Setting Message Delivery Limits
One of the most important security measures you can implement on your SMTP connectors is setting message delivery limits. Message delivery limits prevent users from sending large messages through Exchange that tie up Exchange resources (processing time, queue availability, disk storage, and more). When that happens, the effect on the organization is the same as a DoS attack. Implementing these limits also encourages users to use alternative delivery methods, such as file shares, compression of attachments, and even document management portals.
In previous versions of Exchange, delivery limits were configured within the Exchange System Manager. In Exchange 2007, these limits are set on specific Send and Receive Connectors using the Exchange Management Shell.
To determine the current maximum message size on a particular connector, perform the following procedure. For this example, you will work with a Receive Connector. To perform the same tasks on a Send Connector, replace Get-ReceiveConnector with Get-SendConnector (and, when changing a value, Set-ReceiveConnector with Set-SendConnector).
1. Start the Exchange Management Shell.
2. Get a list of the existing connectors by using the following command:
Get-ReceiveConnector
A list of existing Receive Connectors is returned. For this example, use a connector named "Default VMW-EXCHANGE1."
3. To view the configuration of a specific connector, use the following command:
Get-ReceiveConnector "Default VMW-EXCHANGE1" | Format-List
A detailed configuration of the connector is returned, and looks similar to what is shown in Figure 1.
By default, the maximum message size is set to 10MB. To change this maximum message size, perform the following procedure:
1. In the Exchange Management Shell, type the following command:
Set-ReceiveConnector "Default VMW-EXCHANGE1" -MaxMessageSize 20MB
2. If you now view the configuration of the connector (as shown previously), you will see that the new MaxMessageSize limit has taken effect. (Unquoted, 20MB is a PowerShell numeric literal that expands to 20,971,520 bytes; the quoted form "20MB" is accepted as well, and a bare number is interpreted as bytes.)
Note
Configuring different sending and receiving message size limits can cause problems. For example, if you configured a 5MB limit on sent messages but a 10MB limit on received messages, a user might receive an email from an external source with a 9MB attachment. They would be able to receive the message, but any attempt to forward it to a co-worker would fail because of the sending restriction. A good best practice is to set these limits to the same size. Bear in mind also that the connector limit is only one of several that apply: the organization-wide limits set with Set-TransportConfig (MaxSendSize and MaxReceiveSize) and any per-mailbox limits are enforced as well, and the most restrictive one wins.
Another important message delivery limit that can be used to secure Exchange Server 2007 is the number of recipients a single message can be addressed to. Limiting the maximum number of recipients limits internal users' ability to spam the enterprise with a single mass mailing.
Configuring the maximum number of recipients per message is done in the same way as setting the maximum message size. The default on a Receive Connector is 200 recipients per message (the separate organization-wide limit, MaxRecipientEnvelopeLimit on Set-TransportConfig, defaults to 5,000, and the lower of the two is enforced), but you can configure it to whatever number you need. For this example, you will change the connector setting to 500 recipients. To do so, type the following command in the Exchange Management Shell:
Set-ReceiveConnector "Default VMW-EXCHANGE1" -MaxRecipientsPerMessage 500
The majority of the configuration settings for the Send and Receive Connectors must be configured through the Exchange Management Shell.
Configuring Authoritative Domains
When an Exchange organization is responsible for handling message delivery to recipients in a particular domain, the organization is called authoritative for that domain. Configuring an authoritative domain in Exchange 2007 is a two-step process: first, you create an accepted domain, and second, you set the domain type to Authoritative.
An accepted domain is any SMTP namespace for which the transport servers in your organization (including any Edge Transport servers) send or receive messages. Your organization might own more than one domain, so you might have more than one authoritative domain.
Note
If you have subscribed your Edge Transport server to the Exchange organization using the EdgeSync process, do not perform these procedures directly on the Edge Transport server. Instead, perform the steps on a Hub Transport server and allow them to replicate to the Edge Transport server during the next synchronization.
To create an authoritative domain, perform the following command in the Exchange Management Shell on your Hub Transport server:
New-AcceptedDomain -Name "CompanyABC" -DomainName companyabc.com -DomainType Authoritative
Note
You must be logged on with an account that is a member of the Exchange Organization Administrators group and of the local Administrators group on the server. Replace companyabc.com in the example with your own domain name.