STEP 5 - Locking Down Exchange Connections

Created by Jason Carreiro, Modified on Mon, 14 Oct 2019 at 02:22 PM by Jason Carreiro

If your mail server accepts SMTP connections from any IP address, Proofpoint can be bypassed completely: spammers are known to record your server's address from old MX records and keep it for a long time, and they will keep attempting direct delivery to any server that is willing to accept it. We encourage you to lock down your firewall and/or mail server so that it accepts incoming messages only from the Proofpoint service. Locking down your environment ensures that all email is filtered by Proofpoint and that no spam destined for your network can circumvent the filtering service.

  • The best place to lock down your environment is your perimeter firewall: unwanted SMTP connections are dropped before they reach the server, so they consume no internal bandwidth or Exchange resources.
  • If you cannot lock down at the firewall, Exchange itself can restrict which remote IP addresses a receive connector accepts. Below are the instructions for each Exchange version.
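If the only firewall available is the Windows firewall on the Exchange host itself, the following added example (not part of the original article) restricts inbound TCP/25 there. Windows Defender Firewall has no "everyone except" syntax, and block rules override allow rules (including the allow rules Exchange setup creates), so the script builds one block rule whose remote-address list is the complement of the allowed ranges. It assumes Windows Server 2012 or later (the built-in NetSecurity module) and an elevated PowerShell session; the rule name is arbitrary, and only the two Proofpoint ranges named on this page are listed, so the remaining Proofpoint ranges must be appended before use.

```powershell
# Added example, not part of the original article: block inbound TCP/25 on the
# Exchange host from every address that is NOT in the allowed list, using a
# single Windows Defender Firewall block rule (block rules beat allow rules).
# Requires Windows Server 2012+ and an elevated shell.
# Assumption: only the two ranges named on this page are listed below.
$AllowedCidrs = @(
    '67.231.152.0/24',
    '67.231.153.0/24'
    # add the remaining Proofpoint CIDRs here
)
$RuleName = 'Block SMTP except Proofpoint'   # arbitrary name, assumption

function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> unsigned integer, accumulated in a 64-bit variable so the
    # octet arithmetic can never overflow a signed 32-bit int.
    [uint64]$n = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    return $n
}

function ConvertFrom-IpNumber ([uint64]$N) {
    # Unsigned integer -> dotted quad (network byte order).
    $bytes = [System.BitConverter]::GetBytes([uint32]$N)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-CidrBounds ([string]$Cidr) {
    # "a.b.c.d/len" -> first and last address of the block, as integers.
    $ip, $len = $Cidr.Split('/')
    [uint64]$size  = [math]::Pow(2, 32 - [int]$len)
    [uint64]$start = ConvertTo-IpNumber $ip
    $start = $start - ($start % $size)        # normalise a non-aligned network address
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Get-ComplementRanges ([string[]]$Cidrs) {
    # Walk the allowed blocks in address order and emit every gap between them
    # as "first-last"; the cursor absorbs overlapping or adjacent blocks.
    $blocks = $Cidrs | ForEach-Object { Get-CidrBounds $_ } | Sort-Object Start
    $gaps = @()
    [uint64]$cursor = 0
    foreach ($b in $blocks) {
        if ($b.Start -gt $cursor) {
            $gaps += ('{0}-{1}' -f (ConvertFrom-IpNumber $cursor), (ConvertFrom-IpNumber ($b.Start - 1)))
        }
        if ($b.End + 1 -gt $cursor) { $cursor = $b.End + 1 }
    }
    if ($cursor -le 4294967295) {
        $gaps += ('{0}-255.255.255.255' -f (ConvertFrom-IpNumber $cursor))
    }
    return $gaps
}

$Blocked = Get-ComplementRanges $AllowedCidrs
# With only the two ranges above this is:
#   0.0.0.0-67.231.151.255 and 67.231.154.0-255.255.255.255

# Remove any earlier copy of the rule so re-running the script is idempotent.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 25 -RemoteAddress $Blocked -Profile Any | Out-Null

# Print the rule's effective remote-address filter for the change record.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Because the rule is a block rule, it keeps working even if Exchange setup or a later update adds another allow rule for port 25; re-run the script whenever Proofpoint's published ranges change.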


Exchange 2013-16

    1-   In the Exchange admin center, in the left menu, click mail flow.

    2-   Next to Select server, specify the Exchange server to configure (if there is more than one), then in the top menu, click receive connectors.

    3-   On the receive connectors page, click the plus sign + to add a new connector. The new receive connector dialog box appears.



    4-    Provide the following information, then click next:

            . Name: Name for the receive connector

            . Server: Specify your Exchange server (if there is more than one)

            . Role: Hub Transport

            . Type: Internet


    5-    Under Network adapter bindings, leave the local address and port the server should listen on (port 25 for plain SMTP). Under Remote network settings, click the plus sign + and add each Proofpoint IP range the server is to accept, then click finish.

            Note: The wizard pre-populates Remote network settings with 0.0.0.0-255.255.255.255, which accepts mail from any address. Remove that entry (and any other existing entries) before you add the Proofpoint ranges.

    6-    After the receive connector is created, double-click it in the list.

    7-    The receive connector's properties appear. Click security.

    8-    Ensure that Transport Layer Security (TLS) under Authentication and Anonymous users under Permission groups are selected, then click save. Anonymous users must stay enabled because Proofpoint delivers mail without authenticating; it is the remote IP list, not authentication, that restricts who may connect.


    9-    If the change does not take effect, restart the Microsoft Exchange Frontend Transport and Microsoft Exchange Transport services.

    10-   Confirm that no other receive connector bound to port 25 on the server (such as the Default Frontend connector) still lists 0.0.0.0-255.255.255.255. Exchange hands each inbound connection to the connector whose remote IP range matches it most specifically, so a connector that still allows any address will continue to accept mail from senders that are not Proofpoint.



Earlier Exchange versions:


Exchange 2007-10

1. Open the Exchange Management Console.

2. Expand Server Configuration, and then select Hub Transport.

3. Select the receive connector you are using for port 25 traffic. Right-click it and select Properties.

4. Select the Network tab.

5. At the bottom, under "Receive mail from remote servers that have these IP addresses", click Add and then select IP.

6. Enter 67.231.152.0/24, then repeat to add the other 10 Proofpoint CIDRs.

7. By default the connector lists 0.0.0.0-255.255.255.255 as an allowed IP range; this opens the server up to anyone, so remove that entry once the Proofpoint ranges are in place.

These changes normally apply instantly with no need to restart any services. If they do not take effect, restart the Microsoft Exchange Transport service to force them, then test with telnet to port 25 from an address that is not in the allowed list: that connection should no longer be greeted with a 220 SMTP banner.
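The Exchange 2013-16 and Exchange 2007-10 procedures above can both be done from the Exchange Management Shell, which makes the change scriptable and auditable. The following is an added example, not part of the original article: it lists every connector bound to port 25, replaces the remote IP ranges on the default internet-facing connector (the 2007/2010 "Default <server>" Hub Transport connector or the 2013/2016 "Default Frontend <server>" connector), and then checks that no port-25 connector is still wide open. It assumes Exchange's default connector naming and lists only the two Proofpoint ranges named on this page; the remaining Proofpoint ranges must be appended before use.

```powershell
# Added example, not part of the original article: lock down the default
# port-25 receive connector from the Exchange Management Shell and verify that
# no other port-25 connector still accepts any sender.
# Assumptions: default connector names ("Default ..."); only the two ranges
# named on this page are listed below.
$ProofpointRanges = @(
    '67.231.152.0/24',
    '67.231.153.0/24'
    # add the remaining Proofpoint CIDRs here
)
$Server   = $env:COMPUTERNAME
$WideOpen = '0.0.0.0-255.255.255.255'

function Get-Port25Connectors ([string]$ServerName) {
    # Every receive connector on the server that has a binding on TCP/25.
    Get-ReceiveConnector -Server $ServerName |
        Where-Object { $_.Bindings | Where-Object { $_.Port -eq 25 } }
}

# 1. Record the current state before changing anything.
Get-Port25Connectors $Server |
    Format-Table Identity, Bindings, RemoteIPRanges -AutoSize

# 2. Pick the internet-facing default connector and REPLACE its remote ranges.
#    -RemoteIPRanges overwrites the whole list, so the wide-open default entry
#    disappears in the same step as the Proofpoint ranges are added.
$Connector = Get-Port25Connectors $Server |
    Where-Object { $_.Name -like 'Default*' } |
    Select-Object -First 1
if (-not $Connector) { throw "No default port-25 receive connector found on $Server" }
Set-ReceiveConnector -Identity $Connector.Identity -RemoteIPRanges $ProofpointRanges

# 3. Verify. Exchange routes each inbound connection to the connector whose
#    remote range matches most specifically, so ANY port-25 connector still at
#    0.0.0.0-255.255.255.255 keeps accepting mail from non-Proofpoint senders.
$StillOpen = Get-Port25Connectors $Server | Where-Object {
    @($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -contains $WideOpen
}
if ($StillOpen) {
    $names = ($StillOpen | ForEach-Object { $_.Identity.ToString() }) -join ', '
    Write-Warning "Still open to any sender: $names"
} else {
    Write-Host "All port-25 receive connectors on $Server are restricted to the listed ranges."
}
```

Run step 1 on its own first and keep its output; if a connector other than the default one turns up on port 25, decide deliberately whether it should be restricted the same way or removed, rather than letting the script silently leave it open.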


Exchange 2003

1. Open the Exchange System Manager (Start -> All Programs -> Microsoft Exchange -> System Manager).
2. Expand Servers. (You may have to expand First Administrative Group first.)
3. Expand Protocols.
4. Expand SMTP.
5. Right-click the Default SMTP Virtual Server and select Properties.
6. Click the Access tab.
7. Click Connection.
8. Select the radio button labelled "Only the list below".
9. Click Add.
10. Select Group of Computers.
11. Enter the Subnet Address 67.231.152.0.
12. Enter the Subnet Mask 255.255.255.0.
13. Enter the Subnet Address 67.231.153.0.
14. Enter the Subnet Mask 255.255.255.0, then repeat steps 9-14 for each of the remaining Proofpoint subnets.
15. Click OK on all properties windows to save the changes.