CSS-Exchange VS postfix

The MaxServicePointIdleTime property I changed because of what I saw suggested here: https://github.com/microsoft/CSS-Exchange/issues/1581.

This is actively exploited, patch immediately. Microsoft also provided a script that checks Exchange items for malicious messaging items: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md

Microsoft has released a PowerShell script that can be run on Exchange infrastructure to scan email files for malicious UNC paths, however, patching is the preferred mitigation strategy.

I would expect that installing the URL Rewrite 2 module shouldn't cause any problems -- E2013 as such doesn't care about it. In fact, Microsoft's own EOMT script for the Hafnium mitigations suggests installing it. It'll likely require a reboot, though, or at the very least an IIS restart.

Yep, the August security update and OS updates were installed on all four nodes. But the order in which they were installed may have been different... I don't recall. Someone just posted above that this is a known problem with Windows 2012/R2: https://github.com/microsoft/CSS-Exchange/pull/1166

Which is the latest I can find on Github. This server is running Exchange 2019 CU 11. It has the March updates (KB5012698), but not the May one (KB5014261). You can also verify from the build number it's not up to date. There are no vulnerabilities reported and the only thing in "red" is that TCP keepalive warning.

https://github.com/microsoft/CSS-Exchange/issues/535 Even the maintainer David Paulson of the ExchangeHealtcheck script opened an issue on this matter, only waiting on feedback of the Exchange Team.

FWIW C can do it too to some extent, here's postfix: https://github.com/vdukhovni/postfix/blob/master/postfix/src...

Postfix.

But that’s only an MTA i hear you cry, Exchange does both MTA & MDA! Bear with me.

Postfix is software to learn from. It might be written in C but the architecture is the epitome of beautiful modular design. It’s not just the meticulous separation of concerns, the care and attention to detail, everything from string handling to memory management is pristinely handled. https://github.com/vdukhovni/postfix

Even at runtime the beauty of the architecture allows for a sysadmin to choose (via master.cf) exactly how the components should be composed to fit their needs. The defaults are crafted for minimum fuss if you just need to get it running ASAP. The software is ergonomic in addition to being artfully crafted.

So what does all this care and attention get you? Only 9 CVEs in 22 years, only 3 of which are code exec, only 2 of which are (maybe) remote code exec, only 1 of which is unauth user RCE - but very hard in practice to exploit.

Maybe it’s just not that popular? It was 1/3 of all SMTP servers on the internet according to a 2019 scan.

So it’s the best MTA ever to exist, but what about MDA? Well, that was the whole point. Compose well crafted components together to build a system. You especially don’t run part of your mailserver’s web interface in kernel space because, well i’m not sure why IIS/Exchange does that :-)