March 12, 2021

But we need Microsoft Exchange!

no, you don't.

Dear Microsoft Exchange {user, admin, PHB},

Let me be very blunt here (it’s not like you haven’t had your fair share of warnings over the years). There are two things you don’t need:

  1. Having someone install a backdoor into your mailsystem.
  2. Having the same someone use that backdoor to fish for password reset mails.

When your server gets broken into, you don’t “fix” it by installing a patch and running some kind of “cleaner” program afterwards. You take it offline, format the hard drive, then set it up from scratch. Sounds time consuming? It is! But it is also the only way to make sure that any rootkits the attacker might have left get nuked. Once compromised (and with Exchange, you now have to assume it is), an installation is done for, kaputt, never to be trusted again. No exceptions, period! Got it?

Oh, you can’t install the security patch because your system is a monolithic lump, the patch comes as a binary blob, relies on previous patches being installed first, which weren’t because they bluescreen the machine when printing? Tough!

If your business relies on your mail system, then it also relies on your ability to run it securely. If you can’t run it securely, then all the unique selling points and extra features you are constantly bitching about as absolutely necessary become as useful as a hole in the head.