Securing Routing Group Connectors


In Exchange Server 2003, a collection of messaging servers connected via high-speed bandwidth (512KB or higher) is defined as a routing group. By default, one routing group is created. Anytime a server is added to a routing group, the connections between the servers are automatically configured.

Another purpose of the routing group is communicating with other routing groups through specialized connectors. When routing groups communicate with other routing groups, they do so through designated servers, most commonly known as bridgehead servers. Exchange Server 2003 provides many such connectors that can connect to other Exchange servers as well as foreign messaging environments, such as Lotus Notes. The most common connector in Exchange Server 2003 is the SMTP connector. As the name implies, the SMTP connector uses the SMTP protocol, but other connectors use SMTP by default as well. Other commonly used connectors include the X.400 and the routing group connectors.

NOTE

Routing group connector security is strong by default and there is minimal configuration. However, this connector does not support encryption unless the servers participate in an IPSec policy where all traffic is encrypted. If connector communications traffic flows through public networks, use the SMTP connector instead to support encrypted communications.


Using X.400

X.400 is a long-standing messaging standard that Exchange Server 2003 uses for compatibility with older or foreign messaging systems. It can be configured using either X.25 or TCP/IP.

From a security perspective, X.400 has been superseded by SMTP. One key reason is that SMTP supports strong authentication, whereas X.400's authentication is much weaker. For instance, X.400 supports the use of passwords, but the passwords are transmitted in plain text. Use the SMTP connector instead of the X.400 connector whenever possible.

Securing SMTP Connectors

Exchange Server 2003's SMTP connector can be used to connect to the Internet, to other Exchange servers, to other Exchange organizations, or to other messaging systems. With regard to security, there are several key considerations to take into account, including content restrictions, authentication, encryption, and relaying.

Outbound Security Controls

Outbound security controls can be set on the SMTP connector and are very similar to those mentioned earlier in the section "Using Authentication Controls." These controls provide authentication (anonymous, Basic, and Integrated Windows Authentication) and encryption (using TLS) options. The basic difference between these options and those for the SMTP virtual server is that only one authentication method can be selected.

To configure outbound security controls for the SMTP connector, do the following:

  1. In the ESM, expand the administrative and routing groups.

  2. Under the defined routing group for the messaging environment, expand the Connectors folder to reveal the SMTP connector.

  3. Right-click the SMTP connector and select Properties.

  4. Click the Outbound Security button on the Advanced tab.

  5. Select the authentication method and whether or not the connector will use TLS. By default, the SMTP connector uses anonymous access.

Integrated Windows Authentication with TLS offers the strongest and most secure form of authentication for outbound security and is therefore recommended.
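To check that a peer can honor the outbound security settings chosen above, the following added example (not from the book) parses an SMTP EHLO reply and reports mismatches with the connector's authentication and TLS selection. The function names, finding codes, the mapping of Basic and Integrated Windows Authentication to SASL mechanisms, and the sample replies are assumptions constructed for illustration.

```python
import re

# Mapping from the page's option names to SASL mechanisms (an assumption of this example).
AUTH_MECHS = {"basic": {"LOGIN", "PLAIN"}, "integrated": {"NTLM", "GSSAPI"}}

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: set(params)}."""
    lines = [ln.rstrip() for ln in reply.splitlines() if ln.strip()]
    caps = {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        # Only the final line may use "250 " (space); all others use "250-".
        if not m or (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not a capability
        # Also accepts the legacy "AUTH=LOGIN" spelling of the AUTH keyword.
        words = m.group(2).replace("=", " ", 1).upper().split()
        if words:
            caps.setdefault(words[0], set()).update(words[1:])
    return caps

def audit_outbound(reply, auth, use_tls):
    """Findings for a connector set to auth ('anonymous', 'basic', 'integrated') and TLS on/off."""
    if auth not in ("anonymous", "basic", "integrated"):
        raise ValueError(f"unknown authentication option: {auth}")
    caps = parse_ehlo(reply)
    offered = caps.get("AUTH", set())
    findings = []
    if use_tls and "STARTTLS" not in caps:
        findings.append("NO_STARTTLS")          # peer cannot negotiate TLS
    if auth != "anonymous" and not offered & AUTH_MECHS[auth]:
        findings.append("AUTH_NOT_OFFERED")     # selected method unavailable on the peer
    if auth == "basic" and not use_tls:
        findings.append("BASIC_IN_CLEAR")       # credentials are only base64-encoded on the wire
    if auth == "anonymous" and not use_tls:
        findings.append("DEFAULT_UNPROTECTED")  # the connector default: no authentication, no TLS
    return findings

# Constructed sample replies (not captured from a real server).
PEER_FULL = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-STARTTLS
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK"""
PEER_PLAIN = "250-relay.example.test Hello\n250-SIZE\n250 AUTH LOGIN"

if __name__ == "__main__":
    print(audit_outbound(PEER_FULL, "integrated", True))
    print(audit_outbound(PEER_PLAIN, "integrated", True))
```

An empty list means the peer advertises everything the selected combination needs; any finding should be resolved before relying on the connector over a public network.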

Using the Internet Mail Wizard

The Internet Mail Wizard is designed to create a secure, reliable, nonrelaying Internet mail SMTP connector. The wizard is not only for inexperienced Exchange Server 2003 administrators; it is also very useful for even the most experienced ones. It walks the administrator through the creation of an Internet mail SMTP connector.

To use the Internet Mail Wizard, do the following:

  1. Open the ESM by choosing System Manager from the Start, All Programs, Microsoft Exchange menu.

  2. Right-click the Exchange organization name and select Internet Mail Wizard.

  3. Click Next twice to bypass the Welcome and Prerequisites for Internet Mail windows.

  4. Select the Exchange Server 2003 server to create the SMTP connector. The wizard then checks whether the server meets the prerequisites. Click Next when it has completed and passed.

  5. Choose whether this connector will send or receive Internet email, as shown in Figure 13.10, and then click Next.

    Figure 13.10. Using the Internet Mail Wizard.


  6. Review the domains that will receive email for this Exchange organization and then click Next. Domains can be added or removed at this point if necessary.

  7. Select the SMTP virtual server that will be the bridgehead for outbound Internet email and then click Next.

  8. Specify whether to use DNS or a smarthost to send Internet email. If DNS will be used and the Exchange Server 2003 will not resolve DNS addresses, enter the external DNS servers. If a smarthost is used, enter the hostname or IP address enclosed in brackets (for example, [192.168.1.20]). Click Next to continue.

  9. Specify whether to allow delivery to all domains or to specific domains and then click Next.

  10. Review the configuration and then click Next.

  11. Click Finish when done. Optionally, check the check box to view a detailed configuration report.



Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto