A quick blog on an updated security publication for Exchange Server 2016 and 2019. This publication addresses the following vulnerability:
CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability
A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.
As mentioned in the CVE report, this vulnerability can be mitigated in Exchange 2016 and Exchange 2019 by implementing a separate namespace for inline images. These images are served when using Outlook Web Access. Since I never see customers implementing this option, I will repeat these steps below to bring this to your attention.
First, pick a namespace to serve these images from, e.g. img.mail.contoso.com. Create a CNAME record for this name in DNS that points to your existing OWA namespace. Add this name to your SSL certificate as a Subject Alternative Name (SAN), unless you use a wildcard certificate that already covers the chosen name.
Next, set the InternalDownloadHostName and ExternalDownloadHostName properties on every OWA virtual directory, e.g.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalDownloadHostName img.mail.contoso.com -InternalDownloadHostName img.mail.contoso.com
Configure the Exchange organization to use download domains:
Set-OrganizationConfig -EnableDownloadDomains $true
Finally, restart IIS or recycle the OWA application pool using Restart-WebAppPool MSExchangeOWAAppPool.
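As an added verification step, not part of the original post, the following PowerShell checks the four pieces above (organization switch, OWA virtual directories, DNS, certificate coverage) from the Exchange Management Shell; it assumes the post's example namespace as a placeholder and that Resolve-DnsName (DnsClient module) is available.

```powershell
# Added check script, not from the original post. Run in the Exchange Management
# Shell; assumes Resolve-DnsName (DnsClient module) is available and that the
# namespace below (the post's example) is replaced with your own.
param([string]$DownloadHost = 'img.mail.contoso.com')

$problems = @()

# Does any certificate domain cover the name, either exactly or via a wildcard?
function Test-NameCovered([string[]]$Domains, [string]$Name) {
    foreach ($d in $Domains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name -like $d) { return $true }
    }
    return $false
}

# 1. Organization-wide switch (Set-OrganizationConfig -EnableDownloadDomains $true)
if (-not (Get-OrganizationConfig).EnableDownloadDomains) {
    $problems += 'EnableDownloadDomains is not enabled on the organization config.'
}

# 2. Every OWA virtual directory must use the download host, and that host must
#    differ from the OWA namespace itself or there is no origin separation.
foreach ($vdir in Get-OwaVirtualDirectory) {
    foreach ($prop in 'InternalDownloadHostName', 'ExternalDownloadHostName') {
        if ($vdir.$prop -ine $DownloadHost) {
            $problems += "$($vdir.Identity): $prop is '$($vdir.$prop)', expected '$DownloadHost'."
        }
    }
    foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
        if ($url -and $url.Host -ieq $DownloadHost) {
            $problems += "$($vdir.Identity): $DownloadHost is the OWA namespace itself; use a separate name."
        }
    }
}

# 3. DNS: the name must resolve (the post creates a CNAME to the OWA namespace)
try {
    $null = Resolve-DnsName -Name $DownloadHost -ErrorAction Stop
} catch {
    $problems += "$DownloadHost does not resolve: $($_.Exception.Message)"
}

# 4. TLS: a non-expired certificate bound to IIS must cover the name (SAN or wildcard)
$iisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date) }
$covered = $iisCerts | Where-Object { Test-NameCovered @($_.CertificateDomains | ForEach-Object { "$_" }) $DownloadHost }
if (-not $covered) { $problems += "No valid IIS-bound Exchange certificate covers $DownloadHost." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Download domain configuration looks complete.' }
```

Run it after the IIS restart; any warning it prints names the step that still needs attention.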