Recommended Security Best Practices for Helo

create share 451 Reputation points


What is the security best practice to provide for helo response and external NDRs in Exchange 2013? Should it show the server name or mx record only?


Exchange Server Management

4 answers

  1. Andy David - MVP 115.3K Reputation points MVP

    See if this works for you:

    Get-RemoteDomain | Set-RemoteDomain -NDRDiagnosticInfoEnabled $false  

    This parameter is available only in on-premises Exchange.

    The NDRDiagnosticInfoEnabled parameter specifies whether diagnostic information is included in non-delivery reports (also known as NDRs or bounce messages) that are sent to recipients in the remote domain. Valid values are:

    $true: The diagnostic information of an NDR includes details that help administrators troubleshoot delivery problems. This detailed information includes internal server names. This is the default value.
    $false: The diagnostic information section in the NDR body as well as internal server headers from the attached original message headers are removed from the NDR.
    This parameter is meaningful only when the value of the NDREnabled parameter is $true.

    1 person found this answer helpful.

  2. Kael Yao-MSFT 24,356 Reputation points Microsoft Vendor

    @create share

    To change the helo response to avoid showing the internal server name, you may need to configure the FQDN settings on your receive connector.
    Run the following command in EMS:

    Set-ReceiveConnector "Default Frontend <>" -FQDN <>  

    Or you can do it in EAC:

    And to prevent NDR attacks, you may need to enable sender filtering.
    Here are the documents on this topic for your reference:
    Using the Sender Filter agent to block messages
    Manage sender filtering


  3. create share 451 Reputation points


    I am getting the below error while changing the response.


  4. create share 451 Reputation points

    I don't want to disable the NDRs but it is still showing the Internal Server Name in NDR even after changing the FQDN for Helo. I changed only for the Default Frontend connector.
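
Added example (not part of any post in this thread): the answers above change the HELO name and the NDR diagnostic section with two different settings, so this Python check inspects each output separately for internal host names. The sample SMTP reply, the NDR text, the `corp.example.local` and `mail.example.com` names and all function names are constructed for illustration; the "stripped" NDR is a simplification of what answer 1 describes for `$false`.

```python
import re

# Constructed samples: corp.example.local stands in for the internal AD
# namespace, mail.example.com for the public MX name. Not from the thread.
SMTP_BEFORE = (
    "220 EXCH01.corp.example.local Microsoft ESMTP MAIL Service ready\r\n"
    "250-EXCH01.corp.example.local Hello [203.0.113.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250 STARTTLS\r\n"
)
SMTP_AFTER = SMTP_BEFORE.replace("EXCH01.corp.example.local", "mail.example.com")
NDR_BODY = (
    "Delivery has failed to these recipients or groups:\n"
    "user@example.net\n\n"
    "Diagnostic information for administrators:\n"
    "Generating server: EXCH01.corp.example.local\n"
    "Received: from EXCH02.corp.example.local (10.0.0.6) by\n"
    " EXCH01.corp.example.local (10.0.0.5) with Microsoft SMTP Server\n"
)
# Simplified model of an NDR with the diagnostic section removed.
NDR_STRIPPED = NDR_BODY.split("Diagnostic information")[0]

# Dotted host names; skips the domain part of e-mail addresses and bare IPs.
HOSTNAME = re.compile(r"(?<![\w@.-])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![\w-])")

def advertised_name(smtp_reply):
    """Return the host name announced in the 220 greeting, or None."""
    for line in smtp_reply.splitlines():
        if line.startswith("220"):
            return line[4:].split()[0].lower()
    return None

def internal_names(text, internal_suffixes):
    """Return the sorted host names in text that fall under an internal suffix."""
    found = {m.group(0).lower() for m in HOSTNAME.finditer(text)}
    return sorted(h for h in found
                  if any(h == s or h.endswith("." + s) for s in internal_suffixes))

def audit(smtp_reply, ndr_text, internal_suffixes):
    """Check the HELO/EHLO reply and the NDR text independently."""
    replies = re.sub(r"(?m)^\d{3}[ -]", "", smtp_reply)  # drop SMTP reply codes
    return {"helo": internal_names(replies, internal_suffixes),
            "ndr": internal_names(ndr_text, internal_suffixes)}

if __name__ == "__main__":
    suffixes = ["corp.example.local"]
    print(audit(SMTP_BEFORE, NDR_BODY, suffixes))     # both outputs leak
    print(audit(SMTP_AFTER, NDR_BODY, suffixes))      # HELO clean, NDR still leaks
    print(audit(SMTP_AFTER, NDR_STRIPPED, suffixes))  # nothing internal left
```

To use it on real data, replace the samples with the greeting and EHLO reply captured from your own connector and with the text of an NDR your organization sent to an external test mailbox.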