To a greater extent than the other chapters in this book, this chapter assumes that you will do some outside reading—a lot of it, in fact. That’s because the semantics and implementation requirements for messaging security are fairly strict, and there’s a ton of background material that you need to be familiar with to completely secure your Exchange environment against the particular threat model that your organization faces.

The first resource we recommend is the only book we know of written specifically on messaging security, Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press). The book was written by Paul Robichaux, one of the authors of the book you are now reading, and it deals with every aspect of Exchange security, including threat assessment, patch management, communications and message confidentiality, and providing secure mobile, remote, and wireless access to your Exchange servers. Sample chapters and other related materials are available at http://www.e2ksecurity.com.

Next is the Exchange TechCenter page that Microsoft maintains for Exchange security and protection:

This page contains links to the wealth of security documentation that Microsoft has produced for Exchange, including:

These documents, taken together, provide several hundred pages of extremely detailed information about Exchange security. Unfortunately, if you really want to gain an understanding of how to best secure your Exchange organization, you’ll have to read and absorb these documents, or hire people who have; there aren’t any shortcuts.

You want to ensure that your Exchange servers have the most up-to-date set of security patches.

Download the current version of Microsoft Baseline Security Analyzer (MBSA) tool from http://www.microsoft.com/mbsa. Follow the included instructions to install it on a Windows 2000, Windows XP, or Windows Server 2003 machine that belongs to a domain in the same forest as the servers you want to scan.

> mbsacli.exe /c batman /nSQL+Password

We’ve had the ability to check an individual machine for Windows updates since Windows 98 or so, but the built-in Windows Update functionality leaves quite a bit to be desired from an enterprise security standpoint. Instead of allowing individual users, or administrators, to apply ad-hoc patch combinations to individual machines, most companies want a standardized way of determining which patches are necessary, then loading them automatically. MBSA provides the measurement tool; other tools, like the Systems Management Server (SMS), Microsoft Software Update Service (SUS) or its forthcoming successor Windows Update Services (WUS), can be used to get the actual patches on the machine. WUS will actually extend the functionality of Windows Update to include patches for other Windows applications, such as Office and Exchange. There are also a number of third-party patch management applications that offer support for monitoring and managing Exchange servers.

MBSA added support for Exchange in Version 1.2. When you launch MBSA, the first thing it does is attempt to download the current version of the MSSecure.xml file (which is actually available as either raw XML or as a .CAB file). This file enumerates all the available security patches for various versions of Windows and key applications like Exchange. By checking for file versions, modification dates, and the presence of registry keys added when hotfixes are applied, MBSA can usually determine which patches are installed on a given machine. We say “usually” because there have been several well-known cases of patches for which MBSA either falsely reported a fix as being present or baselessly complained that a critical fix was missing. The latest version of MBSA, 1.2.1, has fixed most of these cases, but be forewarned that an MBSA report listing one or more security updates that “could not be confirmed” doesn’t necessarily spell impending doom.

For scanning Exchange servers, you’ll probably want to use the command-line version of MBSA in HFNetChek compatibility mode. This mode makes MBSA work like the HFNetChek tool from which it was partially derived; it’s useful because it allows you to feed it a text file containing a list of NetBIOS computer names or IP address (one per line, with a maximum of 255 lines per file). This makes it easy to script periodic checks of your Exchange servers, using a command line like this:

> mbsacli.exe -hf -fh 
HostsToScan.txt
 
> mbsacli.exe -hf -fip 
IPAddressesToScan.txt

One drawback of HFNetCheck mode is that you can’t use the MBSA-mode options like /n, so you trade off some flexibility in scanning behavior for flexibility in specifying which hosts should actually be scanned. MBSA supports a broad range of command-line options, which are well-described in its documentation.

MBSA documentation (http://www.microsoft.com/technet/security/tools/mbsahome.mspx), Chapter 6 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press), and the Scripting with the Microsoft Baseline Security Analyzer V1.2 web site (http://www.microsoft.com/technet/security/tools/mbsascript.mspx)

You want to ensure that your Internet-facing Exchange SMTP server is properly secured.

Configuring SMTP authentication is a necessary part of securing your Exchange server. SMTP wasn’t originally designed to support authentication, so the IETF has retrofitted authentication via the SMTP AUTH verb as documented in RFC 2554. You can only control authentication at the virtual server level. The Authentication dialog pictured earlier in Figure 10-1 gives you control over which authentication methods a particular virtual server will accept.

