Remove message header in Exchange Server
When you send a message, a header is added to it. Most people don’t know that the message header tells the recipient more than they think. For security reasons, you can remove Exchange internal hostnames and IP addresses from the message header. In this article, you will learn how to configure a header firewall to remove internal hostnames and IP addresses from the email header.
Send message to external recipient
Send an email from an Outlook client or Outlook Web Access (OWA) to an external recipient. In our example, we sent a message from Christopher’s mailbox to a Gmail email address.
Analyze message headers
Go to the Gmail inbox and open the message. Copy the message header and paste it in Message Header Analyzer by Microsoft. Click the Analyze headers button.
We can see in the received headers that:
- Message is sent from internal hostname EX01-2016.exoip.local
- Internal IP address of EX01-2016
- Message is received by Google
For security reasons, you don’t want to expose that much information. That’s why you want to remove the Exchange internal hostnames and IP addresses from the email header.
Get send connector name with PowerShell
Run Exchange Management Shell as administrator. Make use of the Get-SendConnector cmdlet. In our example, the send connector for internet mail is named Internet email.
[PS] C:\>Get-SendConnector
Identity       AddressSpaces Enabled
--------       ------------- -------
Internet email {SMTP:*;1}    True
Is it possible to find the send connector in Exchange Admin Center (EAC)? Yes, it is. Learn more in the next step.
Get send connector name in Exchange Admin Center
Click mail flow in the feature pane. Click send connectors in the tabs. Find the connector in the list view.
In the next step, we will edit the send connector to remove internal hostnames and IP addresses from email header.
Remove internal hostnames and IP addresses from message headers
Check the send connector permissions that are assigned to the security principals. Find the security principal NT AUTHORITY\ANONYMOUS LOGON. Note that the name can vary a little bit if you have a different language than English.
[PS] C:\>Get-SendConnector "Internet email" | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*routing*"} | Format-table User,AccessRights,ExtendedRights
User                                   AccessRights    ExtendedRights
----                                   ------------    --------------
NT AUTHORITY\ANONYMOUS LOGON           {ExtendedRight} {ms-Exch-Send-Headers-Routing}
EXOIP\Exchange Servers                 {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Partner Servers            {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Hub Transport Servers      {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Edge Transport Servers     {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Externally Secured Servers {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Legacy Exchange Servers    {ExtendedRight} {ms-Exch-Send-Headers-Routing}
We have to remove the Ms-Exch-Send-Headers-Routing permission from the security principal NT AUTHORITY\ANONYMOUS LOGON. Again, if you have a different language, copy the correct security principal from the above output.
[PS] C:\>Get-SendConnector "Internet email" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights ms-Exch-Send-Headers-Routing -User "NT AUTHORITY\ANONYMOUS LOGON"
Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "Internet email" for user "NT AUTHORITY\ANONYMOUS LOGON" with access rights
"'ExtendedRight'".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
Verify that the security principal NT AUTHORITY\ANONYMOUS LOGON is not showing in the output.
[PS] C:\>Get-SendConnector "Internet email" | Get-ADPermission | Where-Object { $_.ExtendedRights -like "*routing*"} | Format-table User,AccessRights,ExtendedRights
User                                   AccessRights    ExtendedRights
----                                   ------------    --------------
EXOIP\Exchange Servers                 {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Partner Servers            {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Hub Transport Servers      {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Edge Transport Servers     {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Externally Secured Servers {ExtendedRight} {ms-Exch-Send-Headers-Routing}
MS Exchange\Legacy Exchange Servers    {ExtendedRight} {ms-Exch-Send-Headers-Routing}
Analyze message headers after adjustment
Send an email to an external recipient. After that, analyze the received headers in the message.
The Exchange Server internal names and IP addresses no longer show in the message headers. But the internal hostname EX01-2016.exoip.local is still visible. Why is that happening?
The Exchange internal hostname shows if you did not set an FQDN on the send connector.
Add FQDN to send connector
We recommend setting an FQDN on the send connector. You can do that in Exchange Admin Center or with PowerShell.
Specify send connector FQDN with PowerShell
Check the send connector FQDN. We can see that the FQDN is empty.
[PS] C:\>Get-SendConnector -id "Internet Email" | Format-Table Name,Fqdn
Name           Fqdn
----           ----
Internet email
Set the send connector FQDN and verify that it’s configured with the second cmdlet.
[PS] C:\>Get-SendConnector -id "Internet Email" | Set-SendConnector -Fqdn:mail.exoip.com
[PS] C:\>Get-SendConnector -id "Internet Email" | Format-Table Name,Fqdn
Name           Fqdn
----           ----
Internet email mail.exoip.com
Do you want to add the FQDN in Exchange Admin Center? See the next step.
Specify send connector FQDN in Exchange Admin Center
Double-click the send connector in the list view. Click scoping in the left menu and add the FQDN. Click the Save button.
Analyze message headers after FQDN adjustment
Send an email to an external recipient and analyze the received message header. This time it’s showing the submitting host as mail.exoip.com.
We successfully removed the internal IP addresses and hostnames from the message header.
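The three header checks in this article (before the change, after removing the permission, and after setting the FQDN) can also be scripted against the headers copied from the recipient side. The Python below is an added example, not part of the original article; the Received lines, the addresses 198.51.100.25 and 192.168.1.52, the host mx.example.net and the internal suffix list are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed Received headers (illustrative values, not captured from a real server).
HOP_EXTERNAL = ("Received: from {helo} (198.51.100.25) by mx.example.net with ESMTPS;"
                " Mon, 1 Jan 2024 10:00:02 +0000\n")
HOP_INTERNAL = ("Received: from EX01-2016.exoip.local (192.168.1.52) by EX01-2016.exoip.local\n"
                " (192.168.1.52) with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:01 +0000\n")
BEFORE = HOP_EXTERNAL.format(helo="EX01-2016.exoip.local") + HOP_INTERNAL + "Subject: test\n\n"
AFTER_PERMISSION = HOP_EXTERNAL.format(helo="EX01-2016.exoip.local") + "Subject: test\n\n"
AFTER_FQDN = HOP_EXTERNAL.format(helo="mail.exoip.com") + "Subject: test\n\n"

# Assumption: suffixes that mark a hostname as internal; adjust to your AD DNS names.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")
# Explicit ranges: RFC 1918, loopback and link-local (IPv4 only in this example).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")

def find_leaks(raw_headers, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (hop, kind, value) for each internal name or address in Received headers.
    Hop 1 is the topmost Received line, i.e. the last server that handled the mail."""
    leaks = []
    msg = email.message_from_string(raw_headers)
    for hop, value in enumerate(msg.get_all("Received", []), start=1):
        value = " ".join(value.split())  # unfold continuation lines
        found = []
        for ip in IP_RE.findall(value):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if any(addr in net for net in PRIVATE_NETS):
                found.append((hop, "private-ip", ip))
        for host in HOST_RE.findall(value):
            if host.lower().endswith(internal_suffixes):
                found.append((hop, "internal-host", host))
        leaks.extend(item for i, item in enumerate(found) if item not in found[:i])
    return leaks

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after permission removal", AFTER_PERMISSION),
                       ("after FQDN", AFTER_FQDN)):
        print(label, find_leaks(raw))
```

An empty list for the final stage corresponds to the result shown by Message Header Analyzer after both changes.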
Conclusion
In this article, you learned how to remove internal hostnames and IP addresses from the message header in Exchange Server. Remove the ms-Exch-Send-Headers-Routing permission from the default Exchange security principal Anonymous User Account. Make sure to add an FQDN to the send connector. After that, send an email and analyze the received headers with Message Header Analyzer. Confirm that both the internal IP addresses and the internal hostnames are not showing anymore.
Is there a way to remove message header for NDR and DSN?
Set-RemoteDomain "Default" -NDRDiagnosticInfoEnabled $false
Hi Ali, thank you for the article!
I have already performed the above article, but I have an issue with the SMTP IP address; it still shows in the email headers. Any solution for that?
Thank you for the tutorial.
I followed all the tutorial, but I still have headers even in internal messages via properties of mails.
I want to omit that also from our Exchange application even if we use a mail gateway, is it possible?
Thank you in advance.
Hi and thank you for the article! I need to know, if I have another accepted domain for sending mail, is it possible to create 2 different internet connectors and show the correct submitting host for domain A and domain B instead of seeing the same submitting host for both?
Hi Davide,
You’re welcome.
That’s possible. You need to configure sender based routing. It will route emails based on the sending domain.
Hello,
Thanks for the information, what could be the reason why the information is still standing even though I have done all the actions? Send connector redirects on mail gateway. Maybe I need to do something there too?
Regards
Hi again, additional information: when I checked it after 8 hours, I saw that the server name information was gone; it has improved. But the internal IP information stays.
Hi Onur,
You’re welcome.
If you use a mail gateway, you should see that header instead. Most of the vendors will let you remove the headers. Consult the vendor if you don’t see that option in the documentation.