432 Chapter 7 • Managing the Edge Transport Server

Figure 7.46 The Content Filter Configuration Settings

If the feature is set to False for some reason, you can enable it by typing Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $True and pressing Enter.

Attachment Filtering

As most of you are aware, Exchange Server 2003 didn't include a function that let you filter out specific attachments. Instead you had to create your own SMTP OnArrival Event Sink, use a third-party product, or rely strictly on the OWA 2003 and Outlook 2003 attachment control feature. However, since you really should filter out unwanted attachment types on an SMTP gateway in your perimeter network (the DMZ or screened subnet) before they arrive at your internal network, the last two options aren't recommended. An attachment filtering mechanism should have been a native feature in Exchange a long time ago, but finally the wait is over with the Edge Transport server in Exchange Server 2007. Let's do attachment filtering at the server level (hooray!).

SOME INDEPENDENT ADVICE

In recent years more and more focus has been placed on deploying messaging environments where each individual e-mail message is either digitally signed or encrypted, or even protected using Information Rights Management (IRM). Here in Denmark, where I live, the governmental institutions have an especially strong desire for protecting messages while they're in transit. If you're doing the same in your organization or are planning to do so, you should bear in mind that stripping an attachment from a digitally signed, encrypted, or IRM-protected e-mail message will invalidate the message so that it becomes unreadable. One way to solve this problem in dealing with digitally signed or encrypted messages is to put up some kind of black box that takes care of signing and encrypting the messages after the attachment filter processes them. The company I work for got such a product, which is becoming more and more popular here in Denmark.

The Attachment Filtering agent applies right after the Content Filtering agent and can be configured using the Add-AttachmentFilterEntry CMDlet. Unfortunately, there's no way to configure Attachment Filtering via the EMC GUI; you will have to do so using the EMS. We don't really know why this feature hasn't been included in the GUI, but our guess is that the Exchange Product team didn't have the time to integrate the feature in the GUI. If this is the case, we expect it to be included in Exchange Server 2007 Service Pack 1, but only time will tell.

You now have the possibility of filtering out messages based on attachment filename, filename extension, or file MIME content type. You even have the choice of filtering out both the message and the attachment or just stripping the attachment. You can even choose to delete both the message and the attachment "silently," meaning that both will be deleted without notifying the sender of the message.

Before you start to configure the Attachment Filter agent, you first need to make sure that the agent is enabled. To do so, you will need to open the EMS and type Get-TransportAgent. On a default installation of an Edge Transport server, this agent should be enabled by default, but if it for some reason is disabled, you can enable it by typing Enable-TransportAgent -Identity "Attachment Filtering Agent" and then pressing Enter. Now that the agent is enabled, type Get-AttachmentFilterEntry | FL and press Enter. This will give you a list of all filename extensions and content types on which the Attachment Filtering agent can filter (see Table 7.3).
Table 7.3 Filename Extensions and Content Types

Type          Name                        Identity
ContentType   Application/x-msdownload    ContentType:application/x-msdownload
ContentType   Message/partial             ContentType:message/partial
ContentType   Text/scriptlet              ContentType:text/scriptlet
ContentType   Application/prg             ContentType:application/prg
ContentType   Application/msaccess        ContentType:application/msaccess
ContentType   Text/javascript             ContentType:text/javascript
ContentType   Application/x-javascript    ContentType:application/x-javascript
ContentType   Application/javascript      ContentType:application/javascript
ContentType   x-internet-signup           ContentType:x-internet-signup
ContentType   Application/hta             ContentType:application/hta
FileName      *.wsh                       FileName:*.wsh
FileName      *.wsf                       FileName:*.wsf
FileName      *.wsc                       FileName:*.wsc
FileName      *.vbs                       FileName:*.vbs
FileName      *.vbe                       FileName:*.vbe
FileName      *.vb                        FileName:*.vb
FileName      *.url                       FileName:*.url
FileName      *.shs                       FileName:*.shs
FileName      *.shb                       FileName:*.shb
FileName      *.sct                       FileName:*.sct
FileName      *.scr                       FileName:*.scr
FileName      *.scf                       FileName:*.scf
FileName      *.reg                       FileName:*.reg
FileName      *.prg                       FileName:*.prg
FileName      *.prf                       FileName:*.prf
FileName      *.pcd                       FileName:*.pcd
FileName      *.ops                       FileName:*.ops
FileName      *.mst                       FileName:*.mst
FileName      *.msp                       FileName:*.msp
FileName      *.msi                       FileName:*.msi
FileName      *.ps11xml                   FileName:*.ps11xml
FileName      *.ps11                      FileName:*.ps11
FileName      *.ps1xml                    FileName:*.ps1xml
FileName      *.ps1                       FileName:*.ps1
FileName      *.msc                       FileName:*.msc
FileName      *.mdz                       FileName:*.mdz
FileName      *.mdw                       FileName:*.mdw
FileName      *.mdt                       FileName:*.mdt
FileName      *.mde                       FileName:*.mde
FileName      *.mdb                       FileName:*.mdb
FileName      *.mda                       FileName:*.mda
FileName      *.lnk                       FileName:*.lnk
FileName      *.ksh                       FileName:*.ksh
FileName      *.jse                       FileName:*.jse
FileName      *.js                        FileName:*.js
FileName      *.isp                       FileName:*.isp
FileName      *.ins                       FileName:*.ins
FileName      *.inf                       FileName:*.inf
FileName      *.hta                       FileName:*.hta
FileName      *.hlp                       FileName:*.hlp
FileName      *.fxp                       FileName:*.fxp
FileName      *.exe                       FileName:*.exe
FileName      *.csh                       FileName:*.csh
FileName      *.crt                       FileName:*.crt
FileName      *.cpl                       FileName:*.cpl
FileName      *.com                       FileName:*.com
FileName      *.cmd                       FileName:*.cmd
FileName      *.chm                       FileName:*.chm
FileName      *.bat                       FileName:*.bat
FileName      *.bas                       FileName:*.bas
FileName      *.asx                       FileName:*.asx
FileName      *.app                       FileName:*.app
FileName      *.adp                       FileName:*.adp
FileName      *.ade                       FileName:*.ade

NOTE

All attachment filter entries on an Edge Transport server use the same attachment filtering behavior, which means the same custom response message as well as the same action (reject, strip, or silent delete). If you only want to strip the attachment but allow the message through, you would need to use the command Set-AttachmentFilterListConfig -Action Strip. If you want to include a custom admin message in the text file that replaces the stripped attachments, you would need to use the command Set-AttachmentFilterListConfig -Action Strip -AdminMessage "The attachment in this message has been filtered as it's not allowed in this organization." Finally, to silently delete both the message and the attachment, use the command Set-AttachmentFilterListConfig -Action SilentDelete.

You can add file extensions or filenames to this list using the Add-AttachmentFilterEntry CMDlet. For example, if you wanted to filter out ZIP files, you would need to run the following command: Add-AttachmentFilterEntry -Name *.zip -Type FileName. If you wanted to filter out messages with a specific MIME type, such as GIF files, you would need to use the command Add-AttachmentFilterEntry -Name image/gif -Type ContentType. If you wanted to filter out messages that contain an attachment with a specific filename, say one called dangerous_file, you would use the command Add-AttachmentFilterEntry -Name dangerous_file -Type FileName.
If you want to remove an attachment filter entry later, you do so using the Remove-AttachmentFilterEntry CMDlet. For example, if you wanted to remove the ZIP attachment filter entry, you would need to type Remove-AttachmentFilterEntry -Identity FileName:*.zip. That's pretty simple, right? To be able to use more advanced features such as scanning files inside a ZIP file, you would need to install Forefront Security for Exchange Server (which we will talk a bit about later in this chapter) or a supported third-party product.

As mentioned, you can choose to block a whole message, including the attachment (which returns a delivery status notification to the sender); strip the attachment but allow the message through (which replaces the attachment with a text file explaining why the attachment was stripped); or silently delete both the message and the attachment (which deletes both without notifying the sender). You can also configure a custom response message that will be included in the delivery status notification returned to the sender when a message and an attached file are blocked. This is done using the Set-AttachmentFilterListConfig CMDlet. An example could be Set-AttachmentFilterListConfig -Action Reject -RejectResponse "This message has been rejected since the attached file type isn't allowed in this organization".

The last thing we'll mention regarding the Attachment Filtering agent is that you can exclude a list of connectors from attachment filtering, which means that attachment filtering won't be applied to messages flowing through the specified connectors. You can exclude one or more connectors using Set-AttachmentFilterListConfig -Action Reject -ExceptionConnectors <Connector_GUID>. To get the GUID for a receive connector, type Get-ReceiveConnector | FL.
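The procedure above, as an added example (not from the book) of one EMS session on an Edge Transport server: it checks that the agent is enabled, adds the three entries discussed only when they are missing, sets the single Strip action with an admin message, exempts one receive connector, and reads the result back. The receive connector name "Internal Relay" and the admin message text are assumptions.

```powershell
# Added example (not from the book): configure the Attachment Filtering agent
# on an Exchange Server 2007 Edge Transport server from the EMS.
# Assumptions: a receive connector named "Internal Relay" exists, and the
# admin message below is a placeholder you would replace with your own text.

# 1. Make sure the agent is enabled before touching its configuration.
$agent = Get-TransportAgent -Identity "Attachment Filtering Agent"
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity "Attachment Filtering Agent"
}

# 2. Add entries only if they are not already present. The Identity of an
#    entry is "<Type>:<Name>" (for example FileName:*.zip), so compare on that.
$existing = Get-AttachmentFilterEntry | ForEach-Object { $_.Identity.ToString() }
$wanted = @(
    @{ Name = "*.zip";          Type = "FileName" },
    @{ Name = "dangerous_file"; Type = "FileName" },
    @{ Name = "image/gif";      Type = "ContentType" }
)
foreach ($entry in $wanted) {
    $id = "{0}:{1}" -f $entry.Type, $entry.Name
    if ($existing -notcontains $id) {
        Add-AttachmentFilterEntry -Name $entry.Name -Type $entry.Type
    }
}

# 3. One action applies to every entry: strip the attachment, let the
#    message through, and replace the attachment with a text file carrying
#    the admin message. Mail arriving over the assumed "Internal Relay"
#    receive connector is exempted from filtering via its GUID.
$relay = Get-ReceiveConnector | Where-Object { $_.Name -eq "Internal Relay" }
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage "The attachment in this message has been filtered as it's not allowed in this organization." `
    -ExceptionConnectors $relay.Guid

# 4. Read the effective configuration and the new entries back for the
#    change record.
Get-AttachmentFilterListConfig | Format-List Action, AdminMessage, ExceptionConnectors
Get-AttachmentFilterEntry | Where-Object { $_.Identity.ToString() -like "*zip*" }
```

Because every entry shares the one action, run Get-AttachmentFilterListConfig first if other entries already exist, so that switching to Strip does not silently change how those entries are handled.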