Header firewall in exchange 2010

Anyone who has worked with Exchange is sure to have come across message headers in emails. Helpdesk and other teams use it to troubleshoot transport issues in the environment. Message headers are exposed if you are using Outlook, but you do have to get the properties of the message.

Whenever you have examined a message header, you would have noticed that it contains internal Exchange server fqdn and IP addresses, which also exposes the AD domain details. In Exchange 2010, you can use header firewall to hide the internal server info. You do this by taking away the rights to send the internal details on a message header (ms-Exch-Send-Headers-Routing) on the send connector.

Let me explain with an example. I have a send connector named “Internet” to route all my emails to the outside world. If I don’t want external recipients to know about my internal server details through message headers, I need to remove the ms-Exch-Send-Headers-Routing permission set for anonymous users on the send connector. First, let us find the permissions set using the command below.

Get-SendConnector “Internet” | Get-ADPermission | Where-Object { $_.extendedrights –like “*routing*” } | fl user, *rights

As you can see, header firewall is turned off by default (the ms-Exch-Send-Headers-Routing permission is set for anonymous users). In order to activate header firewall and have a clean message header, run the following command.

Get-SendConnector “Internet” | Remove-ADPermission –User “Nt Authority\Anonymous Logon” –ExtendedRights “ms-Exch-Send-Headers-Routing”

You can remove the same permission on the default receive connector, but I guess no one is worried about having another company’s info on the message header . Check out Neil Hobson’s article for more info.