In some cases, you might really want to allow only authenticated senders to use your SMTP server. For example, you might set up one virtual server that allows relaying (but only with authentication!) and another that accepts mail from servers on the Internet. In that case, make sure that the Anonymous access checkbox is turned off on the server where you want to require authenticated access.

One area that calls for particular caution is the prevalence of SMTP authentication attacks. These attacks, usually mounted by spammers, are essentially dictionary attacks that attempt to discover user passwords for use with SMTP servers that require authentication. Exchange 2000 and 2003 don’t log failed authentication attempts by default, so you won’t necessarily have an idea that you’re under attack. The logs maintained by the Internet Information Services (IIS) SMTP core don’t record authentication requests, so you can’t watch them for clues either. The only reliable way to monitor attempted attacks using this scheme is to look for packets originated by your Internet-facing mail servers on TCP port 25 with the string “535 5.7.3 Authentication unsuccessful” in them.

There are several protective measures you can take, though:

Recipe 4.7 for configuring diagnostic logging, Recipe 10.8 for controlling anonymous address resolution, Chapter 7 for other nifty SMTP tricks you can do (in particular, Recipe 7.19 for relaying control), MS KB 823019 (How to Help Secure SMTP Client Message Delivery in Exchange Server 2003), and MS KB 319267 (How to secure Simple Mail Transfer Protocol client message delivery in Exchange 2000 Server)

You want to protect traffic between your front- and back-end servers by using IPsec.

Deploying IPsec is fairly complex and one recipe can’t really do it justice. The important point for deploying IPsec between front- and back-end Exchange servers is that you must specify which types of traffic you want to protect:

IPsec policies are stored in a local policy database, so you can apply them to individual machines (as we do in this recipe). The local policy database can be linked to, and automatically refreshed from, a group policy object (GPO), so you can define IPsec policies at the site or domain level, or link them to OUs. This approach is valuable if your Exchange servers are in their own domains or OUs or are using group filtering on Windows 2003 DCs. If not, running scripts like the one shown in the command-line solution (or using the policy import and export features of netsh) is probably the fastest way to get IPsec protection in place on your servers.

Recipe 10.4 for setting IPsec between a front-end and a clustered back-end, Chapters 11 and 14 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press) for more on IPsec setup and administration, MS KB 253169 (Traffic that Can—and Cannot—Be Secured by IPsec), MS KB 254949 (Client-to-Domain Controller and Domain Controller-to-Domain Controller IPSec support), the TechNet “Step-by-Step Guide to Internet Protocol Security” for Windows 2000:

and the “Deploying IPSec” chapter of the Deploying Network Services Guide of the Windows Server 2003 Deployment Kit:

You have one or more front-end servers communicating with a clustered back-end server, and you want to protect IMAP, POP, or HTTP traffic passing between them.

You can use IPsec as described in Recipe 10.3 to protect IMAP, POP, and HTTP communications between front- and back-end servers. However, if the back-end server is a cluster, the ordinary setup method doesn’t work well. That’s because the security association (SA) established between the two servers has to be renegotiated when failover occurs. The default interval for SA renegotiation is five minutes, which means that until that interval elapses, the FE and BE will be unable to communicate. This can take up to six minutes: five minutes for the timer to elapse, plus one minute for the IKE protocol to decide that it needs to establish a new SA. In Exchange 2000, there was no way to fix this, meaning that Microsoft didn’t support the use of IPsec in this configuration. However, in Windows 2003, you can adjust the renegotiation interval down so that reestablishment takes a maximum of two minutes: one minute for the idle timer to expire, plus one minute for IKE renegotiation.

Recipe 10.3 for setting IPsec between front- and back-end servers, and MS KB 821839 (How to Configure IPsec on an Exchange Server 2003 Back-End Server That Is Running on a Windows Server 2003 Server Cluster)

You want to use a hardware SSL accelerator in front of your Outlook Web Access server.

To enable SSL offloading when you are not using forms-based authentication, perform both of the following procedures. If you are using forms-based authentication, you only need to make the registry modification.

