You may have noticed a change in the behavior of the Safe Senders list within Outlook starting in Exchange 2010. Users can no longer add accepted domains to Outlook’s Safe Senders list. Figu...
Updated Jul 01, 2019
Version 2.0
Blog Post
Thanks Tom, I like the article and invetive use of Exchange anti spam agents.
This should be revised showing best practice clearly and the preference order of actions.
1. Have app servers authenticate using a service account, (they’ll likely have one anyway), use one service account over many printers/scanners and allow it to authenticate – or use a sub domain like scanners.company.com
a. Not printers, scanners and monitoring alerts in general don’t need to relay so need no additional permissions on the send connector.
b. Authenticated connections always get SCL-1
2. Move to the above authenticated model for all new relay devices and choose one of the below methods for existing devices you can’t change.
3. install the anti-spam agents on your relay hub(s) and add the IPs of your app servers to the IP Allow list of the connection filtering agent
a. also you could add entire server subnets
b. script the following - query DHCP servers for printer reservations and add them to the allow list
4. We know that adding all the addresses manually is an available albeit painful option
5. A second option is to disable Outlook’s client side filtering (yeah... not a good idea, so do not seriously consider it. Spam checks out the window!)
Tom