Exchange admins: Is it time to rethink your email address policy?

Exchange admins: Is it time to rethink your email address policy?

Most Exchange Server administrators may not spend a lot of time thinking about email address policies. In fact, once Exchange is up and running, you probably won't touch the policy again unless a corporate merger or similar event forces you to change company email addresses. But the email address policy may affect your organization's overall security more than you originally thought.

Although more advanced authentication mechanisms are available, most users still authenticate by using a traditional username and password combination. If a hacker can figure out a username, he has one-half of the information needed to log in as a legitimate user.

The problem is that email addresses often have some correlation to usernames. For example, my email address

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by Exchange professionals today working with Exchange, Outlook and other related technologies.

    Margie Semilof, Editorial Director

    By submitting your registration information to SearchExchange.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchExchange.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Premium Access

Register now for unlimited access to our premium content across our network of over 70 information Technology web sites.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in July 2009

is Brien@brienposey.com. It's easy to guess that my logon name is Brien. Therefore, it's a good idea to change my email address to a different format than one that includes my logon name.

Modifying a user's email address policy will change his email addresses. If your email address policy was created using Exchange Server 2003, you'll have to use either System Manager to perform the modification or you'll need to upgrade the policy using the Set-EmailAddressPolicy command.

Modifying your Exchange email address policy

You can modify your email address policy by opening the Exchange Management Console and selecting the Hub Transport container from the Organization Configuration section. Next, select the Email Address Policies tab, select your email address policy and click Edit.

The email address policy is comprised of a single text string that dictates the format of the email address. You can use Microsoft's pre-canned address or you can create a custom SMTP address. If your goal is to improve security, I recommend creating a custom SMTP address, which can only be done via the Exchange Management Shell.

To create a custom SMTP email address policy, create a text string that consists of hard-coded text blocks and different variables. A list of the available variables are show in Table 1.

 

Variable Function
%G First name
%I Middle initial
%S Last name
%D Display name
%M Exchange alias
%<x>S The first X letters of the user's last name. For example %2S would represent the first two letters of the user's last name.
%<x>G The first X letters of the user's first name. For example, %3G would represent the first three letters of the user's first name.


Table 1. Available variables for creating a custom SMTP email address policy.

Although you can see which variables are available, you may still be a bit unclear on how to use them. Here's an example:

First name: Brien
Middle initial: M
Last name: Posey
Display name: Brien Posey
Domain: Contoso.com

Table 2 shows what the email address looks like based on various email address policy strings.

 

String Resulting email address
%G.%S Brien.Posey@contoso.com
%1G%S BPosey@contoso.com
%G%I%S BrienMPosey@contoso.com
%G%1S BrienP@contoso.com


Table 2. Samples of various email address policy strings.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top