There are two primary types of SSL acceleration devices. The first are plug-in cards that you put in your server. They provide an interface to the Windows CryptoAPI layer such that CryptoAPI calls made by applications like IIS and Exchange are offloaded to the cards. Examples include the HP/Atalla AXL600L and the nCypher nFast card. You don’t have to do anything special to make these cards work with Exchange. The other type of accelerator is usually built into a hardware IP management device. Examples of this type include the F5 Big-IP line, the Alteon 310, and the Cisco SCA 11000 series. These devices are the ones that require the measures described in the Solution section, at least in some cases. There are three scenarios in which you might be using SSL acceleration in conjunction with Exchange:

These devices can terminate the SSL connection, or they can pass it through directly to the target host. The most common configuration is usually to have the device terminate the session and establish a new one to the target Exchange server, as this facilitates load balancing. In this configuration, though, you have to apply the ExFeHttpsOnFilter trick described in this recipe, or OWA won’t have any idea that SSL was originally in use, so the links it generates will start with http:// and not https://.

These machinations all leave aside the larger question of whether it actually makes sense to buy the first kind of accelerator. Generally, SSL isn’t the bottleneck for front-end servers; the boundary we normally use is that if the server is handling more than 100 concurrent SSL handshakes per minute, it might make sense to buy an accelerator. The handshake is the most resource-intensive component of SSL traffic; once it’s completed, the ongoing encryption of passing traffic causes fairly low overhead.

MS KB 327800 (A new option that allows Exchange and OWA to always use SSL (HTTPS)) and MS KB 307347 (Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header)

You want to enroll a user so she can use S/MIME with Exchange Server 2003.

S/MIME complements other methods of protecting Exchange email, because it alone provides end-to-end protection for the message from the time it’s sent until the recipient decrypts it. This protection includes protection against tampering and eavesdropping in transit and while the message is stored. In contrast, IPsec only provides protection for the message while it’s in transit between servers. However, the implementation footprint of S/MIME is pretty large: you have to have a CA that can issue certificates to your users, and you have to configure individual clients accordingly. This recipe deals only with the latter problem, and then only for the two most prevalent Exchange 2000 and Exchange Server 2003 clients. Table 10-1 shows some common clients and the degree to which they support S/MIME.

Chapters 3 through 7 of the Exchange Server 2003 Message Security Guide, “The Windows Server 2003 PKI” chapter of the Designing and Deploying Directory and Security Services Guide (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide), Microsoft Windows Server 2003 PKI and Certificate Security (Microsoft Press), Chapter 9 of Securing Windows Server 2003 (O’Reilly), Chapters 11 and 13 of Secure Messaging with Exchange Server 2003 (Microsoft Press); MS KB 883575 (Description of the known issues with using Outlook Web Access on a Windows XP SP2-based computer) and MS KB 883543 (The S/MIME control does not load in OWA when you are running the Exchange Server 2003 OWA client on a Windows XP Service Pack 2-based computer)

You need to create a custom DNS block list (DNSBL) instead of (or in addition to) using a third-party DNSBL service.

The idea behind DNSBLs is simple: when your server gets an inbound piece of mail, it can query a DNSBL server for the IP address of the sending server. If the IP address belongs to a known spammer, to an address block reserved for dial-up users, or some other range of IPs from which legitimate mail is unlikely to originate, the DNSBL server will return an address; if the IP address isn’t on the list, the query will fail. Based on this go/no-go indication, Exchange can then decide whether to drop the connection or to accept the message.

There are several popular and well-maintained DNSBL services such as SpamHaus and SpamCop. Most mail administrators who use DNSBLs use third-party lists, although those at larger sites will often download the zone data and run it on a local nameserver. You are free to create and maintain your own list if you prefer. This gives you a greater degree of control over the contents of the DNSBL, since some third-party services use rather relaxed standards to decide who is spamming. DNSBLs by themselves aren’t a complete anti-spam solution, especially given that a large percentage of current spam is sent by hijacked Windows machines connected to various ISPs; their IP addresses don’t fall into a contiguous block, and there’s little value in banning hundreds or thousands of individual client IPs. DNSBLs are instead useful as an additional protective layer to be relied on after other measures.

Managing a large amount of blocklist data through the GUI can become quickly cumbersome, especially if it changes on a frequent basis. You may want to look into other methods of managing DNS data: direct import of DNS zone files; use of the dnscmd.exe utility to programmatically update data in dynamic DNS zones; or using the MicrosoftDNS_Server, MicrosoftDNS_Zone, and MicrosoftDNS_ResourceRecord WMI classes. Although the details of these methods are out of the scope of this recipe, Matt Larson, Cricket Liu, and Robbie Allen provide a thorough reference to the many facets of running a Windows-based DNS server in their book DNS on Windows Server 2003, also available from O’Reilly.

