Thursday, September 25, 2008

Removing internal SMTP headers

Every SMTP message leaves a trail of where it has been. The SMTP headers are part of the RFC and are often useful in troubleshooting.

However, the SMTP headers also reveal things about your internal infrastructure, such as your internal IP addresses and host names. For this reason, security people often recommend stripping them out of a message that is leaving the organization. I have always been a bit "iffy" about doing this since, after all, the RFC says "put the headers in that there message." And my additional argument is that not having this internal infrastructure information will not slow down a talented hacker, or a hacker that has specifically decided to target your organization.

The information security people counter back that anything you do to slow down the intruders is worth doing. (We won't argue that point.)

Usually, to strip out the internal SMTP headers you need some type of 3rd party message hygiene / SMTP security software to do this for you. However, Microsoft has a clever way to do this: you simply deny anonymous connections the right to read this particular message property. You can do this with the Exchange Management Shell on a Hub Transport server that is Internet-facing (one that sends e-mail directly to the Internet or to a 3rd party message hygiene system). Let's say that my Send connector is called "E2K7 SMTP to Internet"; here is the EMS command:

Remove-ADPermission "E2K7 SMTP to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing

If you are using the Edge Transport server, you can do something very similar, but instead you revoke the Edge Transport Servers group's permission to read the message header information. Here is the EMS command necessary to revoke that right on the Send connector to an Edge Transport server (called "E2K7 SMTP to Edge Transport"):

Remove-ADPermission "E2K7 SMTP to Edge Transport" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing
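Before and after running either command, it is worth checking which principals actually hold the ms-Exch-Send-Headers-Routing right on each Send connector, since that right is what lets the connection see (and therefore pass along) the internal Received: headers. The audit script below is an added example, not part of the original post; it assumes only the standard Exchange 2007 cmdlets Get-SendConnector and Get-ADPermission run from an Exchange Management Shell, and the connector names in the output will be whatever you have defined, not the example names above.

```powershell
# Added example (not from the original post): list every Send connector together
# with the users that still hold ms-Exch-Send-Headers-Routing on it.
# An "NT Authority\Anonymous Logon" row on an Internet-facing connector means
# internal Received: headers are still being sent out; a row for
# "MS Exchange\Edge Transport Servers" on the Edge connector means the same
# for mail handed to the Edge server.
Get-SendConnector | ForEach-Object {
    $connectorName = $_.Name
    Get-ADPermission -Identity $_.Identity |
        Where-Object { $_.ExtendedRights -like "*Send-Headers-Routing*" } |
        Select-Object @{ Name = 'Connector'; Expression = { $connectorName } },
                      User, Deny, IsInherited
} | Format-Table -AutoSize
```

Run it once before the Remove-ADPermission command to see the baseline, and again afterwards; the Anonymous Logon (or Edge Transport Servers) row for that connector should be gone. If you ever need to put the right back, Add-ADPermission takes the same -Identity, -User and -ExtendedRights arguments as the Remove-ADPermission commands above.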

Bharat Suneja has a good discussion on this.


At 4:28 AM, Blogger MJL said...

Good information, thanks. Could you include a screenshot of what the email header looks like after running this command please? I just want to hide/change the Message-ID field in the header and I think this command may be more than what I'd like to accomplish. Thank you!


