Tuesday, January 25, 2005

MS IT: Leveraging dual SMTP Virtual server approach for Exchange 2003 gateway perimeter system

Here is a good basics article posted by Konstantin Ryvkin on how to configure the Exchange Server 2003 Front End servers for better control and reporting of mail traffic.

The vast majority of modern messaging environments have a challenge of establishing and maintaining reliable and secure Internet e-mail connectivity.  While the task of enabling Internet e-mail routing is relatively straight forward and usually well documented for most messaging platforms (most people view it as narrow as creating a DNS MX record for inbound e-mail and designing an equivalent of an SMTP connector for outbound e-mail), making a robust Internet e-mail system can be quite challenging.    In this blog, I wanted to share some of the issues and challenges that Microsoft IT faced in the Internet e-mail area as well as demonstrate some solutions that were implemented in Microsoft’s own messaging environment to make Internet e-mail flow.  This solution is based on Exchange 2003 technologies, so it may be relevant to other environments that have Exchange 2003 performing gateway functions to send and receive mail from the Internet.


Before we jump into the technical details, let’s look at the problem area.  In addition to the fact that a typical SMTP gateway system is a popular point of enforcing e-mail hygiene policies (such as antispam and antivirus) it has the fundamental task of bridging two different e-mail transports – a reliable, trusted, authenticated, rich and mostly homogeneous transport of the internal messaging system; and an unreliable, anonymous, generally non trusted, highly heterogeneous SMTP transport on the Internet or in the DMZ.  For example in case of Exchange 2003, the internal SMTP transport is authenticated with Windows Integrated Authentication, Send-As permissions are enforced, Linkstate and EXCH50 blobs are exchanged and hopefully viruses are spam are already being cleaned for internal messages.  The external SMTP transport does not exhibit such characteristics.


In essence the focus point of this blog can be pictured by the following diagram.



Most Exchange 2000/2003 environments face the following challenges when connecting an Exchange gateway to the Internet or to the DMZ SMTP infrastructures:

  • Exchange SMTP gateway has to accept anonymous SMTP connections from the SMTP gateway in the DMZ or from the Internet.  Many of the environments do not want to expose Exchange SMTP authentication to the outside systems, to minimize the risk of password harvesting/guessing from the outside.
  • Exchange SMTP gateway has to accept authenticated SMTP connections from the internal Exchange servers and relay e-mail received from them to the Internet.  It may also have to accept and transmit system information, such as link state and EXCH50 info, from the internal Exchange servers, which requires authenticated connection.  Allowing anonymous SMTP authentication to the internal SMTP systems also may be undesirable as it opens a possibility of unauthorized e-mail submission to that gateway. Anonymous mail submission, even in the internal environment, also opens a possibility of sender address spoofing.
  • Exchange SMTP gateway administrator may want to enforce different actions (such as filtering, or archiving) to the SMTP e-mail that enters the environment versus e-mail that leaves the environment.  Inbound e-mail coming from the Internet is generally less trusted from the security perspective and often needs to be subject of additional security checks (such as spam filtering, content inspection).  Outgoing e-mail traffic is more trusted and some of the filtering/security controls may be waived for performance reasons.  In the end, you don’t expect your internal users to spam the Internet!
  • Environments want quick and easy metrics and reporting on the amount of e-mail that they send to the Internet versus the amount of e-mail that they receive from the Internet.  Those metrics, for example, are often used for capacity planning and also to justify the investment into spam filtering technologies.




While Exchange 2003 SMTP stack is fairy functional and efficient in the gateway role, its default configuration makes it quite challenging to accomplish the above tasks.  Consider the following diagram that represents a typical default configuration of Exchange 2003 based SMTP gateway:



While perfectly functional from the mail routing perspective the above design has the following limitations/concerns:

  • Both inbound and outbound mail go through the same virtual server making it difficult to enforce different policies, such as e-mail filtering, blocking or adding disclaimers.
  • Authentication is exposed to the external environment making it possible for password guessing from external systems
  • Relaying for authenticated users is allowed so knowledge of a single valid username/password allows external users to relay mail from the external hosts
  • Inability to restrict the default SMTP virtual server by IP (for example so that only SMTP servers located in the DMZ can submit mail). Restricting by IP will prevent all internal Exchange servers from connecting.
  • Anonymous SMTP is exposed to internal clients, that may quickly turn this gateway into mail server that internal users target with their SMTP applications to relay mail directly to the Internet bypassing established enterprise avenues for these functions
  • There is no easy way to calculate metrics for inbound e-mail versus outbound e-mail (you most likely have to go through the tracking logs to get this data)


A slight modification of this design that Microsoft IT implemented internally for its Exchange 2003 based gateways makes all the above items possible.



