Full of I.T.

Kevin Remde's IT Pro WebLog

Best of Q&A from Webcast: Implementing Exchange Server 2003 Security (Part 2 of 2)


Below I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on Implementing Exchange Server 2003 Security (Part 2 of 2).

BIG thank you to Chris Avis for handling the Q&A on the backend, and whose work this really represents.


Questions and Answers:

“Can I win one of those MP3 players today?”

You are entered into the drawing by attending, and filling out the survey. Stick around until the end of the webcast, and I will post the Survey slide.

“If I’m requiring SSL on my SMTP protocol of Exchange 2003 will I be able to receive e-mail from other servers from beyond my organization?”

It depends on where the certificate comes from. If you use an internal certificate authority that is not available to the general public, then you will have to get the certificates to any SMTP mail server that you wish to allow to connect. If you get the certificate from a public CA, the connecting SMTP server can request the certificate from the public CA and make the connections. It is generally not recommended to secure SMTP with SSL except for internal server-to-server communications. See the following:
http://support.microsoft.com/kb/823019/en-us and http://support.microsoft.com/kb/823024/en-us

“The IMF are just available on SP2?”

No. There is a Version 1.0 of the IMF that you can load to a pre-Exchange SP2 system. Exchange SP2 introduces an update to the IMF features and requires you to remove IMF v1.0 before install.

“IMF still doesn’t support Clustering, huh?  So, how do enterprise customers wanted to implement that feature?”

You would utilize a FE/BE Exchange Environment and implement the IMF on a FE Server.  Remember, the SCL assigned at the gateway is now attached to and follows the message. 

Evan Dodds has a good article on his blog about where/how to configure IMF.  But yes, unfortunately the initial IMF tagging of the SCL can’t happen on a clustered server.

“Is IMF installed by default after SP2 installation, or should we install it separately?”

It is installed by default but you still have to configure and enable it manually.

“If you install IMF v1 and get it set up, when you install SP2 I know you have to uninstall IMF. Will this remove your settings?”

Chris Answered: Yes it will.

I’m gonna have to disagree with Chris, though.  I didn’t lose my gateway / mailbox threshold settings when I moved to SP2.  So, the filter was configured.  However, I did have to re-apply that filter to my SMTP Virtual Server.

“So the only way to secure communication while using pop3 clients to send and receive email is to enable ssl on my clients is that right?  This is the only way that the passwords of my users will not be sent as clear text, right?”

You can use Transport Layer Security as well.  For securing Client to Server Communications, please see the following — http://support.microsoft.com/kb/823019/en-us

“FE to BE communication, is IPSec the best way to secure?”

It is the most secure method. Whether it is “best” or not depends on your scale and implementation. See the following as an example — http://support.microsoft.com/kb/821839/en-us

“Could you provide a few Good RBLs so that we can implement one of them.  Kevin’s Demo is a good concept, but add no good to implement it in the real environment. Wish to know which RBL Microsoft is using. Thx”

Use your favorite search engine [MSN] and look for — DNS BLOCK LIST

“How do u eval the perf of IMF if there are millions of messages coming into our FE?”

Use Performance Monitor. In fact, you’ll want to use PerfMon when establishing the baseline for your SCL ratings anyway. This is detailed in the IMF docs included in the V1.0 Download or in the Exchange SP2 Release notes.

“I don’t see the Intelligent Message Filtering tab. We are running E2K3 SP2. Do I need to enable it somewhere else so that tab shows up?”

You need to verify you are running Exch SP2 – View the properties of the Server name in the Exchange Server Manager.

“Is it recommended to implement IMF, instead of Outlook junk email filters? or, shall we depend on IMF and totally keep Outlook spam filter un-configured?”

It is recommended to use both actually. The IMF can help determine the actions of the Outlook Spam filter. The Outlook filter really complements the IMF by giving more individual control over specific email addresses or domains that you personally would accept or reject.

“Last presentation you mentioned a link to the slide deck would be available the next day, though I didn’t see it, will one be available tomorrow for today’s presentation, and will we be emailed the link or can you point us towards it?”

There have been several reports of the links not being sent yet. We are investigating and you should still see the emails in a day or so.

“Do you have an article on BE IPSec in non-clustered environments?”

See the following — http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3ClientAccGuide/3f0c5658-dcfc-4e8f-b3c3-0b56dee3bd28.mspx

“Is there an article that has more information regarding the ContentFilterState reg key?”

See the following — http://support.microsoft.com/kb/907747/en-us

“Is there an official Microsoft document on how to configure Exchange with SP2 working with Windows Mobile 5.0 (there is a problem with the certificate)?”

This would be a part of the SP2 Docs.

“So the 75GB [mailbox store limit increase in SP2] is for the Standard version or Enterprise?”


“How do you exempt a message from checking by the IMF? By IP address? By sender? By recipient?”

Please see the following for exempting messages from the IMF — http://support.microsoft.com/kb/867633/en-us

“Thanks for those fast and perfect answers.. :)”

Yeah.. thanks Chris! :)

“Is there an article describing how to implement cache mode feature of SP2?”

Cached Exchange Mode is primarily implemented via the Outlook 2003 client. See the following — http://support.microsoft.com/kb/870926/en-us

“Is it possible to use other antispam products together with IMF?”

In most cases, yes….

“Does Exchange SP1 have to be installed for SP2 to be installed?”

No. Exchange SP2 includes SP1 fixes.

“Do we need to do something on registry to increase exchange database?”

Yes – Sorry I didn’t make that clear in the webcast.
See the following — http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207325ab/Ex_2003_SP2_RelNotes.htm

“Does SP2 also support the 75GB mailbox size for Enterprise edition as well as Standard?”

See the release notes for this information — http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207325ab/Ex_2003_SP2_RelNotes.htm

“Could you elaborate about the smtp sp2 on exchange running on windows server 2003 without sp1; I heard that smtp may not work.”

Not aware of this issue.  Sorry.

“I did check the properties of the E2K3 server and it shows Build 7638.2: Service Pack 2. I see the Sender tab, Recipient Filtering tab, Connection Filtering tab, etc…but not IMF tab. We did not have IMF v1.0 enabled when we were at E2K3 SP1.”

I suggest hitting the Exchange Newsgroups first and then making a call to Product support if you can’t get it resolved in the newsgroups.

“Someone mentioned that they couldn’t find the IMF tab in Exchange. I had the same issue, but realized that the System Manager on my Exchange server worked fine, but the one on my DC still has the old Exchange snap-in (still need to upgrade it to SP2 too!).”

Ah!  Thanks for sharing that!

“I would like to catch all e-mail coming into my organization is it possible? of course without disturbing regular email delivery to users’ inboxes.”

Well.. it’s possible a number of ways.. either through external SMTP gateways, ISA Server 2004, or Exchange as a front end server. What you do on those gateways is really up to you and to the tools and their capabilities.

“What is the risk in turning on recipient filtering? I have seen warnings regarding this. Can the feature be used and the adverse effects stopped? I enabled this feature with one client I support and it greatly reduced SPAM.”

It reduced spam? That’s odd. I say that because recipient filtering is typically just blocking email from coming to someone internally. So.. that user probably saw a dramatic drop in spam (or really ANY) email coming into his/her mailbox from the outside.