Transport Agents versus SMTP Event Sinks
Exchange Server 2000 and 2003 both used the IIS SMTP Service for email transport. ORF hooked specific events occurring in the IIS SMTP Service using a programming interface called SMTP Event Sinks, and this provided filtering for both IIS servers and Exchange 2000/2003.
Exchange 2007, however, no longer relies on IIS SMTP. Instead, it uses its own MSExchangeTransport service for email transport. Also, a new programming interface was introduced, called Transport Agents.
SMTP Event Sinks and Transport Agents are quite different beasts for programmers, because:
- SMTP event sinks are COM servers. ORF’s SMTP event sink is called the ORF SMTP Module, which is a lightweight component that connects IIS SMTP to the ORF Service. Event sinks can be written in any native programming language that supports creating COM servers—for instance, originally, the ORF SMTP Module was written in Borland Delphi and was just recently ported to C++ (for 64-bit compatibility).
- Transport Agents are .NET managed objects. This means that they have to be written in a .NET managed language, such as C# or Visual Basic.NET, but not in C++ or Borland Delphi.
…from this, it is quite obvious that ORF requires a new Exchange Transport Agent component, written in a managed language, but the list of changes does not stop here, because the Transport Agent API is different from the SMTP Event Sink API…
- Some events have no 1:1 mapping. The ORF SMTP Module hooks 3 events of the IIS SMTP Service. The first event is when the SMTP client issues the RCPT TO recipient specification command on an incoming SMTP connection. This is the Before Arrival filtering point. The second event hooked is when the email transfer has just finished on an inbound SMTP connection (the On Arrival filtering point). The third, optional event is what ORF hooks when it has an outbound binding to an SMTP virtual server. This event is triggered when a MAIL FROM sender specification command is submitted by the local server on an outgoing connection. ORF uses this event to collect the outbound email sender / recipient addresses and to store this information in the Auto Sender Whitelist.
Using Exchange 2007 Transport Agents, you can hook the first two events (using an agent subtype called SMTP Receive Agents), but not the third one, because there is no way to hook events occurring on outbound connections. For some reason, Microsoft has decided that this feature is not important to have in Exchange 2007.
Consequently, ORF will have to hook a different type of event to monitor the outbound emails. This event type is called a Routing Event and it is invoked for both inbound and outbound emails. In this type of event, it is the responsibility of the caller to decide whether the email is outbound, which is not an obvious task.
- Some properties that ORF previously relied on do not exist. The ORF SMTP Module queries the SMTP authentication status and the authenticated user’s name from IIS to allow whitelisting of authenticated SMTP sessions. In Exchange 2007, the user name is not available and the authenticated status can be Anonymous, Organization and Partner. It is not entirely clear at the moment what these mean (yes, I did not do my homework :), but we suppose that anything other than Anonymous should be considered authenticated. It also looks possible to hook the authentication event itself to get the authenticated user’s name (where it makes sense), but most likely we will not do that—it would be too little gain for the price paid.
There is another issue with the Pickup folder path that I will talk about in another article.
- And then there are new properties with no matching pair in SMTP event sinks, such as AntispamBypass, which “indicates whether the session is a connection with a partner configured for anti-spam bypass”. We are not sure yet how to categorize this, but this check will probably be part of the AUTH Whitelist.
A very nice new property is called LastExternalIPAddress, which would have been terribly useful in the previous Exchange versions. It is basically what ORF determines on IIS using the Intermediate Host List. So far it seems we will not rely on this property, however, because it adds no extra value compared to the Intermediate Host List, which we will continue to use due to its other roles.
- Transport Agent changes are not as instant as SMTP Event Sink changes. IIS could install and uninstall SMTP Event Sinks on the fly; however, Exchange 2007 requires changing the MSExchangeTransport service on virtually any transport agent change.
Of course, the above is only a limited list of the most visible changes, but you will see more in the next article of the series, where I will talk about the management changes.