
Remove message header in Exchange Server

When you send a message, a header is added to it. Most people don’t know that the message header tells the recipient more than they might expect. For security reasons, you can remove Exchange internal hostnames and IP addresses from the message header. In this article, you will learn how to configure a header firewall to remove internal hostnames and IP addresses from the email header.

Send message to external recipient

Send an email from an Outlook client or Outlook Web Access (OWA) to an external recipient. In our example, we sent a message from Christopher’s mailbox to a Gmail email address.

Analyze message headers

Go to the Gmail inbox and open the message. Copy the message header and paste it into Message Header Analyzer by Microsoft. Click the Analyze headers button.

We can see in the received headers that:

  • Message is sent from internal hostname EX01-2016.exoip.local
  • Internal IP address of EX01-2016
  • Message is received by Google


For security reasons, you don’t want to give away that much information. That’s why you want to remove Exchange internal hostnames and IP addresses from the email header.

Get send connector name with PowerShell

Run Exchange Management Shell as administrator and use the Get-SendConnector cmdlet. In our example, the send connector for internet mail is named Internet email.

[PS] C:\>Get-SendConnector

Identity       AddressSpaces Enabled
--------       ------------- -------
Internet email {SMTP:*;1}    True

Is it possible to find the send connector in Exchange Admin Center (EAC)? Yes, it is. Learn more in the next step.


Get send connector name in Exchange Admin Center

Click mail flow in the feature pane. Click send connectors in the tabs. Find the connector in the list view.


In the next step, we will edit the send connector to remove internal hostnames and IP addresses from the email header.

Remove internal hostnames and IP addresses from message headers

Check the send connector permissions that are assigned to the security principals. Find the security principal NT AUTHORITY\ANONYMOUS LOGON. Note that the name can vary slightly if your system language is not English.

[PS] C:\>Get-SendConnector "Internet email" | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*routing*"} | Format-table User,AccessRights,ExtendedRights

User                                   AccessRights    ExtendedRights
----                                   ------------    --------------
NT AUTHORITY\ANONYMOUS LOGON           {ExtendedRight} {ms-Exch-Send-Headers-Routing}
EXOIP\Exchange Servers                 {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Partner Servers            {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Hub Transport Servers      {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Edge Transport Servers     {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Externally Secured Servers {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Legacy Exchange Servers    {ExtendedRight} {ms-Exch-Send-Headers-Routing}

We have to remove the ms-Exch-Send-Headers-Routing permission from the security principal NT AUTHORITY\ANONYMOUS LOGON. Again, if your system uses a different language, copy the correct security principal from the above output.

[PS] C:\>Get-SendConnector "Internet email" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights ms-Exch-Send-Headers-Routing -User "NT AUTHORITY\ANONYMOUS LOGON"

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "Internet email" for user "NT AUTHORITY\ANONYMOUS LOGON" with access rights
"'ExtendedRight'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Verify that the security principal NT AUTHORITY\ANONYMOUS LOGON no longer shows in the output.

[PS] C:\>Get-SendConnector "Internet email" | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*routing*"} | Format-table User,AccessRights,ExtendedRights

User                                   AccessRights    ExtendedRights
----                                   ------------    --------------
EXOIP\Exchange Servers                 {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Partner Servers            {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Hub Transport Servers      {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Edge Transport Servers     {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Externally Secured Servers {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Legacy Exchange Servers    {ExtendedRight} {ms-Exch-Send-Headers-Routing}

Analyze message headers after adjustment

Send an email to an external recipient. After that, analyze the received headers in the message.

The Exchange Server internal names and IP addresses are no longer showing in the message headers. However, the internal hostname EX01-2016.exoip.local is still visible. Why is that happening?


The Exchange internal hostname shows if you did not set an FQDN on the send connector.

Add FQDN to send connector

We recommend setting an FQDN on the send connector. You can do that in Exchange Admin Center or with PowerShell.

Specify send connector FQDN with PowerShell

Check the send connector FQDN. We can see that the FQDN is empty.

[PS] C:\>Get-SendConnector -id "Internet Email" | Format-Table Name,Fqdn

Name           Fqdn
----           ----
Internet email

Set the send connector FQDN with the first cmdlet and verify that it’s configured with the second cmdlet.

[PS] C:\>Get-SendConnector -id "Internet Email" | Set-SendConnector -Fqdn:mail.exoip.com


[PS] C:\>Get-SendConnector -id "Internet Email" | Format-Table Name,Fqdn

Name           Fqdn
----           ----
Internet email mail.exoip.com
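
To check every send connector at once rather than one by name, the following added example (not from the original article) reports whether the anonymous principal still holds ms-Exch-Send-Headers-Routing and whether an FQDN is set. It resolves the well-known SID S-1-5-7 to the localized account name so the comparison also works on non-English systems; the report property names are illustrative assumptions.

```powershell
# Added example: run in the Exchange Management Shell. Read-only, changes nothing.
# Resolve the well-known SID S-1-5-7 to its localized account name
# (NT AUTHORITY\ANONYMOUS LOGON on English systems).
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$anonymous = $sid.Translate([System.Security.Principal.NTAccount]).Value

$report = foreach ($connector in Get-SendConnector) {
    # Allow entries for the anonymous principal that still grant the routing-headers right.
    $aces = @($connector | Get-ADPermission | Where-Object {
        "$($_.User)" -eq $anonymous -and
        ($_.ExtendedRights -like '*ms-Exch-Send-Headers-Routing*') -and
        -not $_.Deny
    })
    [pscustomobject]@{
        Name                  = $connector.Name
        Enabled               = $connector.Enabled
        AnonymousSendsRouting = ($aces.Count -gt 0)   # True: internal routing headers still leave
        Fqdn                  = "$($connector.Fqdn)"
        FqdnMissing           = [string]::IsNullOrEmpty("$($connector.Fqdn)")
    }
}

# Connectors with AnonymousSendsRouting or FqdnMissing set to True still need the steps above.
$report | Format-Table -AutoSize
```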

Do you want to add the FQDN in Exchange Admin Center? See the next step.

Specify send connector FQDN in Exchange Admin Center

Double-click the send connector in the list view. Click scoping in the left menu and add the FQDN. Click the Save button.

Analyze message headers after FQDN adjustment

Send an email to an external recipient and analyze the received message header. This time it’s showing the submitting host as mail.exoip.com.


We successfully removed internal IP addresses and hostnames from the message header.
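
The header check can also be scripted. This added example (not part of the original article) scans pasted headers for Received lines that still expose private IP addresses or internal hostnames; the sample headers, the 192.168.1.51 address and the .local suffix list are constructed assumptions.

```powershell
# Added example; the header text below is constructed sample data.
$rawHeaders = @'
Received: from mail.exoip.com (mail.example.net. [203.0.113.25])
        by mx.google.com with ESMTPS
        for <user@example.com>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from EX01-2016.exoip.local (192.168.1.51) by
        EX01-2016.exoip.local (192.168.1.51) with Microsoft SMTP Server;
        Mon, 01 Jan 2024 10:00:00 +0000
Subject: Test
'@

function Find-InternalReceivedData {
    param(
        [Parameter(Mandatory)] [string]$HeaderText,
        # Assumption: DNS suffixes that count as internal in your environment.
        [string[]]$InternalSuffix = @('.local')
    )
    # Unfold headers: a line that starts with whitespace continues the previous one.
    $unfolded = ($HeaderText -replace '\r?\n[ \t]+', ' ') -split '\r?\n'
    foreach ($line in $unfolded | Where-Object { $_ -match '^Received:' }) {
        $ips = @([regex]::Matches($line, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
            ForEach-Object { $_.Value } | Select-Object -Unique)
        # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
        $private = @($ips | Where-Object {
            $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' })
        $names = @([regex]::Matches($line, '\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b') |
            ForEach-Object { $_.Value } | Select-Object -Unique)
        $internal = @($names | Where-Object {
            $n = $_.ToLower()
            $InternalSuffix | Where-Object { $n.EndsWith($_.ToLower()) } })
        if ($private.Count -gt 0 -or $internal.Count -gt 0) {
            [pscustomobject]@{
                PrivateIPs    = $private -join ', '
                InternalHosts = $internal -join ', '
                Header        = $line
            }
        }
    }
}

# Any output means a Received header still leaks internal details; no output means clean.
Find-InternalReceivedData -HeaderText $rawHeaders | Format-List
```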


Conclusion

In this article, you learned how to remove internal details from the message header in Exchange Server. Remove the ms-Exch-Send-Headers-Routing permission from the default Exchange security principal Anonymous User Account. Make sure to add an FQDN to the send connector. After that, send an email and analyze the received headers with Message Header Analyzer. Confirm that both internal IP addresses and internal hostnames are not showing anymore.


ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 9 Comments

  1. Hi Ali, thank you for the article!
    I have already performed the above article, but I have an issue with the SMTP IP address; it still shows in the email headers. Any solution for that?

  2. Thank you for the tutorial.
    I followed all the tutorial but I still have headers even in internal messages via properties of mails.
    I want to omit that also from our Exchange application even if we use a mail gateway. Is it possible?
    Thank you in advance.

  3. Hi and thank you for the article! I need to know: if I have another accepted domain for sending mail, is it possible to create 2 different internet connectors and show the correct submitting host for domain A and domain B instead of seeing the same submitting host for both?

  4. Hello,

    Thanks for the information. What could be the reason why the information is still standing even though I have done all the actions? The send connector redirects to a mail gateway. Maybe I need to do something there too?

    Regards

    1. Hi again, additional information: when I checked it after 8 hours, I saw that the server name information was gone; it has improved. But the internal IP information stays.

      1. Hi Onur,

        You’re welcome.

        If you use a mail gateway, you should see that header instead. Most of the vendors will let you remove the headers. Consult the vendor if you don’t see that option in the documentation.
