Recipient verification with Exchange 2016: PMG accepts unknown recipients and stores spam in quarantine

Covalenco_S

New Member
Oct 13, 2025
Hello,

I am migrating from Exchange 2010 to Exchange 2016 and I have an issue with recipient verification on Proxmox Mail Gateway.

Environment:

- Proxmox Mail Gateway 9.1.0
- Old mail server: Exchange 2010
- New mail server: Exchange 2016 CU23
- PMG receives mail from the Internet and relays it to Exchange
- Relay domain: example.com
- PMG transport: example.com -> 192.168.10.247:25
- Use MX: No
- Verify Receivers: Yes (450)
- Before Queue Filtering: tested both No and Yes

With Exchange 2010 recipient verification worked correctly. If an external sender sent mail to a non-existing address, PMG received a 550 response from Exchange during recipient verification and rejected the message.

After migrating to Exchange 2016, PMG verifies the recipient via SMTP callout, but Exchange 2016 initially responds with:

250 2.1.5 Recipient OK

even for non-existing recipients.

Then PMG accepts/scans the message. If the message is spam, PMG may move it to spam quarantine, even though the recipient does not exist.

Example PMG log for a non-existing recipient:

2026-06-17T02:31:40 mx1 pmg-smtp-filter: SA score=13/5 ...
2026-06-17T02:31:40 mx1 pmg-smtp-filter: moved mail for <last_f@example.com> to spam quarantine
2026-06-17T02:31:40 mx1 postfix/lmtp: status=sent (250 2.5.0 OK)

On Exchange 2016 the message is later rejected internally:

FAIL ROUTING
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

So the message is not delivered to a wrong mailbox, but the problem is that PMG has already accepted and processed it.

This creates a possible disk space problem: an attacker could send many large spam messages to random non-existing recipients, and PMG could store them in quarantine.

I tested:

1. PMG -> Exchange 2016 Frontend port 25
Result: Exchange returns 250 Recipient OK during verification.

2. PMG -> custom Exchange HubTransport connector on port 2526, allowed only from PMG and with AnonymousUsers
Result: still 250 Recipient OK during verification.

3. PMG -> Exchange backend/default HubTransport port 2525
Result: Exchange rejects with:
530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM

I also configured LDAP in PMG. The LDAP profile works and PMG can see AD users and addresses. However, “Verify Receivers” seems to use SMTP recipient verification against the relay host, not LDAP recipient validation.

Questions:

1. Is there a supported way in PMG to reject recipients that do not exist in LDAP before spam quarantine/filtering?
2. Can PMG use its LDAP profile as a recipient map for relay recipient verification?
3. Is there a recommended configuration for Exchange 2016/2019 behind PMG so SMTP Verify Receivers works like it did with Exchange 2010?
4. If this is not currently possible from the GUI, is there a safe template/custom Postfix configuration recommended by Proxmox?

My goal is:
- valid recipients should be accepted and delivered to Exchange;
- invalid recipients should be rejected by PMG before quarantine;
- spam for non-existing users should not be stored in PMG quarantine.

Thank you.
 
I used this article to solve it. This will only work if you have a single Exchange server setup. Also, I'm not entirely sure if this approach works in a DAG environment.
On PMG, the only thing you need to do is change the relay port from 25 to 2525.


Code:
2026-06-17T10:48:58.945721+03:00 vm-pmg postfix/cleanup[3195210]: E679480C6B: message-id=<20260617074858.E679480C6B@mydomain>
2026-06-17T10:48:58.948563+03:00 vm-pmg postfix/qmgr[2544517]: E679480C6B: from=<double-bounce@mydomain>, size=222, nrcpt=1 (queue active)
2026-06-17T10:49:03.982240+03:00 vm-pmg postfix/smtp[3194573]: E679480C6B: to=<unknownuser@mydomain>, relay=192.168.99.9[192.168.99.9]:2525, delay=5, delays=0/0/0.02/5, dsn=5.1.10, status=undeliverable (host 192.168.99.9[192.168.99.9] said: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup (in reply to RCPT TO command))
2026-06-17T10:49:08.982178+03:00 vm-pmg postfix/qmgr[2544517]: E679480C6B: removed
 
Thank you, this was exactly the missing part.

I tested your suggestion and it solved the issue.

What I had before:
- PMG transport to Exchange 2016 on port 25
- Verify Receivers enabled on PMG
- Exchange 2016 answered 250 Recipient OK even for non-existing recipients
- PMG accepted the message and spam for unknown recipients could end up in quarantine

What fixed it:
1. Installed the Exchange Anti-Spam agents on the Exchange 2016 server:
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

2. Restarted MSExchangeTransport.

3. Enabled Anonymous users on the HubTransport receive connector:
Default MEX, port 2525

4. Changed PMG transport for my domain to:
Exchange IP:2525
Use MX: No

5. Restricted the Exchange receive connector RemoteIPRanges to only PMG and internal Exchange servers.

Now PMG recipient verification works correctly.

For a non-existing recipient, PMG gets:
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

and rejects it at RCPT stage with NOQUEUE, so the message is not accepted and does not go to quarantine.

Valid recipients are delivered normally.

Thanks again for pointing me to the correct Exchange 2016 / port 2525 setup.
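
An added example, not part of the thread and not Proxmox or Microsoft code: a small check for what a relay target answers at RCPT TO for a known mailbox and for a random non-existing one, which is what decides whether "Verify Receivers" can work against it. The names `probe`, `classify`, `rcpt_code` and `FakeRelay`, the address 192.0.2.10 and the mail addresses are constructed for illustration; `FakeRelay` stands in for `smtplib.SMTP` so the block runs offline.

```python
import smtplib
import uuid

def rcpt_code(conn, sender, rcpt):
    """Return the reply code for rcpt, or the MAIL FROM code if that fails first."""
    code, _ = conn.mail(sender)
    if code < 400:
        code, _ = conn.rcpt(rcpt)
    conn.rset()  # drop the envelope; no DATA is ever sent
    return code

def classify(valid, unknown):
    """Turn the replies for a known and an unknown recipient into a verdict."""
    if 200 <= unknown < 300:
        return "accepts-unknown"  # 250 for everyone: SMTP callout cannot verify
    if valid >= 500:
        return "probe-refused"    # e.g. 530 5.7.57: anonymous sender not allowed
    if 200 <= valid < 300 and unknown >= 500:
        return "verifies"         # 250 for known, 550 5.1.10 for unknown
    return "inconclusive"         # a 4xx reply somewhere: retry later

def probe(host, port, known_rcpt, sender, connect=smtplib.SMTP):
    """Probe host:port with known_rcpt and a random address in the same domain."""
    domain = known_rcpt.rsplit("@", 1)[1]
    bogus = f"no-such-user-{uuid.uuid4().hex[:12]}@{domain}"
    conn = connect(host, port, timeout=15)
    try:
        conn.ehlo_or_helo_if_needed()
        return classify(rcpt_code(conn, sender, known_rcpt),
                        rcpt_code(conn, sender, bogus))
    finally:
        conn.quit()

class FakeRelay:
    """Constructed stand-in for smtplib.SMTP (assumption: replies modelled on the thread)."""
    def __init__(self, known=(), accept_all=False, mail_reply=(250, b"2.1.0 Sender OK")):
        self.known, self.accept_all, self.mail_reply = set(known), accept_all, mail_reply
    def __call__(self, host, port, timeout=None): return self
    def ehlo_or_helo_if_needed(self): pass
    def mail(self, sender): return self.mail_reply
    def rcpt(self, addr):
        ok = self.accept_all or addr in self.known
        return (250, b"2.1.5 Recipient OK") if ok else (550, b"5.1.10 Recipient not found")
    def rset(self): return (250, b"2.0.0 Resetting")
    def quit(self): return (221, b"2.0.0 Bye")

if __name__ == "__main__":
    relay = FakeRelay(known={"user@example.com"})  # constructed sample mailbox
    print(probe("192.0.2.10", 2525, "user@example.com", "postmaster@example.com", connect=relay))
```

Against a real server, call `probe()` without the `connect` argument, from a host the receive connector allows, with a mailbox that is known to exist.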
 
A quick side note: When you add a new user on the primary Domain Controller, it takes some time for the information to sync with Exchange. If someone sends an email to this new user before Active Directory replication is complete, Exchange will reject it, stating that the user does not exist.

If I remember correctly, PMG will cache this negative response for 7 days (until its local database is cleared).

To fix this, wait for the AD replication to finish (or force it manually), then go to PMG -> Administration -> Queues and click "Discard address verification database".