational limits that are specified by the MaxReceiveSize parameter, the MaxSendSize parameter, or the MaxRecipientEnvelopeLimit parameter on the Set-TransportConfig cmdlet when all the following conditions are true:
    1. The organization was upgraded from Exchange 2007 RTM to Exchange 2007 SP1.
    2. A numeric value was specified for delivContLength, submissionContLength, or msExchRecipLimit.
    3. A different numeric value was specified for the corresponding organizational limit in the MaxReceiveSize parameter, the MaxSendSize parameter, or the MaxRecipientEnvelopeLimit parameter.

In Exchange 2007 SP1, you shouldn’t modify the global limits directly. In Exchange 2007 SP1, if you set a global limit to a different value than the corresponding organizational limit, you will generate event log errors. When you want to modify the organizational limits or the global limits in Exchange 2007 SP1, you should use the Set-TransportConfig cmdlet in the Exchange Management Shell or the Hub Transport organization configuration properties in the Exchange Management Console. When you modify an organizational limit in Exchange 2007 SP1, the new value is automatically copied to the corresponding global limit.

The following table shows the connector limits.

Connector limits

Source | Parameter | Version | Default value
Set-ForeignConnector | MaxMessageSize | Exchange 2007 RTM and Exchange 2007 SP1 | Unlimited
Set-ReceiveConnector | MaxHeaderSize | Exchange 2007 RTM and Exchange 2007 SP1 | 64 KB
Set-ReceiveConnector | MaxMessageSize | Exchange 2007 RTM and Exchange 2007 SP1 | 10 MB
Set-ReceiveConnector | MaxRecipientsPerMessage | Exchange 2007 RTM and Exchange 2007 SP1 | 200
Set-SendConnector | MaxMessageSize | Exchange 2007 RTM and Exchange 2007 SP1 | 10 MB
Set-AdSiteLink | MaxMessageSize | Exchange 2007 SP1 | Unlimited
Set-RoutingGroupConnector | MaxMessageSize | Exchange 2007 SP1 | Unlimited

The following table shows the server limits.

Server limits

Source | Parameter | Default value
Transport rule on an Edge Transport server that only applies to the specific server | AttachmentSizeOver | Not configured
Set-TransportServer on a Hub Transport server or Edge Transport server | PickupDirectoryMaxHeaderSize | 64 KB
Set-TransportServer on a Hub Transport server or Edge Transport server | PickupDirectoryMaxRecipientsPerMessage | 100
Outlook Web Access Web.config file on a Client Access server | maxRequestLength | 30000 KB

The following table shows the user limits.

User limits

Source | Parameter | Default value
Set-DistributionGroup | MaxReceiveSize, MaxSendSize | Unlimited
Set-DynamicDistributionGroup | MaxReceiveSize, MaxSendSize | Unlimited
Set-Mailbox | MaxReceiveSize, MaxSendSize, RecipientLimits | Unlimited
Set-MailContact | MaxReceiveSize, MaxSendSize, MaxRecipientPerMessage | Unlimited
Set-MailPublicFolder | MaxReceiveSize, MaxSendSize | Unlimited
Set-MailUser | MaxReceiveSize, MaxSendSize, RecipientLimits | Unlimited

You can set different message size limits for the same message component, such as the maximum message size, at different levels in the Exchange organization. When different message size limits are applied to the same message component, Exchange 2007 uses an order of precedence to enforce the message size limit that is imposed on the same message component.

For example, the recipient will receive a message that was sent by a particular sender if the following conditions are true:

  • An organization-wide send and receive message size limit of 10 MB is imposed on the Exchange 2007 organization.
  • A particular sender’s mailbox has a send message size limit of 20 MB.
  • The recipient’s mailbox has a receive message size limit of 20 MB.

Generally, it is better to maximize the restrictiveness of your message size limits. You should base any exceptions on a proven need to exceed the established size limits, and you should put those limits as close as possible to the objects that must exceed the established size limits. This strategy helps make sure that messages in the transport pipeline are rejected as early as possible if they violate message size limits. It is a waste of system resources to set a high message size limit at the Exchange organization level, allow a message to enter the Exchange organization, and then reject the message at the last stage of delivery because of a violation of a message size limit.
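
The late-rejection problem described above can be checked mechanically once the limits along a delivery path are written down in order. The following Python sketch is an added example, not Microsoft tooling; the function names are hypothetical, the order of the stages is an assumption you supply, and the model simply compares the listed limits without simulating how Exchange applies per-user exceptions.

```python
"""Added example: spot late-rejection windows in a chain of size limits.
Function names are hypothetical; stage order is supplied by the caller."""
import re

UNLIMITED = float("inf")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Turn '10 MB', '64KB' or 'Unlimited' into a byte count."""
    text = text.strip()
    if text.lower() == "unlimited":
        return UNLIMITED
    match = re.fullmatch(r"(\d+)\s*(B|KB|MB|GB)", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2).upper()]


def late_rejections(stages):
    """stages: ordered (name, limit_text) pairs, first checked stage first.

    Returns (stage_name, low, high) tuples: a message larger than `low` and
    no larger than `high` bytes passes every earlier stage and is rejected
    only when it reaches `stage_name`."""
    windows = []
    accepted_so_far = UNLIMITED
    for index, (name, limit_text) in enumerate(stages):
        limit = parse_size(limit_text)
        if index > 0 and limit < accepted_so_far:
            windows.append((name, limit, accepted_so_far))
        accepted_so_far = min(accepted_so_far, limit)
    return windows


if __name__ == "__main__":
    # Constructed scenario: an admin raised the Internet Receive connector to
    # 40 MB but left the SP1 organizational default of 10 MB in place.
    path = [
        ("Receive connector MaxMessageSize", "40 MB"),
        ("Organization MaxReceiveSize", "10 MB"),
        ("Recipient mailbox MaxReceiveSize", "Unlimited"),
    ]
    for name, low, high in late_rejections(path):
        print(f"{name}: messages between {low} and {high} bytes are rejected late")
```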

The tables in the following sections present scenarios that demonstrate how you can apply various message size limits in Exchange 2007 RTM and in Exchange 2007 SP1.

Scope Source Parameter Default value in Exchange 2007 RTM Default value in Exchange 2007 SP1
Edge Transport server Organization Transport configuration MaxSendSize Unlimited 10 MB
Note:
The MaxReceiveSize and MaxEnvelopeReceiveLimit parameters are not used on an Edge Transport server. Use the message size limits on the Send and Receive connectors that are configured on an Edge Transport server to control the size of messages processed by the server.

Anonymous senders are always subject to the message size limits on the Receive connector that accepts messages from the Internet.

The default value of the MaxRecipientsPerMessage setting on the Receive connector is 200 recipients. If the number of recipients is exceeded for an anonymous sender, the message is accepted for the first 200 recipients. Most SMTP messaging servers will detect that a recipient limit is in effect. The SMTP messaging server will continue to resend the message in groups of 200 recipients until the message is delivered to all recipients.

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Connector on Edge Transport server | Send connector | MaxMessageSize | 10 MB | 10 MB
Connector on Hub Transport server | Receive connector | MaxRecipientsPerMessage | 200 | 200
Connector on Hub Transport server | Receive connector | MaxMessageSize | 10 MB | 10 MB
Connector on Hub Transport server | Receive connector | MaxHeaderSize | 64 KB | 64 KB
Recipient | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxReceiveSize | Unlimited | Unlimited
All Hub Transport servers in the organization | Transport rule | AttachmentSizeOver | Not configured | Not configured
Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

An X-header that is named X-MS-Exchange-Organization-OriginalSize: is inserted into the message header. Any Hub Transport servers that are involved in the future delivery of the message will use this value for the message size. Conversion encoding and agent processing can increase the size of the message as it flows through the Exchange organization.

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Sender | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxSendSize | Unlimited | Unlimited
Recipient | Mail contact | MaxRecipientPerMessage | Unlimited | Unlimited
Recipient | Mailbox, Mail user | RecipientLimits | Unlimited | Unlimited
Recipient | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxReceiveSize | Unlimited | Unlimited
All Hub Transport servers in the organization | Transport rule | AttachmentSizeOver | Not configured | Not configured
Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

In Exchange 2007 SP1, you can set a maximum message size limit on an Active Directory site link or a routing group connector. For more information, see How to Configure Message Size Limits for Internal Routing.

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Sender | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxSendSize | Unlimited | Unlimited
Connector | Send connector | MaxMessageSize | 10 MB | 10 MB
Connector | Receive connector | MaxRecipientsPerMessage | 200 | 200
Connector | Receive connector | MaxMessageSize | 10 MB | 10 MB
Connector | Receive connector | MaxHeaderSize | 64 KB | 64 KB
Recipient | Mail contact | MaxRecipientPerMessage | Unlimited | Unlimited
Recipient | Mailbox, Mail user | RecipientLimits | Unlimited | Unlimited
Recipient | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxReceiveSize | Unlimited | Unlimited
All Hub Transport servers in the destination organization | Transport rule | AttachmentSizeOver | Not configured | Not configured
Destination Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Destination Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Destination Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

If a specific Receive connector is configured in the destination Active Directory forest to accept messages from the source Active Directory forest, that specific Receive connector should have the ExchangeServers permission group and the ExternalAuthoritative authentication method assigned. This permission group contains the Ms-Exch-Bypass-Message-Size-Limit permission that allows messages to flow through the Receive connector without checking the message size. The message is still subject to organization, transport server, sender, and recipient limits that are defined in the destination Active Directory forest.

For more information, see Configuring Cross-Forest Connectors.

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Sender | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxSendSize | Unlimited | Unlimited
Recipient | Mail contact | MaxRecipientPerMessage | Unlimited | Unlimited
Recipient | Mailbox, Mail user | RecipientLimits | Unlimited | Unlimited
Recipient | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxReceiveSize | Unlimited | Unlimited
All Hub Transport servers in the organization | Transport rule | AttachmentSizeOver | Not configured | Not configured
Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Sender | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxSendSize | Unlimited | Unlimited
All Hub Transport servers in the organization | Transport rule | AttachmentSizeOver | Not configured | Not configured
Connector | Foreign connector | MaxMessageSize | 10 MB | 10 MB
Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Server | Transport server | PickupDirectoryMaxHeaderSize | 64 KB | 64 KB
Server | Transport server | PickupDirectoryMaxRecipientsPerMessage | 100 | 100
Server | Transport rule | AttachmentSizeOver | Not configured | Not configured
Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

Scope | Source | Parameter | Default value in Exchange 2007 RTM | Default value in Exchange 2007 SP1
Server | Transport Rule | AttachmentSizeOver | Not configured | Not configured
Organization | Transport configuration | MaxReceiveSize | Unlimited | 10 MB
Organization | Transport configuration | MaxRecipientEnvelopeLimit | Unlimited | 5000
Organization | Transport configuration | MaxSendSize | Unlimited | 10 MB

Scope | Source | Parameter | Default value in Exchange 2007 RTM and Exchange 2007 SP1
Sender | Distribution group, Dynamic distribution group, Mailbox, Mail contact, Mail-enabled public folder, Mail user | MaxSendSize | Unlimited
Connector on Hub Transport server | Send connector | MaxMessageSize | 10 MB
Connector on Edge Transport server | Receive connector | MaxRecipientsPerMessage | 200
Connector on Edge Transport server | Receive connector | MaxMessageSize | 10 MB
Connector on Edge Transport server | Receive connector | MaxHeaderSize | 64 KB

Scope Source Parameter Default value in Exchange 2007 RTM Default value in Exchange 2007 SP1
Edge Transport server Organization Transport configuration MaxSendSize Unlimited 10 MB
Note:
The following parameters are not used on an Edge Transport server. Use the message size limits on the Send and Receive connectors that are configured on an Edge Transport server to control the size of messages processed by the server.
  • MaxReceiveSize
  • MaxEnvelopeReceiveLimit

The following list shows the types of messages that are generated by a Hub Transport server or an Edge Transport server and exempted from all message size limits:

  • System messages
  • Agent-generated messages
  • Delivery status notification (DSN) messages
  • Journal report messages
  • Quarantined messages

However, these messages are still subject to the organizational MaxRecipientEnvelopeLimit that is configured by using the Set-TransportConfig cmdlet in the Exchange Management Shell.

The primary difference in message size limits between Microsoft Exchange Server 2003 and Exchange Server 2007 is in the handling of recipient limits. Exchange 2007 treats a distribution group as one recipient. Exchange 2003 treats each member of the expanded distribution list as one recipient. This change was implemented to avoid the partial message delivery scenarios that may occur in Exchange 2003.

Partial message delivery occurs in Exchange 2003 if the number of individual recipients and the recipients that are contained within the distribution list exceeds the specified recipient limit. The total number of message recipients isn’t known until after distribution list expansion. Message delivery occurs as the distribution list is expanded until the number of recipients reaches the specified limit. The remaining recipients don’t receive the message, but at least the sender receives a non-delivery report (NDR) for each unsuccessful delivery. However, if delivery failure reporting is disabled for the distribution list, the remaining recipients wouldn’t receive the message, and the sender would not know who didn’t receive the message.

Setting Message Size Limits in Exchange 2010 and Exchange 2007

Message size limits are an important mechanism to control mailbox sizes, guarantee service availability, and protect against potential DoS attacks. A commonly asked question concerns messages that cannot be sent even though they are apparently within the maximum sizes configured. Let’s take a look at the message size settings in different places in Exchange 2010 and Exchange 2007.

1. Organizational limits

The organizational send and receive size limits apply to all Exchange servers in the Organization. The default is 10MB.

You can modify the organizational message size limits using the Set-TransportConfig cmdlet from the Exchange shell:

Set-TransportConfig -MaxReceiveSize 40MB -MaxSendSize 40MB

In Exchange 2007 SP1 and later, you can also set the organizational message size limits using the EMC by going to Organization Configuration | Hub Transport | Global Settings tab | Transport Settings | Properties | General tab.

Figure 1: Setting the organizational message size limits from the Global Settings tab in the EMC in Exchange 2007 SP1 and later

2. Receive Connector limit

Unlike Exchange SMTP Virtual Servers in Exchange Server 2003/2000, Exchange 2007's Receive Connectors are only used to receive messages. The maximum message size limit can be different on different Receive Connectors on a Hub Transport or Edge Transport server. For example, a Receive Connector for inbound Internet mail may have lower message size limits, but you may want to allow larger messages on a Receive Connector for authenticated senders or partners.

To modify the maximum message size on a Receive Connector using the Exchange console, select Server Configuration | Hub Transport | select a Hub Transport server | Receive Connectors | select a connector | Properties | General tab.

Figure 2: Setting the maximum message size on a Receive Connector

To set the Receive Connector limit using the shell:

Set-ReceiveConnector "CONNECTOR NAME" -MaxMessageSize 40MB

What’s a Unique Binding for a Receive Connector?

Exchange 2010 and Exchange 2007's definition of a unique binding for a Receive Connector is different from that of Exchange 2003/2000.

Whereas the latter considers a unique combination of an IP address + TCP port number as a unique binding, and does not allow another SMTP Virtual Server to be bound to the same combination of IP address + port number, Exchange 2010/2007 view a combination of IP address + port number + RemoteIPRanges as unique. This allows you to create a Receive Connector using the same IP address + port number, but using different RemoteIPRanges to specify the remote hosts that can connect to it. For example, you can create a Receive Connector for a set of remote hosts and specify a different message size to allow those hosts to send larger messages, or to restrict them to smaller messages.

3. Send Connector limit

Send Connectors are used for sending outbound messages to the internet or particular address spaces (domains). Edge Transport servers also have a Send Connector to send inbound messages to Hub Transport servers in an AD Site. To modify the maximum message size on Send Connectors, select Organization Configuration | Hub Transport | Send Connectors | select a connector | Properties | General tab.

Figure 3: Setting the maximum message size on a Send Connector

To set the Send Connector limit using the shell:

Set-SendConnector "CONNECTOR NAME" -MaxMessageSize 40MB
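The three places described above can disagree, which is the usual reason a message "within the limit" is still rejected. The following audit script is an added example, not part of the original article: it lists every Receive and Send Connector next to the organizational limit and shows the smaller value, which is the one that governs. The function names are hypothetical, and the script assumes the Exchange Management Shell and the size text formats named in its first comment.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007/2010).
# Assumption: sizes render as "40MB", "40 MB (41,943,040 bytes)" or "unlimited".
function ConvertTo-ByteCount($Size) {
    $text = "$Size"
    if ($text -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    if ($text -match '^\s*([\d.]+)\s*(KB|MB|GB|TB|B)\b') {
        $scale = @{ B = 1; KB = 1KB; MB = 1MB; GB = 1GB; TB = 1TB }
        return [int64]([double]$Matches[1] * $scale[$Matches[2]])
    }
    return $null   # "unlimited" (or unrecognised text) means no limit is set
}

function Format-Limit($Bytes) {
    if ($Bytes -eq $null) { 'unlimited' } else { '{0:N1} MB' -f ($Bytes / 1MB) }
}

# Hypothetical helper: one report row comparing a connector with the organization.
function New-LimitRow($Direction, $Name, $ConnectorBytes, $OrgBytes) {
    $row = '' | Select-Object Direction, Connector, ConnectorLimit, OrgLimit, Effective, Note
    $row.Direction = $Direction; $row.Connector = $Name
    $row.ConnectorLimit = Format-Limit $ConnectorBytes
    $row.OrgLimit = Format-Limit $OrgBytes
    # A message has to pass every limit on its path, so the smallest one governs.
    $effective = $ConnectorBytes
    if ($effective -eq $null -or ($OrgBytes -ne $null -and $OrgBytes -lt $effective)) {
        $effective = $OrgBytes
    }
    $row.Effective = Format-Limit $effective
    if ($ConnectorBytes -eq $null) {
        $row.Note = 'connector has no limit of its own'
    } elseif ($OrgBytes -ne $null -and $ConnectorBytes -gt $OrgBytes) {
        $row.Note = 'connector value exceeds the organizational limit'
    }
    $row
}

function Get-ConnectorLimitReport {
    $org = Get-TransportConfig
    $orgIn = ConvertTo-ByteCount $org.MaxReceiveSize
    $orgOut = ConvertTo-ByteCount $org.MaxSendSize
    Get-ReceiveConnector | ForEach-Object {
        New-LimitRow 'Receive' "$($_.Identity)" (ConvertTo-ByteCount $_.MaxMessageSize) $orgIn
    }
    Get-SendConnector | ForEach-Object {
        New-LimitRow 'Send' "$($_.Identity)" (ConvertTo-ByteCount $_.MaxMessageSize) $orgOut
    }
}

Get-ConnectorLimitReport | Sort-Object Direction, Connector | Format-Table -AutoSize
```

Rows with a Note are the ones to review: an unlimited connector relies entirely on the organizational setting, and a connector value above the organizational limit has no effect until that limit is raised.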

How to set size limits for messages in Exchange Server 2000/2003

This article describes the different kinds of limits that you can set on message size in Microsoft Exchange 2000 Server and in Microsoft Exchange Server 2003. It also explains how you can set these limits.
Size limits for messages depend on various settings. Settings can vary across users. You can customize the settings for the Exchange 2000 or Exchange 2003 organization, a specific connector, a specific virtual server, and an individual user.
Senders may receive a non-delivery report (NDR) that is similar to the following example if their messages are larger than their size limits:

Your message did not reach some or all of the intended recipients.

Subject: Test
Sent: 7/18/2002 2:40 PM
The following recipient(s) could not be reached:
Test Recipient on 7/18/2002 2:41 PM
This message is larger than the current system limit or the recipient’s mailbox is full. Create a shorter message body or remove attachments and try sending it again.
<server.domain.com #5.2.3>

Global setting

This setting determines the maximum size of the messages in the Exchange 2000 organization; the messages can be incoming, outgoing, or internal.

To configure the global setting, follow these steps:

  1. Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Global Settings.
  3. Right-click Message Delivery, and then click Properties.
  4. Click the Default tab to configure the global settings.

Connector setting

The settings for each connector control the maximum size of outgoing messages that users can send through the connector.

To configure the connector settings, follow these steps:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups, and then expand Administrative Group Name, where Administrative Group Name is the name of your administrative group.
  3. Expand Routing Groups, and then expand Routing Group Name, where Routing Group Name is the name of your routing group.
  4. Expand Connectors, right-click the connector that you want to configure, and then click Properties.
  5. On the Content Restrictions tab, under Allowed sizes, click to select the Only messages less than (KB) check box, and then type the size (in KB) that you want to permit.

SMTP virtual server setting

This setting determines the maximum size of a message that is permitted to pass through a virtual server. The virtual server advertises the limit by means of the Extended Simple Mail Transfer Protocol (ESMTP) SIZE command verb (RFC 1870).

Note The protocol size restriction is meant to reject messages on boundaries with other e-mail systems. These restrictions are effective for individual servers and should not be used as methods to limit the message size in an Exchange enterprise server group. Administrators can set the message delivery option in the global settings to limit and to control the message size restriction across an organization that uses Exchange 2000 or Exchange 2003. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

326154 The OAB does not replicate if you set a message size restriction at the transport level

To configure the Simple Mail Transfer Protocol (SMTP) virtual server setting, follow these steps:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups, and then expand Your Administrative Group Name, where Your Administrative Group Name is the name of your administrative group.
  3. Expand Servers, and then expand Your Server Name, where Your Server Name is the name of your server.
  4. Expand Protocols, and then expand the SMTP node.
  5. Right-click SMTP Virtual Server Name, where SMTP Virtual Server Name is the name of your SMTP virtual server, and then click Properties.
  6. Click the Messages tab to set the maximum size that you want to permit.

User mailbox setting

This setting determines the maximum size of a message that users can send or receive through their mailboxes. User mailbox settings are enforced by the information store instead of by the message categorizer. The information store prevents an oversized message from being sent to Transport if the message size exceeds the user mailbox maximum message size setting.

To configure an individual user’s mailbox settings, follow these steps:

  1. Start the Active Directory Users and Computers snap-in, and then locate the user account that you want to configure.
  2. Right-click the user’s account, and then click Properties.
  3. Click the Exchange General tab, and then click Delivery Restrictions to set the maximum size that you want to permit.

Note The size of SMTP messages that are sent between routing groups and to the Internet increases by about 30 percent if they contain binary attachments or other 8-bit data.

Examples of effective size limits

Example 1

In this example, the following size limits have been configured:

  • The global setting is set to 5 MB.
  • The Exchange SMTP connector is set to 3 MB.
  • The SMTP virtual server is set to 4 MB.
  • The user mailbox setting is set to 2 MB.

Because of these settings, users in the Exchange 2000 or Exchange 2003 organization can send and receive messages that are a maximum of 5 MB. Users can send messages through the connector that are a maximum of 3 MB. All mail that passes through the SMTP Virtual Server (sending or receiving) is limited to 4 MB. The individual user, whose mailbox setting is 2 MB, is also limited to sending and receiving messages that are a maximum of 2 MB.

Example 2

In this example, the following size limits have been configured:

  • The global setting is set to 2 MB.
  • The Exchange 2000 SMTP connector is set to 5 MB.
  • The SMTP virtual server is set to 2 MB.
  • The user mailbox setting is set to 3 MB.

The global setting is 2 MB. Therefore, all the users who are using the default global setting in the Exchange 2000 Server organization or in the Exchange Server 2003 organization are limited to sending and receiving messages that are a maximum of 2 MB. If an individual user has a mailbox setting of 3 MB, that user overrides the global setting.

Note All Internet e-mail messages use the global setting for limits on sending and on receiving. The message categorizer evaluates the sender’s sending limit and the recipient’s receiving limit. In example 2 earlier, a user with a user mailbox limit of 3 MB could receive messages from another user with a 3-MB sending limit. Because Internet users use the global setting, they can send only a 2-MB message.