Header firewall in Exchange 2010

Anyone who has worked with Exchange is sure to have come across message headers in emails. Helpdesk and other teams use them to troubleshoot transport issues in the environment. Outlook exposes message headers, but you have to open the properties of the message to see them.

Whenever you have examined a message header, you would have noticed that it contains internal Exchange server FQDNs and IP addresses, which also expose the AD domain details. In Exchange 2010, you can use the header firewall to hide the internal server info. You do this by removing the right to send internal routing details in the message header (ms-Exch-Send-Headers-Routing) on the send connector.

Let me explain with an example. I have a send connector named “Internet” to route all my emails to the outside world. If I don’t want external recipients to know about my internal server details through message headers, I need to remove the ms-Exch-Send-Headers-Routing permission set for anonymous users on the send connector. First, let us find the permissions set using the command below.

Get-SendConnector "Internet" | Get-ADPermission | Where-Object { $_.extendedrights -like "*routing*" } | fl user, *rights

Get header firewall info

As you can see, the header firewall is turned off by default (the ms-Exch-Send-Headers-Routing permission is set for anonymous users). To activate the header firewall and get a clean message header, run the following command.

Get-SendConnector "Internet" | Remove-ADPermission -User "Nt Authority\Anonymous Logon" -ExtendedRights "ms-Exch-Send-Headers-Routing"

Turn header firewall on

You can remove the same permission on the default receive connector, but I guess no one is worried about having another company’s info on the message header ;). Check out Neil Hobson’s article for more info.
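
To confirm the change took effect, send a test message to an external mailbox and inspect the headers it arrives with. The script below is an added example, not part of the original post: it scans the Received headers of a raw message for RFC 1918 addresses and for hostnames under an internal DNS suffix. The suffix, host names and both sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: your internal AD DNS suffix (constructed value for this example).
INTERNAL_SUFFIXES = (".corp.example.local",)
# Explicit RFC 1918 ranges; ipaddress.is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")

# Constructed sample: headers seen externally while the routing right is still granted.
SAMPLE_LEAKY = """\
Received: from edge01.example.com (203.0.113.10) by mx.recipient.example
 with ESMTP; Mon, 1 Mar 2010 10:00:02 +0000
Received: from HUB01.corp.example.local (10.1.2.15) by
 edge01.example.com (203.0.113.10) with Microsoft SMTP Server (TLS);
 Mon, 1 Mar 2010 10:00:01 +0000
Received: from MBX01.corp.example.local ([10.1.2.20]) by
 HUB01.corp.example.local ([10.1.2.15]) with mapi;
 Mon, 1 Mar 2010 10:00:00 +0000
Subject: header firewall test
"""
# Constructed sample: same message once only the recipient's own hop remains.
SAMPLE_CLEAN = """\
Received: from edge01.example.com (203.0.113.10) by mx.recipient.example
 with ESMTP; Mon, 1 Mar 2010 10:00:02 +0000
Subject: header firewall test
"""

def find_leaks(raw_message):
    """Return sorted internal hostnames and RFC 1918 IPs found in Received headers."""
    leaks = set()
    for value in message_from_string(raw_message).get_all("Received", []):
        for ip in IP_RE.findall(value):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
                continue
            if any(addr in net for net in RFC1918):
                leaks.add(ip)
        leaks.update(h.lower() for h in HOST_RE.findall(value)
                     if h.lower().endswith(INTERNAL_SUFFIXES))
    return sorted(leaks)

if __name__ == "__main__":
    print("leaky:", find_leaks(SAMPLE_LEAKY), "clean:", find_leaks(SAMPLE_CLEAN))
```

An empty list for a message received outside the organization means no internal host or private address survived in its routing headers.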

8 thoughts on “Header firewall in Exchange 2010”

  1. Hi,
    I applied a corrective and it works great,
    but I still see a little information on my Exchange server (please see the image).
    How can I hide this Exchange information?

    • Is this the message header from an internal email? If so, you need to apply the same config on the receive connector that accepts internal emails.

  2. The correct first command is

    Get-SendConnector "Internet" | Get-ADPermission | Where-Object { $_.extendedrights -like "*routing*" } | fl user, *rights

    Wojciech Sciesinski

