Transport Rules provides an organization with the tools needed to enforce messaging policies across their Exchange organization. You may be familiar with Transport Rules in Exchange Server 2007, and the ability to inspect different parts of a message such as subject, body, and headers for specific words and/or text patterns. If you are not familiar with Transport Rules, you can find an overview in this previous blog post or in the Exchange 2007 documentation on TechNet.
In Exchange Server 2010, we have extended the word and text pattern matching functionality in Transport Rules to include the inspection of supported email attachments. Two new conditions (also known as 'predicates') have been added to Transport Rules:
Transport Rules with one of these conditions will parse the body of an attached document (including headers and footers, but not including metadata document properties), looking for word or pattern matches within the document. This enables better control of the information that flows through an Exchange Server 2010 organization. For example, your organization may have a policy that forbids documents containing confidentiality disclaimers from being sent outside of the organization. Transport Rules can be established to enforce that policy. In this example, let's say that the organization wants to bounce back any email with attached documents that contain "Contoso Confidential" in the document (e.g., in the page header or footer of the document). We might have a transport rule configured like this:
In the previous example, we are relying on documents having some classification text already embedded in them. To further automate the leakage protection process, we may want to look for specific text patterns in the document. We can do this by using regular expressions to find text patterns in the attached document (Please see the Exchange 2007 TechNet documentation for details on the regular expressions supported in Exchange 2007 and Exchange 2010). For example, your organization has a policy that forbids the transmission of social security numbers in email, and this includes social security numbers in attached documents. We might have a transport rule configured like this:
In the previous two examples, we focused on blocking messages that matched our criteria. There are several other actions available in transport rules, that can be invoked by these new conditions. These include:
Transport Rules attachment inspection supports the same file types as supported by Exchange Search. The attachment inspection feature relies on IFilters to get a text stream from the file attachments. The full set of IFilters installed with Exchange out of the box can be found in the server's registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters . File types include:
Note: for HTML and XML file attachments, Transport Rules only inspects the rendered content. It does not inspect content inside the markup tags (e.g. ).
Microsoft has tested and supports all of the default IFilters installed with Exchange Server 2010. Third-party IFilters can be added, which could extend the capability for inspecting additional file types. However, Microsoft has not tested third-party IFilters with Transport Rules, so it is highly advised that you fully test any third-party IFilters before deploying into your production environment. Additional files can be parsed by installing and registering the file type's IFilter on each Hub Transport server. For example, you can add support for inspecting PDF file attachments by downloading and installing the Adobe PDF IFilter. After that, simply register the IFilter DLL to the Exchange server registry location:
Now the Transport Rules engine will be able to inspect these file attachments for the key words and text patterns configured in the Transport Rule condition. The registry cache automatically refreshes every 30 minutes, but if you want the changes to be immediately applied, then restart the Exchange Transport Service on the Hub Transport Server where you made the change. At the Exchange Shell prompt: Restart-Service msexchangetransport
Note: 3rd party IFilters need to be 64-bit capable for Exchange server to use them.
Note: you can also remove support for specific file types by deleting the keys corresponding to that file extension from the above registry locations.
The attachment inspection conditions will only evaluate files that have a corresponding IFilter registered for that file type. If there is no IFilter for a given attachment, then that file is treated as "unsupported". The 2 conditions above will not trigger the rule action on unsupported attachments. For some organizations this may be desired: only act on messages with files that can be inspected. Other organizations may want a stricter control, and may wish to special handle any attachments that cannot be inspected. For this case, we introduced another Transport Rule condition in Exchange Server 2010:
For example, let's say that an organization wants to manually review any externally bound email with attachments that cannot be inspected by Transport Rules (e.g., with unsupported file types). We might have a transport rule configured like this:
This enables the compliance officer(s) to approve or reject the message for delivery to external recipients. You can also add your own exceptions in the rule to allow selected users to bypass the control (in the example above we've added an exception for members of the Trusted Senders group to be able to bypass the control).
In general, Transport Rules will not be able to access the contents of user encrypted files. The keys needed to decrypt the content are not available to the server. Exchange Server 2010, however, does support integration with Active Directory Rights Management Services(RMS) such that Transport Rules can decrypt and inspect the contents of Information Rights Management(IRM) protected email and attached Office documentswithin an organization.
Transport Rules attachment inspection won't support archive files in Exchange Server 2010. The Exchange team will look to add support for navigating and decompressing contents of archive files (e.g., arc, zip, tar, cab, etc.) in a future release. In the Exchange 2010 RTM release, archive files will be treated as "unsupported" files.
Yes, there is a Transport Rule condition that can be used for this in Exchange Server 2007 and Exchange Server 2010:
You can catch messages with attachment file types by adding the file extensions to match in this condition. For example:
Then set the rule action to bounce the message. Note that this only inspects the attached file name and not the attached file contents to determine the file type. If your goal is to prevent viruses by filtering out specific attachment types, regardless of how the file is actually named, then you may want to employ the Attachment Filtering Agentinstead.
You can catch messages with attachments larger or equal to specific size (in KB) and apply any of the Transport Rule actions. An organization may use this to prevent large files via email, and to encourage the use of SharePoint sites for collaboration instead.
No, it is not. The Transport Rule attachment inspection feature will be available in the Exchange Server 2010 final release.