Tuesday, September 29, 2009

Hide your internal Exchange server name on EHLO HELO - Change your SMTP banner

I had a single Exchange server 2007 (exchange1.intra) on my internal network.
This server had the CAS, Transport and Mailbox roles installed on it.
This server used an SMTP relay to send/receive emails (public name : mail.mycompany.com).
Emails sent to some recipient servers were rejected with the following error :

This came from the fact that some recipient servers double check the name of the server sending the email with a telnet/ehlo-helo request on it :
telnet mail.mycompany.com 25
> 220 exchange1.intra Microsoft ESMTP MAIL Service .....
exchange1.intra is different from mail.mycompany.com
You can check your mail server with useful online tools line MXToolBox

Unfortunately, you cannot change your SMTP banner on your Exchange server if it has the mailbox role installed on it.

In order to change your SMTP banner, you need to :

1- add another server (echange2.intra) to your Exchange organization with the mailbox role, move all mailboxes on it and remove the mailbox role from echange1.intra.

2- remove the default Exchange header (will hide that your server is running Exchange) on echange1.intra.
Run in the Exchange Management Shell the following command, where send connector is the name of your send connector:
Get-SendConnector “send connector” | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights “ms-Exch-Send-Headers-Routing” -user “NT AUTHORITY\Anonymous Logon”

Restart the Exchange Transport service.

3- Set up your new banner with the name of the public server (mail.mycompany.com)
Open a command prompt on exchange1.intra :
cd C:\inetpub\AdminScripts
cscript adsutil.vbs set smtpsvc/1/connectresponse "mail.mycompany.com My Company"

4- Check on echange1.intra that in the send connector properties, you have filled the correct FQDN for helo/ehlo requests


Then the telnet feedback will be:
telnet mail.mycompany.com 25
> 220 mail.mycompany.com My Company

And your emails won't be rejected anymore.

PS : if you have an SMTP virtual server (IIS), don't forget to put mail.mycompany.com in the masquerade domain and FQDN fields.
Posted by at
Labels:

5 comments:

  1. AnonymousApril 4, 2011 at 7:56 AM

    i face the same problem, but i have 3 SERVER, MX, HUB+CAS in internal server and Edge server in DMZ ?

    ReplyDelete
  2. ChristopheApril 13, 2011 at 6:16 PM

    Sorry I never had to use an edge server but I believe it would be similar to my ISA in DMZ where you need to set the masquerade domain (in the connectors)

    ReplyDelete
  3. AnonymousApril 15, 2013 at 4:18 PM

    Solution, NEVER use exchange as final server.
    Post a linux server with a good postfix/sendmail config on it and relay from and to you exchange server.
    Saves you a lot of troubles.

    ReplyDelete
  4. ImadAugust 31, 2013 at 6:29 AM

    In step 4, why change SEND connector instead of RECEIVE connector?

    ReplyDelete
  5. AnonymousDecember 5, 2022 at 8:42 AM

    Affiliate marketing is both the simplest and hardest technique round. Affiliates, typically playing bloggers or streamers, develop a big following after which direct their viewers in the 파라오카지노 direction of|in course of} online on line casino platforms for a fee. Providing up-to-the-minute info just like the working total of a progressive jackpot will add more vitality to the on line casino.

    ReplyDelete

Subscribe to: Post Comments (Atom)