Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700

Customers often do not like their internal email infrastructure exposed in the SMTP headers for security reasons. It displays private information, such as internal IP addresses and SMTP server versions, that can be used by bad guys for targeted attacks. In the example above, SMTP Server id 8.1.278.0 tells me that edge.companyabc.com at public IP 12.5.1.168 is running Exchange Server 2007 SP1, and the Received line reveals the internal host ex01.companyabc.com at 10.12.1.81.
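To see what a message is giving away before and after the change, here is an added PowerShell example (not from the original post) that parses a message's Received headers, unfolds continuation lines, and reports the RFC 1918 addresses and Microsoft SMTP Server version strings in each hop. The function names, the sample header (constructed from the one quoted above) and the handling of version strings that look like dotted quads are all my own.

```powershell
# Added example, not part of the original post: inspect raw message headers
# and report which hops expose internal addresses or server versions.

function Test-ValidIPv4 {
    # A version string such as 8.1.278.0 also matches a dotted-quad regex;
    # reject anything whose octets are not all in 0..255.
    param([string]$Address)
    $octets = $Address.Split('.')
    if ($octets.Count -ne 4) { return $false }
    foreach ($o in $octets) { if ([int]$o -gt 255) { return $false } }
    return $true
}

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ReceivedHeaderLeaks {
    param([string]$RawHeaders)
    # RFC 5322 folding: a line starting with whitespace continues the previous header
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $received = ($unfolded -split "`r?`n") | Where-Object { $_ -match '^Received:' }
    $ipPattern = '\b(\d{1,3}(?:\.\d{1,3}){3})\b'
    foreach ($line in $received) {
        $ips = @([regex]::Matches($line, $ipPattern) |
                 ForEach-Object { $_.Groups[1].Value } |
                 Where-Object { Test-ValidIPv4 $_ } |
                 Select-Object -Unique)
        $version = if ($line -match 'Microsoft SMTP Server id ([\d.]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Hop           = $line
            PrivateIPs    = @($ips | Where-Object { Test-PrivateIPv4 $_ })
            PublicIPs     = @($ips | Where-Object { -not (Test-PrivateIPv4 $_) })
            ServerVersion = $version   # the build number that identifies the Exchange release
        }
    }
}

# Constructed sample, modelled on the header quoted in the post (folded across lines)
$sample = @"
Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com
 (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008
 15:17:46 -0700
Subject: test message
"@

# Show only the hops that still leak something internal
Get-ReceivedHeaderLeaks -RawHeaders $sample |
    Where-Object { $_.PrivateIPs.Count -gt 0 -or $_.ServerVersion } |
    Format-List
```

Feed it the raw headers of a message received at an external mailbox (most clients can show or save them) both before and after the permission change; once the header firewall is in place the internal hop should no longer appear.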
You can remove this information from the SMTP headers on Exchange 2007 using a feature called the Header Firewall. This is done with the Remove-ADPermission cmdlet in the Exchange Management Shell. If you use Exchange 2007 Edge Transport server(s), run the following one-liner:
Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing
Note: Replace "EdgeSync - companyabc to Internet" with the name of your Internet-bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.
For Exchange 2007 implementations that do not use Edge Transport servers, use the following:
Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing

Again, replace "companyabc to Internet" with the name of your Internet-bound send connector.
Essentially, you want to remove the Ms-Exch-Send-Headers-Routing right in Active Directory from the account that is the last to handle the outbound SMTP traffic. For Edge Transport servers that account is MS Exchange\Edge Transport Servers; for everything else it is NT Authority\Anonymous Logon. Doing so strips all the internal relay entries from the header before the last Exchange server, so the email appears to have originated from that last server.
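The procedure above, wrapped in a small Exchange Management Shell script as an added example (this is my code, not the post's or Microsoft's). It picks the right principal for the Edge or non-Edge case, confirms the connector exists with Get-SendConnector, removes the extended right, and then checks with Get-ADPermission that it is really gone. The function names are mine; the connector name is a placeholder to replace with your own, and I assume Get-ADPermission's output carries the ExtendedRights and Deny properties as it does in Exchange 2007 and 2010.

```powershell
# Added example, not from the original post: apply and verify the header
# firewall change on an Internet-bound send connector.

function Get-HeaderFirewallPrincipal {
    # The account that is last to touch outbound mail, as described in the post
    param([switch]$EdgeTransport)
    if ($EdgeTransport) { 'MS Exchange\Edge Transport Servers' }
    else                { 'NT Authority\Anonymous Logon' }
}

function Test-HeaderFirewall {
    # Returns $true when the routing-headers right is no longer granted to the principal
    param([string]$ConnectorName, [switch]$EdgeTransport)
    $user = Get-HeaderFirewallPrincipal -EdgeTransport:$EdgeTransport
    $grants = Get-ADPermission -Identity $ConnectorName -User $user |
        Where-Object {
            -not $_.Deny -and
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Ms-Exch-Send-Headers-Routing')
        }
    return ($null -eq $grants)
}

function Set-HeaderFirewall {
    param(
        [Parameter(Mandatory = $true)][string]$ConnectorName,
        [switch]$EdgeTransport     # set this when the connector is on an Edge Transport server
    )
    # Fail early if the connector name is wrong rather than silently doing nothing
    $connector = Get-SendConnector -Identity $ConnectorName -ErrorAction Stop
    $user = Get-HeaderFirewallPrincipal -EdgeTransport:$EdgeTransport

    Remove-ADPermission -Identity $connector.Identity -User $user `
        -ExtendedRights 'Ms-Exch-Send-Headers-Routing' -Confirm:$false

    if (Test-HeaderFirewall -ConnectorName $ConnectorName -EdgeTransport:$EdgeTransport) {
        Write-Output "Header firewall applied on '$($connector.Name)' for '$user'."
    } else {
        Write-Warning "'$user' still holds Ms-Exch-Send-Headers-Routing on '$($connector.Name)'."
    }
}

# Internet-bound connectors normally carry the SMTP:* address space; list them first
Get-SendConnector | Where-Object { $_.AddressSpaces -match '^SMTP:\*' } |
    Select-Object Name, AddressSpaces, SourceTransportServers

# Placeholder connector name: replace with the name shown by Get-SendConnector
Set-HeaderFirewall -ConnectorName 'YOUR-INTERNET-CONNECTOR-NAME'
# On an Edge Transport server use:  Set-HeaderFirewall -ConnectorName '...' -EdgeTransport
```

Run it from the Exchange Management Shell on a server that can reach Active Directory (on an Edge server, against the connector replicated by EdgeSync). Test-HeaderFirewall can be re-run on its own later as a quick audit that nobody has re-granted the right.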
Hello,
I have followed the instructions above (Remove-ADPermission cmdlet), however outgoing messages still have my private IP address included in them.
Am I missing anything? Do I need to reboot any services for this change to take effect?
Thanks,
Ali
I don't have an Exchange 2007 infrastructure to test with anymore, but I did test this on Exchange 2010.
The Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing EMC command works, whether or not you use an Edge Transport server. I ran this directly on my Exchange 2010 Edge Transport server.
The effect is immediate and does not require you to restart any services or the server itself.
Which user parameter is correct? "NT Authority\Anonymous Logon" or "MS Exchange\Edge Transport Servers"?
Thanks