Active Directory & Office 365 Reporting Tool

Multi-Layered Defense: Enhance Exchange Server Security. Email systems are traditionally one of the main targets for cybercriminals. Mail system itself and end users are at risk. Protection of email servers, such as Microsoft Exchange Server, requires an integrated approach that includes many layers. Usage of firewalls for the network protection, spam filters to inspect the SMTP traffic, antiviruses and so on.

Would you like to know more about Multi-Layered Defense: Enhance Exchange Server Security? Let’s continue reading….

Protection Against External Threats Using Firewall

First layer of protection for Microsoft Exchange Server is a firewall. It blocks all connections besides the connections to the required ports. While planning the firewall configuration for Exchange Server, consider 2 types of traffic – client connections (initiated by web browser or by client software, such as Office Outlook) and email transport connections (initiated by email servers).

For the client connections, only inbound traffic should be opened, and the required ports are defined by the email clients used in your organizations and whether external connections are allowed. In the strictest scenario, users cannot use their mailboxes outside of the corporate network, and no port for client connection allowed. In less strict cases, users access their mailboxes from outside. Here, the best practice is to allow only email clients that support modern authentication, such as Office Outlook, Outlook on the Web and Outlook mobile. This approach is secure and considered as a best practice, it requires only HTTPS port (TCP 443) to be opened in firewall.

In case less secure protocols (such as IMAP, POP3 and HTTP) are used . You need to open ports for them as well. The detailed information about each supported port is here Network ports required for clients and services. 

For email transport connections, only SMTP port should be opened – TCP port 25 need to be opened in both directions. SMTP is a default protocol used for email communication and it is used by all email systems. In case both Edge Transport and Mailbox servers are used in your Exchange infrastructure, ensure to only allow client communications to Mailbox servers and only email transport connections – to Edge Transport. No additional ports are required. No extra traffic is allowed in your firewall. A common mistake to allow external DNS traffic. It brings additional risks and should be avoided. Instead, configure internal DNS server to resolve external domain names through forwarders and to ensure successful next hop resolution for the mail server.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of reports available to gain control of your IAM.

Improve your AD & Entra ID security & compliance.

Email Filtering Using Antispam Tools

The second layer in the Exchange Server protection is the filtering of SMTP traffic. In case of usage of on-premises Exchange Server without implementation of third-party email filtering tools, expected design is the following:

In this architecture, Edge Transport server is located in the demilitarized zone (DMZ) and used as an email gateway, which filters all the external traffic. Messages are processed by multiple filters and those considered “clean” are forwarded to the Mailbox servers located in the local area network. In this scenario, enablement of antispam agents in Mailbox servers is not required and not recommended.

Edge Transport server contains seven email filtering agents, checking the incoming messages in the order listed below.

1. Connection Filtering Agent

The first agent checks the message(IP address of the sending server, and determines whether allow message or block it). No antispam mechanisms. As an admin, configure manual lists and use third-party list providers. Most popular DNS BL are Spam and Open Relay Blocking System (SORBS) and Spamhaus. Find others here: Wikipedia.

The providers form their lists based on the IP addresses that were reported as spam senders or potentially used to send spam. Example, mail servers that allow open (unauthenticated) relay. Configure Several different DNS BL providers and specify their priority like this:

  • Block list check – if the source IP address is presented in the block list, the message is discarded. The error message returned to sender is customizable. So configure different error message for each block list provider.
  • Allow list check – if the source IP address is presented in the block list, the message bypasses all other antispam agents.
  • If the source IP address is not presented in any list, the message is forwarded to the next filter (usually Sender Filter agent).

If the legitimate sender is blocked because their IP address is presented in DNS BL, their IT admin performs delisting procedure to be removed from the list. The detailed information is here Connection filtering procedures on Edge Transport servers.

2. Sender Filtering Agent

After connection filtering completed, the message is processed by the Sender Filtering agent. This agent performs filtering during the SMTP communication.

