Having HealthChecker more integrated into Exchange Server was a good improvement. Many IT professionals probably already used that script long before the integration too, but now updating is way simpler.
Signing your domain (DNSSEC) and adding TLSA DANE records is becoming more common, as is using SPF, DKIM, DMARC, HSTS and adding an MTA-STS policy. This will raise your security rating when testing at Qualys SSL Labs, Check TLS, internet.nl, etc. Most of this, except DKIM, is configured at the registrar, and the MTA-STS policy can be lodged anywhere, e.g. on another internet-facing server in your domain or at a third party. If signing the top domain used for DNSSEC is not supported by your registrar, you can delegate configuration and use the name servers of a third party, e.g. Cloudflare. Having TLS 1.3 can be met either by the load balancer and/or by using Windows Server 2022.
All these features are working well for outbound mail in interactions with servers such as Google, Mimecast or Enterprise Outlook that support rejection of mail if your MTA-STS policy is not met. Using a mail security monitoring service such as Mailhardener.com, MxToolBox.com, etc. will also ease the report checking for secure mail flow and warn if mail was rejected; possibly this can be mail sent by hostile and illegitimate servers trying to use your domain.
Constant monitoring on a daily basis and ever-ongoing security hardening is key these days!
The not yet supported features for inbound mail on Exchange Server on-prem, and thus rejecting any mail not meeting the sending server's MTA-STS policy, are really expected. All this is normal software craftsmanship, and it is really hard to understand why Microsoft has not implemented it yet. Please add these to the list for the future! Having fluffy cloud services or weird features no one ever heard of seems less important unless the basic things are in place first.
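As an added example (not part of the comment above, nor Exchange Server code), here is the check an MTA-STS-aware sending MTA performs against a recipient domain's published policy (RFC 8461): the policy text is parsed, the MX host is matched against the policy's mx patterns (a leading `*.` matches exactly one label), and the outcome is combined with the TLS result to decide between delivering, rejecting (enforce mode) or delivering and reporting (testing mode). The policy text is a constructed sample.

```python
"""Parse an MTA-STS policy and decide a sender's action; SAMPLE_POLICY below is constructed."""

def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines into a policy dict; raise ValueError if malformed."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # unknown keys are ignored for forward compatibility (RFC 8461, section 3.2)
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy

def mx_matches(host: str, patterns: list) -> bool:
    """True if host matches any pattern; '*.' matches exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # e.g. ".mx.example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pat:
            return True
    return False

def evaluate(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """Sender's action for one MX: deliver, reject (enforce) or deliver_and_report (testing)."""
    if policy["mode"] == "none" or (tls_ok and mx_matches(mx_host, policy["mx"])):
        return "deliver"
    return "reject" if policy["mode"] == "enforce" else "deliver_and_report"

SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""
```

In practice the sender fetches this text over HTTPS from `https://mta-sts.<domain>/.well-known/mta-sts.txt` after seeing the domain's `_mta-sts` TXT record, and caches it for `max_age` seconds.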