Recommended Security Best Practices for Helo

create share 646 Reputation points
2020-12-19T01:33:26.953+00:00

Hi,

What is the security best practice to provide for helo response and external NDRs in Exchange 2013? Should it show the server name or mx record only?

Thanks.

Exchange Server Management

4 answers

  1. Andy David - MVP 141.6K Reputation points MVP
    2020-12-22T13:25:52.09+00:00

    See if this works for you:
    https://learn.microsoft.com/en-us/powershell/module/exchange/set-remotedomain?view=exchange-ps

    Get-RemoteDomain | Set-RemoteDomain -NDRDiagnosticInfoEnabled $false  
    

    -NDRDiagnosticInfoEnabled
    This parameter is available only in on-premises Exchange.

    The NDRDiagnosticInfoEnabled parameter specifies whether diagnostic information is included in non-delivery reports (also known as NDRs or bounce messages) that are sent to recipients in the remote domain. Valid values are:

    $true: The diagnostic information of an NDR includes details that help administrators troubleshoot delivery problems. This detailed information includes internal server names. This is the default value.
    $false: The diagnostic information section in the NDR body as well as internal server headers from the attached original message headers are removed from the NDR.
    This parameter is meaningful only when the value of the NDREnabled parameter is $true.

    1 person found this answer helpful.

  2. Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor
    2020-12-21T02:55:59.807+00:00

    @create share
    Hi,

    To change the helo response to avoid showing the internal server name, you may need to configure the FQDN settings on your receive connector.
    Run the following command in EMS:

    Set-ReceiveConnector "Default Frontend <>" -FQDN <>  
    

    Or you can do it in EAC:
    [Screenshot: 49882-33.png]


    And to prevent an NDR attack, you may need to enable sender filtering.
    Here are the documents on this topic for your reference:
    Using the Sender Filter agent to block messages
    Manage sender filtering



  3. create share 646 Reputation points
    2020-12-21T23:16:05.43+00:00

    Hi,

    I am getting the below error while changing the response.

    [Screenshot: 50181-default-frontend-receiver-connector.png]


  4. create share 646 Reputation points
    2020-12-22T12:45:23.727+00:00

    I don't want to disable the NDRs but it is still showing the Internal Server Name in NDR even after changing the FQDN for Helo. I changed only for the Default Frontend connector.

    0 comments No comments
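
An added example, not part of the thread or of Microsoft's documentation: a PowerShell audit of the two settings discussed in the answers above, the Fqdn on every receive connector (not only the Default Frontend one) and NDRDiagnosticInfoEnabled on every remote domain. The function name Get-MailDisclosureFinding, the .corp.example suffix and the sample objects are assumptions made for the illustration.

```powershell
# Added example. The function name, the internal suffix and the sample objects are constructed.
function Get-MailDisclosureFinding {
    param(
        [Parameter(Mandatory)] [object[]] $ReceiveConnector,
        [Parameter(Mandatory)] [object[]] $RemoteDomain,
        [Parameter(Mandatory)] [string[]] $InternalSuffix
    )
    # A name counts as internal if it is single-label or ends with an internal DNS suffix.
    $isInternal = {
        param([string] $name)
        if ([string]::IsNullOrWhiteSpace($name)) { return $false }
        if ($name -notmatch '\.') { return $true }
        foreach ($suffix in $InternalSuffix) {
            if ($name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        return $false
    }
    foreach ($rc in $ReceiveConnector) {
        # Fqdn is the name the connector presents in its SMTP greeting and HELO/EHLO response.
        if (& $isInternal ([string] $rc.Fqdn)) {
            [pscustomobject]@{ Object = [string] $rc.Identity; Setting = 'Fqdn'; Value = [string] $rc.Fqdn }
        }
    }
    foreach ($rd in $RemoteDomain) {
        # Diagnostic info only matters when NDRs are sent to that domain at all.
        if ($rd.NDREnabled -and $rd.NDRDiagnosticInfoEnabled) {
            [pscustomobject]@{ Object = [string] $rd.Identity; Setting = 'NDRDiagnosticInfoEnabled'; Value = 'True' }
        }
    }
}

if (Get-Command Get-ReceiveConnector -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: audit the live configuration.
    $connectors = Get-ReceiveConnector
    $domains    = Get-RemoteDomain
} else {
    # Constructed sample data so the function can be tried outside Exchange.
    $connectors = @(
        [pscustomobject]@{ Identity = 'EX01\Default Frontend EX01'; Fqdn = 'mail.example.com' }
        [pscustomobject]@{ Identity = 'EX01\Default EX01';          Fqdn = 'EX01.corp.example' }
    )
    $domains = @(
        [pscustomobject]@{ Identity = 'Default'; NDREnabled = $true; NDRDiagnosticInfoEnabled = $true }
    )
}

Get-MailDisclosureFinding -ReceiveConnector $connectors -RemoteDomain $domains -InternalSuffix '.corp.example' |
    Format-Table -AutoSize
```

With the constructed sample data, the output lists the second connector's Fqdn and the Default remote domain's NDRDiagnosticInfoEnabled setting.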