SMTP communication consists of several steps. After the establishing of the connection, sender server identifies sender mailbox using the Mail From command, and Sender Filtering agent checks the message in this step. It checks 2 things:

  1. Is sender email address presented? If it isn’t, the agent follows the action configured for such messages. Best practice is to block this kind of messages. Configured by setting the BlankSenderBlockingEnabled parameter of Set-SenderFilterConfig cmdlet to $true.
  2. Is sender email address or domain blacklisted? If it is, then agent either reject the message or add a stamp status to its headers that the message came from a blocked sender (depends on the agent configuration).

The detailed configuration is here Sender filtering procedures.

3. Recipient Filtering Agent

If the message passes the Sender Filtering agent, it receives the SMTP respond with code 250 from the receiving server, as you can see in the step 4 of the SMTP flow chart above. After that, sender server sends the RCPT TO header where the message recipients are specified. Here, Recipient Filtering agent takes an action: checks the recipient list to identify whether the following objects are presented:

  • Non-existent recipients. The filter checks whether recipient address presented in the corporate address book. It looks up for authorized domains, so if your Exchange Server has some relay domains, this feature should be disabled (by setting the RecipientValidationEnabled parameter of Set-RecipientFilterConfig cmdlet to $false value).
  • Recipients from the block list. The filter supports administrator-defined recipient block list, used for addresses that exist in the address book but shouldn’t receive any external messages.
  • Restricted distribution list. By default, all new distribution lists in Exchange Server are configured by internal usage and don’t support receiving messages from external senders. The message rejection for such groups is performed on Recipient Filtering level.

The message is processed, and for all the recipients that shouldn’t receive external messages (or non-exiting recipients), a 550 5.1.1 User unknown SMTP error code returned. For other recipients, server returns 250 2.1.5 Recipient OK response and continues message processing.

4. Sender ID Agent

Designed to prevent spoofing attack. The agent performs authentication of the sender relying on published sender policy framework (SPF) DNS records. Like this:

  • Exchange Server receives a message which appear to be sent from user@domain.com.
  • Sender ID agent checks the SPF record published for domain.com domain. SPF record lists the hosts that have the permission to send messages from using this domain name.
  • It checks the originating host of the message with the allowed senders from SPF. If host is not listed there, the message is considered spoofed.

The action for such message is customizable and should be configured using PowerShell. Tutorial for Sender ID agent configuration is here Sender ID procedures.

SPF only works if the sender domain has published SPF record in its DNS zone.

5. Content Filtering Agent

This one doesn’t provide the certain answer “Yes” or “No”. It analyzes the content of the message body and identifies the probability that the message is not legitimate. It checks and assigns a spam confidence level (SCL) from 0 (not a spam) to 9 (definite spam. Messages that should bypass the filter (for example, because of mail flow rules) get the -1 SCL rating. Based on this rating, IT admin configures actions applied to the message. Supported actions are Deliver to Junk folder (message delivered but put to the Junk E-mail folder), Quarantine (dedicated quarantine mailbox), Reject (delete message and send notification to the sending server) and Delete (delete the message without notifying anyone). An example config of Content Filtering agent like is:

  • Deliver messages with SCL rating 0-4 to the Inbox folder
  • Deliver messages with rating 5 to the Junk E-mail folder
  • Deliver messages with rating 6 to the quarantine mailbox
  • Reject messages with SCL rating 7
  • Delete the high confidence spam with rating 8-9

The configuration depends on your needs. For example, organizations in some industries must keep all the messages, so Reject / Delete actions are avoided and all filtered out messages go to quarantine. Detailed instructionsare here: Content filtering procedures. Quarantine mailbox configuration tutorial is here: Configure a spam quarantine mailbox in Exchange Server.

