Enable antispam functionality on Mailbox servers
The following antispam agents are available in the Transport service on Exchange 2016 and Exchange 2019 Mailbox servers, but they aren't installed by default:
Content Filter agent
Sender Filter agent
Sender ID agent
Protocol Analysis agent for sender reputation
You can install these antispam agents on a Mailbox server by using an Exchange Management Shell script, which is important if these agents are your only defense to help prevent spam. Typically, you don't need to install the antispam agents on a Mailbox server when your organization uses other types of antispam filtering on incoming mail.
Note
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server, but it isn't configured to block any recipients.
What do you need to know before you begin?
Estimated time to complete this task: 15 minutes
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
The Connection Filtering agent and the Attachment Filtering agent aren't available on Mailbox servers. They're only available on Edge Transport servers, and they're installed and enabled there by default. However, the Malware agent is installed and enabled by default on Mailbox servers. For more information, see Antimalware protection in Exchange Server.
If you have other Exchange antispam agents operating on the messages before they reach the Mailbox server (for example, an Edge Transport server in the perimeter network), the antispam agents on the Mailbox server recognize the antispam X-header values that already exist in messages, and those messages pass through without being scanned again.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Transport configuration" entry in the Mail flow permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
Step 1: Run the Install-AntispamAgents.ps1 PowerShell script
Run the following command in the Exchange Management Shell on the Mailbox server:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
How do you know this step worked?
You know this step worked if the script runs without errors and asks you to restart the Microsoft Exchange Transport service. The output looks like this:
WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Identity Enabled Priority
-------- ------- --------
Content Filter Agent True 8
WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Sender Id Agent True 9
WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Sender Filter Agent True 10
WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Recipient Filter Agent True 11
WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Protocol Analysis Agent True 12
WARNING: The agents listed above have been installed. Please restart the Microsoft Exchange Transport service for
changes to take effect.
Step 2: Restart the Microsoft Exchange Transport service
Run the following command in the Exchange Management Shell on the Mailbox server:
Restart-Service MSExchangeTransport
How do you know this step worked?
You know this step worked if the Microsoft Exchange Transport service restarts without errors. The output looks like this:
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
Step 3: Specify the internal SMTP servers in your organization
You need to specify the IP addresses of every internal SMTP server that should be ignored by the Sender ID agent. In fact, you need to specify the IP address of at least one internal SMTP server. If the Mailbox server where you're running the antispam agents is the only SMTP server in your organization, specify the IP address of that computer.
To add the IP addresses of internal SMTP servers without affecting any existing values, run the following command in the Exchange Management Shell on the Mailbox server:
Set-TransportConfig -InternalSMTPServers @{Add="<ip address1>","<ip address2>"...}
This example adds the internal SMTP server addresses 10.0.1.10 and 10.0.1.11 to the transport configuration of your organization.
Set-TransportConfig -InternalSMTPServers @{Add="10.0.1.10","10.0.1.11"}
How do you know this step worked?
To verify that you have successfully specified the IP address of at least one internal SMTP server, run the following command in the Exchange Management Shell on the Mailbox server, and verify that the IP address of at least one valid internal SMTP server is displayed.
Get-TransportConfig | Format-List InternalSMTPServers
Step 4: Next steps
The Content Filter agent, Sender ID agent, Sender Filter agent, and Protocol Analysis (sender reputation) agent should now be installed and running on the Mailbox server. To verify this, run the following commands in the Exchange Management Shell on the Mailbox server:
Get-TransportAgentGet-ContentFilterConfig | Format-Table Name,Enabled; Get-SenderFilterConfig | Format-Table Name,Enabled; Get-SenderIDConfig | Format-Table Name,Enabled; Get-SenderReputationConfig | Format-Table Name,EnabledTo see detailed information about the configuration of each agent, run the following commands:
Get-ContentFilterConfig | Format-List *Enabled,RejectionResponse,*Postmark*,Bypassed*,Quarantine*;Get-SenderFilterConfig | Format-List *Enabled,*Block*Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*Get-SenderReputationConfig | Format-List *Enabled*,*Proxy*,*Block*,*Ports*To configure each agent, see the following topics:
By default, the Content Filter agent, the Sender Filter agent, and the Sender ID agent record their activities in the antispam agent log on the Mailbox server. You can verify that these antispam agents are working when information is written to the log. To see the location and configuration of the log, run the following command in the Exchange Management Shell on the Mailbox server:
Get-TransportService | Format-List AgentLog*
For instructions on how to configure the log, see Configure antispam Agent Logging.