How To Reject Undeliverable Mail

Some mail servers accept mail to any address. On the SMTP protocol level, they always reply "250 OK" whether an address exists or not. Undeliverables are silently forwarded to postmaster.

In the CleanMail licensing scheme, any address is counted when the mail server accepts it. So, if you don't do something, you will most likely exceed your license.

Non-Delivery Reports

Worse, once the mail server has falsely accepted a message, it is required to create a "non-delivery report" (NDR) for each undeliverable mail received, and it tries to send that NDR to the purported sender of the spam or virus message. This costs you bandwidth, CPU load, and disk space. Typically, the sender addresses of spam and virus mails are fakes, so the NDRs are undeliverable and remain in the outgoing queue of your mail server for days. During a heavy virus or spam wave, this can crash your mail server, once thousands of undeliverable NDRs in your outgoing mail queue use up all your disk space.

Most spam and virus messages have forged sender addresses, so the NDR, if it is deliverable, is returned to an innocent third party. This is commonly referred to as the "backscatter" problem.

Realtime Rejection

Realtime rejection avoids the "backscatter" problem outlined above.

If your mail server rejects bad recipient addresses outright, it is the sending MTA's job (MTA: mail transfer agent) to inform the user if it is unable to send a mail. If the sending MTA is a mail client, it will pop up a window to notify the user. If it is another mail server, it will send a mail delivery failure notice to the sender. This way, the administrator of an open relay will suffer the consequences of his configuration error, and he will be the one who has to cope with overflowing message queues.

In conclusion, configuring a mail server without realtime rejection is a bad idea. Unfortunately, realtime rejection is sometimes not the default. This is also one of the infamous "features" of MS Exchange.

Configuring MS Exchange for realtime rejection of undeliverable mail

Since Exchange 2003 you can enable recipient checking, which is what you want.

Exchange 2003

Exchange 2003 actually allows checking recipient addresses. However, this is not well documented, if at all. The following link has instructions on how to enable recipient checking for Exchange 2003:

Earlier Versions of Exchange

The Exchange 200x versions allow turning NDRs off, as described in Microsoft knowledge base article 294757. But this is not what you want, because Exchange still accepts all recipient addresses, whether they exist or not. You can still use CleanMail to block undeliverable mail, as outlined in the next section.

Blocking undeliverable Mail with CleanMail

If your mail server accepts every recipient, you can at least configure CleanMail Server to accept only the recipient addresses you want. This is done on the "Relay Protection" page of the admin wizard. Instead of a domain, like *, you can enter a list of acceptable mail addresses and aliases here, like

This has two advantages:

There is a drawback: you have to maintain a list of users in both Exchange and in CleanMail. This is a source of potential errors: if you fail to add an address, or if you mistype an address, that user won't get any mail. Therefore, if you use this CleanMail feature, test it immediately by sending test mails from outside of your network.
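The following is an added example, not code from CleanMail or Exchange. It models the RCPT TO decision described in the "Realtime Rejection" section and in this section: an allowlist of known addresses (a constructed stand-in for the list entered on the "Relay Protection" page; the domain and names are assumptions) is checked at SMTP time, and a constructed spam wave with forged senders shows how many NDRs an accept-everything server must queue compared to one that rejects unknown recipients outright.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

LOCAL_DOMAIN = "example.com"  # assumed local domain
# Constructed allowlist; also the set of mailboxes that really exist downstream.
ALLOWED = {"alice@example.com", "bob@example.com", "sales@example.com"}


def rcpt_reply(address: str, allowlist: Optional[Set[str]]) -> str:
    """Return the SMTP reply for one RCPT TO command.
    allowlist=None models a server that answers 250 to any recipient."""
    addr = address.strip().lower()
    if not re.fullmatch(r"[^@\s<>]+@[^@\s<>]+", addr):
        return "501 5.1.3 Bad recipient address syntax"
    if not addr.endswith("@" + LOCAL_DOMAIN):
        return "554 5.7.1 Relay access denied"   # not our domain: no relaying
    if allowlist is not None and addr not in allowlist:
        return "550 5.1.1 User unknown"          # realtime rejection, no NDR
    return "250 2.1.5 Recipient OK"


@dataclass
class Outcome:
    accepted: int = 0
    rejected: int = 0
    ndr_queued: int = 0  # NDRs this server must now try to send back


def simulate(envelopes: Iterable[Tuple[str, str]],
             allowlist: Optional[Set[str]]) -> Outcome:
    """Run (sender, recipient) envelopes through the RCPT decision. A message
    accepted for a mailbox that does not exist forces an NDR to the (forged)
    sender, which is the backscatter the page describes."""
    out = Outcome()
    for _sender, rcpt in envelopes:
        if rcpt_reply(rcpt, allowlist).startswith("250"):
            out.accepted += 1
            if rcpt.lower() not in ALLOWED:  # accepted, but undeliverable
                out.ndr_queued += 1
        else:
            out.rejected += 1
    return out


# Constructed spam wave: forged sender, dictionary-style recipients, one real one.
SPAM_WAVE = [("victim@forged.example", f"user{i}@example.com") for i in range(1000)]
SPAM_WAVE.append(("partner@other.example", "alice@example.com"))

accept_all = simulate(SPAM_WAVE, None)     # "250 OK" to everything
realtime = simulate(SPAM_WAVE, ALLOWED)    # reject unknown users at RCPT TO
```

With the accept-everything policy all 1000 dictionary hits become NDRs addressed to the forged sender; with realtime rejection none are queued and only the one genuine recipient is accepted.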

Closing Remarks

Your feedback is welcome! Please submit hints and suggestions to .