Go Beyond Encryption with a Tunnel

Written by Jesmond Darmanin on April 30, 2009

In an Exchange 2007 environment, email traffic flowing between the hub servers and the separate servers that store mailbox accounts is protected by encryption. With an Exchange journaling system in place, interception of emails in transit between the hub and the mailbox server is therefore largely prevented. Although the email traffic is encrypted, other steps are still required to tighten security around the Exchange journaling mailbox.

What still leaves the Exchange journaling system susceptible to attack is how easy it is for anyone to spoof an email. Composing an email message outside of Microsoft Outlook lets you specify the sender yourself, rather than having Outlook do it. Exchange must authenticate the message, but you can set your display name to anything you want, which creates the illusion that a message was sent by someone else. Spammers use this technique as part of their daily routine.

When you send an email message using Microsoft Outlook, it combines the sender, subject and body with the various SMTP mail delivery control commands and then sends the message to the server. Although it isn't usually practical, a person can use those same commands to send a message manually from the command line or from a script, without using Microsoft Outlook at all.

For the cyber criminal, spoofing an email message is only half of the equation. A hacker must also know the email address of the mailbox that is being used as the journal repository. With these two factors in place, it is fairly easy for a hacker to sneak a spoofed message into the journaling mailbox. By changing certain properties of an email (the From, Return-Path and Reply-To fields, for example), the bad guys can make an email appear to come from someone other than the actual sender. The result is an email that appears to come from the fake address shown in the "From" field, when it actually comes from a totally different source.

Other journaling defense methodologies include protecting Exchange email archives from spoofing attacks. The key to protecting your archives against these attacks is a clear understanding that there is a difference between the sender and the display name. The display name is the name the email recipient sees; it has no value in authenticating the user. The user's true identity is tied to the account's globally unique identifier (GUID).

Within the same Exchange Server organization, an email recipient can be deceived by a spoofed display name when an authenticated email user sends a spoofed message to that recipient's mailbox. The Exchange server is not fooled: it knows exactly who actually sent the message, because of how the sender was authenticated.

This authentication process is significant, because journaling always sends messages to the designated recipient mailbox in a consistent manner, regardless of who sent or received the message being placed in the journal mailbox. For example, let's say email user #1 sends a message to email user #2, and the Exchange mail server is also set up to journal a copy of the message to a mailbox called "Journal". In this scenario, neither email user #1 nor email user #2 sends anything to the Journal mailbox. The email is sent to the Exchange hub server, which then delivers the journal copy as a Microsoft Exchange message on behalf of the message's original sender.

If we know that all email messages sent to the journaling mailbox are only supposed to be from Microsoft Exchange, some easy steps can be taken to prevent anyone else or any other entity from sending messages to this mail box. Not publishing the mailbox in the directory is one way to do this.

A further step would be to ensure that only the Exchange server can place items into the journaling mailbox. Below is the process for creating a tunneling mechanism only between the Exchange server and the journal mailbox. This ensures the journal mailbox does not accept email from any outside entity.

  1. Open the Exchange Server Management console.
  2. Select Recipient Configuration > Mailbox.
  3. Right click on the journal mail box and choose Properties from the menu. This causes the console to display the mailbox’s properties sheet.
  4. Go to the properties sheet's "Mail Flow Settings" tab.
  5. Select the Message Delivery Restrictions option.
  6. Click the "Properties" button to display the Message Delivery Restrictions dialog box. At this point you can require that all senders to this mailbox be authenticated. You can also choose to accept only specific senders. For the journal mailbox, accept only messages from Microsoft Exchange.
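The same hardening can be applied and then verified from the Exchange Management Shell instead of clicking through the console; the script below is an added example written for this page and is not code from the original post. It covers both the "don't publish the mailbox in the directory" step and the delivery-restriction steps above. It assumes a journal mailbox named `Journal`; `Set-Mailbox`, `Get-Mailbox` and `Get-OrganizationConfig` are standard Exchange 2007 cmdlets, but passing the string `"Microsoft Exchange"` to `-AcceptMessagesOnlyFrom` (the name the console's picker shows for the Microsoft Exchange recipient) is an assumption, so a fallback that reads the recipient's SMTP address from the organization configuration is included.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: the journal repository mailbox is named "Journal".
$journal = "Journal"

# Step from the article: do not publish the journal mailbox in the directory.
# Hiding it from address lists makes the repository address harder to discover.
Set-Mailbox -Identity $journal -HiddenFromAddressListsEnabled $true

# "Require that all senders to this mailbox be authenticated":
# anonymous SMTP submissions addressed to the journal mailbox are rejected.
Set-Mailbox -Identity $journal -RequireSenderAuthenticationEnabled $true

# "Accept only messages from Microsoft Exchange": journal reports are generated by
# the Hub Transport server as the Microsoft Exchange recipient, so that is the only
# sender the mailbox needs to accept.
# Assumption: the recipient can be referenced by its display name. If the shell
# cannot resolve "Microsoft Exchange", fall back to its primary SMTP address,
# which is stored in the organization configuration.
try {
    Set-Mailbox -Identity $journal -AcceptMessagesOnlyFrom "Microsoft Exchange" -ErrorAction Stop
}
catch {
    $exchangeRecipient = (Get-OrganizationConfig).MicrosoftExchangeRecipientPrimarySmtpAddress
    Set-Mailbox -Identity $journal -AcceptMessagesOnlyFrom $exchangeRecipient
}

# Verification: confirm the three settings actually took effect. Re-run this part
# periodically (or in a scheduled check) so a later change to the mailbox that
# loosens the restriction is noticed.
$state = Get-Mailbox -Identity $journal |
    Select-Object Name, HiddenFromAddressListsEnabled,
                  RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom

$state | Format-List

if (-not $state.RequireSenderAuthenticationEnabled -or
    -not $state.HiddenFromAddressListsEnabled -or
    $state.AcceptMessagesOnlyFrom.Count -eq 0) {
    Write-Warning "Journal mailbox '$journal' is not fully restricted; review the settings above."
}
```

The final check is the part worth keeping around: the delivery restriction is only protective while it stays in place, and a mailbox whose `AcceptMessagesOnlyFrom` list has been emptied again is exactly the condition the article warns about, so it is cheap to assert on it rather than trust that the console setting was never touched.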