Exchange 2000 and 2003 allows creating multiple SMTP Virtual servers on a single Exchange computer.  Obviously those SMTP Virtual servers need to be logically separated. One SMTP Virtual server is designated as Inbound SMTP Virtual Server and is handling e-mail traffic from the Internet and another SMTP Virtual Server is handling outbound traffic. The easiest way to create multiple SMTP Virtual Servers is to assign them to different IP addresses.  In the case of a dual homed computer those IP addresses are assigned to different NICs.  In the case of a server with a single NIC multiple IP addresses can be assigned to that single NIC.


When you create multiple SMTP virtual servers, they must be properly bound to the respective IP addresses in Exchange ESM.


Hosting the SMTP connector for the Internet on the appropriate SMTP virtual server, ensures that only that virtual server passes outbound mail going to the Internet.  Pointing MX records or smarthosting SMTP servers in the DMZ to the IP address of the second SMTP Virtual Server ensures that all e-mail traffic going through it is inbound to the organization.

An important note is binding SMTP Virtual Server to IP addresses affects only inbound SMTP connections.  The source IP address of the outbound SMTP connections from such gateway server will be determined by the IP layer of the sending host.  For example if the gateway has two IP addresses, 172.16.x.1 and 10.x.x.1 and wants to communicate with the remote host 10.x.x.2, then the source IP address of the SMTP connection will be 10.x.x.1, regardless which SMTP Virtual server established the connection.


Having such design in place you can apply different filtering and other security policies to SMTP Virtual Servers separately.  For example if you want to implement sender filtering of specific internal aliases (to mitigate the problem of them being spoofed from the Internet) you can enable such filtering on the Inbound SMTP Virtual Server only.  Thus, outbound e-mail flow will not be affected by such filtering.


If you have a spam filtering solution that runs on Exchange 2003 gateway platform (such as IMF or Brightmail) you can bind that solution to the Inbound SMTP Virtual server.  This way your outbound mail won’t be scanned for spam which could result in performance wins.

With the two SMTP virtual server approach you can control inbound vs. outbound e-mail traffic through this gateway separately.


As an added benefit of the above design, you get more convenient monitoring of inbound and outbound Internet mail flow going through this gateway.  Performance Monitor has separate instances of SMTP counters for each SMTP Virtual Server. The counter for instance  #1 represents the first SMTP Virtual Server (in this case Outbound mail) and instance #2 maps to Inbound Internet mail.



It should be noted that such configuration should be used for Exchange gateway servers that do not host production mailboxes.  When the server is rebooted the first SMTP Virtual Server to start will own the local store’s SendQ, hence for mail originating from the mailboxes hosted on the server itself there is no guarantee which SMTP Virtual Server will be used to process such messages. This may affect the validity of metrics for inbound vs. outbound mail.



Anonymous said...

Can anyone recommend the well-priced RMM utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central software deployment
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

Reading these kind of posts reminds me of just how technology truly is ubiquitous in this day and age, and I am fairly certain that we have passed the point of no return in our relationship with technology.

I don't mean this in a bad way, of course! Ethical concerns aside... I just hope that as memory becomes cheaper, the possibility of downloading our brains onto a digital medium becomes a true reality. It's one of the things I really wish I could experience in my lifetime.

(Posted on Nintendo DS running [url=http://kwstar88.zoomshare.com/2.shtml]nintendo dsi r4i[/url] DS FFBrows)

Anonymous said...

Thanks for the marvelous posting! I certainly enjoyed reading it,
you are a great author. I will ensure that I bookmark your blog and will come back down the road.

