Alan Doherty [Rated By ICRA] Level Double-A conformance icon, W3C-WAI Web Content Accessibility Guidelines 1.0
Valid CSS! Valid HTML 4.01 Strict

Alan Doherty's things anyone setting up exchange properly have to know


"This...is wrong tool.  Never use this."
		--- Zathras

---Rsk

Exchange the reason the bush administration lost all those important e-mails

or How to make exchange act more like a 'real' mail server

I'm a Network/IT Consultant based in Dublin.

I have seen a lot of bad setups in my time, and exchange seems to always be the most consistently mis-installed server in common use

So if your setting up exchange or checking up on your existing setups compitency heres some tips

backscatter

backscatter : the abuse sending of e-mails {bounces and auto-responses} to the innocents who's address' have been forged in the from part of e-mail sent to your mailserver

The correct and in this age of spam neccissary action is to reject the message, thus leaving the server attempting to send the mail the job of generating the bounce, or as 90% of connections are direct from spammers a 90% reduction in backscatter, and 100% reduction in your culpability.

ensure your server is rejecting not generating bounces for relay attempts and non-existant address'

Global-Impact: The abuse of others

Local-Impact: If this is left at its default, you, when discovered become DDOSed very quickly and generate a ton of abusive backscatter as spammers attempt/succeed to use your server

Local-Impact: Additionally you will eventually be noticed and widely blacklisted so your own mail to external sites is refused

Background: SMTP relay behavior in Windows 2000, Windows XP, and Exchange Server This explains that the rfc's allow exchanges bad behaviour, despite the fact all other well designed servers reject by default

Fixing Exchange 2003: Of course this How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003 shows how to fix the issue {the dnsblocklist stuff is up to your policy}

Create a recipient filter

When you use recipient filtering, you can prevent messages from being delivered to e-mail addresses that exist in your organization, and you can filter messages that are directed to e-mail addresses that do not exist in your organization. Recipient filtering only applies to messages that come from anonymous connections. read: incoming smtp

To create a recipient filter, follow these steps:

  1. Start Exchange System Manager.
  2. Expand Global Settings, right-click Message Delivery, and then click Properties.
  3. Click the Recipient Filtering tab.
  4. To filter e-mail based on a particular e-mail address, click Add, type the e-mail address, and then click OK.
  5. To filter messages that are directed to e-mail addresses that do not exist in your organization, click to select the Filter recipients who are not in the directory check box.
Apply the connection filter or the recipient filter or both to the appropriate SMTP virtual servers

You must enable the connection filters and the recipient filters on each SMTP virtual server where you want these settings to be applied.

To apply a filter to a SMTP virtual server, follow these steps:

  1. Start Exchange System Manager.
  2. Expand Servers, expand Server Name, expand Protocols, and then expand SMTP.
  3. Right-click the SMTP virtual server where you want to apply the filter, and then click Properties.
  4. On the General tab, click Advanced.
  5. Click the IP address that you want to apply the filter to, and then click Edit.
  6. In the Identification dialog box, click to select either the Apply Connection Filter check box or the Apply Recipient Filter check box.
  7. Click OK, click OK, click Apply, and then click OK.
  8. Restart the SMTP virtual server where you applied the filter.
  9. Repeat steps 2 through 8 for each virtual server where you want to apply the filter.

Fixing Exchange 2000: requires programming you can write a Microsoft Windows 2000 SMTP protocol event sink. For additional information, visit the following MSDN Platform SDK SMTP Server Events Web site

HOW TO: Prevent Mail Relay in the IIS 5.0 SMTP Server in Windows 2000 allows you to at least cut down bounces

Fixing exchange 5.5: XFOR: Restricting Routing in the Internet Mail Service

Fixing SBS 2003: this describes the symptoms/fix but ignore the bad advice of not adding recipient filters if not attacked yet, as A its dumb, B its not fair to your victims

Backscatter II, autoresponders

Global-Impact: If a local user is subscribed to public discussion lists, and sets up an out of office auto-reply, every message to the list from any user, will cause a second message from your user {and sometimes a fatal spiral of response's to these auto-response's}, obviously annoying the list-admin and all other subscribers

Local-Impact: The user will end up being blocked from re-joining the mailinglist {after he is manually removed for such abuse}

Local-Impact: Some blacklists add auto-responding servers like any other backscatter source

Local-Impact: Information Leackage, competitors and criminals can see when offices are unattended remotely

Fixing Any: Don't allow users to set up Auto-responders, or allow only for internal<>internal

Fixing Any: Ensure users absent for extended periods e-mail is re-directed to a coleague instead {increased customer satisfaction}, or is remotely checked by staff when on leave

Damage Reduction Exchange 2003: According to Out-of-Office messages are sent to distribution lists that are in the BCC field exchange autoresponds all mail, this you never want to do.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Expand the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  3. Right-click ParametersSystem, point to New, and then click DWORD Value.
  4. Type SuppressOOFsToDistributionLists, and then press ENTER to name the value.
  5. Right-click SuppressOOFsToDistributionLists, and then click Modify.
  6. In the Value data box, type 0x00000001, and then click OK.
  7. Close Registry Editor.

Do NOT check Sender-ID

Despite much confusing advice given online sender-id IS NOT the same as SPF, sender-id is a fundamentally flawed (from design upward) protocol, it will by accident catch SPF forgeries, but will also catch lots of legitimate by SPF non-forgeries due to its design flaws. (mailinglist/SRS-compliant forwards/most mail-via ESPs etc.)
Thus you SHOULD disable this 'feature' , 3rd party 'real SPF' plugins are available try those DO NOT check sender-id
If MS ever allow a feature to check mfrom and Disable PRA checks only (the broken part of the design) then use in this manner,

even IF your choice of mailserver cannot check SPF records still publish them to enable others to verify your email is unforged, also publish preventative sender-id records to stop those who havn't disabled the 'feature' from rejecting your non-forged indirect mails

Last updated Sept. 2017 Alan Doherty