
Cross-Forest SMTP Authentication

The following is tip #5 from "8 Exchange 2003 security tips in 8 minutes," excerpted from a chapter in David McAmis and Don Jones' book, Microsoft Exchange Server 2003 Delta Guide, published by Sams Publishing. Return to the main page for more tips on this topic.

Another real security concern is spoofing, in which a hacker or other user with malicious intent pretends to be a valid Exchange user and sends e-mail messages as if they came from that user. Identity theft is on the rise, and spoofing gives hackers an easy way to obtain sensitive information from users both inside and outside your organization.

Most people don't look at the sender's e-mail address when they reply to a message. If the e-mail appears to have come from a trusted source, users are likely to click Reply to respond to it, and the reply then goes to the address the spoofer supplied rather than to the person the message appeared to come from.

To prevent malicious users from spoofing e-mail, or from sending e-mail that appears to come from someone within your organization, Exchange 2003 provides tools and methods for combating this security risk.

First, Exchange 2003 requires authentication before it will verify a sender's name. In this scenario, a malicious user could still try to send an e-mail with a fake From address, but the message would not go through until the user had authenticated to Exchange and the name presented had been checked against the global address list.

Although this puts an end to spoofed e-mail messages, it can also cause problems when your Exchange topology spans multiple forests.

Remember from the architecture discussions in Chapter 2, "Architecture," that an Exchange organization can only span a single forest. If you have multiple Exchange organizations running in multiple forests, there is no authentication of the user and no way to check the sender address before sending an e-mail message.

To make this particular security feature work in a multiple-forest topology, you need to configure all the forests involved so that you can authenticate the user and check the sender address before sending an e-mail message. This works through cross-forest SMTP authentication.

The basic premise behind this setup is that you configure an SMTP connector between each of the forests; the connector authenticates the user sending the e-mail message and checks that user against the appropriate global address list.
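The two checks described above (authenticate first, then verify the presented sender against the global address list, with a connector account trusted to speak for its partner forest) can be modelled as a small sender-verification policy. The following Python is an added illustration written for this page, not code from the book or from Exchange itself; the GAL entries, connector account, credentials and SMTP replies are constructed for the demo, and the AUTH handling is simplified to a plaintext "user password" form rather than real base64 AUTH PLAIN.

```python
import hmac
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed local-forest GAL: account -> addresses it is allowed to send as.
LOCAL_GAL = {
    "contoso\\alice": {"alice@contoso.example"},
    "contoso\\bob": {"bob@contoso.example", "helpdesk@contoso.example"},
}
# Constructed connector accounts for partner forests: account -> the partner's
# accepted domains. The partner forest's own GAL vouches for senders there.
CONNECTOR_ACCOUNTS = {"fabrikam-connector": {"fabrikam.example"}}
# Constructed credential table (demo simplification; a real server would not
# hold plaintext passwords).
CREDENTIALS = {"contoso\\alice": "alice-pw", "fabrikam-connector": "connector-pw"}


@dataclass
class Session:
    authenticated_as: Optional[str] = None


def normalize(addr: str) -> str:
    return addr.strip().strip("<>").lower()


def check_sender(session: Session, sender: str) -> Tuple[bool, str]:
    """Accept a sender address only from an authenticated session whose
    identity is entitled to it: a GAL match for local users, or an accepted
    partner domain for a cross-forest connector account."""
    addr = normalize(sender)
    user = session.authenticated_as
    if user is None:
        return False, "530 Authentication required before sender is accepted"
    if user in LOCAL_GAL:
        if addr in LOCAL_GAL[user]:
            return True, "250 Sender OK"
        return False, "550 Sender address does not match authenticated user"
    if user in CONNECTOR_ACCOUNTS:
        domain = addr.rpartition("@")[2]
        if domain in CONNECTOR_ACCOUNTS[user]:
            return True, "250 Sender OK (trusted partner forest)"
        return False, "550 Connector may not present senders in this domain"
    return False, "550 Unknown account"


def authenticate(session: Session, user: str, password: str) -> bool:
    """Bind the session to an identity after a constant-time password check."""
    expected = CREDENTIALS.get(user)
    if expected is not None and hmac.compare_digest(expected, password):
        session.authenticated_as = user
        return True
    return False


def header_from_ok(session: Session, raw_message: str) -> Tuple[bool, str]:
    """Apply the same policy to the message's From: header, so a spoofed header
    is rejected even when the envelope sender was legitimate."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return check_sender(session, addr)


def run_session(commands: List[str]) -> List[str]:
    """Drive a minimal SMTP command sequence and return the server's replies."""
    session = Session()
    replies = []
    for line in commands:
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            replies.append("250-AUTH PLAIN\r\n250 OK")
        elif verb == "AUTH":
            # Demo shape: "AUTH PLAIN <user> <password>" (real AUTH PLAIN is base64).
            parts = rest.split()
            ok = len(parts) == 3 and authenticate(session, parts[1], parts[2])
            replies.append("235 Authentication successful" if ok else "535 Authentication failed")
        elif verb == "MAIL":
            # "MAIL FROM:<addr>" -> the part after the colon is the sender.
            replies.append(check_sender(session, rest.partition(":")[2])[1])
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("500 Command not recognised")
    return replies


if __name__ == "__main__":
    for reply in run_session([
        "EHLO mx.fabrikam.example",
        "MAIL FROM:<carol@fabrikam.example>",          # rejected: not yet authenticated
        "AUTH PLAIN fabrikam-connector connector-pw",
        "MAIL FROM:<carol@fabrikam.example>",          # accepted via the partner connector
        "MAIL FROM:<alice@contoso.example>",           # rejected: connector cannot speak for contoso
        "QUIT",
    ]):
        print(reply)
```

The point of the connector account is the second branch of `check_sender`: the local forest has no GAL entry for `carol@fabrikam.example`, so the only way to accept her address is to trust an authenticated connector for `fabrikam.example`, which is exactly what the cross-forest SMTP connector provides. The same connector is still refused a `contoso.example` sender, so a compromised partner cannot impersonate local users.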

For detailed instructions on configuring cross-forest SMTP authentication, go to the Delta Guide series Web site and enter article ID A030801.


About the authors:

David McAmis is an enterprise architect and partner in a consulting firm in Sydney, Australia. David has written a number of books and more than 100 articles that have appeared in magazines and journals.

Don Jones, MCSE, CTT+, is an independent consultant and founding partner of BrainCore.Net. Don is the author of more than a dozen books and the creator and series editor of Sams Publishing's Delta Guide series. He is also a contributing editor and columnist for Microsoft® Certified Professional Magazine, the Microsoft technology columnist for, and a speaker at technology conferences.
