Tips for Hardening your Exchange Server

GOBI IT Solutions – Email is the main means of communication for both critical and non-critical business information today, so a reliable email service should be a primary concern of any business operator. Here are 10 ways to keep your Exchange server reliable and your email service secure.

Disable open relaying on all SMTP virtual servers: An open relay on your Exchange server allows other email servers to use your server as a gateway to others. Third parties can then send spam that appears to originate from your address, and you will be identified as a spam source.
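To confirm that relaying is actually closed on a server you administer, the following added example (not part of the original article) starts an unauthenticated SMTP session, offers an external sender and an external recipient, and classifies the server's reply without ever sending a message. The addresses are constructed placeholders and the function names are hypothetical.

```python
import smtplib
import sys

# Constructed placeholder addresses (assumptions). Neither domain may be one
# the server under test accepts mail for, or the result means nothing.
EXT_SENDER = "relaytest@external-sender.example"
EXT_RCPT = "relaytest@external-recipient.example"


def _ok(code):
    return 200 <= code < 300


def classify_relay(smtp, sender=EXT_SENDER, rcpt=EXT_RCPT):
    """Classify an unauthenticated SMTP session as 'open-relay',
    'relay-denied' or 'inconclusive'. DATA is never sent, so nothing is queued."""
    try:
        if not _ok(smtp.ehlo()[0]) and not _ok(smtp.helo()[0]):
            return "inconclusive"
        code = smtp.mail(sender)[0]
        if not _ok(code):
            # 5xx here (e.g. authentication required) already blocks relaying.
            return "relay-denied" if 500 <= code < 600 else "inconclusive"
        code = smtp.rcpt(rcpt)[0]
        if _ok(code):
            return "open-relay"      # external-to-external recipient accepted
        if 500 <= code < 600:
            return "relay-denied"    # permanent refusal, the desired result
        return "inconclusive"        # 4xx: temporary failure, retry later
    finally:
        try:
            smtp.rset()              # drop the envelope we started
        except smtplib.SMTPException:
            pass


def check_host(host, port=25, timeout=10):
    """Run the check against one server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return classify_relay(smtp)


if __name__ == "__main__":
    print(check_host(sys.argv[1]))
```

Run it from a machine outside your network, since a server may legitimately relay for internal or authenticated clients.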

Prevent anonymous access on internal SMTP virtual servers and dedicated SMTP virtual servers for IMAP and POP clients: Because all Exchange servers within your organization authenticate with each other to send mail, you do not need to enable anonymous access on your internal Simple Mail Transfer Protocol (SMTP) virtual servers. Additionally, all Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients authenticate with your SMTP virtual server, so anonymous access is not required on a server that is used exclusively by POP and IMAP clients.

Restrict submissions to distribution lists and users: Restrict who can send e-mail messages to an individual user or a distribution list. Restricting submissions on a distribution list prevents non-trusted senders, such as unauthorized Internet users, from sending mail to an internal-only distribution list.

Digitally sign and encrypt your email: Digitally signing and encrypting your email prevents anyone who intercepts it from reading it and makes sure it is opened only by the person you sent the message to.

Educate your users not to open email attachments from unknown users: Attachments can include programs that start sending spam email messages to multiple users in your address list, which could cause you trouble.

Back up your Exchange server periodically: Always back up your Exchange server so that you are ready when disaster strikes.

Deploy a Front End Server: Deploy a Front End Server in the DMZ, and close unused ports on the DMZ. Here are the ports most used by Exchange services:


DNS 53

Kerberos 88

POP3 110

NNTP 119

RPC Endpoint Mapper 135

IMAP4 143

LDAP 389

Global Catalog 3268/9

Secure Sockets Layer (SSL):

POP3 (SSL) 995

Consider using OWA "Forms-based Authentication": Deploy an SSL certificate for your OWA access; this will add another layer of security to your Exchange environment.

Consider using RBL: Exchange 2003 has a feature for identifying spam and open relays using RBLs ("Real-time Block Lists").

Audit your Exchange server: It's important that you audit your Exchange server to track changes made to your server.

I hope this was a good source of information. Feel free to contact me with any additional questions or remarks.

Thank you

Ehab Hamouda

System Engineer

GOBI IT Solutions

