Configuring ISA Server to Secure SMTP Traffic

How to Configure the SMTP Application Filter
To make an Exchange Server computer accessible to other SMTP servers on the Internet, you must configure a publishing rule that publishes the Exchange Server computer using the SMTP port. When you configure a rule that uses SMTP, the SMTP application filter is enabled for that rule automatically. The SMTP application filter accepts the traffic, inspects it, and forwards it to internal SMTP servers only if the SMTP filter allows it.

What Is SMTP Command Filtering?
SMTP servers use a set of commands (also called verbs) to initiate an SMTP connection between servers and then to transmit SMTP messages. The SMTP application filter filters SMTP traffic by examining these SMTP commands.

The SMTP filter can be configured to disable specific SMTP commands. When an SMTP server or client uses a command that is defined but disabled, the filter stops the command and closes that connection. For example, if you disable the VRFY command, ISA Server will block all SMTP connections that use this command. When a client uses a command that is not recognized by the SMTP filter, the connection is also denied. For example, the SMTP filter does not define the TURN command, so TURN commands will be blocked by the SMTP filter.

Each SMTP command also has a maximum length that specifies the number of bytes allowed for each command. If an attacker sends a command that exceeds the number of bytes allowed for the command, ISA Server drops the connection and prevents the attacker from communicating with the SMTP server. For example, the default maximum length for the RCPT TO command is 266 bytes. If an SMTP connection uses an RCPT TO command longer than this limit, the connection is dropped.
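The three checks described above (unrecognized command, defined but disabled command, command over its maximum length) can be modeled in a few lines. This is an added illustration, not ISA Server code: the rule table is hypothetical, only the 266-byte RCPT TO limit comes from the text, the other limits are constructed, and the length is assumed to be counted without the trailing CRLF.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CommandRule:
    enabled: bool
    max_length: int  # bytes allowed for the whole command line

# Hypothetical rule table. Only the RCPT TO limit is taken from the text;
# every other limit is a constructed sample value.
RULES = {
    "MAIL FROM": CommandRule(True, 266),
    "RCPT TO": CommandRule(True, 266),   # default stated in the text
    "HELO": CommandRule(True, 71),
    "EHLO": CommandRule(True, 71),
    "DATA": CommandRule(True, 6),
    "QUIT": CommandRule(True, 6),
    "VRFY": CommandRule(False, 266),     # defined but disabled
}

def match_verb(line: bytes):
    """Return the defined verb that starts the line, or None."""
    upper = line.upper()
    for verb in sorted(RULES, key=len, reverse=True):
        v = verb.encode()
        rest = upper[len(v):len(v) + 1]
        if upper.startswith(v) and rest in (b"", b" ", b":"):
            return verb
    return None

def inspect(line: bytes):
    """Return (action, reason) for one command line (CRLF already stripped)."""
    verb = match_verb(line)
    if verb is None:
        return ("close", "unrecognized command")
    rule = RULES[verb]
    if not rule.enabled:
        return ("close", f"{verb} is disabled")
    if len(line) > rule.max_length:
        return ("close", f"{verb} exceeds {rule.max_length} bytes")
    return ("forward", verb)

def inspect_session(lines):
    """Apply inspect() in order; stop at the first command that closes the connection."""
    results = []
    for line in lines:
        results.append(inspect(line))
        if results[-1][0] == "close":
            break
    return results
```

Because TURN has no entry in the table it is rejected as unrecognized, while VRFY is rejected because its entry is disabled, which mirrors the two cases in the text.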

How Message Screener Filters Messages
The Message Screener must be installed on a server running the Microsoft Internet Information Services (IIS) 5.0 or IIS 6.0 SMTP service. The Message Screener component can be installed on the computer running ISA Server, on a computer running Exchange Server, or on any other IIS 5.0 or IIS 6.0 SMTP server in the internal network or in a perimeter network (also known as a demilitarized zone, or DMZ).

SMTP Message Screener can be configured to filter incoming mail based on the following:
1- The information in the MAIL FROM SMTP command. The MAIL FROM command specifies the source SMTP address for the e-mail message. This is used for sender and domain name filtering.

2- The information in the Content-Disposition header field for each attachment. This field commonly contains the attachment file name and extension. SMTP Message Screener can filter attachments by extension, by name, or by size.

3- Keywords in the message subject or body. This is used for filtering the message subject and the body, in either the text/plain or text/html content type.

SMTP Message Screener can be configured to delete e-mail messages, hold e-mail messages for later inspection, or forward e-mail messages to a specific e-mail account for further examination and analysis.
