When you send an email message, the recipient can view the headers of the message and see all of the “hops” that the message went through on its journey from one mailbox to another.


The header information is very useful when troubleshooting, because you can paste it into a tool such as the Message Analyzer in the Microsoft Remote Connectivity Analyzer and look at things like the delay between each pair of servers along the route the message took. Each server that handles the message adds its own Received: header, recording its name, its IP address and a timestamp.


However, some organizations don't want their internal Exchange server names and IP addresses exposed in the message headers of email sent outside of their organization. Exchange can strip them with a feature called the header firewall, which removes the routing headers (the Received: chain built up inside the organization) from messages leaving over a send connector whenever the ms-Exch-Send-Headers-Routing permission is not granted to the party receiving mail from that connector. The feature is explained in detail on TechNet.

The first step is to determine the name of your outbound send connector for internet email. In my environment an Edge Transport server is used for outbound mail, so the outbound send connector is named "EdgeSync - Datacenter1 to Internet" (Datacenter1 is the name of the Active Directory site the Edge server is subscribed to). I want to remove the routing headers from outbound mail sent over that connector only, and not affect messages sent over the other connectors to Office 365 or to the Globomantics partner organization.

[PS] C:\>Get-SendConnector

Identity                                AddressSpaces                           Enabled
--------                                -------------                           -------
EdgeSync - DataCenter1 to Internet      {smtp:*;75}                             True
EdgeSync - Inbound to DataCenter1       {smtp:--;100}                           True
Outbound to Office 365                  {smtp:exchangeserverpro.mail.onmicro... True
Globomantics                            {SMTP:globomantics.biz;1}               True

The command to remove the message headers takes the ms-Exch-Send-Headers-Routing extended right away from ANONYMOUS LOGON on that connector; without it, Exchange strips the routing headers from every message the connector sends:

[PS] C:\>Get-SendConnector "EdgeSync - Datacenter1 to Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

After running that command I needed to wait for EdgeSync to replicate the change to the Edge Transport server before it took effect; you can trigger that immediately with Start-EdgeSynchronization instead of waiting for the next scheduled run. Once the change has taken effect, outbound messages no longer contain the internal server names and IP addresses in their Received: headers. Only the Edge Transport server name and IP address are shown. Note that the header firewall only removes routing headers: a Message-ID generated by an internal server still contains that server's FQDN, and other headers that carry internal addresses (such as X-Originating-IP, which records the submitting client's address) need a separate mail flow rule if you want them gone.
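The whole procedure in one script, as an added example that is not part of the original post: find the connector, show who currently holds the routing-header right, remove it for ANONYMOUS LOGON, force an EdgeSync run and verify the result. The connector name and the Mailbox server name are assumptions for illustration; run it from the Exchange Management Shell on a Mailbox server in the site the Edge server is subscribed to.

```powershell
# Added example, not code from the original post. Run it in the Exchange Management
# Shell on a Mailbox server in the site the Edge server is subscribed to.
# Assumptions for illustration: the connector name and the Mailbox server name.

$ConnectorName = 'EdgeSync - Datacenter1 to Internet'   # assumption: your internet send connector
$SyncServer    = 'Mailbox01'                            # assumption: a Mailbox server that runs EdgeSync
$Principal     = 'NT AUTHORITY\ANONYMOUS LOGON'
$Right         = 'ms-Exch-Send-Headers-Routing'

$connector = Get-SendConnector -Identity $ConnectorName
if (-not $connector) { throw "Send connector '$ConnectorName' not found." }

# Before: who currently holds the routing-header right on this connector.
# ANONYMOUS LOGON is listed here by default, which is why Received: headers leak.
$connector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like '*Send-Headers-Routing*' } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# Remove the grant for this connector only; other connectors keep their headers.
$connector | Remove-ADPermission -User $Principal -ExtendedRights $Right -Confirm:$false

# Replicate to the Edge Transport server now instead of waiting for the next EdgeSync run.
Start-EdgeSynchronization -Server $SyncServer -ForceFullSync

# After: ANONYMOUS LOGON must no longer hold the right on this connector.
$stillGranted = $connector | Get-ADPermission |
    Where-Object { $_.User -like '*ANONYMOUS LOGON' -and
                   $_.ExtendedRights -like '*Send-Headers-Routing*' -and
                   -not $_.Deny }
if ($stillGranted) {
    Write-Warning "'$Principal' still holds $Right on '$ConnectorName'."
} else {
    Write-Host "Routing headers will now be stripped on '$ConnectorName'. Send a test message externally and check its Received: headers."
}

# To reverse the change:
# $connector | Add-ADPermission -User $Principal -ExtendedRights $Right
```

The permission check after the removal is the part worth keeping: the change lives in Active Directory, so Get-ADPermission on the connector tells you whether the removal landed, and the test message tells you whether EdgeSync has carried it to the Edge server.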



If you need to reverse the change, use Add-ADPermission instead of Remove-ADPermission.

[PS] C:\>Get-SendConnector "EdgeSync - Datacenter1 to Internet" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing
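To confirm the change did what you expect, inspect the headers of a message as an external recipient sees it. The following is an added example, not code from the original post: it parses a raw header block, unfolds continuation lines, and reports any header that still names an internal host or a private IP address. It goes beyond the post by also checking Message-ID and X-Originating-IP, which are not routing headers and so survive the header firewall. Both header blocks are constructed samples with invented names and addresses, and the internal DNS suffix is an assumption to replace with your own.

```powershell
# Added example, not code from the original post: scan a message's headers for internal
# hostnames and private IP addresses, to confirm the header firewall change worked and to
# show what it leaves behind. Both header blocks are constructed samples with invented
# names and addresses; the internal DNS suffix is an assumption, replace it with your own.

function Get-HeaderValues {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string]$Name
    )
    # Unfold RFC 5322 continuation lines (a line break followed by whitespace), then
    # return every value of the requested header in the order it appears.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $pattern  = '^' + [regex]::Escape($Name) + ':\s*(.+)$'
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match $pattern) { $Matches[1] }
    }
}

function Test-HeaderLeak {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [string[]]$InternalSuffix = @('corp.exchangeserverpro.net')   # assumption
    )
    # RFC 1918 and loopback ranges; the Edge server's public address must not match these.
    $privateIp = '\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b'
    $escaped      = $InternalSuffix | ForEach-Object { [regex]::Escape($_) }
    $internalName = '\b[\w-]+\.(?:' + ($escaped -join '|') + ')\b'

    # Received: is what the header firewall strips. Message-ID and X-Originating-IP are
    # not routing headers, so they are checked to show that they survive the change.
    foreach ($header in 'Received', 'Message-ID', 'X-Originating-IP') {
        foreach ($value in Get-HeaderValues -RawHeaders $RawHeaders -Name $header) {
            $ips   = @([regex]::Matches($value, $privateIp)    | ForEach-Object { $_.Value })
            $names = @([regex]::Matches($value, $internalName) | ForEach-Object { $_.Value })
            if ($ips.Count -or $names.Count) {
                [pscustomobject]@{
                    Header        = $header
                    PrivateIPs    = $ips   -join ', '
                    InternalNames = $names -join ', '
                }
            }
        }
    }
}

# Constructed sample: outbound message before the change, as the recipient sees it.
$BeforeHeaders = @'
Received: from EDGE1.exchangeserverpro.net (203.0.113.10) by mx.example.com (192.0.2.55)
 with ESMTP id a1b2c3; Mon, 5 Nov 2018 10:12:44 +1000
Received: from EX2016SRV2.corp.exchangeserverpro.net (10.0.1.22) by
 EDGE1.exchangeserverpro.net (10.0.1.5) with Microsoft SMTP Server (TLS)
 id 15.1.1531.3; Mon, 5 Nov 2018 10:12:43 +1000
Received: from EX2016SRV1.corp.exchangeserverpro.net (10.0.1.21) by
 EX2016SRV2.corp.exchangeserverpro.net (10.0.1.22) with Microsoft SMTP Server (TLS)
 id 15.1.1531.3; Mon, 5 Nov 2018 10:12:42 +1000
From: alan.reid@exchangeserverpro.net
To: someone@example.com
Subject: Test
Message-ID: <f1e2d3c4@EX2016SRV1.corp.exchangeserverpro.net>
X-Originating-IP: [10.0.5.200]
'@

# Constructed sample: the same message after the routing headers are stripped.
$AfterHeaders = @'
Received: from EDGE1.exchangeserverpro.net (203.0.113.10) by mx.example.com (192.0.2.55)
 with ESMTP id a1b2c3; Mon, 5 Nov 2018 10:12:44 +1000
From: alan.reid@exchangeserverpro.net
To: someone@example.com
Subject: Test
Message-ID: <f1e2d3c4@EX2016SRV1.corp.exchangeserverpro.net>
X-Originating-IP: [10.0.5.200]
'@

$before = @(Test-HeaderLeak -RawHeaders $BeforeHeaders)
$after  = @(Test-HeaderLeak -RawHeaders $AfterHeaders)
"Before: $($before.Count) header(s) expose internal names or addresses"
$before | Format-Table -AutoSize
"After:  $($after.Count) header(s) still do"
$after | Format-Table -AutoSize
```

On the "before" sample the two Received: hops stamped inside the organization are reported along with Message-ID and X-Originating-IP; on the "after" sample the Received: chain is clean and only Message-ID and X-Originating-IP remain, which is exactly the residue the header firewall does not touch. Paste the headers of a real test message into $RawHeaders to run the same check against your own environment.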

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Benjamin

    Hi,
    Is there a possibility to hide the IP of a web server which sends email through MS365/Exchange Online via a receive connector?
    We already placed the web server behind Cloudflare to hide the real IP to prevent DDoSing. But when this web server sends out mails, it reveals its real IP. Any way to prevent this?

  2. Sam

    Hello,
    is it safe to Add-ADPermission -Identity -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-Send-Headers-Routing"?
    I want to keep all headers from received emails for analyzing porpoises...

  3. Prabhu

    Dear Paul,

    I want to remove the Outlook webmail server name and version from outbound messages. These messages are exposed to the internet.

    Does the header firewall option prevent this in those messages?

    Thanks
    Prabhu

  4. Robert

    Before this feature existed, email with an MUA header and no internal received headers was almost exclusively spam. According to SpamAssassin’s rule statistics it’s still a very strong spam indicator and will take you about half-way to a spam classification.

  5. kimmoj

    Great info as always, Paul, even though this was years ago now. Works great with Exchange 2016 as well, though. Nice to get those unsightly internal things away from the mail headers. Much appreciated.

  6. Ronak

    Hi Paul,

    How can I do the same thing with O365? I believe the following command only works with on-prem Exchange.

    Thanks,
    Ronak

  7. Chenh Hong

    Hi Paul, I ran the command. It worked only when we send out emails. But when a user sets an Out-Of-Office, or an NDR is sent back to the sender, it still shows the internal server name and IP address. How can I remove it from NDRs or OOO messages?

    thank you

    1. Kyle

      In my opinion, you can use mail flow rules in the EAC to remove the IP address from the mail header,

      such as X-Origination-IP

  8. Ricardo

    Hi Paul

    Does this change take some time for replication to take effect?

    Is there any way to force the change to be seen immediately?

    1. Remigiusz

      Run command:
      [PS] Start-EdgeSynchronization

  9. John

    Running the command - [PS] C:\>Get-SendConnector "EdgeSync - Datacenter1 to Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

    I get an error unexpected token C:/Get-SendConnector in expression or statement at Line:1 char:27

    I changed the author's Exchange to my Exchange, of course.

    Any ideas?

    1. Paul Cunningham

      "unexpected token C:/Get-SendConnector"

      The cmdlet is just Get-SendConnector, not C:/Get-SendConnector.

  10. lee

    Hi Paul, after applying the above settings, the outgoing email's message header still has info like
    Received: from FQDN ([internal ipaddr]) by xxx.yyy.zzz with SMTP id QMUhA0GVP6u3EzG

    I don't mind showing the FQDN of my Exchange 2013 server, but I want to avoid showing the internal IP address of my Exchange 2013 server. I am wondering where I have gone wrong and how to fix it.

    Can you give me some hints? Many thx!

  11. Sanya

    Hi Paul,

    I tried using the below command

    Get-SendConnector "Connector Name" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

    and verified the permission using below
    Get-SendConnector "Connector Name" | Get-ADPermission | where {$_.ExtendedRights -like "*routing*"} | fl user, extendedrights

    The specified permission was removed for ANONYMOUS LOGON, but the header information is still available in outgoing email.

    Environment: Exchange 2013 Server
    Email Spam Gateways : Clearswift and Mimecast

    1. Kyle

      You need to run the command on ALL your Mailbox servers and Edge servers.

      Get-SendConnector "Your Connector Name to Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

  12. Mahelsay

    Hi Paul, I need help with one question.

    In NDR messages, how can we mask or customize the specific line that says: "the following organization rejected your message: <>"

    reason i’m asking is that I have looked all over the documentation available and couldn’t find any source to address this request.

    Thanks
    mahelsay

    1. Zeeshan Afzal

      Have you found the solution to this problem?

  13. Victor

    There exists a tool named HeaderRewriter that allows an Exchange administrator to substitute any substring in the following SMTP headers of outgoing messages:
    •Message-ID
    •In-Reply-To
    •References

  14. Syed Ahmed

    Hi Paul,

    We have a case where the emails sent out from our Exchange have data added to the header, which is causing the emails to be rejected by the receiving server because of a limitation (i.e., header size exceeded). We are using a connector to redirect emails sent to a short address to a long address. We are using Office 365 (Hybrid). Is it possible that the connector is adding some data which is causing the receiving end to reject it? When an email is sent directly to the long address, no issues are caused.
    Please advise.

  15. Exch_starter

    Hi Experts ,
    Get-SendConnector shows me the following 2 send connectors:
    EdgeSync - Default-First-Site-Name to Internet {smtp:*;100} True
    EdgeSync - Inbound to Default-First-Site-Name {smtp:--;100} True

    Is this the default connector which gets created by default? Please advise.

    We send the emails to the internet directly without a smart host. We recently saw an issue where emails sent to *@gmail.com were not delivered, with the NDR: The IP address sending this message does not have a PTR record setup. As a policy, Gmail does not accept messages from IPs with missing PTR records. Please visit https://support.google.com/mail/answer/81126#authentication for more information. g8si1635946otb.321 - gsmtp

    The command to remove the message headers needs to be run on which send connector?
    Get-SendConnector "XXXXXXX" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

  16. Cardin

    works perfectly

  17. asmaaa515687

    I've used Get-SendConnector "My send connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing but still see the Received headers in outgoing emails.

    1. asmaaa515687

      Sorry, I meant I've used Get-SendConnector "My send connector" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing but still see the Received headers in outgoing emails.

  18. asmaaa515687

    Hello,

    I am trying to remove Received headers from outbound emails. I tried the cmd Get-SendConnector "My send connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing
    And I have run the EdgeSync service using the cmd Start-EdgeSynchronization -Server Mailbox01
    But my send connector still shows Received headers.
    Could you help me please to find a solution to this problem?

    1. Paul Cunningham

      You’ve used Add-ADPermission. To remove the permission you need to use Remove-ADPermission as shown in the article.

  19. Armando

    Great,

    Thanks!

  20. Alexey

    Thanks, Paul for your posts! Is there a way to customize or rewrite Message-ID header to eliminate internal server name as well?

    1. Alexey

      I also use a Transport Rule to remove x-originating-ip header. Do you think it’s Ok?
      Thank you!

        1. Clement Kumar

          Hi Paul,

          The x-originating-ip header holds the client IP address that was used to send the email. Would you recommend displaying this information in the header, or removing it by creating a rule in Exchange that strips it from outgoing email headers? Will this have any impact on email flow to external recipients?

          Thank you, been following your publications for years and I thank you very much for the value you bring to all Email Administrators Life.

          Regards,
          Clement

  21. Irshad Ahmed

    If we are using another gateway for outbound email (like Cisco ESA), then how can we do this?

    1. Paul Cunningham

      Header firewall is an Exchange Server capability. You’ll need to consult your vendor’s documentation to see whether any similar feature exists for them.

  22. Michel

    Hello
    If this command does not work under PowerShell:

    Get-SendConnector

    What’s the cause ?

    Michel

  23. Mark

    I was doing this previously using transport rules in Exchange 2007, which I replicated on the 2013 Edge servers. This method looks much simpler and cleaner, though.

  24. Noel

    Paul, you mentioned at the beginning of the article that you use the header firewall feature, but it seems to me you only need to run the command you ran. I am not clear about how to apply that feature.

    What am I missing?

    1. Paul Cunningham

      Follow the link to TechNet that I included in the post and all should become clear.

  25. Ray

    Worked perfectly. Thank you, Paul

    1. Paul Cunningham

      Yes, but be cautious, as I've seen that cause Gmail to start rejecting email due to IPv6 requirements. If for some reason you can't meet the IPv6 requirements they're looking for, setting the SourceIPAddress on the send connector (for Edge Transport scenarios) to the public IPv4 address of the server seems to fix it up.
