Providing E-Mail Defense in Depth for Microsoft Exchange with the ISA 2004 Firewall SMTP Message Screener





By Thomas W Shinder M.D.


There’s no doubt that spam is public enemy number one not only to the e-mail administrator, but also to the firewall administrator. Spam clogs Internet connections, wastes corporate bandwidth, reduces employee productivity and consumes valuable Exchange Server software and hardware resources. Spam, together with its evil cousins, e-mail worms and viruses, represents the primary threat against corporate networks today.


The fact is we’re all in a war against spammers and e-mail borne viruses and worms. Spammers show no remorse, and in many cases spam operations are run by organized crime. Even a small-time spammer can send out millions of e-mail messages at nominal cost, but taken in aggregate these small-time spammers steal valuable computer network resources from all law-abiding Internet citizens.


Since this is a war, you need to have more than one barrier to protect you against the spam and virus/worm attacks. In response to this war on spam and other dangerous e-mail messages, Microsoft recently announced their Exchange Edge Services.



The Microsoft Web site states that Exchange Edge Services “acts as a perimeter or edge guard.” Exchange Edge Services will install on a Microsoft Exchange Server and provide:



  • An SMTP Gateway (or more accurately, an SMTP relay)
  • E-mail message hygiene
  • Message Routing

    In essence, it appears that the Exchange Edge Server provides a filtering SMTP relay with enhanced SMTP routing services, allowing for advanced e-mail routing that can perform address re-write, masquerading, format conversion and other routing functions NOS (Not Otherwise Specified). It’s important to note that the Exchange Edge Server is not a firewall, and we do not believe it should be placed on a physical or security zone perimeter. I mention this because I’ve encountered a number of people who think the Exchange Edge Server is some sort of “Exchange Firewall”. It is not.


    However, the Exchange Edge Service server will play a role in the war against spam as part of an e-mail defense in depth plan. In war, you must have many defense perimeters, with each downstream perimeter providing a higher level of protection than the upstream. This is certainly the case in an e-mail defense in depth plan. This is where the ISA Server 2004 firewall SMTP Message Screener becomes a key component in any firewall solution aimed at protecting Microsoft Exchange Servers.



    I’ve gone over the reasons why ISA firewalls are the firewalls for Microsoft Exchange Servers in many previous articles and will continue to demonstrate the truth of this conviction in future articles. The SMTP Message Screener is just another example of why this is true. The SMTP Message Screener provides your first line of defense against spam and worm/virus payloads by screening mail for:



  • Keywords in the subject line or body
  • Attachments by file name, file extension or attachment size
  • Sender domain or user account

    The SMTP Message Screener provides the front line of e-mail defense in depth by performing basic screening of e-mail and blocking offending messages before they even reach the Exchange Edge Services server. This not only prevents highly malicious material from ever entering the network (because the mail is stopped at the edge of the corporate network), but also offloads the processing requirements for e-mail filtering from the Exchange Edge Server. The Exchange Edge Services server processes mail for spam and viruses and then forwards the vetted messages to front-end or back-end servers in the organization. There, the highest level of e-mail defense can be exerted at the server itself, where advanced mail filtering applications such as MailEssentials and MailSecurity can provide the most sophisticated and secure e-mail filtering services.


    This “layered” approach against spam and e-mail borne exploits is illustrated in the figure below.



    Perhaps a better way to see the perimeter defense approach to e-mail defense in depth is the figure below, where each ring represents a progressively “harder” defense perimeter against spam, and where the outer layers reduce the spam and worm/virus payload that needs to be handled by the interior perimeter defenses.



    With this arrangement the ISA 2004 firewall provides protection for the Exchange Edge Services server and the front-end and back-end Exchange Servers that run advanced e-mail filtering applications such as MailEssentials and MailSecurity.


    In this article we will examine a method you can use to screen both inbound and outbound e-mail using the SMTP Message Screener. A great feature of ISA Server 2004 is that you can implement different SMTP Message Screener filtering options for inbound and outbound mail, since SMTP Message Screener configuration is done on a per publishing rule basis. When the SMTP Message Screener is installed on the ISA Server 2004 firewall machine, the firewall can act as both an inbound and outbound SMTP relay.


    To make this happen, you need to perform the following procedures:



    • Assign a second IP address to the internal interface of the ISA Server 2004 firewall
    • Install and configure the SMTP Service
    • Install the SMTP Message Screener
    • Create the SMTP Server Publishing Rules
    • Create the outbound SMTP Access Rule
    • Configure SMTP Message Screener logging
    • Test SMTP Filtering

    The figure below shows the sample network configuration we use in this article.



    The Outlook client on the internal network is configured to use the Exchange Server as its SMTP server. The Exchange Server on the Internal network behind the ISA Server 2004 firewall is configured to use the ISA Server 2004 firewall as its smart host. The external SMTP client is configured so that it resolves the e-mail domain name hosted by the Exchange server to the external address on the external interface of the ISA Server 2004 firewall.


    I will assume that you have already installed Windows Server 2003 and ISA Server 2004 on a machine with two network interfaces and you’re starting with the basic post-installation configuration of ISA Server 2004. In this example the ISA Server 2004 firewall starts with an internal IP address of 10.0.0.1/24 and an external IP address of 192.168.1.70/24. If you’re not familiar with installing ISA Server 2004, please check out my article Getting Up and Running with ISA Server 2004 over at http://isaserver.org/articles/isa2004beta2.html.


    The first step is to add a second IP address to the internal interface of the ISA Server 2004 firewall.


    Assign a second IP address to the internal interface of the ISA Server 2004 firewall


    We will add a second IP address to the internal interface of the ISA Server 2004 firewall machine. This allows us to publish the outbound SMTP relay on a different IP address than the inbound SMTP relay. While this is not required, it greatly simplifies tracking which relay is used by either internal or external clients.


    Perform the following steps to add a second IP address to the Internal interface of the ISA Server 2004 firewall machine:



    1. At the ISA Server 2004 firewall machine, right click on the My Network Places icon on the desktop and click Properties.
    2. In the Network Connections window, right click the LAN interface and click Properties.
    3. In the LAN Properties dialog box, scroll through the This connection uses the following items list and double click on Internet Protocol (TCP/IP).
    4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
    5. In the Advanced TCP/IP Settings dialog box, click the IP Settings tab. In the IP addresses frame, click the Add button.
    6. In the TCP/IP Address dialog box, enter 10.0.0.10 in the IP address text box. Enter 255.255.255.0 in the Subnet mask text box. Click Add.



    7. The IP address 10.0.0.10 now appears second in the list of IP addresses. Click OK.
    8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
    9. Click OK in the LAN Properties dialog box.

    Install and Configure the SMTP Service


    The IIS 6.0 SMTP service must be installed on the ISA Server 2004 firewall before the ISA Server 2004 SMTP Message Screener is installed. The SMTP service works together with the SMTP Message Screener to examine and block offending e-mail messages.


    Perform the following steps to install the IIS 6.0 SMTP service:



    1. Click Start and then point to Control Panel. Click Add or Remove Programs.
    2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
    3. On the Windows Components page, click Application Server in the list of Components and click Details.
    4. In the Application Server dialog box, click Internet Information Services (IIS) and click Details.
    5. In the Internet Information Services (IIS) dialog box, place a checkmark in the SMTP Service checkbox and click OK.



    6. Click OK in the Application Server dialog box.
    7. Click Next on the Windows Components page.
    8. Click OK in the Insert Disk dialog box.
    9. Enter the path to the i386 folder in the Copy files from text box on the Files Needed dialog box.
    10. Click Finish on the Completing the Windows Components Wizard page.

    The next step is to configure the SMTP server service to support inbound and outbound relay:



    1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
    2. In the Internet Information Services (IIS) Manager console, expand the computer name in the left pane of the console. Right click the Default SMTP Virtual Server and click Properties.
    3. In the Default SMTP Virtual Server Properties dialog box, click the Access tab.
    4. On the Access tab, click the Relay button in the Relay restrictions frame.
    5. In the Relay Restrictions dialog box, confirm that the Only the list below option is selected. Then click the Add button. Keeping this option selected, with only the Exchange Server in the list, is what prevents the firewall from becoming an open relay that any host on the Internet could use to send mail to arbitrary domains.
    6. In the Computer dialog box, select the Single computer option and enter the IP address of the Exchange Server in the IP address text box. In this example the IP address of the Exchange Server is 10.0.0.2. Click OK.



    7. Click OK in the Relay Restrictions dialog box.
    8. Click Apply and then click OK in the Default SMTP Virtual Server Properties dialog box.
    9. Expand the Default SMTP Virtual Server node in the left pane of the console and right click the Domains node. Point to New and click Domain.
    10. On the Welcome to the New SMTP Domain Wizard page, select the Remote option and click Next.
    11. On the Domain Name page, enter the domain hosted on the Internal network in the Name text box. This is the domain for which you want the SMTP relay on the ISA Server 2004 firewall to accept incoming mail from Internet SMTP servers. In this example the Internal network domain is msfirewall.org, so we will enter that here. Click Finish.
    12. Double click on the msfirewall.org domain in the right pane of the console.
    13. In the msfirewall.org Properties dialog box, place a checkmark in the Allow incoming mail to be relayed to this domain checkbox. Select the Forward all mail to smart host option. Enter the IP address of the Exchange Server on the Internal network in the text box, enclosed in square brackets (the brackets tell the SMTP service to use the address literally instead of performing a DNS lookup). In our current example, the IP address of the Exchange Server on the Internal network is 10.0.0.2, so we will enter [10.0.0.2]. Click Apply and then click OK.



    14. Right click the Default SMTP Virtual Server node and click Stop. Right click the Default SMTP Virtual Server node and click Start.

    Install the SMTP Message Screener


    The SMTP Message Screener is an optional ISA Server 2004 component. This feature integrates with the IIS 6.0 SMTP service to examine and block SMTP mail based on parameters you configure in the Message Screener.


    Perform the following steps to install the SMTP Message Screener on the ISA Server 2004 firewall computer:



    1. Close the Microsoft Internet Security and Acceleration Server 2004 management console.
    2. Locate the ISA Server 2004 installation media and double click on the isaautorun.exe file.
    3. In the autorun menu, click the Install ISA Server 2004 icon.
    4. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
    5. On the Program Maintenance page, select the Modify option and click Next.



    6. On the Custom Setup page, click the Message Screener option and click This feature, and all subfeatures, will be installed on local hard drive. Click Next.



    7. Click Install on the Ready to Modify the Program page.
    8. Put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox, then click Finish on the Installation Wizard Completed page.
    9. Close the autorun menu.

    Create the SMTP Server Publishing Rules


    The SMTP Message Screener works with SMTP Server Publishing Rules. Each SMTP Server Publishing Rule is configured with its own set of SMTP Message Screener parameters. This enables you to create different e-mail filtering policies for the inbound and outbound SMTP relays, so you can set different parameters for blocking mail depending on whether it is inbound or outbound.


    Perform the following steps to create the Server Publishing Rule that listens on the external interface of the ISA Server 2004 firewall:



    1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name in the left pane of the console. Click on the Firewall Policy node.
    2. Right click the Firewall Policy node and point to New. Click Server Publishing Rule.
    3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule Inbound SMTP Relay, as this rule will use the external interface of the ISA Server 2004 to accept incoming mail to be relayed. Click Next.
    4. On the Select Server page, enter the IP address on the internal interface of the ISA Server 2004 firewall that you want to publish. Enter 10.0.0.1, which is the primary IP address on the internal interface of the ISA Server 2004 firewall machine. Click Next.
    5. On the Select Protocol page, select the SMTP Server protocol from the Selected protocol list. Click Next.



    6. On the IP Addresses page, put a checkmark in the External checkbox and then click the Address button.
    7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.168.1.70, then click Add. The IP address now appears in the Selected IP Addresses list. Click OK.



    8. Click Next on the IP Addresses page.
    9. Click Finish on the Completing the New Server Publishing Rule Wizard page.

    The next step is to create the Server Publishing Rule that accepts outbound relay from the Internal network Exchange Server:



    1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name in the left pane of the console. Click on the Firewall Policy node.
    2. Right click the Firewall Policy node and point to New. Click Server Publishing Rule.
    3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule Outbound SMTP Relay, as this rule will use the secondary address on the internal interface of the ISA Server 2004 firewall to accept outgoing mail from the Exchange Server to be relayed. Click Next.
    4. On the Select Server page, enter the IP address on the internal interface of the ISA Server 2004 firewall that you want to publish. Enter 10.0.0.10, which is the secondary IP address on the internal interface of the ISA Server 2004 firewall machine. Click Next.
    5. On the Select Protocol page, select the SMTP Server protocol from the Selected protocol list. Click Next.
    6. On the IP Addresses page, put a checkmark in the Internal checkbox and then click the Address button.
    7. In the Internal Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the IP address on the Internal interface you want to use in the rule. In this example, the IP address is 10.0.0.10, then click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
    8. Click Next on the IP Addresses page.


    9. Click Finish on the Completing the New Server Publishing Rule Wizard page.


    We’re now ready to configure the SMTP Message Screener. Each Publishing Rule can be configured with different SMTP Message Screener settings. Messages that match a rule with the Hold message action are not forwarded; the SMTP service leaves them in its Badmail folder (C:\Inetpub\mailroot\Badmail by default), where you can inspect them, as shown in the test section at the end of this article.


    Perform the following steps on the Outbound SMTP Relay Server Publishing Rule:



    1. Right click the Outbound SMTP Relay rule and click Configure SMTP.



    2. Click on the General tab in the Configure SMTP Protocol Policy dialog box. Place a checkmark in the Enable support for Message Screener checkbox.
    3. Click on the Keywords tab. Click the Add button. In the Mail Keyword Rule dialog box, enter resume in the Keyword text box. Select the Message header or body option. Select the Hold message option from the Action list. Click OK.



    4. Click Apply and then click OK in the Configure SMTP Protocol Policy dialog box.

    Perform the following steps on the Inbound SMTP Relay Server Publishing Rule:



    1. Right click the Inbound SMTP Relay rule and click Configure SMTP.
    2. Click on the General tab in the Configure SMTP Protocol Policy dialog box. Place a checkmark in the Enable support for Message Screener checkbox.
    3. Click on the Keywords tab. Click the Add button. In the Mail Keyword Rule dialog box, enter mail enhancement in the Keyword text box. Select the Message header or body option. Select the Hold message option from the Action list. Click OK.



    4. Click Apply and then click OK in the Configure SMTP Protocol Policy dialog box.
    5. Click Apply to save the changes and update the firewall policy.
    6. Click OK in the Apply New Configuration dialog box.
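    The two keyword policies configured above, together with the attachment and sender rule types listed earlier in the article, can be modelled in a few lines so you can check what a given policy will hold or forward before pointing real mail at the relay. The following is an added example written for this page, not ISA Server code and not a description of the Message Screener's internal implementation: the rule classes, the hold/delete/forward action names, the spam.example sender domain and all sample messages are constructed for the example, and keyword matching is a plain case-insensitive substring test.

```python
"""Model of the SMTP Message Screener rule types (keyword, attachment, sender).

Added example, not ISA Server code. Rule/action names, the 'spam.example'
domain and the sample messages below are constructed for this example.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional

HOLD, DELETE, FORWARD = "hold", "delete", "forward"   # action names for this model


def _text_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for p in parts:
        if p.get_content_type() == "text/plain" and not p.get_filename():
            texts.append(p.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(texts)


@dataclass
class KeywordRule:
    """Keyword in the subject line, the body, or any header or the body."""
    keyword: str
    where: str = "header_or_body"    # "subject", "body" or "header_or_body"
    action: str = HOLD

    def matches(self, msg: Message) -> bool:
        kw = self.keyword.lower()
        if self.where == "subject":
            return kw in (msg.get("Subject") or "").lower()
        body = _text_body(msg).lower()
        if self.where == "body":
            return kw in body
        headers = " ".join(v.lower() for _, v in msg.items())
        return kw in headers or kw in body


@dataclass
class AttachmentRule:
    """Attachment file name, file extension or decoded size."""
    extensions: List[str] = field(default_factory=list)
    names: List[str] = field(default_factory=list)
    max_bytes: Optional[int] = None
    action: str = HOLD

    def matches(self, msg: Message) -> bool:
        for part in msg.walk():
            name = (part.get_filename() or "").lower()
            if not name:
                continue                      # not an attachment
            if name in [n.lower() for n in self.names]:
                return True
            if any(name.endswith(ext.lower()) for ext in self.extensions):
                return True
            size = len(part.get_payload(decode=True) or b"")
            if self.max_bytes is not None and size > self.max_bytes:
                return True
        return False


@dataclass
class SenderRule:
    """Sender domain or a single sender account, taken from the From header."""
    domain: Optional[str] = None
    address: Optional[str] = None
    action: str = HOLD

    def matches(self, msg: Message) -> bool:
        addr = parseaddr(msg.get("From") or "")[1].lower()
        if self.address and addr == self.address.lower():
            return True
        return bool(self.domain) and addr.endswith("@" + self.domain.lower())


def screen(raw_message: str, rules: list) -> str:
    """Apply rules in order; the first match decides, otherwise forward."""
    msg = message_from_string(raw_message)
    for rule in rules:
        if rule.matches(msg):
            return rule.action
    return FORWARD


# Policies mirroring the two publishing rules in the text, plus one attachment
# and one sender rule to exercise the remaining rule types (constructed).
OUTBOUND_RULES = [KeywordRule("resume")]
INBOUND_RULES = [
    KeywordRule("mail enhancement"),
    AttachmentRule(extensions=[".exe", ".scr", ".pif"], action=DELETE),
    SenderRule(domain="spam.example", action=DELETE),
]

# Constructed sample messages (addresses are illustrative only).
INBOUND_SPAM = """From: promo@other.example
To: user@msfirewall.org
Subject: Try our new mail enhancement offer

Hello!
"""
OUTBOUND_RESUME = """From: user@msfirewall.org
To: hr@other.example
Subject: Job application

Please find my resume below.
"""
CLEAN = """From: friend@other.example
To: user@msfirewall.org
Subject: Lunch

Noon?
"""
BAD_ATTACHMENT = """From: billing@other.example
To: user@msfirewall.org
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAA=
--XYZ--
"""
BLOCKED_SENDER = """From: anyone@spam.example
To: user@msfirewall.org
Subject: Hi

Plain text.
"""

if __name__ == "__main__":
    for name, raw, rules in [("inbound spam", INBOUND_SPAM, INBOUND_RULES),
                             ("outbound resume", OUTBOUND_RESUME, OUTBOUND_RULES),
                             ("clean", CLEAN, INBOUND_RULES),
                             ("bad attachment", BAD_ATTACHMENT, INBOUND_RULES),
                             ("blocked sender", BLOCKED_SENDER, INBOUND_RULES)]:
        print(f"{name:16s} -> {screen(raw, rules)}")
```

    Two things the model makes visible that the GUI does not: rule order decides which action wins when several rules match, and a substring keyword such as resume will also match words like "resumed", so test keyword rules against real traffic in the log before trusting them in a production policy.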

    Create the Outbound SMTP Access Rule


    Perform the following steps to create the outbound SMTP Access Rule that enables the ISA Server 2004 firewall to relay the SMTP mail it receives from the internal Exchange Server to the SMTP servers for other domains on the Internet:



    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the computer name in the left pane of the console and click the Firewall Policy node. Right click on the Firewall Policy node, point to New and click Access Rule.
    2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will call this Outbound SMTP from Local Host. Click Next.
    3. On the Rule Action page, select the Allow option and click Next.
    4. On the Protocols page, select the Selected protocols option from the This rule applies to list, then click Add.



    5. In the Add Protocols dialog box, click on the Common Protocols folder and then double click on the SMTP protocol. Click Close.
    6. Click Next on the Protocols page.
    7. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click on Local Host. Click Close.
    8. Click Next on the Access Rule Sources page.
    9. On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and double click on the External network. Click Close. Click Next.
    10. On the User Sets page, accept the default value, All Users, and click Next.
    11. Click Finish on the Completing the New Access Rule Wizard page.
    12. Click Apply to save the changes and update the firewall policy.
    13. Click OK in the Apply New Configuration dialog box.

    Configure SMTP Message Screener Logging


    The SMTP Message Screener logs all messages moving through the inbound and outbound SMTP relays. This logging feature helps you troubleshoot and assess the e-mail messages moving through the server and confirm that the SMTP Message Screener is doing what you expect it to do.


    Perform the following steps to configure the SMTP Message Screener logging feature:



    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the computer name in the left pane of the console and click the Monitoring node.
    2. Click the Logging tab in the Details pane. Expose the Task Pane if it is not already open. In the Task Pane, click the Tasks tab. On the Tasks tab, click the Configure SMTP message Screener Logging link.
    3. In the SMTP Message Screener Logging Properties dialog box, note that the only logging format available is the File format. Select the ISA Server file format from the Format list. Confirm that there is a checkmark in the Enable logging for this service checkbox. Click the Options button.



    4. In the Options dialog box, confirm that the ISALogs folder option is selected. Make a note of the Log file storage limits that are configured by default, and of the Maintain log storage limit by setting. Change the value in the Delete files older than (days) box from 7 to 30. Confirm that there is a checkmark in the Compress log files checkbox.



    5. Click OK in the Options dialog box.
    6. Click Apply and then click OK in the SMTP Message Screener Logging Properties dialog box.
    7. Click Apply to save the changes and update the firewall policy.
    8. Click OK in the Apply New Configuration dialog box.

    Test SMTP Filtering


    Now that the SMTP Server Publishing Rule and SMTP Message Screener configurations are in place, we’re ready to test the effectiveness of the Message Screener.


    Perform the following on the external client machine to test the inbound SMTP relay function:



    1. On the external client computer, open Outlook Express. If presented with the e-mail account Wizard, cancel out of the Wizard so that you can manually configure the e-mail account.
    2. In the Outlook Express application, click the Tools menu and click Accounts.
    3. In the Internet Accounts dialog box, click the Add button. Click the Mail command.
    4. In the Your Name text box, enter your name. Click Next.
    5. In the E-mail address text box, enter an e-mail address. In this example we will enter [email protected] Click Next.
    6. On the E-mail Server Names page, confirm that POP3 is selected in the My incoming mail server is a X server list. Enter a bogus entry in the Incoming mail (POP3, IMAP or HTTP) server text box. In this example we will enter blah.com. In the Outgoing mail (SMTP) server text box, enter the IP address that the Inbound SMTP Relay Server Publishing Rule is listening on. In this example, the Inbound SMTP Relay Server Publishing Rule is listening on the address 192.168.1.70, so we will enter that value into this text box. Click Next.
    7. On the Internet Mail Logon page, enter a bogus account name in the Account name text box. In this example, we will enter the name Administrator. In the password box, enter a random password. Click Next.
    8. Click Finish on the Congratulations page.
    9. Click Close in the Internet Accounts dialog box.
    10. Click the Create Mail button in the Outlook Express button bar.
    11. In the New Message dialog box, enter the address [email protected]. Enter mail enhancement in the Subject text box. Click the Send button in the button bar.
    12. Return to the ISA Server 2004 firewall machine. Click Start and click Windows Explorer. Navigate to C:\Inetpub\mailroot\Badmail. You will see three files with the file extensions .BAD, .BDP and .BDR. These entries represent components of the blocked e-mail message. You can view them using the Notepad application.
    13. Navigate to the C:\Program Files\Microsoft ISA Server\ISALogs folder. Double click on the ISALOG_Date_EML_xxx.iis file and choose to open it with the Notepad application. There you will see entries in the log showing how the SMTP Message Screener processed the connection.
    14. You can repeat the above steps on the Outlook client on the Internal network, which sends through the Exchange Server. In the e-mail message, include the word resume in the subject or body of the message. You will find that the message is blocked and logged by the SMTP Message Screener. You can also send e-mail messages without the blocked words, and the outbound SMTP relay will forward the mail to the external e-mail user.

    Note that the Exchange Server is configured to use the ISA Server 2004 firewall as its smart host and the smart host address in this example is 10.0.0.10.
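    The keyword test above exercises the Message Screener, but it does not check the relay restriction configured earlier in the IIS SMTP service, which is the setting that keeps the published relay from being an open relay. The following added example, written for this page and not part of the original article or of ISA Server, probes that from the SMTP command level: it issues MAIL FROM and RCPT TO for a hosted domain and for a foreign domain and records the reply codes, without ever sending DATA. Because the screener inspects content after DATA, this probe says nothing about the keyword rules. The RelaySim class is a constructed stand-in for smtplib.SMTP that encodes the article's configuration (msfirewall.org hosted, 10.0.0.2 permitted to relay) so the code runs offline; the external client address 192.168.1.50 and the mailbox names are assumed. Against the real firewall, call probe_live("192.168.1.70") from the external client.

```python
"""Open-relay probe for the inbound SMTP relay published on the ISA firewall.

Added example, not ISA Server code. RelaySim models the IIS SMTP relay
restrictions from the article; addresses and IPs are constructed.
"""
import smtplib
from dataclasses import dataclass
from typing import Dict, Tuple

HOSTED_DOMAINS = {"msfirewall.org"}   # remote domain with "Allow incoming mail to be relayed"
RELAY_ALLOWED_IPS = {"10.0.0.2"}      # "Only the list below": the Exchange Server

Reply = Tuple[int, bytes]


@dataclass
class RelaySim:
    """Stand-in for smtplib.SMTP that answers the way the configured relay should."""
    client_ip: str

    def ehlo(self) -> Reply:
        return (250, b"isa.msfirewall.org")

    def mail(self, sender: str) -> Reply:
        return (250, b"2.1.0 Sender OK")

    def rcpt(self, recipient: str) -> Reply:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in HOSTED_DOMAINS or self.client_ip in RELAY_ALLOWED_IPS:
            return (250, b"2.1.5 " + recipient.encode())
        return (550, b"5.7.1 Unable to relay for " + recipient.encode())

    def rset(self) -> Reply:
        return (250, b"2.0.0 Resetting")


def rcpt_code(conn, mail_from: str, rcpt_to: str) -> int:
    """Reply code for RCPT TO; the transaction is reset, so nothing is queued."""
    conn.ehlo()
    conn.mail(mail_from)
    code, _ = conn.rcpt(rcpt_to)
    conn.rset()
    return code


def relay_codes(conn) -> Dict[str, int]:
    """Codes for a recipient in the hosted domain and in a foreign domain."""
    return {
        "hosted": rcpt_code(conn, "probe@other.example", "user@msfirewall.org"),
        "foreign": rcpt_code(conn, "probe@other.example", "victim@third.example"),
    }


def relays_for_foreign_domain(conn) -> bool:
    """True if the relay accepts mail for a domain it does not host.
    From an Internet host this must be False; from the Exchange Server it
    is expected to be True, because 10.0.0.2 is on the relay list."""
    return relay_codes(conn)["foreign"] == 250


def probe_live(host: str, port: int = 25) -> Dict[str, int]:
    """Run the same probe against a real listener (network access required)."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        return relay_codes(conn)


if __name__ == "__main__":
    for ip in ("192.168.1.50", "10.0.0.2"):          # Internet host, then Exchange
        sim = RelaySim(client_ip=ip)
        print(ip, relay_codes(sim), "open relay:" , relays_for_foreign_domain(sim))
```

    A 250 for the foreign recipient when the probe is run from outside means the Only the list below setting was lost or widened, and the firewall will relay spam for anyone who finds it; fix the relay restriction before leaving the listener exposed.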


    Summary


    In this article we discussed the issue of e-mail defense in depth and how the ISA Server 2004 SMTP Message Screener is a key component of any firewall infrastructure used to protect an Exchange Server. We then went over a detailed step by step example of how you configure the ISA Server 2004 firewall to be an inbound and outbound filtering SMTP relay that blocks SMTP messages based on specific SMTP filtering policies set for inbound and outbound connections. This article provided powerful rationale and a continuing chain of evidence for why ISA firewalls are the firewalls for Microsoft Exchange Servers.


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000020 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
