Hello,
I'm trying to figure out how to stop the "leakage" of my internal mail
server names and internal IP addresses.
I have 2 Backend Exchange 2003 SP2 servers. Outbound Mail is sent through a
smart host. When I send mail from either of these servers to an external
account, e.g. Gmail, and I view the email headers, I see the local names of my
internal exchange servers and their internal/private IP addresses.
Could someone please tell me where this information is leaking from, as I
would like to plug this hole.

For example: Received from Exchange1.abc.local (172.17.0.30) by
Mysmarthost.sales.com appears in the mail headers.

The server Exchange1.abc.local has a valid global FQDN defined
(Exchange1.sales.com) in the Virtual Server properties, yet the local name and
IP address show up in the headers.

Please advise and thanks in advance.
Sky.

Re: How to Stop Leakage of Internal Mail Server Name & IP in Mail head by andy

andy
Sat Mar 15 15:58:27 CDT 2008

First, it's not a hole. That information will come from the SMTP received
headers typically because you're using an internal smarthost. The
information could come from lots of other places too. That's just how SMTP
works. There are 15 different ways to find out what your internal
information is if I'm in a position to make use of it. Security by
obscurity isn't.

You can buy gateway products that will do a more thorough job of scrubbing
information, but I'm not sure of the value.


Re: How to Stop Leakage of Internal Mail Server Name & IP in Mail head by Rich

Rich
Sat Mar 15 16:19:47 CDT 2008

Bluehades <Bluehades@discussions.microsoft.com> wrote:

>Hello,
>I'm trying to figure out how to stop the "leakage" of my internal mail
>server names and internal IP addresses.
>I have 2 Backend Exchange 2003 SP2 servers. Outbound Mail is sent through a
>smart host. When I send mail from either of these servers to an external
>account, e.g. Gmail, and I view the email headers, I see the local names of my
>internal exchange servers and their internal/private IP addresses.
>Could someone please tell me where this information is leaking from, as I
>would like to plug this hole.

It's not much of a hole. In fact, it's not a hole at all. If your
perimeter defenses are breached the IP addresses and names of anything
on your network are discoverable in very little time.

>For example: Received from Exchange1.abc.local (172.17.0.30) by
>Mysmarthost.sales.com appears in the mail headers.

Since the 172.17.0.0/16 network isn't routable it isn't accessible
from outside your network. The .local TLD isn't present in any root
server on the Internet, so the name isn't resolvable. If there's a
hacker on your network a simple portscan would turn up your Exchange
servers in about 2 seconds -- they all identify themselves in the 220
SMTP banner.

>The server Exchange1.abc.local has a valid global FQDN defined
>(Exchange1.sales.com) in the Virtual Server properties, yet the local name and
>IP address show up in the headers.
>
>Please advise and thanks in advance.

The advice from anyone except an auditor (and they're just looking at
a checklist) or a paid consultant would be to not worry about this.

If you're really worried about it you can send your mail through
another relay that removes all traces from your email's headers (i.e.
it removes the "Received:" headers and the original "Message-id:"
header). I think that's overkill, myself.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
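
For readers who do choose to scrub, the following is an added example and not part of any poster's message. It audits a message for `Received:` and `Message-ID:` headers that carry RFC 1918 addresses or internal-only hostnames, and shows the relay-style rewrite described above. The sample message, the suffix list and the function names are assumptions constructed for illustration.

```python
import ipaddress, re
from email import message_from_string
from email.message import Message
from email.utils import make_msgid

# Constructed sample, modelled on the header quoted in the thread.
SAMPLE = (
    "Received: from Mysmarthost.sales.com (203.0.113.10)\n"
    "\tby mx.example.org; Sat, 15 Mar 2008 15:00:02 -0500\n"
    "Received: from Exchange1.abc.local (172.17.0.30)\n"
    "\tby Mysmarthost.sales.com; Sat, 15 Mar 2008 15:00:01 -0500\n"
    "Message-ID: <ABC123@Exchange1.abc.local>\n"
    "From: sky@sales.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: these suffixes mark internal-only names; adjust to your namespace.
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:local|lan|internal)\b", re.I)

def internal_markers(value):
    """Private IPs and internal-suffix hostnames found in one header value."""
    hits = []
    for text in IP_RE.findall(value):
        try:
            if any(ipaddress.ip_address(text) in net for net in RFC1918):
                hits.append(text)
        except ValueError:  # e.g. 999.1.1.1 is not an address
            pass
    return hits + HOST_RE.findall(value)

def audit(raw):
    """List (header, markers) for each Received/Message-ID that discloses internals."""
    msg = message_from_string(raw)
    return [(n, internal_markers(v)) for n, v in msg.items()
            if n.lower() in ("received", "message-id") and internal_markers(v)]

def scrub(raw, public_domain="sales.com"):
    """Relay-style rewrite: drop disclosing Received lines, reissue Message-ID."""
    msg, out = message_from_string(raw), Message()
    for name, value in msg.items():
        if internal_markers(value) and name.lower() == "received":
            continue
        if internal_markers(value) and name.lower() == "message-id":
            value = make_msgid(domain=public_domain)
        out[name] = value
    out.set_payload(msg.get_payload())
    return out.as_string()
```

Dropping `Received:` lines also discards the hop trail used for loop detection and delivery troubleshooting, so this version removes only the lines that carry internal markers and keeps the public hop.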

Re: How to Stop Leakage of Internal Mail Server Name & IP in Mail by Bluehades

Bluehades
Tue Mar 18 14:45:04 CDT 2008

Many thanks for your prompt replies.
Sky.