Flashcards in Transport Services Deck (175)
Loading flashcards...
91
What is an Address Rewrite Entry?
A manually created rule that tells the Address Rewriting agents when and how to change e-mail addresses.
92
What is TLS?
Transport Layer Security
It is the successor to SSL. (Though, in casual terms, people often still refer to TLS as SSL.)
93
What is this?
STARTTLS
A command (verb) for the SMTP protocol to use TLS.
94
What are the three ways that Exchange can use TLS?
• Opportunistic
• Forced
• Mutual
95
How will Exchange function when it uses Opportunistic TLS?
• Accepts STARTTLS from other hosts.
• Sends STARTTLS to other hosts.
• Falls back to insecure if TLS isn't available.
• Works with untrusted certificates, such as self-signed certs.
• Provides Confidentiality for the e-mail in transit (if it's successful and doesn't fall back)
• Does NOT provide Authentication about the other host that Exchange is connecting to for sending or receiving that e-mail.
96
What configuration is required for Exchange to use Opportunistic TLS?
No configuration changes are required. It will do this by default.
97
How will Exchange function when it uses Forced TLS?
• Requires TLS for both inbound and outbound SMTP.
• Fails if TLS isn't available.
• Works with untrusted certificates, such as self-signed certs.
• Provides Confidentiality for the e-mail in transit.
• Does NOT provide Authentication about the other host that Exchange is connecting to for sending or receiving that e-mail.
98
What configuration is required for Exchange to use Forced TLS?
To require TLS, set the RequireTls attribute on send or receive connectors to $true.
99
How will Exchange function when it uses Mutual TLS?
• Requires TLS for both inbound and outbound SMTP.
• Fails if TLS isn't available.
• Fails if certificate can't be validated.
• Provides Confidentiality for the e-mail in transit
• DOES provide Authentication about the host Exchange is connecting to.
100
What is "Domain Secure"?
A term for when you have two Exchange Edge Transport servers in different organizations performing Mutual TLS.
When it occurs, Outlook displays a "Domain Secured" icon on messages.
Note, it is incredibly rare in the real world.
101
What is "Domain Security"?
Another term for "Domain Secure"
102
What does Domain Secure require?
• Edge Transport Servers on both ends of the connection
• Valid certificates on both servers, installed and enabled for SMTP
• There must not be any non-Exchange servers involved in the mail flow path (such as third-party spam filters).
• The domain to be secured must be specified in the "TLS Receive Domain Secure List" and/or the "TLS Send Domain Secure List"
• A "Parter" Send Connector and/or Receive Connector for the secured domain to use.
103
What is SPF?
Sender Policy Framework
• A DNS TXT record that receiving servers can look up to validate your sending server's IP address.
• Used to help prevent spoofing of your domain names by spammers.
• Not mandatory to implement, but recommended.
• SPF records are only a suggestion and the receiving server can ignore or override.
104
What does an SPF record consist of?
• The version of SPF (which also servers to indicate that this TXT record is an SPF record)
• One or more "Mechanisms"
• A Qualifier for each Mechanism
105
How is the version of an SPF record indicated?
In this format:
v=spf1
106
In an SPF record, what does this Mechanism mean?
all
• Matches any host
• Generally placed at the end of a record as a catch-all, to indicate what should be done for any hosts not defined in the SPF record.
107
In an SPF record, what does this Mechanism mean?
ip4:
• Matches a single IPv4 address or IPv4 network range
108
In an SPF record, what does this Mechanism mean?
ip6:
• Matches a single IPv6 address or IPv6 network range
109
In an SPF record, what does this Mechanism mean?
a
• Matches a host name or domain name
• So the receiving server will look up the A record of the domain in DNS, and if it resolves to the IP address that is making the inbound SMTP connection, then that's a match
110
In an SPF record, what does this Mechanism mean?
mx
• Matches against the MX records for the domain
• Useful to use if outbound mail for your organization is handled by the same server that MX records resolve to for inbound mail. A nice, simple way to construct your SPF record.
111
In an SPF record, what does this Mechanism mean?
ptr
• Uses reverse DNS to match the sending server's IP address to the host's name that it resolves to
• Not recommended because it causes a high load on DNS and can be quite slow.
112
In an SPF record, what does this Mechanism mean?
exists
• Simply checks if domain name that the e-mail is trying to send from actually exists
113
In an SPF record, what does this Mechanism mean?
include:
• Matches against the SPF record for another domain
• Usually used if outbound e-mail is routed through a cloud service, such as Exchange Online Protection.
• Basically saying: "as long as this other SPF record says it's ok, then it's ok by me."
114
In an SPF record, what does this Qualifier mean?
+
• Pass
• Meaning, e-mail from hosts indicated by the Mechanism should be accepted
• This is the default qualifier if none is provided.
115
In an SPF record, what does is mean if no Qualifier is specified on a Mechanism?
• It will use the default qualifier, which is + (Pass)
116
In an SPF record, what does this Qualifier mean?
-
• Fail
• Meaning, e-mail from hosts indicated by the Mechanism should be rejected
117
In an SPF record, what does this Qualifier mean?
~
• Soft Fail
• Meaning, e-mail from hosts indicated by the Mechanism can be accepted but treated as possible spam
118
In an SPF record, what does this Qualifier mean?
?
• Neutral
• Meaning, the receiving mail server is advised to do whatever it wants
119
What Anti-spam / Anti-Malware agents are installed by default on a Mailbox server?
Only the Malware agent.
120