  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2401

Limit ESMTP verbs on an Exchange 2003 server

How can I limit the ESMTP verbs on my Exchange 2003 server to the following only:

AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET,
SAML, SEND, SOML, and VRFY

I need to limit the verbs so I can pass traffic through a Cisco ASA with Inspect ESMTP enabled. Disabling protocol inspection is not a desired answer, so please don't post that.
Asked by: Jim_Coyne

2 Solutions
 
nightmare2Commented:
I've never tried, but this should help you:
How to turn off ESMTP verbs in Exchange 2000 Server and in Exchange Server 2003
http://support.microsoft.com/kb/q257569

 
Jim_CoyneAuthor Commented:
From that article:
By default, this value is 7697601 (0x7574C1H). When you subtract the corresponding decimal value from this number, you can turn on or off the various ESMTP verbs. For example, when you turn off 8bitmime support, the resulting SmtpInboundCommandSupportOptions value is 3503297 (0x3574C1H).

Ok, so what is the value for the following to be on?

AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET,
SAML, SEND, SOML, and VRFY
 
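The KB's "subtract the decimal value" recipe is only correct while the verb's bit is actually set; subtracting a verb that is already off (or subtracting it twice) corrupts neighbouring bits. The following is an added example, not code from the thread or from Microsoft's KB, that does the same edit with bitwise operations, which are safe to repeat, and checks a candidate value against the default before anyone types it into ADSIEdit. The only per-verb flag it uses is the 8BITMIME one implied by the quoted KB example (7697601 - 3503297 = 4194304, 0x400000); the rest of the verb-to-value table is in KB 257569 and is not reproduced here. The candidate 352257 is the value proposed further down this thread.

```python
# Added example: bit arithmetic for msExchSmtpInboundCommandSupportOptions.
# Not from the thread or from KB 257569. Per-verb flag values other than
# 8BITMIME live in the KB's table and are deliberately not reproduced here.

DEFAULT_MASK = 7697601    # 0x7574C1, the default quoted from the KB above
FLAG_8BITMIME = 4194304   # 0x400000 = 7697601 - 3503297, from the KB's own example
CANDIDATE_MASK = 352257   # 0x56001, the value proposed later in this thread


def set_bits(mask):
    """Bit positions that are set in mask, lowest first."""
    return [i for i in range(mask.bit_length()) if (mask >> i) & 1]


def turn_off(mask, flag):
    """Turn a verb off with AND-NOT.

    Same result as the KB's subtraction while the verb is on; leaves the
    mask untouched instead of corrupting it when the verb is already off.
    """
    return mask & ~flag


def turn_on(mask, flag):
    """Turn a verb on; OR is likewise safe to apply more than once."""
    return mask | flag


def subtract_as_kb_says(mask, flag):
    """The KB's literal recipe. Only correct while the verb's bit is set."""
    return mask - flag


def only_turns_off(candidate, baseline=DEFAULT_MASK):
    """True if candidate enables nothing that baseline did not already enable.

    A value that fails this check would switch verbs ON relative to the
    default, which is the opposite of what the asker wants.
    """
    return (candidate & ~baseline) == 0


def flags_removed(candidate, baseline=DEFAULT_MASK):
    """Per-verb flag values set in baseline but cleared in candidate.

    Look each value up in the KB's table to find out which verb it names.
    """
    return [1 << i for i in set_bits(baseline & ~candidate)]


if __name__ == "__main__":
    off_once = turn_off(DEFAULT_MASK, FLAG_8BITMIME)
    print(f"8BITMIME off once : {off_once} (0x{off_once:X})")
    print(f"AND-NOT twice     : {turn_off(off_once, FLAG_8BITMIME)}")
    print(f"KB subtract twice : {subtract_as_kb_says(off_once, FLAG_8BITMIME)}")
    print(f"{CANDIDATE_MASK} only turns verbs off: {only_turns_off(CANDIDATE_MASK)}")
    print(f"flags it removes  : {flags_removed(CANDIDATE_MASK)}")
```

Applying the KB subtraction a second time to 3503297 goes negative, while the AND-NOT form stays at 3503297. For 352257, `only_turns_off` returns True and `flags_removed` lists seven flag values (8BITMIME among them), so the value at least does not enable anything beyond the default; which seven verbs those are is a lookup against the KB's table.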
SembeeCommented:
Your better option is to turn off the Cisco inspect SMTP feature. Those options cause nothing but problems with SMTP delivery.

Simon.
 
Jim_CoyneAuthor Commented:
It's not the inspect ESMTP (Cisco) that is the issue. It's the Exchange server using extra verbs.

protocol inspection stops attacks like this:

http://www.securityfocus.com/bid/13118
 
nightmare2Commented:
Your list contains mostly standard SMTP commands.
So you need to disable ESMTP as much as possible.

Install the Windows 2003 support tools from SUPPORT\TOOLS\SUPTOOLS.MSI

1. Telnet <ExchangeIP> 25
Type ehlo
Note the advertised verbs.
2. Open ADSIEdit and connect to a domain controller.
3. Open the Configuration Container.
4. Navigate to the following location:
Configuration/Services/Microsoft Exchange/<Your Organization>/Administrative Groups/<Your Administrative Group>/Servers/<Your Exchange Server>/Protocols/SMTP/<Your Virtual Server Number>
5. Right-click the virtual server object, and then click Properties.
6. For Select a property to view: select msExchSmtpInboundCommandSupportOptions.
7. In the Edit Attribute: field, enter 352257
8. Click Set, Apply, and then OK.
9. Exit out of ADSIEdit.
10. Wait 15 minutes.
11. On the Exchange Server, issue these commands: 'net stop smtpsvc' and 'net start smtpsvc'
12. Telnet <ExchangeIP> 25
Type ehlo
Note that there are fewer advertised verbs.
13. Test your appliance.

Removing more ESMTP commands would require disabling the event sinks, which is not recommended.
 
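Steps 1 and 12 of the procedure above compare EHLO output by eye. As an added example, not code from the answer or from Microsoft, the script below does the same check mechanically: it connects, reads the banner, sends EHLO, collects the multi-line 250 reply, and lists every advertised keyword that is not in the verb list the ASA accepts (the list from the question). The EHLO reply embedded in it is constructed to look like a stock Exchange 2003 virtual server's reply so the parser can be exercised offline; the host name, address and probe name in it are placeholders, not values from this thread.

```python
# Added example (not from the thread): automate "telnet, type ehlo, note the
# advertised verbs" and diff the result against the ASA's accepted verb list.
import re
import socket

# Verbs the question says the ASA's "inspect esmtp" accepts.
ASA_ALLOWED = {
    "AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
}

# Constructed EHLO reply modelled on a stock Exchange 2003 SMTP virtual server.
# Not captured from the asker's environment; host and address are placeholders.
SAMPLE_EHLO = (
    "250-mail.example.local Hello [192.0.2.10]\r\n"
    "250-TURN\r\n"
    "250-SIZE\r\n"
    "250-ETRN\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8bitmime\r\n"
    "250-BINARYMIME\r\n"
    "250-CHUNKING\r\n"
    "250-VRFY\r\n"
    "250-X-EXPS GSSAPI NTLM LOGIN\r\n"
    "250-X-EXPS=LOGIN\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250-X-LINK2STATE\r\n"
    "250-XEXCH50\r\n"
    "250 OK\r\n"
)

# A multi-line SMTP reply ends with a line "NNN text" (code, then a space).
_REPLY_END = re.compile(r"(?m)^\d{3} .*\r?\n")


def parse_ehlo(reply):
    """Extract extension keywords from a multi-line 250 EHLO reply.

    The first 250 line is the greeting and is skipped. Every later line is
    '250-KEYWORD [params]' or, last, '250 KEYWORD'. The keyword is the first
    token up to any '=', upper-cased, so 'AUTH GSSAPI NTLM LOGIN' and
    'AUTH=LOGIN' both count once as AUTH.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply: %r" % reply[:40])
    keywords = []
    for line in lines[1:]:
        if not re.match(r"250[- ]", line):
            raise ValueError("unexpected line in EHLO reply: %r" % line)
        body = line[4:].strip()
        if not body or body.upper() == "OK":  # Exchange closes with "250 OK"
            continue
        keyword = body.split()[0].split("=")[0].upper()
        if keyword not in keywords:
            keywords.append(keyword)
    return keywords


def not_in_allow_list(keywords, allowed=ASA_ALLOWED):
    """Advertised keywords that the ASA does not list as accepted verbs."""
    return [k for k in keywords if k not in allowed]


def fetch_ehlo(host, port=25, probe_name="probe.example.local", timeout=10):
    """Connect, read the banner, send EHLO and return the raw reply text."""
    def read_reply(sock):
        buf = b""
        while not _REPLY_END.search(buf.decode("ascii", "replace")):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf.decode("ascii", "replace")

    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_reply(sock)
        if not banner.startswith("220"):
            raise RuntimeError("unexpected banner: " + banner.strip())
        sock.sendall(("EHLO %s\r\n" % probe_name).encode("ascii"))
        reply = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
        return reply


if __name__ == "__main__":
    import sys
    reply = fetch_ehlo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EHLO
    advertised = parse_ehlo(reply)
    print("advertised       :", " ".join(advertised))
    print("outside ASA list :", " ".join(not_in_allow_list(advertised)) or "(none)")
```

Run it with the Exchange server's address as the only argument to probe a live server, or with no argument to run against the constructed sample. Note that an EHLO keyword names an extension, not always a command: SIZE and 8BITMIME are MAIL FROM parameters, CHUNKING implies the BDAT command, and X-EXPS implies an authentication command. Treat the "outside ASA list" output as the checklist to take to the KB's verb table rather than as a verdict on what the firewall will block.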
SembeeCommented:
I can tell you right now that you will have problems with email delivery. I have yet to work on a site that has used that feature that has not had issues with SMTP delivery.
If you get any issues with delivery the first response is always "is there anything between Exchange and the internet".

I am not aware of Exchange being compromised to date, nor has IIS 6 been. All compromises have occurred via third-party applications that have been installed on the server. If the server is exclusive to Exchange then it shouldn't be a problem.

I have been working with Exchange for some time and this is the first time I have ever seen someone ask how to cripple the product in the name of security.

This is the result last time Cisco tried to do SMTP inspection on their firewalls (the original MS KB has been pulled)
http://web.archive.org/web/20050105134704/http://support.microsoft.com/?id=320027

Simon.