Setting Up Email Servers: Part 1

──────────────────────────────────────────────────────────────────────────────────


Introduction

When I was first getting into cybersecurity I spent a lot of time researching email server architecture, and I had a lot of difficulty finding guides on how to set one up and what all the different acronyms meant. I believe that learning how systems work is the cornerstone of being successful in securing them. The precursor to that, of course, is setting up a system for yourself! This post will hopefully help those new to the field learn how email servers work and how to set one up for themselves.

We'll go over setting up Exchange on a Windows server. In future posts, we'll go over hMail, and then Postfix, Dovecot, and Roundcube on a Linux server.

Terms

Before we get started, let's go over some terms that you'll need to know:

SMTP - Simple Mail Transfer Protocol

 SMTP is responsible for the transmission of email messages. It operates in a "store and forward" fashion.

  TCP port 25 - typically a relay port for forwarding messages

  TCP port 587 - (usually encrypted) submission port for clients to send messages (SSL/TLS or STARTTLS mode)

  TCP port 465 - a secure submission port for clients to send messages (deprecated 'SSL')


LMTP - Local Mail Transfer Protocol

 LMTP is a protocol for transferring mail messages from a local message transfer agent (MTA) to a local message store.

 It handles the "final delivery" of messages to the mail store for access. It is an extension of SMTP that allows multiple recipients for an email and returns a separate success/fail status for each of them.

 LMTP is not necessary for the mail server to run.


POP3(S) - Post Office Protocol

 POP3 is a protocol for retrieving email messages from a mail server. The protocol is designed to allow for offline access to email messages.

 Uses "store and retrieve" communication. POP3 is responsible for downloading messages from the server to your inbox. The message disappears from the server after it's accessed.

  TCP port 110 - unencrypted communication between client and server

  TCP port 995 - encrypted communication between client and server


IMAP(S) - Internet Message Access Protocol

 IMAP is a protocol for retrieving email messages from a mail server. The protocol is designed to allow for offline access to email messages.

 IMAP also retrieves email, like POP3; however, it allows messages to be accessed, sorted and organized on the server without being downloaded, so messages can be accessed from multiple devices.

  TCP port 143 - unencrypted communication

  TCP port 993 - encrypted communication


MTA - Mail/Message Transfer Agent

 Transfers messages using SMTP from one computer to another.


MUA - Mail User Agent

 The user interface for accessing and sending emails. Some common MUAs are Outlook, Thunderbird, and the OWA portal (MS Exchange).


MDA - Mail Delivery Agent

 Responsible for final delivery. Stores email as plaintext or passes it along to a store database.


MX Record - Mail Exchange Record

 This is the first lookup an SMTP server makes when it sends a message to a user in a domain: it identifies the hostname(s) and priority of the servers that receive mail for that domain. (If no MX record is found, the sender falls back to the domain's A record; if there is no A record either, the send fails.)


──────────────────────────────────────────────────────────────────────────────────

Simple Email Flow

When you send an email, it starts at your MUA. Your MUA uses SMTP to forward the message to an MTA, which may forward it to another MTA, and so on. Once your message reaches its intended destination MDA, it is stored on that server. From there, the destination server uses either POP3 or IMAP to index the message in the recipient's mailbox!

Email Flow
──────────────────────────────────────────────────────────────────────────────────

Setting Up Microsoft Exchange on Windows

Microsoft Exchange is quite a doozy to set up. There are many critical sub-services involved and many other infrastructural constraints that a system administrator should be aware of. This guide is based on Exchange versions older than 2016, so components have likely changed in newer versions.

A key component of setting up MS Exchange is having an Active Directory server available in your environment. There are quite a few dependencies to be mindful of as well, so your network and host firewalls may end up looking like Swiss cheese. Below is a simple diagram I made to illustrate the bare minimum that you will need to allow between your Exchange and AD servers.

Exchange AD Firewall Flow

Sample Firewall Ruleset

NOTE: 2010 vs later versions: the POP/IMAP service lives under FrontEnd instead of ClientAccess, and edgetransport is FrontEndTransport.

Application                                                              Direction  Protocol  Port     RemoteAddr
%installpath%\bin\edgetransport.exe                                      in         tcp       25,587   any
%installpath%\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe    in         tcp       110,995  any
%installpath%\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe   in         tcp       143,993  any
-                                                                        in         tcp       443      any
-                                                                        in/out     udp       53       AD
-                                                                        in/out     tcp/udp   88       AD
many                                                                     in/out     tcp/udp   389      AD
C:\Windows\System32\svchost.exe                                          in/out     tcp       135      AD
many                                                                     in/out     tcp       3268     AD
any                                                                      in/out     any       any      127.0.0.1/8

* On the AD side, C:\Windows\System32\lsass.exe can be attached to the 389,3268 rule.

* RPC can probably be excluded from the exceptions list above.

──────────────────────────────────────────────────────────────────────────────────

Critical Services & Description

Localhost

ADTopologyService.exe
 Locates the AD DCs and Global Catalog server and provides AD topology info for the Exchange server. Runs on TCP port 890.

MSExchangeIS / store.exe
 The Information Store is the actual database engine (ESE) and manages the mailbox database. Service start type must be set to "Auto Start".

MSExchangeFrontEndTransport.exe
 Provides an SMTP proxy for inbound and outbound email messages to and from the internet (basically the SMTP daemon). Runs on TCP ports 25 and 587.

MSExchangeImap4Service.exe
 Provides IMAP4 clients with access to Exchange server mailboxes and retrieves IMAP4 requests from the client access services. Runs on TCP ports 143 and 993. Setup note: you have to go into Services, change the startup type to Automatic and start the service to enable IMAP4.

MSExchangePop3Service.exe
 Authenticates the client connection and passes the request to the appropriate mailbox server. Runs on TCP ports 110 and 995. Setup note: you have to go into Services, change the startup type to Automatic and start the service to enable POP3.

MSExchangeThrottling.exe
 Handles the limits on the rate of user operations to prevent any single user from consuming too many server resources.

HostControllerService.exe / MSExchangeServiceHost
 Misc other tasks that keep Exchange running.

MSExchangeDelivery.exe & MSExchangeSubmission.exe
 I think these have to be running to send out mail (otherwise they are just there to manage mail going to and from other transport servers on the network).

inetsrv\w3wp.exe & noderunner.exe
 IIS processes for OWA.

MSExchangeMailboxAssistants.exe
 Handles background processing functions for Exchange server mailboxes.

AD Established (AD:389/3268)

MSExchangeRepl.exe
 Provides a continuous replication service to copy log files from the active db to a server that hosts a passive copy of the db.

Microsoft.Exchange.Directory.TopologyService.exe
 Locates the AD DCs and Global Catalog server and provides AD topology info for the Exchange server.

Microsoft.Exchange.ServiceHost.exe
 Misc other tasks that keep Exchange running.

MSExchangeMailboxAssistants.exe
 Handles background processing functions for Exchange server mailboxes.

AddressBook (Exchange 2010)
 ** ports 379,389 outbound to AD

ActiveDirectoryConnector.exe (on something like Exchange 2003)
 ** ports 379,389 outbound to AD

MSExchangeTransportLogSearch.exe

Microsoft.Exchange.Search.Service.exe

I also think that there is a frontend IMAP/POP3 (and maybe SMTP) connection as well (the non-service exe).

Other not so critical services (on localhost)

MSExchangeFastSearch.exe
 Handles content indexing and queuing of Exchange server data.

MSExchangeHMHost.exe
 Health Manager Host.
──────────────────────────────────────────────────────────────────────────────────

Exchange Management

Exchange has a few different management portals and shells that you can use to administer the server.

https://localhost/ecp - admin portal for OWA
https:///owa - login portal for OWA
EMS - Exchange Management Shell: the management shell that uses PowerShell modules specific to Exchange. You can use this or the GUI (EMC/EAC) to administer the DBs and users.
EMC - Exchange Management Console: the management console for Exchange in 2010-like versions.
EAC - Exchange Admin Center: what the admin portal is called in later versions, as it combines the capabilities of the admin portal and the EMC.

Brief Installation Guide

For a more in-depth guide, see the Microsoft Documentation

First, you will need to install the prerequisites for Exchange. This includes the .NET Framework, Windows Management Framework, and the Unified Communications Managed API. You will also need to install the Remote Tools Administration Pack.

  1. Google the desired Exchange version + SP (service pack) or CU (cumulative update) and download the installer from Microsoft. This should be one of the first results.
  2. If Google doesn't work: the-eye.eu/public/MSDN/Exchange Server 2013
  3. When installing from Microsoft, under System Requirements follow the link to the Prerequisites page and follow those instructions.
  4. Exchange Prerequisites
  5. Note: you must be connected to an Active Directory domain and be signed in as an AD domain administrator when installing Exchange.
  6. Unpack the Exchange installer (I usually slap it in C:\Exchange). Note: the default is your Downloads folder without an associated child folder, so *chaos* will ensue.
  7. Run "setup.exe" and the installer snap-in will load. Follow the install (usually just go with the defaults; on 2013+ make sure you check the Client Access, Mailbox, and Transport roles, and if it's Exchange 2010 there will eventually be an option to 'automatically install required server features' or something like that, which you should select).
  8. If your install failed, make sure you have installed all of the prerequisites and are signed in as an AD domain administrator.
  9. Restart your computer after it finishes installing if it doesn't do so automatically. (Exchange 2010 installs faster than newer versions (30 min); 2016 takes a solid 2 hours, and 2013 is somewhere in between.)
  10. At this point your Exchange install should be functional.
  11. Go into Task Manager > Services, find the Microsoft Exchange POP3 and IMAP4 services, set them to start automatically and start them up.
  12. For the purposes of this tutorial, boot up the EMC in Exchange 2010 or go to the EAC in Exchange 2016 so we can make some changes (these could just as easily be done through the EMS).
  13. Load pre-existing domain users into Exchange:
    1. 2010 - Recipient Configuration > Mailbox > New Mailbox (User Mailbox, and add existing users)
    2. Exchange 2010 New Mailbox
    3. 2016 - Recipients > Mailboxes > New > User Mailbox
    4. Exchange 2016 New Mailbox
  14. Enable plain text authentication on SMTP. Note: do not do this in the real world, please.
    1. 2010 - Server Configuration > Hub Transport > right click to disable the Client receive connector (or whatever it's called), then edit the Default connector. On the Authentication tab, uncheck every box. On the Allowed Users tab (or whatever it's called), check all of the boxes (especially allowing anonymous users). You're going to have to restart the box, but save that for after we edit POP3/IMAP.
  15. Enable plain text authentication on POP3/IMAP. Again, please don't do this in the real world. This just makes testing easier.
    1. 2010 - Server Configuration > Client Access > look at the bottom section and select the POP3 and IMAP4 header > open POP3 and IMAP4 and configure the following (leave the defaults). Also, on the Binding tab, remove the SSL ports in the bottom section. Restart the computer after you have made these changes.
    2. Exchange 2010 POP/IMAP
    3. 2016 - servers > right click on the server name > properties > POP3/IMAP > basic authentication
    4. Exchange 2016 POP/IMAP

Your Exchange email server should now be good to go. I intentionally set up mine to be insecure by using plaintext authentication, for security testing purposes and to learn more about how Exchange works. If you are deploying this in the real world, please don't do what I did.

Troubleshooting Issues

Hopefully you were able to set up Exchange without issue. Before making this guide, I definitely had my fair share of issues.

Testing Connectivity

To test our services, we are going to use the telnet client, which is a command line utility. When using telnet, some terminals may be picky about backspaces, so be careful when typing commands.

SMTP

telnet  25
  helo
  MAIL FROM:<>
  RCPT TO:<> NOTIFY=success,failure
  DATA
  Subject: Test

  text
  .
  QUIT
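The SMTP exchange above, replayed in code, as an added example that is not part of the original post. The fake server, its banner and the addresses are constructed stand-ins for the lab Exchange receive connector so the example runs offline; smtp_test_session can be pointed at a real host and port 25 to run the same check against your own server.

```python
import socket
import threading

# Constructed stand-in for the Exchange receive connector: it answers the commands the
# telnet session above types (HELO, MAIL FROM, RCPT TO, DATA, QUIT) so the client runs offline.
def fake_smtp_server(listener):
    conn, _ = listener.accept()
    rf = conn.makefile("rb")
    conn.sendall(b"220 lab.example.test ESMTP ready\r\n")   # made-up banner
    in_data = False
    for raw in rf:
        line = raw.rstrip(b"\r\n")
        if in_data:                                          # body ends with a lone "."
            if line == b".":
                in_data = False
                conn.sendall(b"250 2.0.0 Queued\r\n")
            continue
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"HELO":
            conn.sendall(b"250 lab.example.test Hello\r\n")
        elif verb in (b"MAIL", b"RCPT"):
            conn.sendall(b"250 2.1.0 OK\r\n")
        elif verb == b"DATA":
            in_data = True
            conn.sendall(b"354 Start mail input; end with <CRLF>.<CRLF>\r\n")
        elif verb == b"QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
    conn.close()

def smtp_test_session(host, port, sender, recipient, body=b"text"):
    # Replay the manual telnet test; return the server's 3-digit reply codes in order.
    codes = []
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("rb")
        codes.append(rf.readline()[:3].decode())             # 220 greeting
        for cmd in (b"helo tester",
                    b"MAIL FROM:<" + sender + b">",
                    b"RCPT TO:<" + recipient + b"> NOTIFY=success,failure",
                    b"DATA"):
            s.sendall(cmd + b"\r\n")
            codes.append(rf.readline()[:3].decode())         # 250, 250, 250, 354
        s.sendall(b"Subject: Test\r\n\r\n" + body + b"\r\n.\r\n")  # header, blank, body, dot
        codes.append(rf.readline()[:3].decode())             # 250 once the dot is seen
        s.sendall(b"QUIT\r\n")
        codes.append(rf.readline()[:3].decode())             # 221 goodbye
    return codes

def run_demo():
    # Start the fake server on a loopback port and run the test session against it.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=fake_smtp_server, args=(listener,), daemon=True).start()
    codes = smtp_test_session("127.0.0.1", listener.getsockname()[1], b"a@lab.test", b"b@lab.test")
    listener.close()
    return codes
```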

POP3

telnet  110
  USER
  PASS
  STAT      // gives you the number of messages in the inbox and then their size (bytes)
  LIST      // gives you the breakout of these messages and their size (bytes)
  RETR <#>  // displays the mail
  QUIT

IMAP

telnet  143
  a01 LOGIN
  a02 LOGOUT


Installed, but No EMC / EMS ?

** Make sure IPv6 is enabled (don't ask why, I don't know).
** Make sure your server meets all of the prereqs for your Exchange version!
** Make sure you have at least the minimum supported version of Exchange installed (see below). [Note: AD server functional requirements are a bit more lax.]

Exchange Version

Option 1 - appwiz.cpl & change the Exchange installation
 (If the install media is still on the system) go to appwiz.cpl and right click > Change on Exchange Server. Also make sure the management tools are checked.

Option 2 - Fix the installation with a CU
  1. If the EMC is broken, open it up and under Help find the version. The version will tell you the proper SP you need to download from Microsoft's website. Google it.
  2. Download the SP found above.
  3. Run the SP, unzip it & run setup.
  4. Try repairing the install.
  5. Otherwise, check and uncheck the Management Tools & reinstall.

For more information on troubleshooting, see the Microsoft Documentation

──────────────────────────────────────────────────────────────────────────────────

Logging and Backups

Exchange logging in older versions is not configured by default and has to be enabled.

For POP3 and IMAP logs, navigate to the configuration files located at:

C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.config
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe.config

and add the following line inside the <appSettings> element of each file (it is an XML element, so it has to sit inside that section rather than after the closing </configuration> tag):

<add key="ProtocolLog" value="true" />

Once these lines are added, restart the services from the Exchange Management Shell (note that `&&` is not valid in Windows PowerShell, so the two commands are separated with `;`):

Restart-Service MSExchangePop3; Restart-Service MSExchangeImap4

To change the location of the log files (here to the folders C:\Pop3Logs and C:\Imap4Logs), run the following commands in the Exchange Management Shell:

Set-PopSettings -ProtocolLogEnabled $true -LogFileLocation "C:\Pop3Logs"
Set-ImapSettings -ProtocolLogEnabled $true -LogFileLocation "C:\Imap4Logs"

It is also possible to adjust these settings via the management GUI.


SMTP

In MS Exchange 2010, from the EMC go to Server Configuration > Hub Transport > {server name} properties > Log Settings.

SMTP Log Settings

Click on Default (25) & Client (587) and make sure the protocol logging level is set to Verbose.

SMTP Log Settings

In MS Exchange 2016, in the EAC go to Servers > server name > transport logs.

Note: log setting locations may vary in other versions.



Default Log Locations

SMTP logs are located in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend and ...\SmtpReceive, as well as C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\Hub\ProtocolLog.

POP3 and IMAP logs are located in C:\Program Files\Microsoft\Exchange Server\V14\Logging\PopImap (or, depending on the version, ...\Logging\Pop3 and ...\Logging\Imap4).

Note: C:\Program Files\Microsoft\Exchange Server\V14\ is the default installation path. This may vary depending on where you initially installed Exchange and what version you are using.
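Once verbose protocol logging is on, the SmtpReceive log is where the plaintext authentication enabled earlier in this guide becomes visible. The parser and check below are an added example, not part of the original post: the "#Fields:" column list is the real SmtpReceive layout (event column: + connect, - disconnect, > sent, < received, * information), while the sample sessions, hosts and addresses are constructed. It flags any session that sent AUTH before the server accepted STARTTLS, which is exactly what a client using the lab's cleartext setting produces.

```python
import csv

# Constructed sample in the layout of an Exchange SmtpReceive protocol log. The
# "#Fields:" header is the real column list; sessions, hosts and addresses are made up.
# Session S1 authenticates in the clear; S2 negotiates STARTTLS before AUTH.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-01-01T10:00:00.000Z,EXCH1\Client EXCH1,S1,0,10.0.0.5:587,10.0.0.50:50001,+,,
2024-01-01T10:00:00.010Z,EXCH1\Client EXCH1,S1,1,10.0.0.5:587,10.0.0.50:50001,<,EHLO pc1,
2024-01-01T10:00:00.020Z,EXCH1\Client EXCH1,S1,2,10.0.0.5:587,10.0.0.50:50001,<,AUTH LOGIN,
2024-01-01T10:00:00.030Z,EXCH1\Client EXCH1,S1,3,10.0.0.5:587,10.0.0.50:50001,*,,authenticated user
2024-01-01T10:00:00.040Z,EXCH1\Client EXCH1,S1,4,10.0.0.5:587,10.0.0.50:50001,-,,Local
2024-01-01T10:01:00.000Z,EXCH1\Client EXCH1,S2,0,10.0.0.5:587,10.0.0.51:50002,+,,
2024-01-01T10:01:00.010Z,EXCH1\Client EXCH1,S2,1,10.0.0.5:587,10.0.0.51:50002,<,STARTTLS,
2024-01-01T10:01:00.020Z,EXCH1\Client EXCH1,S2,2,10.0.0.5:587,10.0.0.51:50002,>,"220 2.0.0 SMTP server ready, start TLS",
2024-01-01T10:01:00.030Z,EXCH1\Client EXCH1,S2,3,10.0.0.5:587,10.0.0.51:50002,<,AUTH LOGIN,
2024-01-01T10:01:00.040Z,EXCH1\Client EXCH1,S2,4,10.0.0.5:587,10.0.0.51:50002,-,,Local
"""

def parse_protocol_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#") and fields:
            # csv handles the quoted data column (server replies may contain commas)
            yield dict(zip(fields, next(csv.reader([line]))))

def find_cleartext_auth(text):
    """Return {session-id: remote-endpoint} for every session that sent AUTH before
    the server had accepted STARTTLS (a 220 reply to the client's STARTTLS)."""
    tls_requested, tls_active, flagged = set(), set(), {}
    for rec in parse_protocol_log(text):
        sid, ev, data = rec["session-id"], rec["event"], rec["data"].upper()
        if ev == "<" and data.startswith("STARTTLS"):
            tls_requested.add(sid)
        elif ev == ">" and data.startswith("220") and sid in tls_requested:
            tls_active.add(sid)                  # everything after this is encrypted
        elif ev == "<" and data.startswith("AUTH") and sid not in tls_active:
            flagged[sid] = rec["remote-endpoint"]
    return flagged
```

Run find_cleartext_auth over the contents of a real SmtpReceive log file; on a correctly configured connector the result should be empty.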

Event Viewer Filters

Located in the "Application Log". Note: these won't show the emails sent, but will show issues.

Located in the "System Log".


Backups!

Exchange 2010 and later versions have a built-in backup utility that can be used to back up the server. It is recommended to back up the server before making any changes to it.

To set this up:

  1. Install the Windows Server Backup features:
     CMD:
       servermanagercmd -i Backup-Features
     PowerShell (`;` separates the commands; `&&` is not valid in Windows PowerShell):
       Import-Module ServerManager; Add-WindowsFeature Backup-Features
  2. In Task Manager, disable the Microsoft Exchange Replication service.
  3. Run the command "ntbackup" and run a full server backup: back up once, and specify the location.
  4. Re-enable the Microsoft Exchange Replication service in Task Manager.

For more information on setting up backups, see the Microsoft Documentation

──────────────────────────────────────────────────────────────────────────────────

Conclusion

Setting up an email server can be a daunting task, but it is a great way to learn about how systems work and how to secure them. Hopefully this guide helps demystify Microsoft Exchange for you. Happy learning!