locked
Exchange server support vulnerable smtp commands RRS feed

  • Question

  •  Hi team,

      We are using Exchange server 2016 with high availability at our company. Everything works fine.. We have been visited by auditors and among their findings they said our email server supported vulnerable mail server commands such as HELO, EHLO,etc.

    From my understanding these are "built in" commands used to communicate between mail client and smtp server for sending and receiving emails, am I wrong?....Is there a way to disable these commands being used?If yes what are the impacts of doing so?

    Thank you guys..

    ---KISWAGARA


    Someone from +255

    Saturday, March 18, 2017 8:02 AM

Answers

  •  Hi team,

      We are using Exchange server 2016 with high availability at our company. Everything works fine.. We have been visited by auditors and among their findings they said our email server supported vulnerable mail server commands such as HELO, EHLO,etc.

    From my understanding these are "built in" commands used to communicate between mail client and smtp server for sending and receiving emails, am I wrong?....Is there a way to disable these commands being used?If yes what are the impacts of doing so?

    Thank you guys..

    ---KISWAGARA


    Someone from +255


    Your auditors need to calm down. No, you can't disable those and if they are suggesting you do, then I would ask for your money back.

    Exchange 2007 reaches end of life on April 11th. What’s your plan to move?

    • Marked as answer by Kiswagara Saturday, March 18, 2017 12:32 PM
    Saturday, March 18, 2017 12:27 PM

All replies

  •  Hi team,

      We are using Exchange server 2016 with high availability at our company. Everything works fine.. We have been visited by auditors and among their findings they said our email server supported vulnerable mail server commands such as HELO, EHLO,etc.

    From my understanding these are "built in" commands used to communicate between mail client and smtp server for sending and receiving emails, am I wrong?....Is there a way to disable these commands being used?If yes what are the impacts of doing so?

    Thank you guys..

    ---KISWAGARA


    Someone from +255


    Your auditors need to calm down. No, you can't disable those and if they are suggesting you do, then I would ask for your money back.

    Exchange 2007 reaches end of life on April 11th. What’s your plan to move?

    • Marked as answer by Kiswagara Saturday, March 18, 2017 12:32 PM
    Saturday, March 18, 2017 12:27 PM
  • Hey Andy,

    Are these commands really vulnerable? 

    Wednesday, March 22, 2017 10:31 AM
  • all commands are vulnerable

    Wednesday, March 22, 2017 11:51 AM
  • Hello,

    It is absolutely possible to turn off the SMTP commands.Exchange server support this.Microsoft recommended  support is  here

    https://support.microsoft.com/en-us/help/257569/how-to-turn-off-esmtp-verbs-in-exchange-2000-server-and-in-exchange-se

    If you needed further support please do not hesitate to ask.

    Saturday, January 6, 2018 9:22 AM
  • Hello,

    It is absolutely possible to turn off the SMTP commands.Exchange server support this.Microsoft recommended  support is  here

    https://support.microsoft.com/en-us/help/257569/how-to-turn-off-esmtp-verbs-in-exchange-2000-server-and-in-exchange-se

    If you needed further support please do not hesitate to ask.


    No its not. That only disables ESMTP, and there is no reason to do that except when the other server doesn't support the verbs, not because there is a vulnerability. 
    Saturday, January 6, 2018 12:16 PM
  • you probably have anonymous enabled our your default connector
    Wednesday, January 10, 2018 2:05 PM