
Secure the Edge: Protecting Exchange 2007 Connectors

Many small companies employ a service such as AppRiver to provide affordable messaging security, but not many take the time to properly secure their Exchange connectors afterwards.

A very common configuration for SMBs, particularly those running Microsoft Small Business Server, is to throw all the Exchange services on one box, forward ports 25, 80, and 443 to it, plug in your MX records, and call it a day. However, any experienced messaging administrator will tell you that it's a security concern to have your mailboxes sitting on the same server that has a publicly accessible SMTP service. Basically, you are inviting anyone and everyone to come put files on your server. Couple this with the fact that many businesses are running their servers with no messaging security component, such as Trend Micro's "Worry-Free Business Security Advanced" or Microsoft's Forefront for Exchange, and you have a recipe for quickly piling up unwanted mail, or worse.

Although a large enterprise might normally set up an edge server in a DMZ to receive mail, that's not a realistic option for the small business. So, in swoops a service such as AppRiver to save the day, providing you affordable hosted messaging security by acting as the middle-man for incoming (and usually outgoing) mail between you and the rest of the internet. Problem solved, right? Wrong. Normal, RFC-abiding mail servers will deliver your mail to the hosted filtering system you listed in your MX records, lowest preference number first, but the wise spammer doesn't bother with MX records at all. He'll find port 25 open on your network and start spamming away, completely bypassing the filter. Here's how to avoid that and ensure your Exchange server only communicates with your filtering service.

Step 1: Lock Down the Receive Connector
Fire up your Exchange console and drill down to Server Configuration > Hub Transport. You should already have one "Internet" connector there. Although Microsoft recommends you simply change this one, I like to leave it in place as a quick way to "re-enable" inbound mail from all sources should you ever need to.

Start by creating a new Receive Connector (Action > Server > New Receive Connector ...). Give it a logical name and specify that this will be a "Custom" connector. You should be able to keep the defaults where they are unless this is a multi-homed server and you only wish to receive mail on one interface. Don't forget to set your HELO response banner to the external FQDN (e.g. mail.domain.tld). This would also be a good time to mention that proper PTR and MX records are important.

Now that you have your connector in place, right-click on it and let's change the properties. First, you'll want to remove the existing entry in the "Receive mail from these IP addresses" box. Enter all of the IP addresses provided by your hosted filtering service (AppRiver's can be found here).

Leave all the authentication mechanisms off and what we have is an external connector that will only accept mail coming from AppRiver. Now you can disable your Internet connector and test the configuration.

Step 2: Lock Down the Send Connector
Outbound filtering is a great feature that most hosted filtering providers offer. Sometimes this feature has to be requested, but it will help prevent your users from forwarding spam or sending viruses to other networks.

Create a new Send Connector (Action > New Send Connector). Assign a name and use the "Custom" option for the type of connector.

Add a new SMTP address space, using an asterisk (*) for the address. This will tell Exchange to use this connector for all destinations. In the network settings, select the option to "Route mail through the following smart hosts". Use the FQDN or IP of the smart host you were given by your filtering provider (, for example) after clicking "Add".

Your provider will tell you if they require authentication (AppRiver does not), which will need to be specified in the "Configure smart host authentication settings" screen. After your send connector is set up, just disable the existing Internet connector and enable your new custom connector.

Of course, you can do all of this from the command line in EMS if you like. If you are curious about those commands, you can view the shell command output from any of these actions when looking at the completion screen in EMC.
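As an added example (not part of the original post), here is the Exchange Management Shell equivalent of Steps 1 and 2 on a single Hub Transport server. The IP addresses, the smart host name and the names of the existing Internet connectors are placeholders you must replace with your provider's published values and your own connector names.

```powershell
# Added example: EMS commands for Steps 1 and 2. Every value marked PLACEHOLDER
# is made up for illustration and must be replaced with your own.
$server        = $env:COMPUTERNAME                       # the Hub Transport server
$externalFqdn  = "mail.domain.tld"                       # HELO/EHLO banner, as in Step 1
$filterIPs     = @("203.0.113.10", "203.0.113.11")       # PLACEHOLDER: provider's sending IPs
$smartHost     = "smarthost.provider.example"            # PLACEHOLDER: provider's smart host
$oldReceive    = "Internet Receive Connector"            # PLACEHOLDER: existing inbound connector
$oldSend       = "Internet Send Connector"               # PLACEHOLDER: existing outbound connector

# Step 1: a custom receive connector that only accepts SMTP sessions from the
# filtering service. No authentication mechanism is enabled, but the
# AnonymousUsers permission group is required because the provider's sessions
# are unauthenticated; without it the connector would reject every MAIL FROM.
New-ReceiveConnector -Name "Inbound from Filter" -Usage Custom -Server $server `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $filterIPs -Fqdn $externalFqdn `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Keep the original Internet connector but disable it, so it can be re-enabled
# quickly if inbound mail from all sources is ever needed again.
Set-ReceiveConnector -Identity "$server\$oldReceive" -Enabled $false

# Step 2: route all outbound mail ("*" address space) through the provider's
# smart host instead of resolving destination MX records directly.
New-SendConnector -Name "Outbound via Filter" -Usage Custom `
    -AddressSpaces "SMTP:*;1" -SmartHosts $smartHost -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism None -SourceTransportServers $server

Set-SendConnector -Identity $oldSend -Enabled $false

# Verify: only the filter connector should be enabled for external IPs, and the
# only enabled send connector should point at the smart host.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Enabled, RemoteIPRanges, PermissionGroups -AutoSize
Get-SendConnector |
    Format-Table Name, Enabled, SmartHosts, DNSRoutingEnabled -AutoSize
```

Once the old Internet connector is disabled, an SMTP session from an address outside $filterIPs falls through to the server's Default receive connector, which grants no anonymous permission, so an unauthenticated sender from an unknown host should be refused rather than relayed.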