Recipe 7.22 for configuring SMTP connection filtering to use a DNSBL, Chapter 10 of the Exchange Server 2003 Transport and Routing Guide, MS KB 823866 (How to configure connection filtering to use Realtime Block Lists and how to configure recipient filtering in Exchange Server 2003), and Chapter 8 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press)

You want to reduce the possibility of outside parties spoofing sender addresses.

When incoming SMTP mail arrives at an Exchange server, it is sometimes desirable to check SMTP addresses in the headers against the global address list. This allows mail sent from [email protected] to appear as “Paul Robichaux” in the mailboxes of other users in our organization. However, it also allows spoofed mail that claims to be from within the organization to have its headers resolved so that the mail looks more legitimate. The implementation and behavior of this feature varies between Exchange 2000 and Exchange Server 2003.

Header resolution only applies to messages that are passed into the message store via SMTP. If messages are submitted via SMTP and directly delivered to another system via an SMTP transport, Exchange will not modify the headers. Because the header resolution relies on matching the SMTP address with extended user MAPI properties in Active Directory, the message must first be passed into the information store for resolution to take place.

Remember that the value of this setting applies only to individual SMTP virtual servers. Microsoft recommends that you disallow anonymous resolution on any machine that accepts SMTP traffic from the Internet, so if you want to allow header resolution for some of your messages, you may need to create additional virtual servers.

MS KB 828770 (Resolve Anonymous Senders Functionality in Microsoft Exchange 2003) and MS KB 288635 (Resolve Functionality in Exchange 2000 Server)

You want to minimize the attack surface of your Exchange servers by disabling unnecessary services.

Code that isn’t running can’t be attacked. For that reason, it’s important to turn off unnecessary services on your Exchange servers, particularly those that face the Internet. This can be tricky, since some services are required for nonobvious circumstances. For example, if the Microsoft Exchange Management service isn’t running on a given server, message tracking won’t work on that server. Table 10-2 lists the key Windows and Exchange services whose state you need to control on your front- and back-end servers.

This list isn’t complete, of course, since there are many other Windows services that implement various features. However, Windows 2003 does a good job of disabling unneeded services, so in the table I’ve included two types of services: those provided by Exchange and those on which Exchange depends. For specific guidance on what a given Windows service does, you should consult the Threats and Countermeasures Guide for Windows 2003 or the Windows 2000 documentation. You should also consult the documentation for any Exchange add-ons; they may introduce additional dependencies. In general, Exchange back-ends require most of the Exchange services to be set to start automatically. In particular, the system attendant, information store, and routing engine services are required, although none of these is necessarily required on a front-end server.

You can make these settings changes in three ways: manually via the GUI, automatically via a script that uses the sc command to set the service start state, or via a security template applied as part of a GPO. Of these three, the last route is the best, because the GPO can be configured so that an administrator cannot easily override the start state defined in the policy. Of course, this makes it harder to turn on services when you have a legitimate reason to do so, and it also requires that you create group policy objects and apply them to your Exchange servers. This process is described in great detail in the “Hardening Exchange 2003 Servers” section of the Exchange Server 2003 Security Hardening Guide.

Chapter 6 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press), “Hardening Exchange 2003 Servers” in Security Operations Guide for Exchange 2000:

Security Hardening Guide for Exchange 2003:

and Chapter 7 of the Threats and Countermeasures Guide:

You want to enable RPC tunneling over HTTPS so that your Outlook 2003 users can use Outlook directly against your servers.

Setting up RPC over HTTPS is easier in Exchange Server 2003 SP1 than it was in the original release version, but it’s still a reasonably involved task that requires you to know a good bit about your Exchange topology, and to understand the underlying mechanics. There are three basic steps:

Using a graphical user interface

To install the RPC-over-HTTP proxy, do the following:

1. Log in to the front-end server using an account with Windows administrative privileges.

2. From the Control Panel, open the Add or Remove Programs applet.

3. Click Add/Remove Windows Components.

4. Select Networking Services and click the Details button.

5. Ensure that the RPC over HTTP Proxy box is checked and click OK.

6. Click Next (you may need to pop in your Windows Server 2003 CD during the install process).

To enable RPC-over-HTTP on an Exchange front-end server, do the following:

