When you send an email message, the recipient can view the headers of the message and see all of the “hops” that the message went through on its journey from one mailbox to another.
The header info is very useful in troubleshooting situations, because you can copy/paste it into tools like the message analyzer in the Microsoft Remote Connectivity Analyzer and look at things like delays in message transfer between servers along the route the message took.
However, some organizations don’t want their internal Exchange server names and IP addresses exposed in the message headers of emails sent outside of their organization. To remove them, you can use a feature called the header firewall, which is explained in detail on TechNet.
The first step is to determine the name of your outbound send connector for internet email. In my environment an Edge Transport server is used for outbound mail, so the outbound send connector is named “EdgeSync – Datacenter1 to Internet” (Datacenter1 is the name of the Active Directory site the Edge server is subscribed to). I want to remove the message headers for outbound mail sent over that connector only, and not impact the messages sent over other connectors to Office 365 or the Globomantics partner organization.
[PS] C:\>Get-SendConnector

Identity                              AddressSpaces                           Enabled
--------                              -------------                           -------
EdgeSync - DataCenter1 to Internet    {smtp:*;75}                             True
EdgeSync - Inbound to DataCenter1     {smtp:--;100}                           True
Outbound to Office 365                {smtp:exchangeserverpro.mail.onmicro... True
Globomantics                          {SMTP:globomantics.biz;1}               True
The command to remove the message headers is as follows:
[PS] C:\>Get-SendConnector "EdgeSync - Datacenter1 to Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing
After running that command, I needed to wait for EdgeSync to run (or run it manually) before the change would take effect. After the change has taken effect, outbound messages no longer contain the internal server names and IP addresses in the headers. Only the Edge Transport server name and IP address are shown.
If you need to reverse the change, use Add-ADPermission instead of Remove-ADPermission.
[PS] C:\>Get-SendConnector "EdgeSync - Datacenter1 to Internet" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing
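To confirm the result from the recipient side, the following added example (not part of the original article) parses the Received headers of a message saved at an external mailbox and reports hops that still expose internal IP ranges or host names. It is written in Python so it can run wherever the received message is saved; the host names, addresses and the `.corp.example.local` suffix are constructed for illustration.

```python
import email
import ipaddress
import re

# RFC 1918, loopback and link-local ranges, listed explicitly because
# ipaddress.is_private also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
ADDR_RE = re.compile(r"[\[(]([0-9A-Fa-f:.]+)(?:%\w+)?[\])]")  # (10.0.0.1) or [fe80::1%11]
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")      # from <host> / by <host>

def find_leaks(raw_message, internal_suffixes=()):
    """Return (hop, value) pairs for Received hops exposing internal IPs or host names."""
    msg = email.message_from_string(raw_message)
    suffixes = tuple(s.lower() for s in internal_suffixes)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):  # hop 0 = newest
        for token in ADDR_RE.findall(value):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # bracketed text that is not an IP literal
            if any(ip in net for net in INTERNAL_NETS):
                findings.append((hop, str(ip)))
        for host in HOST_RE.findall(value):
            if suffixes and host.lower().endswith(suffixes):
                findings.append((hop, host.lower()))
    return findings

# Constructed samples (made-up hosts and addresses): the same message as seen by
# an external recipient before and after the routing-headers right is removed.
EDGE_HOP = ("Received: from edge1.example.com (203.0.113.25) by mx.recipient.example"
            " with ESMTP; Mon, 1 Jan 2024 10:00:05 +0000\n")
INTERNAL_HOPS = (
    "Received: from mbx01.corp.example.local (10.1.2.11) by edge1.example.com"
    " with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from mbx01.corp.example.local ([fe80::1%11]) by mbx01.corp.example.local"
    " ([fe80::1%11]) with mapi; Mon, 1 Jan 2024 10:00:01 +0000\n")
REST = "From: user@example.com\nSubject: test\n\nbody\n"
SAMPLE_BEFORE = EDGE_HOP + INTERNAL_HOPS + REST
SAMPLE_AFTER = EDGE_HOP + REST

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_leaks(raw, [".corp.example.local"]))
```

An empty result for a test message sent to an external mailbox indicates that only the Edge Transport hop remains visible.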
Hi,
Is there a possibility to hide the IP of a webserver which sends email through MS365/ExchangeOnline via ReceiveConnector?
We already placed the webserver behind Cloudflare to hide the real IP to prevent DDoSing. But when this webserver sends out mails, it reveals its real IP. Any way to prevent this?
Hello
Is it safe to Add-ADPermission -Identity -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-Send-Headers-Routing” ??
I want to keep all headers from received emails for analysis purposes…
Dear Paul,
I want to remove the Outlook webmail server name and version from outbound messages. These messages are exposed to the internet.
Does the header firewall option prevent those messages?
Thanks
Prabhu
Before this feature existed, email with an MUA header and no internal received headers was almost exclusively spam. According to SpamAssassin’s rule statistics it’s still a very strong spam indicator and will take you about half-way to a spam classification.
Great info as always, Paul, even though this was years ago now. Works great with Exchange 2016 as well though. Nice to get those unsightly internal things away from the mail headers. Much appreciated.
Hi Paul,
How can I do the same thing with O365? I believe the following command only works with on-prem Exchange.
Thanks,
Ronak
Hi Paul, I ran the command. It worked only when we send out emails. But when a user sets an Out-Of-Office or an NDR is sent back to the sender, it still shows the internal server name and IP address. How can I remove it from NDR or OOO?
Thank you
In my opinion, you can use mail flow rules in EAC to remove the IP address from the mail header,
such as X-Origination-IP
Hi Paul
Does this change take some time for replication to take effect?
Is there any way to force the change to be seen immediately?
Run command:
[PS] Start-EdgeSynchronization
Running the command – [PS] C:\>Get-SendConnector “EdgeSync – Datacenter1 to Internet” | Remove-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing
I get an error unexpected token C:/Get-SendConnector in expression or statement at Line:1 char:27
I changed the author’s exchange to my exchange of course.
Any ideas?
“unexpected token C:/Get-SendConnector”
The cmdlet is just Get-SendConnector, not C:/Get-SendConnector.
Hi Paul, after applying the above settings, the outgoing email’s message header still has info of
Received: from FQDN ([internal ipaddr] by xxx.yyy.zzz with SMTP id QMUhA0GVP6u3EzG
I don’t mind showing the FQDN of my exchange2013 server, but I want to avoid showing the internal ipaddr of my exchange2013 server. I am wondering where I have gone wrong and how to fix it.
Can you give me some hints? Many thanks!
Hi Paul,
I tried using the below command
Get-SendConnector “Connector Name” | Remove-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing
and verified the permission using below
Get-SendConnector “Connector Name” | Get-ADPermission | where {$_.ExtendedRights –like “*routing*”} | fl user, extendedrights
The specified permission was removed for ANONYMOUS LOGON, but header information is still available in outgoing email.
Environment: Exchange 2013 Server
Email Spam Gateways : Clearswift and Mimecast
You need to run the command on ALL your Mailbox servers and EDGE servers.
Get-SendConnector “Your Connector Name to Internet” | Remove-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing
Hi Paul, need help with one question:
In NDR messages, how can we mask or customize the specific line that says: “the following organization rejected your message: <>”
The reason I’m asking is that I have looked all over the documentation available and couldn’t find any source to address this request.
Thanks
mahelsay
Have you found the solution to this problem?
There exists a tool named HeaderRewriter that allows an Exchange administrator to substitute any substring in the following SMTP headers of outgoing messages:
•Message-ID
•In-Reply-To
•References
Hi Paul,
We have a case where the emails sent out from our Exchange have data added to the header, which is causing the emails to be rejected by the receiving server because of a limitation (i.e., header size exceeded). We are using a connector to send emails sent to a short address to redirect them to a long address. We are using Office 365 (Hybrid). Is it possible that the connector is adding some data which is causing the receiving end to reject it? When an email is sent directly to the long address, no issues are caused.
Please advise.
Hi Experts,
Get-SendConnector shows me the following 2 send connectors:
EdgeSync – Default-First-Site-Name to Internet {smtp:*;100} True
EdgeSync – Inbound to Default-First-Site-Name {smtp:–;100} True
Is this the default connector which gets created by default? Please advise.
We send the emails to the internet directly without a smart host. We recently saw an issue where emails sent to *@gmail.com were not delivered, with the NDR: The IP address sending this message does not have a PTR record setup. As a policy, Gmail does not accept messages from IPs with missing PTR records. Please visit https://support.google.com/mail/answer/81126#authentication for more information. g8si1635946otb.321 – gsmtp
On which send connector does the command to remove the message headers need to be run?
Get-SendConnector “XXXXXXX” | Remove-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing
works perfectly
I’ve used Get-SendConnector “My send connector” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing but still see the received headers in outgoing emails.
Sorry, I meant I’ve used Get-SendConnector “My send connector” | REMOVE-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing but still see the received headers in outgoing emails.
Hello,
I am trying to remove Received headers from outbound emails. I tried the cmd Get-SendConnector “My send connector” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights ms-Exch-Send-Headers-Routing
And I have run the EdgeSync service using the cmd Start-EdgeSynchronization -Server Mailbox01
But my send connector still shows Received headers.
Could you please help me find a solution to this problem?
You’ve used Add-ADPermission. To remove the permission you need to use Remove-ADPermission as shown in the article.
Great,
Thanks!
Thanks, Paul for your posts! Is there a way to customize or rewrite Message-ID header to eliminate internal server name as well?
I also use a Transport Rule to remove x-originating-ip header. Do you think it’s Ok?
Thank you!
I don’t understand what outcome you’re trying to achieve.
Hi Paul,
The x-originating-ip holds the information of the client IP Address that was used to send the email, would you recommend displaying this information in the header or denying it by creating a rule in Exchange that removes this from outgoing email headers, will this have any impact on email flow to external recipients?
Thank you, been following your publications for years and I thank you very much for the value you bring to all Email Administrators Life.
Regards,
Clement
If we are using another gateway for outbound email (like Cisco ESA), then how can we do this?
Header firewall is an Exchange Server capability. You’ll need to consult your vendor’s documentation to see whether any similar feature exists for them.
Hello
If this command does not work under PowerShell:
Get-SendConnector
What’s the cause?
Michel
You need to use the Exchange Management Shell.
I was doing this previously using transport rules in Exchange 2007, which I replicated on the 2013 Edge servers. This method looks much simpler and cleaner, though.
Paul, you mentioned at the beginning of the article that you the header firewall feature, but it seems to be you only need to run the command you ran. I am not clear about how to apply that feature.
What am I missing?
Follow the link to TechNet that I included in the post and all should become clear.
Worked perfectly. Thank you, Paul
Thanks.
Maybe add steps to this article for hiding SMTP banner text on the receive connector?
https://technet.microsoft.com/en-us/library/bb124740(v=exchg.150).aspx
Yes, but be cautious as I’ve seen that cause Gmail to start rejecting email due to IPv6 requirements. If for some reason you can’t meet the IPv6 requirements they’re looking for, setting the SourceIPAddress on send connector (for Edge Transport scenarios) to the public IPv4 address of the server seems to fix it up.