We recently migrated from Exchange 2000 (yes, I know...) to Exchange 2010 and went through the horror of configuring it. First of all, we don't use ForeFront; sadly(?) we can't.
Before I ask my question, here is what we've already done:
- We have configured the Organization -> HUB -> Send Connector to be scoped to disallow mailing through us (yet another stupid name for such an important option).
- We have installed the Anti-SPAM features (for HUB, if that is relevant).
- In the Sender ID filter we have set the reject option (without this, some spammer was still able to send stuff through our server somehow).
- Content filtering is disabled (it filtered out more good things than bad).
- We've also set Accepted Domains to be only our domain.
So the question is whether it is possible to set up filtering so it only works for certain IPs? Specifically, to be able to send e-mails with "From" addresses outside of our domain (with Return-Path in our domain) and send e-mails without authorization from a certain IP. Effectively, set an option like "we know this IP, we know it sends crap, but it's our internal stuff".
Yup, it's quite easy with a Receive Connector. I do this on Exchange 2010 at my organization, for example.
Server Configuration -> Hub Transport -> Receive Connectors -> New Receive Connector
Name it something like "Trusted IPs", leave the default "listen on all interfaces on port 25" rule, then finish the wizard with defaults.
Right-click on the resulting connector and set all (and only) the IPs you want to trust under "Receive mail from remote servers that have these IP addresses" on the Network tab.
Under Authentication, click "Externally Secured (for example, with IPsec)". This is the magic sauce, though it's not well explained in the GUI. It means you flat-out trust these IPs to send good mail, no matter how spammy they appear.
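The same connector built from the Exchange Management Shell instead of the GUI, as an added example that is not part of the answer above. The server name HUB01 and the addresses 192.0.2.10 and 192.0.2.20 are placeholders standing in for your Hub Transport server and your trusted internal relays; everything else uses the stock Exchange 2010 cmdlets.

```powershell
# Added example (not from the original post): create a "Trusted IPs" Receive Connector
# on an Exchange 2010 Hub Transport server from the Exchange Management Shell.
# Assumptions: the Hub Transport server is HUB01 and the only hosts allowed to relay
# unauthenticated, with foreign "From" addresses, are 192.0.2.10 and 192.0.2.20.
$server     = 'HUB01'
$trustedIPs = @('192.0.2.10', '192.0.2.20')   # individual hosts, never a whole subnet you do not control

# Listen on every interface on port 25 (the same binding as the default connector;
# that is allowed because the RemoteIPRanges differ). Exchange hands an inbound session
# to the connector whose RemoteIPRanges match the sender most specifically, so these
# two hosts land here and everyone else stays on the default connector.
# -AuthMechanism ExternalAuthoritative is the "Externally Secured" option from the GUI;
# Exchange insists on -PermissionGroups ExchangeServers together with it.
New-ReceiveConnector -Server $server `
    -Name 'Trusted IPs' `
    -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $trustedIPs `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# Check the result next to the default connector: only the trusted one should show
# ExternalAuthoritative, and its RemoteIPRanges should be exactly the hosts listed above.
Get-ReceiveConnector -Server $server |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# Later changes (adding or removing a relay) go through Set-ReceiveConnector rather than
# the wizard; the list you pass replaces the previous one, so pass the full set.
Set-ReceiveConnector "$server\Trusted IPs" -RemoteIPRanges @('192.0.2.10', '192.0.2.20', '192.0.2.30')
```

The caveat a practitioner wants here: "Externally Secured" does more than skip authentication. It marks the session as coming from a trusted server, so the anti-spam agents (Sender ID included) are bypassed and the sender may use any "From" address, which is exactly what the question asks for, but it also means a compromised host in that list can relay anything. Keep RemoteIPRanges to the individual internal machines that need it, and confirm with Get-ReceiveConnector that the default connector still has no ExternalAuthoritative mechanism after the change.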