Most SMTP sessions set up between servers go something like this.

Knock, knock.
Who’s there?
SMTP server.
SMTP server who?
SMTP server running specific information that could help an attacker!

When they should go something like this.

Knock, knock.
Who’s there?
SMTP server.
SMTP server who?
You figure it out!

When systems connect to your email system’s external connector, no matter what that connector is, the only thing they need to see is a 220 response, which is the SMTP response code that indicates the server can accept email. As long as the response starts with a 220, whatever comes after that is just gravy. Unfortunately, most email systems are still polite, or proud, and tell you exactly what they are. Here’s the default on a fully patched Exchange 2016 server.

220 EX1.example.com Microsoft ESMTP MAIL Service ready at Sun, 11 Jun 2017 13:22:31 -0400

It’s fine to give a name, and we’ll talk about why that is important in a moment, but telling us it’s Microsoft ESMTP is more than we need and tells someone doing reconnaissance exactly what they want to know. That’s not great, so in this post we’re going to talk about fixing that.

What should be in a banner

Per the RFCs, an MTA that can accept mail must respond when a connection is established over TCP 25 with the SMTP code 220. That’s it. You can put more in there, pretty much anything you want, as long as the first thing is the 220.

It’s a good idea to put the external FQDN of the server right after the 220. That way, if someone is trying to confirm they are either sending mail to the right place, or getting mail from the right place, and they compare the banner to the PTR record in DNS, it’s a match. You don’t have to do that, but it’s polite and doesn’t give away too much, and reduces the likelihood someone else will think you are spamming/spoofing. Some admins put disclaimers or warnings into their SMTP banners after the 220, and if that floats your boat, go for it.

What should not be in a banner

The make, model, and serial number of your server, your personal details, or anything else that helps an attacker identify what kind of system you have, which is exactly what the default banner on most SMTP systems gives away!

How to change the SMTP banner in Exchange 2013 or 2016

The process is the same in both Exchange 2013 and 2016, and requires you to open an Exchange Management Shell prompt (aka PowerShell) since this isn’t in the GUI. If you have multiple receive connectors, you will have to do this on each.

  1. Open an Exchange Management Shell session
  2. Run this cmdlet to see the name of the receive connector(s) you have on the server
    Get-ReceiveConnector | ft [enter]
  3. Run this cmdlet to set the banner, enclosing the receive connector name in quotes if it contains spaces
    Set-ReceiveConnector -Identity "ConnectorName" -Banner "220 YourTextGoesHere" [enter]
  4. So if you wanted to set your banner to just give the minimum information necessary to work and pass anti-spam testing of banner grabs, do this
    Set-ReceiveConnector -Identity "ConnectorName" -Banner "220 server1.example.com" [enter]
  5. Repeat as necessary for any other connectors.

It’s really that simple. The same commands should work on Exchange 2010 and even 2007, though if you are still running 2007, you have much worse problems than a banner revealing which version of Exchange you run.

But I’m a Kerio Connect user!

Kerio Connect actually makes this process as easy as a checkbox tick. If you want to make sure that you’re not displaying any extra information to whoever might be looking, all you need to do is go to Settings > Advanced options and under Miscellaneous you’ll see a check box saying: Show program name and version in network communications for non-authenticated users. Untick this box and restart Kerio Connect. It is as simple as that.
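Whichever product you run, the job is the same: set the banner to "220 " plus your external FQDN, then confirm from the outside that the greeting is now just that and that the name matches your PTR record. The script below is an added example written for this post; it is not Microsoft’s or Kerio’s code. Set-MinimalSmtpBanner wraps the Exchange steps above (it assumes an Exchange Management Shell session and that an empty Banner property means the default Microsoft greeting is in use), and Test-SmtpBanner is a plain TCP check you can point at any of your own servers, Exchange or Kerio, after the change. Every host name in it is a placeholder.

```powershell
# Added example for this post; not Microsoft's or Kerio's code.
# Assumes: an Exchange Management Shell session for Set-MinimalSmtpBanner,
# and that "mail.example.com" stands in for your server's real external FQDN.

function Set-MinimalSmtpBanner {
    # Sets every receive connector on one Exchange server to "220 <FQDN>",
    # the minimum the post recommends. Run with -WhatIf first to preview.
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$Server = $env:COMPUTERNAME,
        [switch]$WhatIf
    )
    $banner = "220 $Fqdn"
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        if ($rc.Banner -eq $banner) {
            Write-Host "$($rc.Identity): already minimal, skipping"
            continue
        }
        # Assumption: an empty Banner means Exchange sends its default
        # "Microsoft ESMTP MAIL Service ready at ..." greeting.
        $current = if ([string]::IsNullOrEmpty($rc.Banner)) { '<default>' } else { $rc.Banner }
        Write-Host "$($rc.Identity): '$current' -> '$banner'"
        Set-ReceiveConnector -Identity $rc.Identity -Banner $banner -WhatIf:$WhatIf
    }
}

function Test-SmtpBanner {
    # Connects to port 25, reads only the greeting, sends QUIT, and reports
    # whether the greeting is a bare "220 <hostname>" and whether that name
    # matches the PTR record of the address we connected to.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $remoteIp = $client.Client.RemoteEndPoint.Address
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # A greeting may span several "220-" lines; the final line starts "220 ".
        # A read timeout (server said nothing) ends the loop instead of throwing.
        $lines = @()
        do {
            try { $line = $reader.ReadLine() } catch { $line = $null }
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line -match '^220-')
        $writer.WriteLine('QUIT')

        $first = if ($lines.Count -gt 0) { $lines[0] } else { '' }
        # Minimal banner: "220", one space, a hostname, and nothing else.
        $isMinimal = $first -match '^220 (?<host>[A-Za-z0-9.-]+)$'
        $bannerHost = if ($isMinimal) { $Matches['host'] } else { $null }

        # Reverse lookup of the connected address; $null if there is no PTR.
        $ptr = $null
        try { $ptr = [System.Net.Dns]::GetHostEntry($remoteIp).HostName } catch { }

        [pscustomobject]@{
            Server        = $ComputerName
            Greeting      = ($lines -join "`n")
            StartsWith220 = ($first -match '^220[ -]')
            IsMinimal     = $isMinimal
            BannerHost    = $bannerHost
            PtrRecord     = $ptr
            MatchesPtr    = ($null -ne $bannerHost -and $null -ne $ptr -and $bannerHost -ieq $ptr)
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder names):
# Set-MinimalSmtpBanner -Fqdn 'mail.example.com' -WhatIf   # preview the changes
# Set-MinimalSmtpBanner -Fqdn 'mail.example.com'           # apply them
# Test-SmtpBanner -ComputerName 'mail.example.com' | Format-List
```

Run the test from a machine outside your network, or at least one that reaches the connector through the same path the Internet does, so you are looking at the greeting the outside world sees rather than an internal relay connector. A result with StartsWith220 true, IsMinimal true and MatchesPtr true is the "You figure it out!" answer this post is after; IsMinimal false means something still comes after the hostname and is worth a second look.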

It’s time to take a quick look at the external connectors on all your email systems, and change the banners on any still running with defaults today. Make those attackers work at least a little bit!