6. Protocol Analysis Agent

Protocol Analysis agent (or Sender reputation and the Protocol Analysis agent) is the next filtering layer. It checks the characteristics of the sender. According to Sender reputation and the Protocol Analysis agent in Exchange Server, the agents considers the following information about the message sender:

  • HELO/EHLO command analysis. This command initiates the SMTP connection and contains the domain name and the IP address. The agent checks whether information is correct and isn’t suspicious. For example, if the address specified differs from the address used for connection, or if the sender generates many EHLO commands with different information. The message is considered as spam.
  • Reverse DNS lookup. The agent checks whether the originating IP address used to transfer the message matches the registered domain name using PTR DNS record.
  • SCL ratings. Agent checks the sender reputation based on the SCL ratings of the messages sent earlier. Senders with large number of messages with high SCL rating are considered as senders with bad reputation.
  • Open proxy test. Agent tries sends an SMTP sending request to the host to check whether open relay is enabled there. Presence of open relay affects the sender reputation negatively.

Based on the collected information, the Protocol Analysis agent assigns a sender reputation level (SRL), similar to SCL (0-9 value). The detailed steps are here: Sender reputation procedures.

7. Attachment Filtering Agent

Checks the attached files, and perform the configured action. The agent has some pre-configured filters that blocks attachment types potentially harmful and are customized by the administrator. Block the exact file names, and the file types, defined using extensions (like *.exe) or Multipurpose Internet Mail Extensions (MIME, used to specify the specific content, such as media). Unlike other agents, Attachment Filtering filter has an additional action – it is configured to remove the attachment but allow the message body. More details found here: Attachment filtering procedures on Edge Transport servers.

If you don’t have Edge Transport server and only use Exchange Server with Mailbox role, deploy limited anti-spam functionality. Mailbox servers support implementation of 4 filters out of 7 – Sender Filter, Sender ID, Content Filter and Protocol Analysis. This architecture is insecure and should be avoided. Better deploy some external email gateway that performs proper spam filtering. For example, purchase Standalone Exchange Online Protection to filter the message in the cloud before it gets delivered to on-premises infrastructure.

Protection Against Malware Threats

Further, with topic Multi-Layered Defense: Enhance Exchange Server Security, Exchange Server Transport Service contains built-in antimalware protection agent. It checks the messages after they pass the antispam filters. Its purpose is to find and neutralize different types of malware (viruses and spyware). It is a component of Mailbox server role, and requires regular updates, to keep its definitions up to date.

Antimalware protection can be customized using the policies. Create several different policies and apply them to the different set of users.  The instruction is  found here: Procedures for antimalware protection in Exchange Server, and detailed description here: Download anti-malware engine and definition updates.

As an alternative to built-in Antimalware protection tool, install third-party antivirus software. Additionally, have a reliable anti-virus solution on each of the user workstations, since there is always a possibility that the malware reach the end user.

End-user Education Role In Cybersecurity

Last layer of the Multi-Layered Defense of Exchange Server is the end-user education. Since no security measure guarantees 100% protection, it is important to ensure that users understand the email-related cybersecurity threats. Have a formal training that describes the typical tricks malicious actors use and it should be mandatory for all the employees. Additionally, phishing attack simulation services. These services send messages that looks like phishing emails, and provide you a report,  containing list of users who clicked on the link and require additional education.

That is it! Thank you for your time with our article Multi-Layered Defense: Enhance Exchange Server Security. Let’s wrap it up. 

Multi-Layered Defense: Enhance Exchange Server Security Conclusion

A solid defense strategy for Microsoft Exchange Server involves a comprehensive, multi-layered approach. The initial layer, a well-configured firewall, sets the foundation by selectively allowing necessary connections. The subsequent layer employs sophisticated email filtering mechanisms. Furthermore, the implementation of built-in or third-party antimalware protection adds an additional shield, actively scanning and neutralizing potential threats post-email filtering.  And, as usually, the human element remains a critical factor. End-user education serves as the ultimate layer in this multi-tiered defense. By fostering a culture of awareness and providing regular training, organizations create a more resilient defense against social engineering attacks and phishing attempts, ultimately reinforcing the security of their email infrastructure.


Try InfraSOS for FREE

Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool

Marat M

Marat M

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.

Leave a comment

Your email address will not be published. Required fields are marked *