Manage attachment filtering on Edge Transport servers
Applies to: Exchange Server 2013
Attachment filtering is provided by the Attachment Filter agent that's available only on Edge Transport servers. Attachment filtering can help prevent files that are attached in email messages from entering your organization. You can configure one or more attachment filter entries to filter attachments either by content type or by file name.
What do you need to know before you begin?
Estimated time to complete each procedure: 10 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Anti-spam features" entry in the Anti-spam and anti-malware permissions and the "Transport agents" entry in the Mail flow permissions topic.
Configuration changes that you make to attachment filtering on an Edge Transport server are made only to the local computer. If you have multiple Edge Transport servers in your perimeter network, you need to configure attachment filtering on each Edge Transport server separately.
You can only use the Shell to perform this procedure.
When you disable attachment filtering and restart the Microsoft Exchange Transport service, all attachment filtering features stop working.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Use the Shell to enable or disable attachment filtering
When you enable or disable the Attachment Filtering agent, the change takes effect after you restart the Microsoft Exchange Transport service. When you restart the Microsoft Exchange Transport service on an Edge Transport server, mail flow on the server is temporarily interrupted.
To disable attachment filtering, run the following command:
Disable-TransportAgent "Attachment Filtering Agent"
To enable attachment filtering, run the following command:
Enable-TransportAgent "Attachment Filtering Agent"
After you enable or disable attachment filtering, restart the Microsoft Exchange Transport service by running the following command:
Restart-Service MSExchangeTransport
How do you know this worked?
To verify that you successfully enabled or disabled attachment filtering, do the following:
Run the following command:
Get-TransportAgent "Attachment Filtering Agent"
If the value of Enabled is
True
, attachment filtering is enabled. If the value isFalse
, attachment filtering is disabled.
Use the Shell to view attachment filtering entries
Attachment filtering entries define the message attachments that you want to keep out of your organization. To view the attachment filtering entries that are used by the Attachment Filtering agent, run the following command:
Get-AttachmentFilterEntry | Format-Table
To view a specific MIME content type entry, use the following syntax:
Get-AttachmentFilteringEntry ContentType:<MIMEContentType>
For example, to view the content type entry for JPEG images, run the following command:
Get-AttachmentFilteringEntry ContentType:image/jpeg
To view a specific file name or file name extension entry, use the following syntax:
Get-AttachmentFilteringEntry FileName:<FileName or FileNameExtension>
For example, to view the file name extension entry for JPEG attachments, run the following command:
Get-AttachmentFilteringEntry FileName:*.jpg
Use the Shell to add attachment filtering entries
To add an attachment filtering entry that filters attachments by MIME content type, use the following syntax:
Add-AttachmentFilterEntry -Name <MIMEContentType> -Type ContentType
The following example adds a MIME content type entry that filters JPEG images.
Add-AttachmentFilterEntry -Name image/jpeg -Type ContentType
To add an attachment filtering entry that filters attachments by file name or file name extension, use the following syntax:
Add-AttachmentFilterEntry -Name <FileName or FileNameExtension> -Type FileName
The following example filters attachments that have the .jpg file name extension.
Add-AttachmentFilterEntry -Name *.jpg -Type FileName
How do you know this worked?
To verify that you successfully added an attachment filtering entry, do the following:
Run the following command to verify that the filtering entry exists.
Get-AttachmentFilterEntry | Format-Table
Send a test message that contains a prohibited attachment from an external mailbox to an internal recipient and verify that the message is rejected, stripped, or deleted.
Use the Shell to remove attachment filtering entries
To remove an attachment filtering entry that filters attachments by MIME content type, use the following syntax:
Remove-AttachmentFilterEntry ContentType:<ContentType>
The following example removes the MIME content type entry for JPEG images.
Remove-AttachmentFilterEntry ContentType:image/jpeg
To remove an attachment filtering entry that filters attachments by file name or file name extension, use the following syntax:
Remove-AttachmentFilterEntry FileName:<FileName or FileNameExtension>
The following example removes the file name entry for the .jpg file name extension.
Remove-AttachmentFilterEntry FileName:*.jpg
How do you know this worked?
To verify that you successfully removed an attachment filtering entry, do the following:
Run the following command to verify that the filtering entry was removed.
Get-AttachmentFilterEntry | Format-Table
Send a test message that contains an allowed attachment from an external mailbox to an internal recipient and verify that the message was successfully delivered with the attachment.
Use the Shell to view the attachment filtering action
To view the attachment filtering action that's used when a prohibited attachment is detected in a message, run the following command:
Get-AttachmentFilterListConfig
Use the Shell to configure the attachment filtering action
To configure the attachment filtering action that will be used when a prohibited attachment is detected in a message, use the following syntax:
Set-AttachmentFilterListConfig [-Action <Reject | Strip | SilentDelete>] [-RejectResponse "<Message text>"] [-AdminMessage "<Replacement file text>"] [-ExceptionConnectors <ConnectorGUID>]
This example makes the following changes to the attachment filtering configuration:
Reject (block) messages that have prohibited attachments.
Use a custom response for rejected messages.
Set-AttachmentFilterListConfig -Action Reject -RejectResponse "This message contains a prohibited attachment. Your message can't be delivered. Please resend the message without the attachment."
For more information, see Set-AttachmentFilterListConfig.
How do you know this worked?
To verify that you successfully configured the attachment filtering action, send a test message that contains a prohibited attachment from an external mailbox to an internal recipient and verify that the message and the attachment are processed as you expect.