Tuesday, September 29, 2009

Hide your internal Exchange server name on EHLO/HELO: change your SMTP banner

I had a single Exchange Server 2007 machine (exchange1.intra) on my internal network, with the CAS, Transport and Mailbox roles installed on it.
This server sent and received email through an SMTP relay whose public name is mail.mycompany.com.
Emails sent to some recipient servers were rejected with the following error:

This came from the fact that some recipient servers double-check the name of the server sending the email by connecting to it and looking at the greeting and the EHLO/HELO reply, which is what you see with a telnet session:
telnet mail.mycompany.com 25
> 220 exchange1.intra Microsoft ESMTP MAIL Service .....
exchange1.intra is different from mail.mycompany.com, so the sending host does not match the name it is reached under.
You can check your mail server with useful online tools like MXToolBox.
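The same check can be scripted from any Windows machine, before and after the change, so you do not depend on an online tool. The script below is an added example and is not part of the original post: it connects to port 25, reads the 220 greeting and the EHLO reply, and reports whether both announce the expected public name. It assumes PowerShell 2.0 or later; the function names and the EHLO argument check.mycompany.com are made up for this example.

```powershell
# Added example, not part of the original post: probe an SMTP endpoint and
# report whether the 220 banner and the EHLO reply announce the expected name.
# Assumes PowerShell 2.0 or later; function names and the EHLO argument
# check.mycompany.com are made up for this example.

# Read one SMTP reply; "220-" / "250-" continuation lines belong to the same reply.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return ,$lines
}

# Host name announced in a reply line: the token right after "220 " or "250-".
function Get-SmtpReplyHost {
    param([string]$Line)
    if ($Line -match '^\d{3}[ -](\S+)') { return $Matches[1] }
    return $null
}

function Test-SmtpBanner {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$ExpectedFqdn,
        [int]$Port = 25,
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader                  # "220 <host> ..."
        $writer.WriteLine('EHLO check.mycompany.com')     # constructed client name
        $ehlo = Read-SmtpReply $reader                    # "250-<host> Hello ..."
        $writer.WriteLine('QUIT')
        [void](Read-SmtpReply $reader)
    } finally {
        $client.Close()
    }
    $bannerHost = Get-SmtpReplyHost $banner[0]
    $ehloHost   = Get-SmtpReplyHost $ehlo[0]
    New-Object PSObject -Property @{
        Server        = $Server
        Banner        = $banner[0]
        BannerHost    = $bannerHost
        EhloHost      = $ehloHost
        BannerMatches = ($bannerHost -eq $ExpectedFqdn)   # -eq is case-insensitive here
        EhloMatches   = ($ehloHost -eq $ExpectedFqdn)
        ShowsExchange = ($banner[0] -match 'Microsoft ESMTP')
    }
}

# Usage: a healthy result has BannerMatches and EhloMatches true and ShowsExchange false.
Test-SmtpBanner -Server 'mail.mycompany.com' -ExpectedFqdn 'mail.mycompany.com' | Format-List
```

The greeting and the EHLO reply are read separately because a relay can rewrite one and not the other; both are checked against the same public name, which is what the rejecting recipient servers compare.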

Unfortunately, you cannot change the SMTP banner on an Exchange server that has the Mailbox role installed on it.

In order to change your SMTP banner, you need to:

1- Add another server (exchange2.intra) with the Mailbox role to your Exchange organization, move all mailboxes to it and remove the Mailbox role from exchange1.intra.

2- Remove the default Exchange headers from outgoing mail on exchange1.intra (this hides that your server is running Exchange).
Run the following command in the Exchange Management Shell, where "send connector" is the name of your send connector:
Get-SendConnector "send connector" | Remove-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -User "NT AUTHORITY\Anonymous Logon"

Restart the Microsoft Exchange Transport service.

3- Set up your new banner with the name of the public server (mail.mycompany.com).
Open a command prompt on exchange1.intra and run (adsutil.vbs edits the IIS metabase; smtpsvc/1 is the first SMTP virtual server):
cd C:\inetpub\AdminScripts
cscript adsutil.vbs set smtpsvc/1/connectresponse "mail.mycompany.com My Company"

4- Check on exchange1.intra that, in the send connector properties, you have filled in the correct FQDN for HELO/EHLO requests (the public name, mail.mycompany.com).


Then the telnet check gives:
telnet mail.mycompany.com 25
> 220 mail.mycompany.com My Company

And your emails won't be rejected anymore.

PS: if you also have an SMTP virtual server (IIS), don't forget to put mail.mycompany.com in the masquerade domain and FQDN fields.
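To verify that the four steps actually took effect, the following audit can be run in the Exchange Management Shell on the server. It is an added example, not code from the original post: it reads the send connector FQDN (step 4), checks whether Anonymous Logon still holds ms-Exch-Send-Headers-Routing on that connector (step 2), and reports whether the Mailbox role is still present (step 1). It goes slightly beyond the post by also listing the receive connectors and their FQDN/Banner, which is the side a remote MTA sees when it connects back. The function name is made up; the connector name "send connector" and mail.mycompany.com are taken from the post.

```powershell
# Added example, not part of the original post: audit the settings the post's
# steps change and report what still does not match the public name.
# Run inside the Exchange Management Shell. Function name is made up; the
# connector name "send connector" and mail.mycompany.com come from the post.
function Test-ExchangePublicName {
    param(
        [string]$PublicFqdn = 'mail.mycompany.com',
        [string]$SendConnectorName = 'send connector'
    )
    $findings = @()

    # Step 4: the send connector must announce the public FQDN on HELO/EHLO.
    $send = Get-SendConnector -Identity $SendConnectorName
    if ("$($send.Fqdn)" -ne $PublicFqdn) {
        $findings += "Send connector '$($send.Name)': FQDN is '$($send.Fqdn)', expected '$PublicFqdn'"
    }

    # Step 2: while Anonymous Logon holds ms-Exch-Send-Headers-Routing on the
    # connector, the X-MS-Exchange-Organization-* headers leave with the mail.
    $anon = Get-ADPermission -Identity $send.Identity -User 'NT AUTHORITY\Anonymous Logon' |
        Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'ms-Exch-Send-Headers-Routing' }
    if ($anon) {
        $findings += "Send connector '$($send.Name)': Anonymous Logon still holds ms-Exch-Send-Headers-Routing"
    }

    # Receive side (beyond the post's steps): what a remote MTA sees when it
    # connects back. A Banner override, if set, must start with "220 ".
    foreach ($rc in Get-ReceiveConnector) {
        if ("$($rc.Fqdn)" -ne $PublicFqdn) {
            $findings += "Receive connector '$($rc.Identity)': FQDN is '$($rc.Fqdn)' (acceptable only if the connector is internal-only)"
        }
        if ($rc.Banner -and ($rc.Banner -notmatch '^220 ')) {
            $findings += "Receive connector '$($rc.Identity)': Banner '$($rc.Banner)' does not start with '220 '"
        }
    }

    # Step 1: the post notes the banner cannot be changed while the Mailbox role is present.
    $roles = (Get-ExchangeServer -Identity $env:COMPUTERNAME).ServerRole
    if ("$roles" -match 'Mailbox') {
        $findings += "Server $env:COMPUTERNAME still has the Mailbox role; move the mailboxes and remove it first"
    }
    return ,$findings
}

# Usage: an empty result means every checked setting matches the public name.
Test-ExchangePublicName -PublicFqdn 'mail.mycompany.com' -SendConnectorName 'send connector'
```

Rerun it after restarting the Microsoft Exchange Transport service; the header permission check is the one that is easy to forget, because a wrong FQDN is visible in telnet output but leaked routing headers are only visible in a received message.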



4 comments:

  1. I face the same problem, but I have 3 servers: MX, HUB+CAS on the internal server and an Edge server in the DMZ?

  2. Sorry, I never had to use an Edge server, but I believe it would be similar to my ISA in the DMZ, where you need to set the masquerade domain (in the connectors).

  3. Solution: NEVER use Exchange as the final server.
    Put a Linux server with a good postfix/sendmail config on it and relay from and to your Exchange server.
    Saves you a lot of trouble.

  4. In step 4, why change SEND connector instead of RECEIVE connector?
