
Using cross-forest SMTP authentication with Exchange 2003

Learn how cross-forest SMTP authentication in Exchange 2003 helps prevent email spoofing and closes the sender-verification gap that a multiple-forest Exchange topology opens up.

Another real security concern is spoofing, in which an attacker pretends to be a valid Exchange user and sends email messages as if they came from that user. Identity theft is on the rise, and spoofing gives an attacker an easy way to extract sensitive information from users inside and outside your organization, because a request that appears to come from a trusted colleague is rarely questioned.

This is tip #4 from "Securing Exchange Server 2003 -- 5 tips in 5 minutes," excerpted from Chapter 8 of the book Microsoft Exchange Server 2003 Delta Guide, published by Sams Publishing.

Most people do not look at the sender's address before they reply. If a message appears to come from a trusted source, they click Reply and answer it. The reply then goes to whatever address the attacker placed in the From or Reply-To header, not to the person the message appeared to come from.

To keep malicious users from spoofing email, or from sending messages that appear to come from someone within your organization, Exchange 2003 provides tools and methods for combating this risk.

First, Exchange 2003 resolves a sender's name against the global address list only after the submitting session has authenticated. In this scenario, a malicious user can still connect anonymously and submit a message with a forged internal From address, but the message arrives showing the raw SMTP address, unresolved, instead of the display name recipients are used to seeing, because the name was never checked against the global address list. Leave the SMTP virtual server's "Resolve anonymous e-mail" option at its default (disabled), or this visible cue disappears. A user who does authenticate and then tries to submit as a different address is rejected unless the account holds Send As permission for that address.

Although this makes spoofed messages far easier to spot, it causes problems when your Exchange topology spans multiple forests. Remember from the architecture discussions in Chapter 2, "Architecture," that an Exchange organization can only span a single forest. When mail passes between Exchange organizations in different forests, the sending side connects anonymously, so the receiving forest cannot authenticate the user or check the sender address: legitimate mail from the other forest shows up with the same unresolved address as a spoofed message.

To make this security feature work in a multiple-forest topology, you need to configure all the forests involved so that mail arriving from another forest is authenticated, which lets the receiving forest check the sender address before the message is delivered. This works through cross-forest SMTP authentication.

The basic premise is that you configure an SMTP connector between each pair of forests whose outbound connection authenticates with an account in the destination forest. Because the connector's submissions then arrive on an authenticated session, the receiving forest can check the sender against its own global address list and resolve the name just as it does for local users.
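The cases just described, modelled as an added example that is not code from the Delta Guide or from Exchange itself: a small SMTP server written for this illustration stands in for the receiving forest's SMTP virtual server, Python's standard smtplib plays the sending side, and the global address list, account names, passwords and Send As rights are all constructed (svc-connector is an assumed name for the account the other forest's connector authenticates with). The server applies the rule from the text, resolving senders only on an authenticated session and letting authenticated accounts submit only as addresses they hold Send As for, and the script then runs an anonymous spoof of an internal address, ordinary inbound mail from an external address, an authenticated user trying to send as a colleague, the other forest's connector account authenticating with Send As, and a wrong password, returning what the client saw and how the server classified each sender. The policy function also takes a resolve_anonymous flag so you can see what changes if that option is switched on.

```python
"""Added example (not Exchange code): the Exchange 2003 sender checks modelled over a live SMTP session; all data is constructed."""
import base64
import smtplib
import socketserver
import threading

GAL = {"alice@corp.example": "Alice Adams", "bob@corp.example": "Bob Brown"}
ACCOUNTS = {"alice": "pw-alice", "svc-connector": "pw-connector"}  # svc-connector: assumed name for the other forest's connector account
SEND_AS = {"alice": {"alice@corp.example"}, "svc-connector": set(GAL)}  # Send As rights per account

def sender_policy(auth_user, mail_from, resolve_anonymous=False):
    """Verdict on MAIL FROM: anonymous senders stay unresolved (unless Resolve anonymous e-mail is on); authenticated ones need Send As."""
    if auth_user is None:
        if mail_from not in GAL:
            return "external"
        return "resolved" if resolve_anonymous else "unresolved"
    return "resolved" if mail_from in SEND_AS.get(auth_user, ()) else "rejected"

class Handler(socketserver.StreamRequestHandler):
    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())
    def readline(self):
        raw = self.rfile.readline()
        return None if not raw else raw.decode(errors="replace").rstrip("\r\n")
    def auth_login(self, arg):
        parts = arg.split()  # "LOGIN", or "LOGIN <base64 user>" when the client sends an initial response
        if len(parts) < 2:
            self.reply("334 " + base64.b64encode(b"Username:").decode())
            parts.append(self.readline() or "")
        self.reply("334 " + base64.b64encode(b"Password:").decode())
        username = base64.b64decode(parts[1]).decode()
        password = base64.b64decode(self.readline() or "").decode()
        if ACCOUNTS.get(username) == password:
            self.reply("235 2.7.0 Authentication successful")
            return username
        self.reply("535 5.7.3 Authentication unsuccessful")
        return None
    def handle(self):  # just enough ESMTP (EHLO, AUTH LOGIN, MAIL, RCPT, DATA, QUIT) to exercise the policy
        user = None
        self.reply("220 exchange.corp.example ESMTP")
        while (line := self.readline()) is not None:
            cmd, arg = line[:4].upper(), line[5:]  # SMTP verbs are four letters
            if cmd == "EHLO":
                self.reply("250-exchange.corp.example\r\n250 AUTH LOGIN")  # multi-line reply advertising AUTH
            elif cmd == "AUTH":
                user = self.auth_login(arg)
            elif cmd == "MAIL":
                sender = arg.partition("<")[2].partition(">")[0].lower()
                self.server.last_verdict = verdict = sender_policy(user, sender)
                if verdict == "rejected":
                    self.reply("550 5.7.1 Client does not have permissions to send as this sender")
                else:
                    self.reply("250 2.1.0 Sender OK")
            elif cmd == "DATA":
                self.reply("354 Start mail input; end with <CRLF>.<CRLF>")
                while self.readline() not in (".", None):
                    pass
                self.reply("250 2.6.0 Queued")
            elif cmd == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:  # RCPT, RSET, NOOP
                self.reply("250 2.0.0 OK")

def start_server():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)  # ephemeral loopback port
    server.last_verdict = None  # set by the handler on each MAIL FROM
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def submit(server, mail_from, creds=None):
    """Submit one constructed message as mail_from (AUTH LOGIN first if creds given); returns (client result, server verdict)."""
    server.last_verdict = None
    with smtplib.SMTP("127.0.0.1", server.server_address[1], local_hostname="client.example", timeout=5) as smtp:
        try:
            if creds:
                smtp.login(*creds)
            smtp.sendmail(mail_from, ["bob@corp.example"], "Subject: test\r\n\r\nhello\r\n")
            outcome = "sent"
        except smtplib.SMTPAuthenticationError:
            outcome = "auth-failed"
        except smtplib.SMTPSenderRefused:
            outcome = "refused"
    return outcome, server.last_verdict

def run_scenarios():
    """The cases from the text; returns (case, what the client saw, the server's verdict) triples."""
    server = start_server()
    cases = [
        ("anonymous session spoofing an internal address", "alice@corp.example", None),
        ("anonymous inbound mail from an external address", "eve@mail.example", None),
        ("authenticated user submitting as another user", "bob@corp.example", ("alice", "pw-alice")),
        ("other forest's connector account, which holds Send As", "bob@corp.example", ("svc-connector", "pw-connector")),
        ("connector account with a wrong password", "bob@corp.example", ("svc-connector", "guess")),
    ]
    results = [(label,) + submit(server, mail_from, creds) for label, mail_from, creds in cases]
    server.shutdown()
    server.server_close()
    return results
```

Call run_scenarios() from a Python prompt; it binds only an ephemeral loopback port. Note that the anonymous spoof is accepted with 250, as it must be for inbound internet mail to keep flowing: the protection is that the sender is left unresolved, so the recipient's cue is the raw address rather than a rejection, while the connector account from the other forest gets the same resolved treatment as a local authenticated user.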

For detailed instructions on configuring cross-forest SMTP authentication, go to the Delta Guide series Web site and enter article ID A030801.

Securing Exchange Server 2003 -- 5 tips in 5 minutes

 Home: Introduction
 Tip 1: Configuring SSL for Exchange Server 2003
 Tip 2: Exchange Server 2003 Kerberos authentication
 Tip 3: Setting up RPC over HTTP for Exchange Server 2003
 Tip 4: Using cross-forest SMTP authentication with Exchange 2003
 Tip 5: Exchange Server 2003 client security enhancements

Microsoft Exchange Server 2003 Delta Guide This chapter excerpt from Microsoft Exchange Server 2003 Delta Guide, by David McAmis and Don Jones, is printed with permission from Sams Publishing, Copyright 2004.
