Header firewall in Exchange 2010


Anyone who has worked with Exchange is sure to have come across message headers in emails. Helpdesk and other teams use them to troubleshoot transport issues in the environment. Message headers are visible in Outlook as well, but you have to open the properties of the message to see them.

Whenever you have examined a message header, you will have noticed that it contains the internal Exchange server FQDNs and IP addresses, which also expose the AD domain details. In Exchange 2010, you can use header firewall to hide the internal server info. You do this by taking away the right to send the internal details in a message header (ms-Exch-Send-Headers-Routing) on the send connector.

Let me explain with an example. I have a send connector named “Internet” to route all my emails to the outside world. If I don’t want external recipients to know about my internal server details through message headers, I need to remove the ms-Exch-Send-Headers-Routing permission set for anonymous users on the send connector. First, let us find the permissions set using the command below.

Get-SendConnector "Internet" | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*routing*" } | fl User, *Rights

Get header firewall info

As you can see, header firewall is turned off by default (the ms-Exch-Send-Headers-Routing permission is set for anonymous users). In order to activate header firewall and have a clean message header, run the following command.

Get-SendConnector "Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-Send-Headers-Routing"

Turn header firewall on

You can remove the same permission on the default receive connector, but I guess no one is worried about having another company's info in the message header. Check out Neil Hobson's article for more info.
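The same check and removal applied to every send connector in one pass, as an added example that is not part of the original post. It assumes the Exchange Management Shell; the -Remove switch is my own naming, and without it the script only reports which connectors still hand the routing-headers right to the anonymous account.

```powershell
# Added example (not from the original post): audit all send connectors for the
# ms-Exch-Send-Headers-Routing right held by NT AUTHORITY\ANONYMOUS LOGON.
# Report-only by default; pass -Remove to actually strip the right (hypothetical switch name).
param(
    [switch]$Remove
)

$right     = 'ms-Exch-Send-Headers-Routing'
$anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'

foreach ($connector in Get-SendConnector) {
    # Keep only Allow entries for the anonymous account that include the routing right.
    # The ExtendedRights collection is compared as text, just like the -like filter in the post.
    $leaking = Get-ADPermission -Identity $connector.Identity |
        Where-Object {
            -not $_.Deny -and
            "$($_.User)" -like '*ANONYMOUS LOGON' -and
            "$($_.ExtendedRights)" -like "*$right*"
        }

    if (-not $leaking) {
        Write-Output ("{0}: header firewall ON (anonymous does not hold {1})" -f $connector.Name, $right)
        continue
    }

    Write-Output ("{0}: header firewall OFF (anonymous holds {1})" -f $connector.Name, $right)

    if ($Remove) {
        # Same operation as the post's Remove-ADPermission command, one connector at a time.
        Remove-ADPermission -Identity $connector.Identity -User $anonymous -ExtendedRights $right -Confirm:$false
        Write-Output ("{0}: removed {1} for {2}" -f $connector.Name, $right, $anonymous)
    }
}
```

After removal, send a test message to an external mailbox and confirm the Received: headers no longer carry the internal server names.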

About the author: Exchange Architect, Blogger, Husband & Dad. I have been in IT for the last 11 years, with Exchange Server becoming the prime area in the last few years. I am active on TechNet forums & Experts Exchange.

4 comments

  1. Wojciech Sciesinski

    The correct first command is

    Get-SendConnector "Internet" | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*routing*" } | fl User, *Rights

    Wojciech Sciesinski

    1. Hi Wojciech,

      Where exactly is the typo? Thanks.

      1. Fito Fs

        after routing*” you are missing the }

        You have it right in the screenshot.

        :)

        1. Thanks Fito, will update it soon ;)
