Sophos Puremessage Exchange 2019

PureMessage began as a Unix-based, command-line mail filtering tool, and it still retains many aspects of its origins. Exchange 2019 is not supported by PureMessage for Exchange 4.0.4, which is the latest version; see the Sophos article on supported operating system and Exchange versions. Installation fails on Exchange servers that have been updated to Exchange 2013 Service Pack 1 unless PureMessage for Microsoft Exchange 4.0.4 or higher is used (see "Information about Sophos PureMessage for Microsoft Exchange 4.0.4").

The article "Abusing the Exchange Postmaster to Expose Email Spam & Malware Filters", published October 24, 2020, follows the product information below.

Overview:

Sophos PureMessage for Microsoft Exchange provides you with integrated email gateway and Exchange mail store protection. Guard against email-borne threats such as spam, phishing, viruses and spyware. Control information sent and received both internally and externally. Protect your company against the loss of confidential information or inappropriate use of the email system.

Key benefits

  • Detects, disinfects, deletes or quarantines viruses, spyware, Trojans and worms
  • Blocks up to 98% of spam and protects against email scams, including phishing attacks
  • Employs Genotype technology to catch evolving spam campaigns and new virus variants
  • Provides consistent and automatic email policy enforcement
  • Prevents confidential and sensitive information being emailed out of the organization
  • Controls attachment types contained within inbound, outbound and internal email
  • Uniquely identifies archives, executables, music and video formats, using true file type recognition
  • Integrates seamlessly with Microsoft Exchange without compromising performance or integrity
  • Manages multiple Exchange or IIS servers and email policy from one console
  • Enables the use of Active Directory users and groups within email policy
  • Provides insight into email traffic profile and threat protection through a real-time dashboard
  • Uses an end-user spam quarantine for quick retrieval of legitimate messages
  • Updates automatically with the latest protection from SophosLabs
  • Includes 24/7 certified expert support. Contact us anytime for one-to-one assistance

Features:

Comprehensive multithreat protection

Prevent viruses: Genotype virus detection technology proactively blocks families of viruses even before specific virus signatures are available.

Code scanning: A range of technologies, including Dynamic Code Analysis, pattern matching, emulation and heuristics, automatically checks for malicious code.

Detect and quarantine: Proactively block families of spam campaigns. Our Genotype spam detection technology detects up to 98% of spam. The intuitive end-user interface and spam digests allow you to review quarantine contents.

Spam blocking: The comprehensive multilanguage spam engine is constantly updated with new spam rules by SophosLabs.

Central management from a single console

Centralized management: PureMessage provides an intuitive management console. Manage single or multiple Exchange server deployments from one location.

Activity monitoring: You can quickly view the status of your servers, email throughput and quarantine areas via the email security dashboard and activity monitor.

Cluster support: A cluster-aware service within PureMessage provides support for Active/Passive Exchange clusters.

Corporate policy enforcement

Customizable policies: Our policy engine allows email policies to be configured for a specific email direction: inbound, outbound or internal.

Configurable user rules: Integration with Microsoft Active Directory allows you to set up email policy rules for specific users and groups.

Available policies: Ready-to-use policies can block all file types known to carry potential threats or monitor emails containing offensive language.

Keyword search: Define your policies to search for phrases or regular expressions within emails and attachments, including all common office file formats.

Secured information: Take advantage of consistent email policy enforcement. Prevent confidential or sensitive information from being accidentally or maliciously emailed outside or within your organization.

Comprehensive reporting and analysis

Visual reporting: A graphical report tool lets you create configurable management reports, highlighting trends and any areas of concern.

Data analysis: You can easily export report data for further analysis or inclusion in wider management reports.

Industry-leading expertise 24/7

Access our experts: Our 24/7 support is highly acclaimed. SophosLabs, our global network of threat analysis centers, provides a rapid response to emerging and evolving threats.

Languages available

English, Japanese

Licensing

How you buy Sophos Protection for Microsoft Exchange is up to you. It's included in all of our Endpoint Protection licenses, Sophos Protection Suites, and our Email Security and Data Protection. Or buy it separately—your choice.

Email Product Comparison:

Sophos Email Product Comparison

Columns compared: Sophos Email Appliances; PureMessage for UNIX; PureMessage for Microsoft Exchange; PureMessage for Lotus Domino.

Network location
  • Email Appliances: Gateway
  • PureMessage for UNIX: Gateway
  • PureMessage for Exchange: Gateway and groupware
  • PureMessage for Domino: Groupware

Organization size
  • Email Appliances: for organizations of all sizes. ES1000 processes up to 50,000 messages/hour; ES5000 up to 380,000 messages/hour; ES8000 up to 550,000 messages/hour. Appliances can be clustered for scalability and multi-site environments.
  • PureMessage for UNIX: 50–25,000+ end users
  • PureMessage for Exchange: 50–10,000+ end users
  • PureMessage for Domino: 50–10,000+ end users

Customer requirements
  • Email Appliances: appliance-based protection against spam, malware and data leakage plus enforcement of custom messaging policies, with minimal administrative overhead; end-user spam quarantine; more reliable and accessible support services
  • PureMessage for UNIX: complete protection from spam, malware and data loss, plus enforcement of custom messaging policies; extensive user- or group-based policy flexibility; delegated administration; end-user spam quarantine
  • PureMessage for Exchange: spam and malware protection in a single or clustered Microsoft Exchange server environment; virus protection for Exchange message stores using standard Microsoft APIs; control of email traffic by attachment content, file type, size and email content; end-user spam quarantine
  • PureMessage for Domino: malware and spam protection in a single or replicated Domino server environment; control of email traffic by attachment content, file type, size or message content; end-user spam quarantine

Ideal customer profile
  • Email Appliances: organizations with limited in-house IT resources dedicated strictly to security; organizations seeking to reduce the time spent on email security
  • PureMessage for UNIX: large or complex organizations with established UNIX skills and diverse email management requirements (group, department, customer), such as higher education, government and managed email service providers
  • PureMessage for Exchange: small, medium and large organizations wanting anti-virus protection for their Exchange message stores and a standard Windows gateway solution for spam, virus and spyware protection and email content control
  • PureMessage for Domino: small, medium and large organizations looking for anti-virus and anti-spam protection for their Lotus Domino servers, content filtering and disclaimers

Installation
  • Email Appliances: easy installation in any network – plug and protect
  • PureMessage for UNIX: supports a range of single- and multi-server installation options
  • PureMessage for Exchange: easy installation via InstallShield Wizard; out-of-the-box settings provide immediate protection from malware and spam
  • PureMessage for Domino: easy installation via InstallShield Wizard; recommended default policies can easily be enabled to provide protection

Supported platforms
  • Email Appliances: web-based management console; onboard software is a hardened FreeBSD operating system with the Postfix MTA
  • PureMessage for UNIX: web-based management console; PureMessage software runs on Linux, Solaris and FreeBSD (virtualization: Linux on VMware ESX and Sun Solaris 10 containers); MTAs: Sendmail 8.11.6 or higher (8.13.6 inc.), Postfix 2.0.x and 2.1 or higher (2.5.4 inc.); also supports Sun Java System Messaging Server 6 and SunOne Messaging Server 5.2 on Solaris and SPARC
  • PureMessage for Exchange: management console on Windows XP/2003 and above with MMC 3 (Active Directory optional); PureMessage services on Microsoft Exchange Server 2003/2007/2010, Microsoft SQL 2005/2008 and IIS; clustering: Exchange 2010 DAGs; Exchange 2007 SCC, CCR; Exchange 2003 R2 SCC, CCR; Exchange 2003 and earlier SCC
  • PureMessage for Domino: email server Lotus Domino R7, R8.0x and R8.5 (32-bit/64-bit)*; PureMessage software on Windows 2000 Server, Windows Server 2003 (32-bit/64-bit) and Windows Server 2008 (32-bit/64-bit)

*Lotus Domino server R6 is supported by PureMessage for Notes/Domino v3

Management console
  • Email Appliances: web-based, with 'three-clicks-to-anywhere' navigation; designed for management by exception – the system notifies the admin when attention is required
  • PureMessage for UNIX: web-based GUI and UNIX command line
  • PureMessage for Exchange: Windows MMC snap-in with an Exchange 2007-style layout
  • PureMessage for Domino: Domino-based interface

Database
  • Email Appliances: not applicable
  • PureMessage for UNIX: PostgreSQL 8 (bundled)
  • PureMessage for Exchange: SQL Server Express 2005 (bundled) or SQL Server
  • PureMessage for Domino: Domino databases

Multi-server capability
  • Email Appliances: up to 10 appliances can be clustered for scalability and centrally managed in single- or multi-site environments
  • PureMessage for UNIX: highly configurable – synchronized administration with the option to distribute functions across multiple servers
  • PureMessage for Exchange: manage and monitor all email servers from one console; supports Exchange clustering; quarantine and reporting data from multiple servers can be stored in a single database
  • PureMessage for Domino: supports Domino clustering

Quarantine management
  • Email Appliances: administrator – powerful message tracking with single-point access to logs and onboard quarantine; end user – personal quarantine accessed via email digest or web interface
  • PureMessage for UNIX: administrator – consolidated and group-based view of quarantined items across all servers; end user – personal quarantine accessed via email digest or web interface
  • PureMessage for Exchange: administrator – consolidated view of quarantined items across all Exchange servers; end user – personal quarantine accessed via email digest or web interface, with Active Directory single sign-on
  • PureMessage for Domino: administrator – consolidated view of quarantined items across all Domino servers; end user – optional devolution of review and release of non-malware and non-spam quarantined files to end users

Allow lists and block lists
  • Email Appliances: both administrator- and end-user-defined allow and block lists
  • PureMessage for UNIX: both administrator- and end-user-defined allow and block lists
  • PureMessage for Exchange: administrator-defined allow and block lists
  • PureMessage for Domino: administrator-defined allow and block lists

Policy enforcement
  • Email Appliances: easy-to-use, highly flexible policy wizard for defining custom policies for inbound and outbound email; prioritize, activate or deactivate policy rules quickly and easily; customized policies for attachments and unwanted and malicious content; searches for content within attachments created using common office applications; routing to third-party encryption or archiving systems; adds disclaimers (global, user or group)
  • PureMessage for UNIX: fully configurable, highly flexible policy engine for inbound and outbound email; customized policies for attachments and unwanted and malicious content; searches for content within common office application files; adds disclaimers (global, user or group); integrates with third-party encryption or archiving systems
  • PureMessage for Exchange: customized policy for unwanted and malicious content and attachments; policies for inbound, outbound and internal email flows; uses Active Directory users and groups within email policy; searches for content within common office application files; adds disclaimers
  • PureMessage for Domino: customized policy for unwanted and malicious content and attachments; adds disclaimers

Spam thresholds
  • Email Appliances: configurable policies for medium- and high-risk spam
  • PureMessage for UNIX: multiple configurable policies and thresholds
  • PureMessage for Exchange: configurable policies for medium- and high-risk spam
  • PureMessage for Domino: multiple configurable policies and thresholds

Reputation filtering
  • Email Appliances: Sender Genotype blocks email from known bad senders at MTA or policy level, and proactively detects botnet senders
  • PureMessage for UNIX: Sender Genotype blocks email from known bad senders at MTA or policy level, and proactively detects botnet senders
  • PureMessage for Exchange: blocks email from known bad senders as part of spam analysis
  • PureMessage for Domino: blocks email from known bad senders as part of spam analysis

Virus policy
  • All four products: policy customization for viruses and encrypted, suspicious and restricted attachments

Languages supported
  • Email Appliances: mail processing (anti-virus and anti-spam) fully internationalized; end-user interface in English, French, German, Italian, Spanish, Japanese, Traditional Chinese, Simplified Chinese and Swedish; management console in English
  • PureMessage for UNIX: mail processing (anti-virus and anti-spam) fully internationalized; end-user interface in English, French, German, Italian, Spanish, Swedish, Japanese and Traditional Chinese; management console in English
  • PureMessage for Exchange: mail processing (anti-virus and anti-spam) fully internationalized; admin and end-user interfaces in English and Japanese
  • PureMessage for Domino: mail processing fully internationalized; admin and end-user interfaces in English

Customization via Sophos ProServices
  • Email Appliances: no
  • PureMessage for UNIX: yes – Sophos Professional Services provides a range of customizations
  • PureMessage for Exchange: no
  • PureMessage for Domino: no

User directory management
  • Email Appliances: fully synchronized and automated Active Directory integration, with tools for manual integration with other LDAP-based directory services
  • PureMessage for UNIX: built-in list management, plus LDAP or Active Directory
  • PureMessage for Exchange: fully synchronized and automated Active Directory integration
  • PureMessage for Domino: Domino directory integration

Features & Capabilities

Columns compared: Email Appliances (Hardware/Virtual); PureMessage for UNIX; PureMessage for Microsoft Exchange; PureMessage for Lotus Domino.

Deployment (Network Gateway or Mail Server)
  • Email Appliances: Network Gateway
  • PureMessage for UNIX: Network Gateway
  • PureMessage for Exchange: Exchange Server/Cluster
  • PureMessage for Domino: Domino Server/Cluster

Feature rows compared across the four products:
  • Threat protection: Sophos Anti-virus; Zero-day protection; Malicious URL blocking; Spam protection; Sender Genotype Reputation Filtering; Live Anti-spam
  • Data protection: Integrated policy-based SPX Encryption; Integrated TLS encryption; Content filtering rules; Offensive content blocking; Content aware DLP; SophosLabs managed DLP dictionaries
  • Management: Real-time dashboard; Policy based reporting
  • Support: Managed appliance service; 24/7/365 Support

Free updates/upgrades
  • Email Appliances: 3 years
  • PureMessage for UNIX: N/A
  • PureMessage for Exchange: N/A
  • PureMessage for Domino: N/A

Specifications:

What you need

Console

Operating systems

  • Windows XP/2003 and above

Memory

  • 256 MB minimum, 512 MB recommended

Disk space

  • 150 MB

Clustering

  • Exchange 2010: DAGs
  • Exchange 2007: SCC, CCR
  • Exchange 2003 R2: SCC, CCR
  • Exchange 2003 & earlier: SCC

Services

Operating systems

  • Windows 2003 (32-/64-bit)
  • Windows Small Business Server 2003
  • Windows Server 2008 (32-/64-bit)

Microsoft Exchange versions

  • Exchange 2003/2007/2010

Microsoft SQL versions

  • SQL 2005/2008/R2
  • SQL Mirroring

Memory

  • Exchange 2003: 1 GB minimum, 2 GB recommended
  • Exchange 2007/2010: 2 GB minimum, 4 GB recommended

Disk space

  • Up to 2 GB

Documentation:

Sophos Email Protection

Download the Sophos PureMessage for Microsoft Exchange Data Sheet (PDF).

Download the Sophos Email Product Comparison (PDF).

Download the Sophos Email Security and Data Protection Data Sheet (PDF).

Pricing Notes:

  • Pricing and product availability subject to change without notice.
PureMessage for Microsoft Exchange - 1 Year Renewal
  • PureMessage Exchange (AV, AS, content) - 200-499 Users - 1 Year - Renewal, Anti-virus only. Price per user; quantity must be 200 or greater. Special pricing requests available: please call or contact us. #PMEI1CTAA. List Price: $14.50
  • PureMessage Exchange (AV, AS, content) - 500-999 Users - 1 Year - Renewal, Anti-virus only. Price per user; quantity must be 500 or greater. Special pricing requests available: please call or contact us. #PMEJ1CTAA. List Price: $11.50

For more than 1,000 Users, please use Quote Request Form!

PureMessage for Microsoft Exchange - 2 Year Renewal
  • PureMessage Exchange (AV, AS, content) - 200-499 Users - 2 Year - Renewal, Anti-virus only. Price per user; quantity must be 200 or greater. Special pricing requests available: please call or contact us. #PMEI2CTAA. List Price: $21.75
  • PureMessage Exchange (AV, AS, content) - 500-999 Users - 2 Year - Renewal, Anti-virus only. Price per user; quantity must be 500 or greater. Special pricing requests available: please call or contact us. #PMEJ2CTAA. List Price: $17.25

For more than 1,000 Users, please use Quote Request Form!

If your organisation uses Microsoft Exchange on-premises (i.e. Exchange Server 2010/13/16/19) or Exchange Online, you are likely broadcasting sensitive information through the default Postmaster Non-Delivery Report (NDR). Read on to find out what the impact is and how to detect whether this affects you.

Today I want to shine a light on an extremely widespread and seemingly little-known security risk that plagues organisations using Microsoft Exchange on-premises or Online. The risk is the result of a misconfiguration that allows threat actors to see which spam and malware filtering technologies are in use, their rules, the actual scoring and the version of those technologies, all without any form of user interaction.

The ability to see this information undermines the very purpose of spam and malware filters. With it, threat actors can deliver custom-built spear-phishing campaigns knowing that their emails will land in users' mailboxes.

How?

Through abuse of the Exchange Postmaster.

Under normal circumstances the Postmaster is used for delivering system-generated messages and notifications to message senders. Most commonly these are created when there is a problem delivering a message: Exchange sends a Non-Delivery Report (NDR) to the sender indicating what went wrong.

The information included in the default NDR is designed to be useful for both users and administrators. It's important to note this, because it's exactly this dual purpose that makes it open to abuse.

What Information is included in a Postmaster NDR?

The information that's included in an NDR can be separated into two sections:

  1. User information section: This section appears first and attempts to explain (in non-technical terms) why delivery of the message failed.
  2. Diagnostic information for administrators section: This section provides deeper technical information to help administrators troubleshoot the issues that caused the delivery failure. It's in this section that the issue lies.

The Diagnostic information for administrators section that Exchange on-premises includes carries an unaltered extract of the original inbound message headers, including every mail relay hop and any sensitive headers that were never meant for external viewing.

What's the problem with this?

Modern mail filters are designed with interoperability front of mind. Because of this, mail headers are typically the vehicle used to communicate information along the mail relay chain. For example, your malware filter may want to inform your spam filter of its findings; your spam filter may then add further headers indicating that the message has been scanned against criteria X, Y and Z, and so on all the way to Exchange.

Couple this with the fact that any external sender can extract this information simply by sending an email to a non-existent user (e.g. a made-up local part at <target-domain.com>), and we have a big issue with an Exchange NDR process that is enabled by default.

Diving into the Message Headers

If we look at a few example message headers that various spam and malware filtering technologies add along the relay chain (all of them visible in the NDR), the issue is immediately obvious:

(Header screenshots: Proofpoint SEG, Cisco IronPort, Sophos PureMessage)

Equipped with this data, threat actors can methodically build a custom spear-phishing email with near-certainty that it will land in the target's mailbox, bypassing whatever spam and malware filtering you have in place.
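To make the leak concrete, here is an added example (not code from the original post) that parses an NDR of the shape Exchange generates and lists the relay hops and filter-identifying headers its diagnostic section discloses. The sample NDR, the host names and every header value are constructed, and the vendor header-name prefixes (X-Proofpoint-, X-IronPort-, X-PMX-, X-Spam-) are assumptions to be adjusted for the products in your own mail path.

```python
"""List what an Exchange Postmaster NDR discloses about the filtering chain.
Added example (not code from the original post); the NDR below is constructed
in the shape Exchange produces, and hosts, values and vendor prefixes are assumed.
"""
import email
import re
from email import policy

# Assumed header-name prefixes that identify a filtering product.
FILTER_HEADER_PATTERNS = [
    (r"^x-proofpoint-", "Proofpoint"),
    (r"^x-ironport-", "Cisco IronPort"),
    (r"^x-pmx-", "Sophos PureMessage"),
    (r"^x-spam-", "Generic spam scorer"),
]

# Constructed sample NDR for a probe sent to a non-existent mailbox.
SAMPLE_NDR = b"""\
From: postmaster@target.example
To: sender@probe.example
Subject: Undeliverable: quarterly figures
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Delivery has failed to these recipients or groups:

nobody@target.example

Diagnostic information for administrators:

Generating server: EX01.target.example

Original message headers:

Received: from MX01.target.example (10.0.0.10) by EX01.target.example
 (10.0.0.20) with Microsoft SMTP Server; Sat, 24 Oct 2020 10:00:05 +0000
Received: from mail.probe.example (203.0.113.7) by MX01.target.example
 (10.0.0.10) with ESMTP; Sat, 24 Oct 2020 10:00:02 +0000
X-Proofpoint-Virus-Version: vendor=example engine=0.0.0 definitions=0000
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
X-IronPort-AV: E=Example;i="0.00,000,0000000000"; a="000000"
X-PMX-Version: 0.0.0.000000
X-PMX-Spam: Gauge=X, Probability=10%
From: sender@probe.example
To: nobody@target.example
Subject: quarterly figures

--b1--
"""


def parse_header_block(block):
    """Fold RFC 5322 continuation lines and return (name, value) pairs,
    stopping at the first blank or non-header line after the block starts."""
    headers = []
    for line in block.splitlines():
        if not line.strip():
            if headers:
                break
            continue
        if line[0] in " \t" and headers:          # folded continuation
            headers[-1][1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():        # prose, not a header
            break
        headers.append([name.strip(), value.strip()])
    return [tuple(h) for h in headers]


def extract_original_headers(raw_ndr):
    """Return the original message headers embedded in an NDR, or []."""
    msg = email.message_from_bytes(raw_ndr, policy=policy.default)
    for part in msg.walk():
        # Some NDRs carry the headers as a dedicated part ...
        if part.get_content_type() == "text/rfc822-headers":
            return parse_header_block(part.get_content())
    for part in msg.walk():
        # ... Exchange also repeats them in the human-readable part.
        if part.get_content_type() == "text/plain":
            m = re.search(r"Original message headers:\s*\n(.*)",
                          part.get_content(), re.S)
            if m:
                return parse_header_block(m.group(1))
    return []


def leaked_filter_headers(headers):
    """Group headers that reveal a filtering product, keyed by vendor."""
    findings = {}
    for name, value in headers:
        for pattern, vendor in FILTER_HEADER_PATTERNS:
            if re.match(pattern, name.lower()):
                findings.setdefault(vendor, []).append((name, value))
                break
    return findings


def report(raw_ndr):
    """Relay hops (one per Received header) and filter headers an outsider sees."""
    headers = extract_original_headers(raw_ndr)
    return {"hops": [v for n, v in headers if n.lower() == "received"],
            "filters": leaked_filter_headers(headers)}


if __name__ == "__main__":
    result = report(SAMPLE_NDR)
    print(f"{len(result['hops'])} relay hop(s) disclosed")
    for vendor, hdrs in result["filters"].items():
        print(f"[{vendor}]")
        for name, value in hdrs:
            print(f"  {name}: {value}")
```

Feeding this a real NDR you received for a probe to a non-existent mailbox in your own domain shows exactly what an outsider learns. An empty filters dictionary and no internal relay hops is the result you want to see after the remediation described in the next section.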

Wrapping Up

Email phishing is among the most prominent methods used to breach organisations today, whether to harvest user credentials, trick users into sending money to illicit entities or compromise endpoints through delivery of malware. Spam and malware filters are our front-line defence against this never-ending issue, and as such we need to ensure that the technologies in use, and the way they operate, stay hidden from threat actors seeking to slip past your perimeter.

If you haven't already, I recommend reviewing your email infrastructure to ensure the default NDR within Exchange on-premises (all versions from 2010 to 2019) or Exchange Online is either disabled or altered to a bespoke message that doesn't include sensitive information (Microsoft publishes guidance on how this can be done). On-premises Exchange 2013 and later control this per remote domain: Set-RemoteDomain -NDRDiagnosticInfoEnabled $false strips the diagnostic section while still returning an NDR, whereas -NDREnabled $false suppresses NDRs to that domain entirely (check Get-Help Set-RemoteDomain -Detailed on your version, including Exchange Online, to confirm both parameters are available). Stripping the diagnostic section is usually the better trade-off, because suppressing NDRs outright means legitimate senders who mistype an address never learn that their message was dropped.

If you're unsure on whether your email infrastructure is vulnerable, you can use the free service available at canibespoofed.com to identify this for you.

Finally, if you have any questions or need additional advice on how to detect or mitigate this security risk, please feel free to comment on this article or reach out direct.