Microsoft is touting Exchange Server 2007 as a major step forward in message content filtering and control; the collective set of antispam and anti-phishing features is now labeled “message hygiene” functionality. At a high level, Exchange 2007’s message hygiene features look much like Exchange Server 2003’s. Like Exchange 2003, Exchange 2007 includes an integrated antispam filter, built-in interfaces for antivirus scanning, and a set of content-protection features, including the ability to block or drop connections based on the originating IP address, the sender address, or the recipient. Where Exchange 2007 departs from Exchange 2003 is in a handful of major architectural changes that are worth discussing in more detail. Let's take a look at those changes, and I'll discuss how they might affect your plans to deploy Exchange 2007.
The Edge Server
Arguably, the biggest difference between Exchange 2003's and Exchange 2007's message hygiene functionality is the introduction of a server role that exists solely for message hygiene. The Edge Transport (or just “Edge”) role is a separate Exchange role that must be installed on a server hosting no other Exchange server role; it was designed to act as a dedicated bastion host for processing Internet email. That separation is what makes the design sound: a host that does nothing but transport can be stripped down to a minimal attack surface, which is exactly what you want in the one Exchange box that is directly exposed to Internet traffic.
Whereas Microsoft recommended against installing Exchange 2003 front-end servers in a network’s perimeter or demilitarized zone (DMZ), with Exchange 2007 Microsoft now explicitly recommends placing Edge servers in exactly that position. The reasoning is that an Exchange 2003 front-end server must be a domain member and requires several additional ports to be opened from the perimeter to the back-end servers and to Active Directory, whereas the Edge server is a different beast altogether. It doesn’t have to be a domain member (in fact, you can’t install the role in a forest that contains non-Edge Exchange servers), so an attacker who compromises an Edge server can’t easily pivot from that foothold into an attack on the domain. In addition, Exchange 2007 includes an extension to the Windows Security Configuration Wizard (SCW) that automates the process of hardening an Edge server so that it is safe to expose directly to the Internet. . . .
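The exposure model above (standalone host, nothing listening but what transport needs) is something you can check rather than assume. The following script is an added example, not part of the original article or of Microsoft's Exchange tooling. It is meant to be run on the Edge server itself and reports deviations from that model: domain membership, and TCP listeners beyond the ports the role needs. The expected port set is an assumption stated in the code (TCP 25 for SMTP from the Internet and the Hub Transport servers, TCP 50636 for the secure LDAP channel EdgeSync uses against the Edge server's local AD LDS/ADAM instance); adjust it to your build, and treat the SCW registration command in the comments as something to verify against the Exchange 2007 documentation for your version.

```powershell
# Added example (not from the original article): read-only audit of an Edge
# Transport server's exposure. Run locally on the Edge box in an elevated shell.
#
# ASSUMPTION: the only non-loopback TCP listeners an Edge server should expose
# are SMTP (25) and the EdgeSync LDAPS port (50636, AD LDS/ADAM default).
# Add 3389 here if you manage the box over RDP from the internal network.
$expectedPorts = @(25, 50636)
$findings = @()

# Check 1: Edge should run standalone (workgroup) or in a separate perimeter
# forest, never as a member of the forest that holds your other Exchange roles.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Server is joined to domain '$($cs.Domain)'; an Edge server is expected to run standalone so a compromise cannot pivot into the forest."
}

# Check 2: enumerate listening TCP sockets with netstat (available on both
# Windows Server 2003 and 2008) and flag anything outside the expected set.
netstat -ano | ForEach-Object {
    # Example line:  TCP    0.0.0.0:25    0.0.0.0:0    LISTENING    1234
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
        $addr   = $matches[1]
        $port   = [int]$matches[2]
        $procId = [int]$matches[3]
        $isLoopback = ($addr -eq '127.0.0.1' -or $addr -eq '[::1]')
        if (-not $isLoopback -and -not ($expectedPorts -contains $port)) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
            $findings += "Unexpected listener ${addr}:$port (PID $procId, $name); confirm it is needed or have SCW block it."
        }
    }
}

# Check 3 (manual): the Exchange 2007 SCW extension is registered before the
# wizard is run. ASSUMPTION, verify against your version's documentation:
#   scwcmd register /kbname:Ex2007EdgeKB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"
# Then run SCW, select the Edge role, and apply the resulting policy.

if ($findings.Count -eq 0) {
    "No deviations from the Edge exposure model found."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once after the SCW policy is applied and again after each Exchange rollup or Windows update; a new listener appearing on a host that is deliberately sitting in the DMZ is exactly the kind of drift the Edge design is supposed to prevent.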

