Exchange Server Configurations


Deploying antivirus software and making sure TCP port 25 is not available as an open relay for viruses are two main configuration areas that you must address for your Exchange environment.
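The open-relay check on port 25 can be verified from the outside rather than only by inspecting the relay settings. The following script is an added example, not part of this article or of any Microsoft tool: it opens one unauthenticated SMTP session to a server you administer, presents a sender and recipient in two domains the server is not authoritative for (both addresses are constructed placeholders), and reports the verdict from the reply to RCPT TO; the session is reset and closed, so no message is ever delivered.

```python
import smtplib

# Constructed placeholder addresses: both domains are outside the server's accepted
# domains, so a server that accepts the RCPT TO is relaying for third parties.
PROBE_SENDER = "relay-probe@sender-external.example"
PROBE_RECIPIENT = "relay-probe@recipient-external.example"


def classify_rcpt_reply(code: int) -> str:
    """Map the SMTP reply code to RCPT TO into a relay verdict.

    2xx means the server accepted a recipient it is not responsible for (open relay);
    5xx is the expected permanent rejection (for example 550 5.7.1 Unable to relay);
    4xx is a temporary refusal that needs a retry or a manual look, not a verdict."""
    if 200 <= code < 300:
        return "OPEN_RELAY"
    if 500 <= code < 600:
        return "RELAY_DENIED"
    if 400 <= code < 500:
        return "TEMPORARY_FAILURE"
    return "UNEXPECTED"


def check_open_relay(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Run one unauthenticated relay probe against your own SMTP listener.

    The session is abandoned with RSET and QUIT after RCPT TO, so nothing is sent."""
    result = {"host": host, "port": port, "verdict": "UNREACHABLE", "rcpt_reply": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # QUIT on exit
            smtp.ehlo_or_helo_if_needed()
            code, _ = smtp.mail(PROBE_SENDER)
            if code != 250:
                result["verdict"] = "MAIL_FROM_REJECTED"
                return result
            code, msg = smtp.rcpt(PROBE_RECIPIENT)
            result["rcpt_reply"] = f"{code} {msg.decode(errors='replace')}"
            result["verdict"] = classify_rcpt_reply(code)
            smtp.rset()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    print(check_open_relay(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it from a host outside your network against the gateway's public address; a verdict of RELAY_DENIED is the expected result, and OPEN_RELAY means the relay restrictions need to be fixed before anything else on this page.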

Before you review the configuration recommendations, keep in mind several important policy recommendations:

  • Do not run e-mail clients on the Exchange server. If an e-mail client running on the Exchange computer becomes infected, the infected client turns your mail server into an infected mail server.

  • Do not browse the Internet from the Exchange computer for the same reasons. A general best practice in reducing the attack surface is to minimize the applications running on an Exchange server.

  • Keep your Exchange servers up-to-date with the latest security updates from Microsoft.

  • Lock down your Exchange servers by following the recommendations in the Exchange Server 2003 Security Hardening Guide.

Deploy Antivirus Software at the SMTP Gateway or on the Mailbox Servers

At a minimum, you must deploy antivirus software designed for messaging systems at either the Simple Mail Transfer Protocol (SMTP) gateway or the Exchange servers that host mailboxes. The two resources listed in the following Resources section explain the strategies you can use in planning your messaging antivirus deployment and the different types of message scanning available. The types of antivirus software you choose and where you deploy them are determined by the balance between the cost you are willing to tolerate and the risk you are willing to assume.

For example, some organizations run antivirus messaging software at the SMTP gateway, antivirus file-level scanning at the Exchange server, and antivirus client software on the user desktop. This approach provides messaging-specific protection at the gateway, general file-level protection at the mail server, and protection at the client. Other organizations may assume greater cost and security by running the same scheme with the addition of antivirus software compatible with Exchange VSAPI 2.5 on the Exchange mailbox server.

Recommendations

  • Run client antivirus software on the desktop. If you are running antivirus software designed for messaging systems (it can parse and scan MIME) at the gateway or on the Exchange server, running a file-level scanner at the desktop is sufficient.

  • At a minimum, deploy antivirus software designed for messaging systems at either the SMTP gateway or the Exchange servers that host mailboxes. For the most protection, run antivirus software at the gateway that scans inbound MIME messages, and a scanner on the Exchange server that uses VSAPI 2.5.

Resources