Add download domain to IIS regarding Microsoft Exchange Server Spoofing Vulnerability CVE-2021-1730

WIND Internet 1 Reputation point
2022-08-26T08:26:02.517+00:00

After applying the update additional steps needed to be done for showing attached pictures in an e-mail using OWA. I performed all the steps mentioned under:

Are there other required steps to enable the protection from this vulnerability?

I guess I forgot something because now there's an error when I try to download/view the attached picture. The browser shows the download.domainname.nl url but with the error:

Not Found

HTTP Error 404. The requested resource is not found.

We already have a certificate for this url so that's not the issue. I guess I have to add the download.domainname.nl url to IIS but I don't know how this works.


2 answers

  1. WIND Internet 1 Reputation point
    2022-08-30T09:23:11.12+00:00

    The issue has been solved by adding a Site Binding in IIS. Like I mentioned we already had a certificate for this. Attached images in an e-mail now load correctly in OWA and can be downloaded.


  2. Joyce Shen - MSFT 16,641 Reputation points
    2022-09-01T08:24:50.043+00:00

    Hi @WIND Internet

    Thanks for sharing your solution to this problem and glad to know that your issue is resolved now! Since our forum has the policy that "The question author cannot accept their own answer. They can only accept answers by others", and according to the scenario introduced here: Answering your own questions on Microsoft Q&A

    I would make a brief summary of this post so that other forum members could easily find useful information here:

    [Add download domain to IIS regarding Microsoft Exchange Server Spoofing Vulnerability CVE-2021-1730 - Summary]

    Issue Symptom:

    When trying to download/view the attached picture, the browser shows the download.domainname.nl url but with the error:

    Not Found
    HTTP Error 404. The requested resource is not found.

    Solution:
    The issue has been solved by adding a Site Binding in IIS.

    Reference Links:
    Binding <binding>
    Configure Download Domains to address CVE-2021-1730 vulnerability

    You could "Accept Answer" for this summary to close this thread, and your action would be helpful to other users who encounter the same issue and read this thread. Thanks for your understanding!

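
The site-binding fix described in this thread, as an added PowerShell example that is not part of the original posts. It assumes the OWA site is named "Default Web Site", that an SNI binding on port 443 is wanted, and that the certificate sits in the LocalMachine\My store; the thumbprint is a placeholder.

```powershell
# Added example: ensure IIS has an HTTPS binding for the Exchange download domain.
# Run elevated on the Exchange server. Values marked "assumed" are not from the thread.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'         # assumed: IIS site that hosts OWA
$DownloadHost = 'download.domainname.nl'   # host name quoted in the thread
$Thumbprint   = '<CERT-THUMBPRINT>'        # placeholder: certificate covering $DownloadHost

# The certificate must exist, hold a private key and still be valid.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# List the current HTTPS bindings. When none matches the download host name,
# requests for it are answered with the 404 shown in the question.
$bindings = Get-WebBinding -Name $SiteName -Protocol https
$bindings | Select-Object protocol, bindingInformation, sslFlags | Format-Table

$wanted = "*:443:$DownloadHost"
if ($bindings | Where-Object { $_.bindingInformation -eq $wanted }) {
    Write-Output "Binding $wanted already present on '$SiteName'"
}
else {
    # SslFlags 1 = SNI, so the existing host-less 443 binding is left untouched (assumed choice).
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $DownloadHost -SslFlags 1
    $new = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $DownloadHost
    $new.AddSslCertificate($Thumbprint, 'My')
    Write-Output "Added binding $wanted to '$SiteName'"
}

# Read-only check of the Exchange side (only available in the Exchange Management Shell):
# the download host names on the OWA virtual directory should match the new binding,
# and download domains should be enabled for the organization.
if (Get-Command Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-OwaVirtualDirectory |
        Format-List Identity, ExternalDownloadHostName, InternalDownloadHostName
    Get-OrganizationConfig | Format-List EnableDownloadDomains
}
```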