1. Launch the Exchange System Manager (Exchange System Manager.msc).

2. In the left pane, expand the appropriate Administrative Groups container, and then expand the Servers container.

3. Open the Properties dialog for the front-end server you’re configuring and switch to the RPC-HTTP tab.

4. Select the RPC-HTTP front-end server radio button and click OK.

5. You’ll see a dialog warning you that SSL is required for use with RPC-over-HTTP; click OK to close it.

6. Repeat steps 1-5 for each additional front-end server that you want to accept RPC-over-HTTP requests.

To configure an Exchange back-end server, do the following:

1. Log on to your Exchange server using an account that has Exchange administrative privileges.

2. Launch the Exchange System Manager (Exchange System Manager.msc).

3. In the left pane, expand the appropriate Administrative Groups container, and then expand the Servers container.

4. Open the properties dialog for the back-end server you want to configure and switch to the RPC-HTTP tab.

5. Select the RPC-HTTP back-end server radio button and click OK.

6. If you see a warning dialog telling you that you don’t have any RPC-HTTP front-end proxies, click OK to close it.

7. If you’re configuring a back-end server that also happens to be a domain controller, you’ll see a warning dialog that tells you that the ports aren’t configured right (see Figure 10-3). Click OK to configure the ports automatically, but be forewarned: you’ll need to reboot your server before the changes take effect.

8. Repeat steps 1-6 for each additional back-end server you want to configure.

Figure 10-3. The warning dialog produced when you enable RPC-over-HTTP on a domain controller

To configure SSL offloading for the front-end, do the following:

1. Log on to the RPC proxy server (which may be your Exchange front-end, or another Windows Server 2003 computer) using an account with administrative privileges.

2. Open the Registry Editor (regedit.exe).

3. Navigate to HKEY_LOCAL_MACHINE SoftwareMicrosoftRpcRpcProxy.

4. Right-click on RpcProxy and select New→ DWORD to add a new DWORD value named AllowAnonymous.

5. In the right pane, right-click the AllowAnonymous entry and select Modify.

6. In the Value data field, type 1 and click OK.

7. Quit the Registry Editor.

8. Use the Services snap-in or command line to stop and restart the World Wide Web Publishing Service (w3svc).

To configure a single-server Exchange Server 2003 organization, do the following:

1. Log in to your Exchange server and follow the previous steps for configuring an Exchange back-end server.

2. Open the IIS Manager snap-in (%SystemRoot%system32inetsrviis.msc).

3. Locate and expand the target server’s Default Web Site object, then right-click the RPC virtual directory and select Properties.

4. Switch to the Directory Security tab and click the Edit button in the Authentication and access control group.

5. Clear the Enable anonymous access checkbox; set the Basic authentication (password is sent in clear text) and Integrated Windows authentication checkboxes. Click OK.

6. Click OK.

7. Open the Registry Editor (regedit.exe)

8. Navigate to HKEY_LOCAL_MACHINE SoftwareMicrosoftRpcRpcProxy.

9. Right-click the ValidPorts value and select Modify. You’ll need to change its value to open ports 6001 and 6004 to your server, for which you’ll need the NetBIOS and fully qualified domain names of your server. Format the string like this:

                           <serverNetBIOS>:6001;<serverFQDN>:6001;<serverNetBIOS>:6004;<serverFQDN>:6004;

   where <serverNetBIOS> is the NetBIOS name of your Exchange server and <serverFQDN> is the full DNS name (e.g., someserver.oreilly.com).

If your Exchange back-end server is also a global catalog server, you have to force the directory service to use the correct TCP port for queries. To do so, follow these steps:

1. Open the Registry Editor (regedit.exe).

2. Navigate to HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNTDSParameters.

3. Right-click on Parameters and select New→ Multi String Value. Name the new value NSPI interface protocol sequences.

4. Right-click the new NSPI interface protocol sequences value and select Modify. Change the value to contain ncacn_http:6004.

5. Quit the Registry Editor and restart the server.

One of the biggest new features of Exchange Server 2003 is its ability to work with Outlook 2003 to tunnel remote procedure call (RPC) traffic inside of ordinary-looking HTTP packets. This might not seem like a big deal, but it is. Microsoft has long recommended against allowing random Internet clients to send RPCs directly into your network—a number of serious vulnerabilities in the Windows NT RPC stack led to this policy, and it’s very rare to find exceptions. That means that Outlook, which uses RPCs to exchange MAPI data with the server, needs an unobstructed path between the Outlook machine and the Exchange server. Previously, there were three primary ways to accomplish this: allow raw RPC traffic from the Internet, use ISA Server to publish the RPC interfaces, or allow Outlook users to establish VPN connections to the corporate network. This new feature adds a fourth way: when enabled, Outlook 2003 takes its RPC requests and encapsulates them in an HTTP packet, which it then sends using HTTP (preferably with SSL) to an RPC proxy server. This server breaks apart the HTTP packet and redirects the RPC requests to the Exchange back-end server, returning any results to the client in an encapsulated HTTP packet.

