How to Configure Safelist Aggregation

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2016-11-10

This topic provides an overview about how to configure safelist aggregation and provides instructions about how to use the Exchange Management Shell to configure safelist aggregation. For basic configuration, see the procedures in this topic. For more information about how safelist aggregation works, see Safelist Aggregation.

You cannot reverse the changes that are made by this procedure. Make sure that you understand the changes that are made by Safelist Aggregation before you complete this procedure.

When you configure safelist aggregation, follow these steps:

  • Use the Update-Safelist cmdlet to update safelist information for Microsoft Office Outlook users.

  • Schedule periodic updates of safelist aggregation to make sure that the most up-to-date safelist aggregation information is in the Active Directory directory service.

  • Verify that the Microsoft Exchange EdgeSync service is replicating safelist aggregation data to the Active Directory Application Mode (ADAM) directory service. This step is optional.

  • Verify that content filtering is enabled on the servers where you are running anti-spam features and that safelist aggregation is functioning correctly.

You use the Update-SafeList cmdlet to run a command that reads the safelist collection from the Outlook user mailbox, hashes each entry, sorts the entries for easy search, and then converts the hash to a binary attribute. Finally, the command compares the binary attribute that was created to any value that is stored on the attribute. If the two values are identical, the command does not update the user attribute value with the safelist aggregation data. If the two attribute values are different, the command updates the safelist aggregation value. This logic, where the binary values are compared before updates, is intended to significantly minimize resource use on Active Directory replication.

Be mindful of the network and replication traffic that you may generate the first time that you run this command. If you run the command on multiple mailboxes where safelists are heavily used, you may generate a significant amount of traffic. We recommend that if you run the command on multiple mailboxes, you should run the command during non-peak, non-business hours.

Safelist aggregation data contains both the user's Safe Senders List and the user's Safe Recipients List. When you use the Update-Safelist cmdlet, you can specify whether you update the Safe Senders List or the Safe Recipients List, or both. However, only Safe Senders List data is used by the safelist aggregation feature; the safelist aggregation feature does not act on Safe Recipients List data. Therefore, to reduce storage and replication bloat in Active Directory, we do not recommend running the Update-Safelist cmdlet with the Type parameter set to the SafeRecipients or Both values. The default value for the Type parameter is SafeSenders. Safe sender data is used by the safelist aggregation feature.
Microsoft Exchange Server 2007 Service Pack 1 (SP1) provides functionality that allows you to specify whether to include the safe domain data to the anti-spam agents on the Edge Transport server by using the Update-SafeList cmdlet. In most cases, we do not recommend that you include domains because users may include the domains of large Internet service providers (ISP), which could unintentionally provide addresses that may be used or spoofed by spammers.

For more information about how to use the Update-Safelist cmdlet, see Update-SafeList.

By scheduling periodic updates to safelist aggregation data, you help make sure that the most up-to-date safelist aggregation data is in Active Directory. As explained in Safelist Aggregation, the update logic is optimized to reduce redundancy: Only safelist collections that have been updated by the user since the last time the Update-Safelist cmdlet was run will be updated.

You can use the AT command in the Exchange Management Shell to schedule regular updates for safelist aggregation. We recommend that you schedule daily updates on each mailbox.

The following code shows an AT command that updates all mailboxes daily at 11:00 P.M. on all the servers by using a batch file that is named SafeList.bat.

at 23:00 /every:M,T,W,Th,F,S,Su  cmd /c "D:\SafeList.bat"

The following code shows the contents of the SafeList.bat file:

"<drive>:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -psconsolefile "d:\Program Files\Microsoft\Exchange Server\v14\bin\exshell.psc1" -command "get-mailbox | where {$_.RecipientType -eq [Microsoft.Exchange.Data.Directory.Recipient.RecipientType]::UserMailbox } | update-safelist"

For more information about how to run the AT command, see Microsoft Knowledge Base article 313565, How To Use the AT Command to Schedule Tasks.

After you run the Update-Safelist cmdlet on the user mailboxes in your organization, you can view the corresponding user objects in the ADAM directory to verify that the Update-Safelist cmdlet has updated the user objects and that the Microsoft Exchange EdgeSync service has replicated the data to the ADAM directory.

For more information about how to configure the Microsoft Exchange EdgeSync service to replicate data from Active Directory to the ADAM directory on the Edge Transport servers, see Using an Edge Subscription to Populate ADAM with Active Directory Data.

The Update-Safelist cmdlet can update two attributes on each user object:

  • msExchSafeRecipientsHash   This attribute stores the hash of the Safe Recipients List collection for the user.

  • msExchSafeSendersHash   This attribute stores the hash of the Safe Senders List collection for the user.

If a hexadecimal string, such as 0xac 0xbd 0x03 0xca, is present on the attribute, the user object was updated. If the attribute has a value of <Not Set>, the attribute was not updated.

You can search for and view the attributes by using the ADAM Active Directory Service Interfaces (ADSI) Edit snap-in.

The safelist aggregation feature relies on content filtering to recognize the senders on an Outlook user's Safe Senders List.

Verify that content filtering is enabled on each Edge Transport server on which the anti-spam and antivirus features are running. By default, content filtering is enabled.

Use the following command to enable content filtering:

Set-ContentFilterConfig -Enabled:$true

You can view and enable content filtering in the Exchange Management Console as follows:

  1. In the console tree, click Edge Transport.

  2. In the result pane, click the Anti-spam tab, click Content Filtering, and then in the action pane, click Enable.

To test whether safelist aggregation is functioning, create an e-mail account by using a free Web-based e-mail provider and add that account to your Safe Senders List in Outlook. Use the Update-SafeList cmdlet to run a command that reads the safelist collection from that mailbox, and then send a message that includes a word or phrase that is specifically blocked in your content filtering configuration. If safelist aggregation is functioning, the message should arrive in your Outlook Inbox.

For more information, see the following topics:


Community Additions