Monday, April 14, 2014

Protect your SMTP domain with SPF records

If you haven’t created an SPF record to protect your SMTP domain on the Internet, this is for you.

SPF is not a single thing, it is two things. The first is verifying incoming mail to your servers against a list of trusted senders. For example, when your server receives a mail that claims to be from domain.com, it looks up the SPF record for that domain in DNS. This record (if it exists) lists the servers that are authorized to send mail with sender addresses in the domain.com domain. The receiving server then compares the SPF information with the sender address it is checking (the SMTP envelope sender, or for Sender ID the address derived from the message headers) and the IP address of the connecting server. If everything matches, the server simply accepts the mail, but if there is a mismatch you have to decide, and configure your server, what to do: perhaps let the mail through anyway, or mark it as spam.

The other is to publish your own SPF record so that others can verify mail claiming to come from your SMTP address space.

The easiest way to create your SPF record is to use one of the many wizards on the Internet. Microsoft also has one, https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/, which is quite good. Remember that no wizard will ever give you a good result unless you feed it good information, so the real first step is to find every server that sends SMTP mail with senders from the domain you want to publish the SPF record for. This is key to a working SPF deployment.
The SPF record itself is a plain TXT record in the zone that is authoritative for the SMTP domain, and you can express the authorized senders in a variety of ways: IP addresses, host names, the MX records, or a combination of them.

Some examples of SPF records in the domain.com zone.
v=spf1 ip4:10.10.10.10 ~all
This means that only a server with IP 10.10.10.10 is allowed to send mail with sender addresses in domain.com.

v=spf1 mx ~all
Only the hosts named in domain.com's MX records are allowed.

v=spf1 a mx ip4:10.10.10.10 ~all
Only the host that domain.com's own A record points to, the hosts named in its MX records, or the IP 10.10.10.10 are allowed. Note that "a" means the A record of domain.com itself, not any host that happens to have an A record.

The all parameter:
The all mechanism in SPF is prefixed with one of the qualifiers -, ~, ? or +, which sets the result for any sender that matched none of the earlier mechanisms.
- (Fail) means the sending server must be in the list; anything else is explicitly not authorized and the receiver may reject it.
~ (SoftFail) means it should match, but a mismatch is only a weak signal; receivers typically accept the mail and score it as more likely to be spam.
+ (Pass) means it is absolutely fine for servers other than those listed to send mail for domain.com. A record ending in +all authorizes the whole Internet and gives you no protection at all.
? (Neutral) means either way: the mail may or may not originate from the servers specified.

Outsourced domain
Sometimes you need to let someone else deliver mail for your domain, such as newsletters sent by a provider, or perhaps you run Exchange in a hybrid setup with some users on premises and some in Office 365. You can of course simply add the provider's IP addresses to your SPF record, but this is impractical because they can change without you knowing, and there can be many of them, which can push the record over the lookup limit and make it invalid.

Why would SPF be invalid when you have a lot of information in it?
The RFC limits the number of DNS lookups a receiving server will do while evaluating a record: at most 10 terms that need a lookup (the include, a, mx, ptr and exists mechanisms and the redirect modifier) per check, counted across your record and everything it includes. Plain ip4 and ip6 entries cost nothing. Go over 10 and the check ends in a permanent error instead of a result.
The solution for outsourced mail, and for keeping your own record manageable, is the include parameter.

v=spf1 mx include:provider.net ~all
This means mail is authorized if it comes from a host listed in your MX records, or from whatever the SPF record in the provider.net zone authorizes. With this technique you manage your servers and the provider manages their environment, independently of each other. Be aware that include does not buy you a fresh budget: the lookups inside provider.net's record count against the same 10 as your own, so the record above costs one lookup for mx, one for the include, plus whatever provider.net's record (and anything it includes in turn) needs. Add up the whole chain before you publish.
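To make the mechanics above concrete, here is a small SPF evaluator, added as an example for this page; it is not code from the original post and not a production resolver. It evaluates the record styles shown earlier (ip4, a, mx, include and a qualified all) against a constructed in-memory zone: the ZONE dictionary, with RFC 5737 documentation addresses and made-up host names such as provider.net, relay.provider.net and loop.example, stands in for live DNS. It applies the -/~/?/+ qualifiers and counts the a, mx and include terms against one 10-lookup budget across the whole include chain, so you can see that an include does not get a budget of its own and that a self-including record ends in permerror rather than a loop.

```python
"""Toy SPF (RFC 7208) evaluator over an in-memory zone.

Added example, not code from the original post. The zone data, addresses
and names below are constructed for the demonstration; a real checker
would query DNS where this reads the ZONE dictionary.
"""
import ipaddress

# Constructed records standing in for live DNS (TXT, A and MX only).
ZONE = {
    "domain.com": {
        "TXT": ["v=spf1 mx include:provider.net ~all"],
        "MX": ["mail1.domain.com", "mail2.domain.com"],
    },
    "mail1.domain.com": {"A": ["203.0.113.25"]},
    "mail2.domain.com": {"A": ["203.0.113.26"]},
    "shop.domain.com": {
        "TXT": ["v=spf1 a mx ip4:10.10.10.10 ~all"],
        "A": ["203.0.113.40"],
        "MX": ["mail1.domain.com"],
    },
    "provider.net": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 include:relay.provider.net -all"],
    },
    "relay.provider.net": {"TXT": ["v=spf1 ip4:192.0.2.0/28 -all"]},
    # A record that includes itself: shows the lookup limit in action.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: include/a/mx/ptr/exists/redirect, in total
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
COUNTED = {"a", "mx", "include"}  # ptr/exists/redirect left out of this toy


def records(name, rtype):
    """Look up one record type for a name in the constructed zone."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def evaluate(addr, domain, budget):
    """Return one SPF result string; budget["used"] counts DNS lookups."""
    spf = [t for t in records(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"
    if len(spf) > 1:            # two SPF records for one name is a permerror
        return "permerror"
    for term in spf[0].split()[1:]:
        qual = "+"              # the default qualifier is Pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in COUNTED:     # every counted term, at any include depth
            budget["used"] += 1
            if budget["used"] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":       # the domain's own A record unless a name is given
            matched = str(addr) in records(arg or domain, "A")
        elif mech == "mx":      # the A records of the MX hosts
            matched = any(str(addr) in records(mx, "A")
                          for mx in records(arg or domain, "MX"))
        elif mech == "include": # matches only if the included record says Pass
            sub = evaluate(addr, arg, budget)
            if sub in ("permerror", "temperror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # nothing matched and no "all" term


def check_spf(ip, domain):
    """Evaluate `domain`'s SPF record for sending IP `ip`.

    Returns (result, lookups_used) so the caller can see how much of the
    10-lookup budget the whole include chain consumed.
    """
    budget = {"used": 0}
    result = evaluate(ipaddress.ip_address(ip), domain, budget)
    return result, budget["used"]


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "domain.com"),        # listed MX host
                    ("192.0.2.5", "domain.com"),           # via nested include
                    ("192.0.2.99", "domain.com"),          # nobody vouches: ~all
                    ("203.0.113.40", "shop.domain.com"),   # the "a" mechanism
                    ("10.0.0.1", "loop.example")]:         # include loop
        print(f"{dom:18} {ip:14} -> {check_spf(ip, dom)}")
```

The second return value is the number that matters when you design a record: domain.com's own record uses two lookups, but a sender authorized only by relay.provider.net costs three, because the nested include is charged to domain.com's budget as well.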

Good practice in my opinion.
Collect information about all systems that could send mail for domain.com.
Start with the ?all parameter and try to log what’s happening. By logging I mean logging which DNS queries are made against the domain.com zone; this is a lot easier if you run and manage the name servers hosting the domain.com zone than if it is outsourced to a provider, which might not be that helpful with statistics.
Don’t change to -all unless you are very sure that the SPF record is correct.
Don’t use your production domain for bulk marketing mail; create a separate domain for this, because if something goes wrong only the marketing mail will fail.
Verify your SPF syntax. Here is one tool that can be used: http://www.kitterman.com/spf/validate.html
If you have a lot of info in your SPF record, use the include parameter, and count the lookups of the whole chain.
Verify incoming email to your environment.

Make Exchange verify incoming email.
Install the anti-spam agents (the Install-AntiSpamAgents.ps1 script in the Exchange Scripts folder), which are already present if you are using an Edge Transport server, then configure the Sender ID transport agent.
Configure it with the appropriate action:
Set-SenderIdConfig -SpoofedDomainAction StampStatus

SpoofedDomainAction can be Delete, Reject or StampStatus. StampStatus is interesting since it lets the mail be received, but Exchange stamps the Sender ID result on the message, and later in the transport pipeline the Content Filter agent takes that stamp into account and will most likely rate the mail as more likely to be spam.

Last, enable the Sender ID agent with Set-SenderIdConfig -Enabled $true

The Sender ID agent has some other good-to-know configuration parameters: BypassedRecipients and BypassedSenderDomains, which are self-explanatory, and TempErrorAction, which also takes the values Delete, Reject or StampStatus.
TempErrorAction applies when the verifying server hit a transient error while checking SPF, such as a DNS query that timed out or something else that isn’t considered normal. A record with broken syntax is a permanent error rather than a transient one, so don’t expect TempErrorAction to cover it. Be careful with Reject or Delete here: a DNS hiccup on your own side would then cost you legitimate mail. Also keep in mind that the Exchange Sender ID agent checks the purported responsible address taken from the message headers, not only the SMTP envelope sender, so a plain v=spf1 record is applied to the header addresses too.

Be safe: publish SPF information in your DNS for your SMTP domains, and enable SPF checking for incoming mail to your servers.

Tuesday, March 11, 2014

Have plenty of Public Folders and thinking Exchange 2013?

Think harder…
Microsoft some time ago published information about modern public folder limitations in a TechNet article, stating for example that you are only supported if you have no more than 100 public folder mailboxes and no more than 10,000 folders.

The question is what you do when you are above those limits: delete some, move some content to other solutions, don’t migrate to Exchange 2013, or at least don’t migrate your public folders to 2013. None of these sounds that appealing if you have decided to go for 2013. The easiest would be to leave the public folders on your older Exchange, but that has drawbacks as well, such as not being able to enable Kerberos authentication or MAPI/HTTP, and Exchange sometimes behaves a little strangely when you run Exchange 2013 and an earlier version together.

Tuesday, February 25, 2014

Exchange Update Rollups and Service Pack released today

Exchange 2007 Service Pack 3 Update Rollup 13 is now available for download from here. Read the corresponding KB2917522 for the bug fixes, of which there are almost none.

Exchange 2010 SP3 UR5 was also released and can be downloaded from here. The corresponding KB2917508 contains some interesting bug fixes and new functionality.

 

Exchange 2013 Service Pack 1 is essentially CU4 but named SP1 instead. It contains new functionality such as more DLP features and, the big one, support for Windows Server 2012 R2 domain controllers: raising both the domain and forest functional levels to 2012 R2, and installing Exchange 2013 SP1 on Windows Server 2012 R2.

Other new stuff is that the Edge Transport server is back. A new client/server protocol called MAPI/HTTP is introduced. Outlook Anywhere carries MAPI over RPC and then tunnels the RPC inside HTTP; MAPI/HTTP instead puts the MAPI calls directly on HTTP, so communication no longer relies on the RPC layer, which gives some advantages for authentication and for reconnecting clients. It is disabled by default, and you need Outlook 2013 SP1 to use MAPI/HTTP.
If you use TMG or any other reverse proxy that filters on URLs, you need to add ‘/mapi/*’ as an allowed URL.

As usual there is the regular schema and AD prep to do before you install the first SP1 server.

Release notes and What's new
Download link and KB2926248 link

Monday, February 17, 2014

ECP does not show all Organizational Units in Active Directory

You may have seen this when you use the Exchange 2013 ECP to create a mailbox and want to select a specific OU: the OU picker doesn’t seem to show all OUs, only some of them.

The reason is that the ECP web application has a limit of 500 OUs; the rest simply aren’t shown.

Don’t cry, there is a solution if you have some CPU cycles to spare. Edit the “web.config” in the ECP directory. The default path is “C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\”.

In the appSettings section, add the XML element
<add key="GetListDefaultResultSize" value="5000" />
where 5000 is the number of OUs you want to be shown.

When done, recycle the MSExchangeECPAppPool so the ECP web application reads the new configuration and is live and kicking. Keep a note of the change: a cumulative update can replace web.config, so you may have to add the element again afterwards.

Wednesday, January 29, 2014

The famous 9646 error on Exchange servers

Most Exchange administrators have seen an error with Event ID 9646 at least once, and some have seen it many times.

An example might look like this.
Mapi session /o=Exchange_orgname/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user with client type MOMT exceeded the maximum of 500 objects of type Folder.

another example might end with this:
.. exceeded the maximum of 250 objects of type Folder View.

Why does this happen?
Exchange has some built-in thresholds for various things that try to stop bad user behaviour, or a badly behaving client, from using all the resources on the server and making other users suffer.
You can try changing the client configuration for the users experiencing the problem: toggle cached mode on or off, also for any extra mailboxes that are opened; Outlook add-ins might cause this as well. Upgrading clients to a newer version might help too, but sometimes you can’t change what users do and must change the limits instead.

How to change limits
You change the limits through registry values, and Microsoft has a TechNet article that describes them: Exchange Store Limits. The key is to read the error text and find which threshold exceeded its limit, then read the TechNet article and set a new threshold by editing the registry values.
One problem is deciding what limits to set; unfortunately you have to pick a value and then see whether it works or not.
For the new values to take effect you must restart the Exchange Information Store service, so don’t count on this working until a restart is done.

The article doesn’t cover Exchange Server 2013, but the same limits apply, and so does the solution: add or edit the registry values on your mailbox servers.