The advantages of this are obvious: it allows the Outlook client to connect without needing a VPN (and thus without any special configuration or, worse, proprietary VPN clients on the client machine), but it doesn’t allow raw RPC traffic from the Internet. If you wish, you can use ISA Server to perform application-level inspection of the RPC packets as they come in, but that’s not mandatory. However, there are some prerequisites: to use RPC-over-HTTP, you must have Exchange Server 2003 running on Windows Server 2003, and all GCs that Exchange or the clients will talk to must also be running Windows Server 2003. Outlook 2003, running on Windows XP SP1 or later, is required as the client.

Overall, the configuration and setup process for RPC-over-HTTP is fairly straightforward; it was greatly improved with the release of SP1, which introduced the RPC-HTTP tab in the server properties dialog. One significant speed bump is that the server SSL certificate installed on the RPC proxy must match the common name that the client uses to connect. Let’s say you’ve configured a client to connect to exchange.robichaux.net, and that your RPC proxy is named spiderman.robichaux.net and has a certificate by that name. Because the names don’t match, the SSL handshake will fail (as described in MS KB 822594). To fix this, either change the RPC proxy name specified on the Outlook client or get a new certificate for the RPC proxy itself.

What about SSL offloading? This term is a little misleading in this context. It would probably be more proper to talk about SSL termination, since the steps in this recipe are required when you want to terminate an inbound RPC-over-HTTPS connection at an ISA server (or other firewall), then pass the unencrypted traffic to the RPC proxy server, then to the back-end server. In most configurations, it’s easier to either allow SSL bridging so that the proxy sees an SSL connection or to put the proxy service on the firewall machine so that the termination happens at the proxy.

“Configuring Outlook 2003 for RPC over HTTP” topic in the Outlook 2003 Resource Kit (http://www.microsoft.com/office/ork/2003/three/ch8/OutC07.htm), Exchange Server 2003 RPC over HTTP Deployment Scenario Guide (http://www.microsoft.com/technet/prodtechnol/Exchange/guides/E2k3RPCHTTPDep/1583ab17-f7d1-41c1-ba52-37ec276e3644.mspx), MS KB 833401 (How to configure RPC over HTTP on a single server in Exchange Server 2003), MS KB 841652 (How to configure an RPC over HTTP topology on computers that are running Exchange Server 2003 with Service Pack 1), MS KB 827330 (How to troubleshoot client RPC over HTTP connection issues in Office Outlook 2003), MB KB 833003 (Description of the RPC over HTTP feature and the AllowAnonymous registry entry in Windows Server 2003), and MS KB 822594 (Remote Procedure Call over HTTP Is Not Successful or Reverts to TCP)

You want to enable the use of Transport Layer Security (TLS) encryption for your SMTP traffic.

SMTP itself doesn’t include any provision for encrypting traffic, but the Internet Engineering Task Force (IETF) has approved a number of extensions to SMTP, including the STARTTLS verb (described in IETF RFC 2487). STARTTLS is used for one end of an SMTP connection to signal the other end that it can handle encrypting the channel. Some SMTP servers support it, and some do not; in addition, many mail user agents (including Outlook, Outlook Express, Eudora, and various PDA mailers) support using STARTTLS to secure email between client and server. TLS is especially useful in conjunction with authenticated SMTP mechanisms that transmit credentials in the clear (see Recipe 10.2); the combination is often necessary when using SMTP authentication with non-Microsoft SMTP implementations.

