DHAP prevention and NDR from Exchange

kaloyan-velkov (Level 1)

Hello community,

We have the following scenario:

We have to enable NDRs being sent from the Exchange server in case the message isn't sent to a recipient (invalid recipient, full recipient mailbox, etc.), but we have a feeling that this will create the possibility that this will lay the ground for Directory Harvest Attacks. Thus, we want to enable the DHAP service in the Mail Flow Policy.

As per our understanding, for DHAP to be enabled, we need to create an LDAP accept query and set it to bounce or drop the messages when the recipient is invalid. After the threshold is hit the ESA should drop the connection and the sending party should be timed out for an hour and send an alarm that a potential Directory Harvest Attack is happening.

We have the following questions:

Is it possible for the Exchange server to receive the emails, even if the recipient is invalid, so it can send out its message that the mailbox is invalid?

Is it possible to send some kind of message to the sender from the ESA if the recipient is invalid and the message doesn't reach the Exchange server (as it is cut off during the ESA filtering)?

Accepted Solution

No, the Exchange server won't get the email and therefore can't send the NDR. That's the point of the LDAP accept query, to not process mail that is going nowhere.

The ESA can send the NDR if you configure it to do so.
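As an added illustration of the behaviour described in the answer above (a simplified model written for this page, not Cisco's code and not the ESA's real log or configuration format): an invalid recipient is decided by the LDAP accept query before anything is relayed to Exchange, the accept-query mode decides whether the ESA generates the NDR itself or simply rejects at SMTP time, and the DHAP counter times the sending host out for an hour once the threshold is hit. The recipient directory, threshold value and sample connection attempts are all constructed.

```python
from collections import defaultdict

# Constructed directory of valid mailboxes (stands in for the LDAP accept query result)
VALID_RECIPIENTS = {"alice@example.test", "bob@example.test"}
DHAP_THRESHOLD = 3      # invalid recipients per hour before the host is blocked (constructed)
BLOCK_SECONDS = 3600    # the post says the sender is timed out for an hour


class DhapState:
    def __init__(self):
        self.invalid = defaultdict(list)   # ip -> timestamps of invalid RCPT TOs
        self.blocked_until = {}            # ip -> timestamp when the block expires
        self.alerts = []                   # (ip, ts) of potential DHAP alarms


def ldap_accept(recipient, mode):
    """Decide what the ESA does with one recipient under a given accept-query mode."""
    if recipient in VALID_RECIPIENTS:
        return "relay-to-exchange"
    # Invalid recipient: the message never reaches Exchange, so Exchange cannot NDR it
    if mode == "bounce":
        return "accept-then-esa-ndr"      # the ESA generates the NDR itself
    return "reject-at-smtp"               # drop mode: no message and no NDR at all


def handle_rcpt(state, ip, recipient, ts, mode="drop"):
    """Process one RCPT TO from ip at time ts and update the DHAP counters."""
    if state.blocked_until.get(ip, 0) > ts:
        return "connection-refused-dhap"  # host still in its one-hour timeout
    action = ldap_accept(recipient, mode)
    if action != "relay-to-exchange":
        window = [t for t in state.invalid[ip] if ts - t < BLOCK_SECONDS] + [ts]
        state.invalid[ip] = window
        if len(window) >= DHAP_THRESHOLD:
            state.blocked_until[ip] = ts + BLOCK_SECONDS
            state.alerts.append((ip, ts))
            return "connection-dropped-dhap"
    return action


def run(attempts, mode="drop"):
    """Replay (ip, recipient, ts) attempts; return the per-attempt actions and alerts."""
    state = DhapState()
    actions = [handle_rcpt(state, ip, rcpt, ts, mode) for ip, rcpt, ts in attempts]
    return actions, state.alerts


# Constructed sample: one host guessing names alphabetically, one legitimate sender
SAMPLE = [
    ("203.0.113.9", "aaron@example.test", 0),
    ("203.0.113.9", "abby@example.test", 5),
    ("198.51.100.4", "alice@example.test", 6),
    ("203.0.113.9", "adam@example.test", 10),     # third invalid name: threshold hit
    ("203.0.113.9", "alice@example.test", 20),    # refused even for a valid name
    ("203.0.113.9", "bob@example.test", 3700),    # hour elapsed, accepted again
]
```

Running `run(SAMPLE)` in drop mode shows the probing host rejected twice, dropped on the third invalid name, refused during the timeout and served again after the hour; `run(SAMPLE, "bounce")` differs only in that the ESA itself emits the NDR for each invalid recipient.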