I want to encourage yourself to continue your great writing, have a nice weekend!
Also see my web site > revival tent

Anonymous said...

Thanks for any other informative site. Where else could I am getting that kind of info
written in such an ideal approach? I've a challenge that I'm simply now working on, and I've been at the glance out for such info.
Review my blog post : Audio Visual

Anonymous said...

I loved as much as you will receive carried out right here.
The sketch is attractive, your authored subject matter stylish.
nonetheless, you command get got an edginess over that you wish be delivering the following.
unwell unquestionably come more formerly again since exactly the same nearly
a lot often inside case you shield this hike.
My web site :: winter garden florida general contractors

Anonymous said...

Inspiring story there. What happened after? Thanks!
Review my homepage :: neucopia review

Anonymous said...

Great blog! Do you have any helpful hints for aspiring writers?
I'm hoping to start my own website soon but I'm a little lost on everything.
Would you suggest starting with a free platform like Wordpress or go for a paid option?
There are so many options out there that I'm totally confused .. Any tips? Bless you!

Look into my webpage; lowepro
My web site > lowepro

Anonymous said...

I have read several just right stuff here. Definitely worth bookmarking for revisiting.
I wonder how so much effort you place to make this sort of wonderful
informative site.

Also visit my web blog ... jobs in uk
Also see my webpage :: job search

Anonymous said...

Very soon this web page will be famous amid all blogging people, due
to it's pleasant articles or reviews

Feel free to visit my web site: www.teenpornpost.com

Anonymous said...

Why users still make use of to read news papers when in this technological world everything is presented
on net?

Feel free to visit my blog post ... xvideos

Anonymous said...

I don't even understand how I stopped up right here, but I thought this submit used to be great. I don't recognize who you are however definitely you're going to a well-known blogger in the event you are not already. Cheers!

my blog post :: http://www.wildpartygirls.org

Anonymous said...

Fine way of describing, and good post to take data about my presentation subject,
which i am going to convey in institution of higher education.

My homepage ... www.cuteteenporn.net

Anonymous said...

This page certainly has all of the information and
facts I needed about this subject and didn't know who to ask.

Feel free to surf to my web site ... emergency fire damage restoration services North Carolinas

Anonymous said...

Consequently go on and placе in a a bit more
color іn their аlready multi-colored planet by havibg ɑ
special beneficial gift foг yߋur special much loved teenagers.
Ѕhe's figured out to achieve tɦe cluster up and
running once mօre sooner. Ϻake cеrtain that the list ƴou sekect notifys ʏou assuming tɦat
eνery οne of tthe ԝords аrе acknowledgedd frtom tɦe word sport tҺat yοu just enjoy.

my web ρage: scrabble free download

Anonymous said...

Hello, i think that i saw you visited my weblog thus i came to
“return the favor”.I am attempting to find things to improve my website!I suppose
its ok to use some of your ideas!!\

Look at my webpage Louis Vuitton Scarf Cheap

Anonymous said...

Fantastic goods from you, man. I have understand your stuff previous to and you are just extremely excellent.
I really like what you have acquired here, really like what you are saying
and the way in which you say it. You make it enjoyable and you still take care of to keep it sensible.

I can't wait to read far more from you. This is actually a
great website.

Here is my blog good exercise to lose weight

Anonymous said...

Nice post. I was checking constantly this blog
and I'm impressed! Very helpful info specifically the last part :) I care for such information much.
I was seeking this certain information for a long time.
Thank you and best of luck.

Stop by my web blog; seo

Anonymous said...

This can help you get the star of any hero and quests in Skyrim are designed to enable Chen to
get familiar with it. To do this for the newbie mobile
game at different stages of development. None of them according to your company, like earning
a minimum of iOS 4 is highly favorite and has been downloaded
more than a Flash game. But with the model NARR8 is banking on. By using this
power up. However, there are some of the Wii's better hardware.

My page - mutants genetic gladiators hack

Anonymous said...

e cig forum, e cigarette reviews, electronic cigarettes, electronic cigarettes, smokeless cigarettes, electronic cigarette