The problem with TLS in Exchange is that Exchange doesn’t support opportunistic TLS. Most UNIX TLS implementations can be configured to try to negotiate a TLS session first, then to accept mail anyway if the TLS negotiation fails. Exchange can’t do this. If you enable TLS at the Exchange virtual server level, it will refuse to accept any mail from senders who aren’t using TLS. That means that if you enable this on your default virtual server, you’ll start throwing away lots of inbound mail from servers that are not using TLS. There’s no way to make Exchange use fully opportunistic TLS. For that reason, Microsoft recommends that you enable TLS only for specific domains that you know can respond in kind through the use of SMTP connectors. You do this by setting up SMTP connectors directly to those domains you wish to use TLS with and enable TLS for those connectors only. For example, you might set up a connector just for traffic to your company’s law firm, then force TLS usage on that connector. Result: all SMTP mail between you and your lawyers would be encrypted.

You can force Exchange to use TLS for all outbound mail on a particular virtual server. This might seem to have the desired effect of protecting your outbound mail from eavesdropping; however, if you enable this option, Exchange will still refuse to communicate with any servers that don’t have TLS enabled, so outbound mail to those destinations will stack up in your outbound queues. Again, the answer is to use SMTP connectors to specify those domains where Exchange should use TLS.

MS KB 329061 (XADM: Exchange Server Cannot Communicate with Non-TLS Domains), and MS KB 829721 (How to Help Protect SMTP Communication by Using the Transport Layer Security Protocol in Exchange Server)

You want to change the service connection banner displayed to new SMTP, IMAP, or POP sessions.

The usual rationale for changing the SMTP banner is to prevent advertising the fact that your server is running Exchange; by stripping this revealing information, so the theory goes, potential attackers will not realize they have connected to an Exchange server and will not try any Exchange-specific attacks they may know about.

This theory sounds great right up until the time you connect your modified server to the Internet. What really happens is that the attacker replies to the ESMTP banner with a properly formatted EHLO response; why not, since they are going to need to do so no matter which attack they wish to launch? They then see the list of extended SMTP verbs supported by the server and immediately realize they are dealing with Exchange thanks to the Exchange-specific ESMTP features. Even more commonly, they are not looking for software-specific vulnerabilities, but configuration errors that will allow them to relay messages through your server; they do not care what software you are running, only whether you have properly closed down relay access. This rationale is less applicable to the POP and IMAP services because they don’t implement any significant Exchange-specific features.

Because the Exchange SMTP, IMAP, and POP services extend the underlying IIS services, this recipe depends on the version of Windows on your Exchange server, not the version of Exchange. Although you cannot install Exchange 2000 on Windows Server 2003, you can run Exchange Server 2003 on Windows 2000 (see Chapter 1 for more details).

By default, the SMTP banner is a string concatenated from the following elements:

For example:

220 host.fdqn.tld Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 
ready at  Wed, 8 Dec 2004 22:52:28 -0800

When you change the banner property, Exchange will still display the SMTP result code, the FQDN, and the date/time stamp. Setting the ConnectResponse property to a value of “ESMTP This space for rent” would thus produce:

220 host.fdqn.tld ESMTP This space for rent Thu, 9 Dec 2004 00:52:01 -0800

Whatever connection string you use, be sure to include the string ESMTP in it or else you may disable Extended SMTP functionality on connections with other systems. Some SMTP implantations will not assume the presence of Extended SMTP functionality unless they see the string ESMTP in the initial banner; without it, they will not send an EHLO on the initial connection. This behavior is based on an unwritten rule that many early ESMTP implementations used, though it was never codified in any RFC.

MetaEdit was originally part of the IIS 4.0 Resource Kit. The latest version, 2.2, works on both Windows NT 4.0 and Windows 2000 Server, but will not work on Windows Server 2003 due to the comprehensive changes in the metabase for IIS 6.0.

Editing the metabase for IIS 6.0 is a bit easier. You can use the MetaBase Explorer utility, also part of the appropriate resource kit, or you can take advantage of the ability to directly edit the metabase in XML form. While this feature permits easier scripting capabilities, it is outside the scope of this book. Microsoft provides an example of this functionality in Chapter 6 of the Exchange Server 2003 Technical Reference Guide.

MS KB 281224 (XCON: How to Modify the SMTP Banner), MS KB 301386 (How To Install MetaEdit 2.2 on Windows NT 4.0 or Windows 2000), MS KB 555080 (Changing the SMTP Banner on a Windows 2003 Server Using Metabase Explorer), MS KB 303513 (How to modify the POP or IMAP banner), Chapter 6 “SMTP Transport Architecture” of the Exchange Server 2003 Technical Reference Guide (http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TechRef/b4938c19-f27d-4657-a55a-823a8184e690.mspx), and the IIS Metabase Property Reference (http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/ref_mb_aambref.mspx)