While creating an architecture for a client, it was revealed that they have a system in place at the moment that, for inbound email, holds all messages with attachments overnight, which are then released in the morning by the security personnel. The value this process provides is an open question, but I'm trying to determine if this can be done in Exchange 2007. Just suspending queues is pretty straightforward, but the way they do it now is they only hold messages with attachments; plain-text messages are allowed to go through.
Any ideas on how/if this can be accomplished in E2K7?
Thanks,
Andy
It should be possible to create an Edge Transport rule that sends all emails with attachments to a specific "security mailbox". If the mail is OK with the security guys, they can go ahead and forward the messages.
I'm not sure if your customer would like that idea though.... what sort of mail system do they use now?
- Joel
They're using Sendmail with home-brewed scripts and add-ons to do this (along with some other funky stuff). What's happening now is that, basically, messages with attachments are "frozen" until the morning and then released; it's simply a "one-button" affair to release them. I can't see them going for having the messages forwarded to a mailbox. I've been looking for something along the lines of doing a "get-message" and then manipulating those messages somehow, but I don't see any way to determine which messages have attachments using PowerShell.
I can dig around a little later today.... but perhaps you can look at this from the other side. Is there a legitimate reason for this process? Is there another way to address their concerns? Perhaps by blocking certain types of files or providing more levels of antivirus (using multiple engines in Forefront)?
Those are good points, and I raised them the first time they explained this process to me. I'm working those angles simultaneously, but I'm also proactively trying to come up with a way to do this in case I can't convince them to go with a different approach. So far, the response from their security people is "This was a measure that was implemented and approved by management after our department was down for days due to the Melissa virus. This is an operational requirement." I've asked them to provide instances from the last 3-5 years where this process has caught something that wasn't already caught by the multiple levels of scanning they're doing, but they're of the mindset that "it's still possible".
I hope you win their business Andy, because it appears they need your expertise!
Perhaps showing them some deployment whitepapers on best practices may help.
One other thought I had was can you use a transport rule to set the SCL up to a point where it is quarantined? Then the admin can go to the quarantine mailbox and release the required email?
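The following Exchange Management Shell sketch is an added example of the idea above (a transport rule that raises the SCL so the Content Filter agent quarantines the message); it is not code from this thread or from any of the posters. The rule name, the quarantine mailbox address, the SCL value used as the hold marker, and the assumption that this runs on an Edge Transport server (where the Edge Rule agent is ahead of the Content Filter agent in the pipeline) are all assumptions, not facts from the thread. Exchange 2007 has no "has attachment" predicate, so the AttachmentSizeOver predicate with a very small size stands in for it.

```powershell
# Added example, not from the thread. Exchange 2007 Management Shell, Edge Transport role assumed.
# Assumed values (change to suit the environment):
$RuleName          = "Hold inbound messages with attachments"   # assumed rule name
$QuarantineMailbox = "attachment-hold@contoso.com"              # assumed quarantine mailbox
$HoldScl           = 5                                          # assumed SCL used as the hold marker

# 1. Condition: "any attachment". There is no has-attachment predicate in E2K7, so use
#    AttachmentSizeOver with a tiny threshold. Attachments smaller than this still slip
#    through; tune it (and test it) against what the client actually wants held.
$hasAttachment      = Get-TransportRulePredicate AttachmentSizeOver
$hasAttachment.Size = 1KB

# 2. Action: stamp the hold marker SCL on the message.
$setScl          = Get-TransportRuleAction SetScl
$setScl.SclValue = $HoldScl

New-TransportRule -Name $RuleName `
    -Conditions @($hasAttachment) `
    -Actions    @($setScl) `
    -Comments   "Overnight hold of attachments; released manually from the quarantine mailbox" `
    -Enabled    $true

# 3. Content Filter: quarantine at the marker value. Delete and reject are evaluated
#    before quarantine, so keep their thresholds (defaults 9 and 7) above $HoldScl.
#    Side effect to weigh: spam the filter itself scores between $HoldScl and the reject
#    threshold also lands in the quarantine mailbox instead of the users' Junk E-mail folder.
Set-ContentFilterConfig -SCLQuarantineEnabled $true `
    -SCLQuarantineThreshold $HoldScl `
    -QuarantineMailbox $QuarantineMailbox

# 4. Checks before trusting it. The whole idea depends on the Content Filter agent acting
#    on the SCL the rule stamped, so confirm the agent order and then send a test message
#    with a small attachment and verify it shows up in the quarantine mailbox.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize
Get-TransportRule $RuleName | Format-List Name, Conditions, Actions, Enabled
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
```

Two caveats a practitioner would want before putting this in a design: on a Hub Transport server the Transport Rule agent runs later in the pipeline than the Content Filter agent, so the SCL set by the rule would not influence the quarantine decision there; and release from the Exchange 2007 quarantine mailbox is done per message (Outlook's "Send Again" on the quarantined item), which is not the "one-button" bulk release described earlier in the thread.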
Oh, and I'm also tinkering with Forefront for Exchange and the Forefront Security Management Console to see what they can offer for this as well.
Now, that's a cool thought... that may work, and it could be scripted. I've been focused on trying to manipulate the queues.
This part of the engagement is to come up with a high-level architecture for them that can then be taken and used as the template for a detailed design. So, I don't really have to come up with a complete solution at the moment, just a high-level blueprint that's feasible to design against.