Within an organization there is often communication that occurs between staff that should remain confidential and kept within the business only.  However any time confidential information is placed in an email there is the risk that someone will accidentally send the information outside of the business.

Exchange Server 2007 and Outlook 2007 use a feature called Message Classification to prevent this accidental information leakage from occurring.

What are Message Classifications?

A message classification is simply metadata added to an email message that describes the intended use or audience of the message.  Message classifications can be created or customized to suit any type of business with any type of classification need.

When combined with Exchange Server 2007 Transport Rules message classifications can be used to enforce email policies such as the forwarding of confidential information.

Enabling Message Classifications

Although it it possible to create your own message classifications, Exchange Server 2007 ships with several default classifications that will suit most businesses.  These message classifications must be exported to an XML file and distributed to clients.Run the Export-OutlookClassification.ps1 script from C:\Program Files\Microsoft\Exchange Server\Scripts.

[PS] C:\>.\Export-OutlookClassification.ps1 > c:\msgclass.xml

The file must now be placed somewhere for the client PC’s to access it.  Although a network share can be used it is more reliable to distribute the file to the local hard drive of each computer.

Next, create the following registry keys to reference the classifications file.

[HKCU\Software\Microsoft\Office\12.0\Common\Policy]
"AdminClassificationPath"="c:\\admin\\msgclass.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001

When Outlook 2007 is next launched by the end user they will have access to the message classifications when composing new messages.

Creating Transport Rules

With message classifications in use it is now possible to configure Transport Rules to protect confidential emails from being sent outside of the company.  Launch the Exchange Management Console and navigate to Organization Configuration/Hub Transport.  Click on the Transport Rules tab and then start a new Transport Rule.

Give the rule a meaningful name, for example “Block Outbound Confidential Emails”.

Set the conditions for email sent outside the organization and classified as “Company Confidential”.

Configure the rule action to send a bounce message to the original sender with a message that makes it clear to them why the message was blocked.  Don’t forget to also configure the rule actions to drop the message as well.

If there is any reason for an exception, such as allowing the CEO to send confidential emails to outside partners, you can configure it as well.  Otherwise just complete the Transport Rule wizard.

Testing the Transport Rule

You can test the new Transport Rule by simply sending any email classified as “Company Confidential” to an outside email address.  The Exchange server will return an error message to the sender.

Limitations of Message Classifications

The important thing to note here is that message classifications require some implementation effort, must be deliberately used by end users when sending emails, and only prevent accidental exposure of confidential information.  For example, a user who receives a classified message is free to remove that classification when they forward the email to an outside recipient.  Of course, such deliberate acts are almost impossible to guard against anyway.  Still, message classifications provided a decent option for enforcing email policies.

How to Protect Confidential Emails with Exchange Server 2007

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Microsoft Exchange Server 2007 ships with some useful tools for testing the health of the different server roles.

These tools come in the form of PowerShell cmdlets that can be executed from the Exchange Management Shell.

The tools are very handy both during implementation of new Exchange systems as well as when investigating faults.

General Tests

Test-ServiceHealth – tests the health of the Exchange services on the server and lets you know if any required services for the installed roles are not running.

Test-SystemHealth – this is the command line version of the Exchange Best Practices Analyzer, and will alert you to any error conditions or configurations that deviate from best practices.

Test-Path – this is not strictly an Exchange test.  Test-Path is useful when building scripts and is used to verify the existing of an element such as a file, folder, or registry key, returning a simple True/False answer.

Client Access Server

Several of the Client Access Server tests utilise a system-managed test mailbox which you must first create by running the new-TestCasConnectivityUser.ps1 script from C:\Program Files\Microsoft\Exchange Server\Scripts.

Incorrect Client Access Server configuration can cause a wide range of problems within an Exchange Server 2007 organization so these tests are essential during any Exchange implementation.Test-ActiveSyncConnectivity – tests the Client Access Server by performing an ActiveSync synchronisation for a specified mailbox to verify that ActiveSync is configured and functioning correctly.

Test-ImapConnectivity – tests the IMAP service and IMAP connectivity for mailboxes in the organization.  IMAP is useful for non-Microsoft email clients and mobile devices that do not support ActiveSync.

Test-OutlookWebServices – tests the AutoDiscover service, which is the service that allows Outlook 2007 clients to automatically configure the Outlook profile for a user based on Active Directory information rather than needing manual configuration of user name and server name.

Test-OwaConnectivity – can be used to test Outlook Web Access connectivity for specific IIS virtual directories, mailbox users, or URLs.

Test-PopConnectivity – tests that the POP3 service is running and that POP3 connectivity is available.  POP3 is most commonly used in service provider scenarios where mail is not intended to be stored on the server once the client has downloaded it.

Test-WebServicesConnectivity – tests the basic functionality of Outlook Anywhere (formerly known as HTTP-over-RPC), which provides remote mailbox access for Outlook clients over SSL connections.

Hub Transport Server

Test-EdgeSynchronization – tests whether the subscribed Edge Transport servers are current and up to date.  This is only useful in environments that have deployed the Edge Transport server role, which is not a required role for Exchange Server 2007.

Test-IPAllowListProvider – tests the configuration of an IP Allow List provider for the Hub Transport server Connection Filter agent, which is a part of the Exchange Server 2007 anti-spam component.

Test-IPBlockListProvider – same as previous, but tests a configured IP Block List provider instead.

Test-SenderID – performs a SenderID (an anti-spam framework) lookup against a specified IP address to determine whether that IP is authorised to send mail for that domain.

Mailbox Server

Test-Mailflow – uses the System Mailbox on the Mailbox server to test that mail can be sent and received, as well as allow you to test whether mail can be sent between different Mailbox servers within an acceptable latency period.  Use this to verify end to end mail flow within your organization.

Test-MAPIConnectivity – uses the System Mailbox to test that the mailbox database is online and can be logged in to.

Test-ExchangeSearch – uses the System Mailbox to test that the Exchange search service is running and indexing email correctly.

Test-ReplicationHealth – only applicable to clustered Mailbox servers, and tests that all cluster elements (nodes, network, disks, resources etc) are functioning, and that data replication is healthy.

Unified Messaging

Test-UMConnectivity – tests the operation of the Unified Messaging role as well as connected telephony systems.  Only applicable to environments with Exchange Server 2007 Unified Messaging, which is not a required role.

Testing Exchange Server Health with PowerShell

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators