Blog Archives

Gotcha when adding Exchange transport rule disclaimers

Recently I was involved in a project to test outgoing e-mail disclaimers for only a specific group of users in our company.  Normally this would be a no-brainer using the standard features in Exchange transport rules to add a disclaimer using specific criteria.  However, while testing the disclaimers with a colleague, he observed that his tests worked fine when sent from a mailbox on Exchange 2007, but failed to work at all when coming from a mailbox on Exchange 2010.

So I began troubleshooting this issue and trying to find the cause of the problem.  In our company we actually have 3 generations of Microsoft Exchange running in a co-existence scenario (2003, 2007 and 2010 – with 2013 coming soon).  I tried everything I could think of to get the transport rule disclaimer to work, testing it on my own mailbox which is hosted on an Exchange 2010 server.  Sure enough the disclaimers did not work for my account.

I pored over KB articles and forum posts scouring the internet for any tips that might at least point me in the right direction.  After several hours of searching I stumbled upon a forum post indicating that I should check the “remote domains” properties in the Exchange shell.  So I ran the command “Get-RemoteDomain | FL” and sure enough the “IsInternal” value was set to “true”.  Given that our transport rule disclaimers were conditional upon being sent to recipients who were “external” to our Exchange organization – of course none of the rules would work.

In order to resolve the issue, I ran the following command: “Get-RemoteDomain | Set-RemoteDomain -IsInternal $false”

This allowed Exchange 2010 hub transport servers to recognize all email recipient domains not configured in our Exchange organization as “external”.  A second round of testing revealed that this change did in fact resolve the issue and the transport rule disclaimers worked perfectly for everyone, both Exchange 2007 and 2010 mailboxes.
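The same check and fix as an added Exchange Management Shell example (not code from the original post): it lists the remote domains flagged internal, shows which transport rules depend on an external recipient scope, and clears the flag only on the affected domains. The group name and disclaimer text are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010
# Management Shell; the group name "Disclaimer Users" is hypothetical.

# 1. Which remote domains does hub transport treat as internal? While any
#    domain (including the "*" default) is flagged here, recipients in it are
#    not "external" and external-scoped rules never match them.
$internalDomains = Get-RemoteDomain | Where-Object { $_.IsInternal -eq $true }
$internalDomains | Format-Table Name, DomainName, IsInternal -AutoSize

# 2. Which transport rules require the recipient to be outside the
#    organization? These are the rules affected by step 1.
Get-TransportRule |
    Where-Object { $_.SentToScope -eq 'NotInOrganization' } |
    Format-Table Name, State, Priority, SentToScope -AutoSize

# 3. Fix: clear IsInternal, narrowed to the domains that are actually
#    flagged. -WhatIf previews the change; remove it to apply.
$internalDomains | Set-RemoteDomain -IsInternal $false -WhatIf

# 4. The kind of disclaimer rule the post describes: external recipients
#    only, and only for members of a pilot distribution group.
New-TransportRule -Name 'External disclaimer - pilot group' `
    -FromMemberOf 'Disclaimer Users' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<p>Placeholder disclaimer text.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -WhatIf
```

Re-run step 1 after applying the change; an empty result means hub transport now classifies every unconfigured recipient domain as external.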

I am amused and slightly annoyed that the vast majority of forum posts and KB articles I found about how to use Exchange transport rules to send outbound disclaimers have no mention of this possible “gotcha”.  I’m sure there are limited circumstances that would result in this issue, which is probably why it was not mentioned in the articles I was reading, but I offer this as help to those who may face a similar situation.

Goodlink 5 deployment issue

I have been working on deploying multiple Goodlink 5 messaging servers recently, and came across a problem with the user migration feature in Goodlink 5.  Normally if you have more than one Good messaging server, you have the option to “change good messaging server” when you right-click on a user account.  So in my deployment when I didn’t see this option enabled, I had to call Goodlink support.  What I found out made sense, but is definitely irritating.

I called Goodlink support before deploying Goodlink version 5 to ask about deployment options and get some advice on my project.  I asked about the user migration feature and using multiple GoodAdmin mailboxes, and was told that it should work fine.  Now here is where the issue comes in.  In my deployment scenario, I wanted to deploy multiple individual Goodlink 5 servers in various locations/offices around the world.  The limitation here is network bandwidth and latency, due to the fact that the offices getting these Goodlink 5 servers are spread across the globe on networks of various speeds, and some of the offices in Asia, for example, have very high network latency and limited bandwidth.  To help with this situation, I asked if it would be advisable to use multiple GoodAdmin mailboxes, one for each new Goodlink 5 server; that way, each location that got a Goodlink 5 server and had a local Exchange server would get its own GoodAdmin mailbox homed on the local Exchange server.  This would increase performance, reduce the time it takes to re-connect all the mailboxes in the event of a reboot, and provide a better solution for my deployment project.

If you have more than one Goodlink server and some of them are connected to the network over a low bandwidth or high latency link, it is a good idea to have separate GoodAdmin mailboxes rather than a single consolidated one, to keep network traffic local to the office in question.  It’s faster and more reliable, and if the central Exchange server that houses a consolidated GoodAdmin mailbox were to go down, all your Good Messaging servers would be rendered useless until the Exchange server is back online and the GoodAdmin mailbox is available again.

So my scenario of using more than a single consolidated GoodAdmin mailbox was a good idea, still works well and does help with performance and all the other reasons I mentioned above.  The drawback is that in this configuration, from within the Good Messaging console, you only see the server you are connected to under the “Good messaging servers” folder.  This also means that the “change good messaging server” option is grayed out and unavailable.  The fact is that the GoodAdmin mailbox is what keeps track of how many servers you have, but they all have to be configured to use the same GoodAdmin mailbox in order for the server to “know” about the other Good Messaging servers you have in your network.  This basically means that the user migration option is not going to work for us. 

This is not a problem, it’s just an inconvenience.  And it would have been nice to have known this initially when I talked with Good support earlier.  Lately no matter what company I deal with, I usually end up getting conflicting information about their products and features based on who you talk to.  The first time I call and get info on something, I hear one thing; then when I am working on the deployment and have a question or problem and call back, I hear something completely different.  This is irritating and can cause some major problems for large projects.

RPC over HTTP(S) for Exchange 2003 – single server

I’m pleased to announce that I’m now able to access my Exchange mailbox from anywhere in the world using RPC over HTTP(S).  This was a lot easier to set up than I thought it would be, and following the steps provided by Daniel Petri helped a lot!  I also utilized the RPCFrontend tool that he mentions in the link.  This made things very easy and I got it working the first time I attempted the configuration.

What this means is that I can now access my mailbox on my Exchange server, from anywhere with the only requirement being an internet connection.  I can just open Outlook, and go straight to my mailbox as if I were on my home network.  I highly recommend this for anyone with Exchange servers, it makes remote connectivity so much easier and can be fully secured with SSL and other security options. 

Pasting links from OWA

I deal with Good support now and then for various technical issues with their mobile e-mail solution (Goodlink).  Today it appears they sent out a survey request to all of their customers, but I had to chuckle a little when I read the message and found they had pasted in the survey link through OWA.  If you read below, you will find the actual URL is missing the first h in the (http), and the actual linked URL is an Exchange OWA redirect link.  This happens when you copy a link from OWA and paste into another message.  By default in OWA, links point to the Exchange redirector and then take you to the link specified at the end of the redirect URL. 

I run into this issue myself from time to time and forget about it until I get a reply back to something I sent out with a complaint that the URL I sent does not work.  To get around this I usually paste the link into Notepad so I can get a plain text copy of the link, and then I remove the Exchange redirector part.  I then paste in the plain text link, which most e-mail programs and even OWA convert to a hyperlink automatically for you.

I’m not trying to gripe about this flub, but I find it humorous that such a mistake can be made by anyone, and it’s nice to know I’m not the only person out there who forgets about this from time to time and sends out links that don’t work.  Now naturally a technically apt person could easily extract the correct link and get where they need to go, but the average person is going to reply and complain that you sent them a bad link.  Not just that, but now we all have the OWA logon link to their Exchange mailboxes.  (Don’t worry Good (Motorola), I’ve hidden the actual OWA link for your privacy) 🙂  (NOTE: I did receive a correction email from them shortly after receiving the message below).

Dear Valued Motorola Good Technology Group Customer:

Thank you for your recent inquiry into our support team. We appreciate the opportunity to serve you, and help you and your company meet your mobile messaging needs. To gauge the level of support you, and other customers are receiving, and to better understand where our strengths and weaknesses are, we are asking for your help.

By clicking on the following link and taking a brief six question survey, you will help us gauge the level of support we are providing our customers. This will allow us to know where our strengths are, and where we need improvement:

ttp://www.zoomerang.com/recipient/survey-intro.zgi?p=maskedsurveyidforprivacy <https://nosy.notmotorola.com/exchweb/bin/redir.asp?URL=http://www.zoomerang.com/recipient/survey-intro.zgi?p=maskedsurveyidforprivacy>

Please spend the two minutes it will take to respond to the survey questions so we will know how to better serve you in the future.

Sincerely,

The Good Technology Group Technical Support Team
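The cleanup described above (strip the Exchange redirector, restore the missing “h”) as an added PowerShell example that is not part of the original post; the input line is constructed from the survey mail quoted above.

```powershell
# Added example, not from the original post. A link copied out of OWA 2003
# pastes as "<visible text> <redirector URL>": the visible text has lost its
# leading "h" and the real target sits in the redirector's URL= parameter.
function Repair-OwaPastedLink {
    param([Parameter(Mandatory)][string]$Pasted)

    # Prefer the angle-bracketed redirector link when one is present.
    if ($Pasted -match '<([^>]+)>') {
        $link = $Matches[1]
    } else {
        $link = $Pasted.Trim()
    }

    # Exchange 2003 OWA redirector: /exchweb/bin/redir.asp?URL=<target>
    # The target is the last parameter, so take everything after "URL="
    # instead of splitting on "&", which would truncate targets containing "&".
    if ($link -match '/exchweb/bin/redir\.asp\?.*?URL=(.+)$') {
        $link = [System.Uri]::UnescapeDataString($Matches[1])
    }

    # Restore the truncated scheme OWA leaves in the visible text
    # ("ttp://" or "ttps://" become "http://" / "https://").
    if ($link -match '^t?tps?://') {
        $link = $link -replace '^t?tp', 'http'
    }
    return $link
}

# Constructed sample, modelled on the survey mail quoted in the post.
$sample = 'ttp://www.zoomerang.com/recipient/survey-intro.zgi?p=maskedsurveyidforprivacy ' +
    '<https://nosy.notmotorola.com/exchweb/bin/redir.asp?URL=' +
    'http://www.zoomerang.com/recipient/survey-intro.zgi?p=maskedsurveyidforprivacy>'

Repair-OwaPastedLink -Pasted $sample
# Plain text with no bracketed redirector still gets its scheme repaired.
Repair-OwaPastedLink -Pasted 'ttp://www.example.com/page?id=1'
```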

Exchange 2003 | OWA | winmail.dat

I ran into an interesting issue today, something that is an old leftover from early mail systems.  I was trying to e-mail my hosting provider back on a support ticket I had opened with them, but when I replied I got a bounce message saying my mail was rejected with the following message:

————————-
Your message did not reach some or all of the intended recipients.

Subject: RE: myticketnumber]: message subject hidden for privacy reasons
Sent: 2/8/2008 3:16 PM
The following recipient(s) could not be reached: myhostingprovidersemailaddress on 2/8/2008 3:14 PM
The recipient could not be processed because it would violate the security policy in force
< smtp1.myproviderdomainname.com #5.7.0 smtp; 554-5.7.0 Reject, id=26006-18 – BANNED: multipart/mixed 554 5.7.0 | application/ms-tnef,.tnef,winmail.dat>

——————————-

So I did some digging online, and tested some things out.  I found that even if sending from OWA I still had this issue, so I knew it was a server configuration option I needed to look for.  The provider I am dealing with was quick to blame me of course, but my server config has not changed in years.  So I think they changed something on their side recently with the way their helpdesk processes mail, and that’s what caused this issue.

To resolve it, I went into my ESM, under Global Settings, Internet Message Formats properties, and changed the options to never use Exchange Rich Text.  After applying this change, the issue was resolved and mail flow has been restored.

I personally don’t like making server config changes due to problems with sending mail to just one outside recipient, but I deal with my hosting provider a lot and it’s a hassle to have to reply from a different mail account.


Open Source Anti-Spam for Exchange

I have been a long time user of GFI software, relevant to this post is their Mail Essentials for Exchange package.  I find it to be a very powerful and easily setup anti-spam system for Exchange.  I have had very little trouble with it, and it is packed with useful features.  However, recently I had some configuration issues with my spam setup, with rollernet really, not even an issue with Mail Essentials, but it got me thinking about my spam filtration system. 

I am now on a quest to find an open source anti-spam solution for Exchange.  I’m open to Linux based solutions as a gateway of sorts, but would prefer something that resides on the Exchange server running under Windows.  Don’t get me wrong, I have a great respect for SpamAssassin and other gateway type spam filters, but it gives the end user a much better experience if the anti-spam software can interact with the user, especially if it integrates with Outlook.

Surely there must be some kind of solution out there I could try.  At the very least I might install a few different packages under Linux and route incoming mail through them, and from there go to Exchange for evaluation.  I can use server virtualization to allow for an easy evaluation of various types of configurations.  ASSP I hear is very good and there was one other package that I found last night that sounds promising.  I think it could be beneficial to have an additional layer of spam protection at the gateway level before GFI gets the messages and does its thing.  My only concern is false positives.  Lots of services and companies on the internet today do NOT have the proper DNS/MX configuration and even at a more basic level don’t have their network set up right.  All these network issues can have a major impact on e-mail deliverability.  It’s always a risk then when dealing with spam filters that you may block legitimate messages.  I am always watching spam logs to ensure that I keep an eye on how the system is doing.  If web services and companies would do a little work to get their systems in compliance with the RFCs for SMTP and DNS, and set up the proper network configuration and mail server options, it would be a much better world for mail delivery without false positives.

Back to the old routine

The holidays are over, vacation is through, I stink at rhyming…..ummm…..

Seriously, back to the old routine now.  Plenty to do starting out this new year.  Some really neat projects on the horizon for this year, including continued testing and deployment of Office Communications Server 2007, clustered Exchange 2003/2007 servers, new Citrix deployment, and more. 

Exchange diagnosis

Symptoms

Server: Event ID 9646 (user exceeded maximum of 32 objects of the type session).  Event ID 1021 (unable to connect…error 0x4de)

Client/Outlook: Unable to open your default e-mail folders.  The Microsoft Exchange server computer is not available.  Either there are network problems or the Microsoft Exchange server computer is down for maintenance.  OWA would work ok when logged on as either the user or an Exchange admin account. 

Diagnosis:

   Google searches of the events and error messages yield very little help.  A second round of Google searching and pressing further through the search results yielded a page from MS indicating to ensure that the user had “view information store status” rights granted at the server or mailbox store level.  This led me to a diagnosis of permission problems on the mailbox.

   Proceeded with treatment by administering re-application of full mailbox permissions for the user and ensuring “view information store status” was selected in the allow column.  Attempting to open Outlook again immediately after still yielded errors as described in the symptoms.  It wasn’t until a few minutes later, when about to attempt a different method of treatment, that the solution was revealed.  Before trying to create a whole new information store and move the user for testing, I decided to open Outlook again.  This time, it opened no problem and did not give any errors or show any signs of a problem.  Apparently the original solution was the correct solution and the treatment was correct, I just didn’t wait long enough for the change to take effect.  Further attempts to work on the problem would have been useless as the issue was already fixed, I just didn’t know it yet.

Sunbelt Software status

I previously mentioned that I’ve been trying to get the new Sunbelt Exchange Archiver installed for an evaluation and I’ve also mentioned the old “IHateSpam” product and the predecessor “Ninja” in previous blog posts.  Here is an update on my status…

Sunbelt Exchange Archiver:

   I am still unable to get the archiver to work, my issues at this point are with the database connection.  No matter what I try, I can’t get the database connection to function.  I finally did get the product to install but now you have to configure everything before it can start the services.  As usual the Sunbelt documentation is sub-par and contradicts what support tells you.  I will probably have to get a support rep on the phone and do a remote install session just to get the product running. 

Sunbelt Ninja:

   I upgraded my Exchange servers in my company to the latest build of Ninja which includes their new “STAR” engine.  This replaces the old Sunbelt heuristic filter with a definition based system like the cloudmark engine.  I was told by Sunbelt that their new engine “does not cause false positives” before I did the upgrade.  Pre-upgrade testing showed no problems with system resources such as CPU utilization and spam catch rates were the same as previous tests on the old version.  The problem comes in when deploying in production.  I found soon after enabling the new engine that we were having problems with lots of false positives and even some internal mail was being filtered and going to user’s quarantine.  I ended up having to disable their new engine and things are working much better now.  I also resolved an issue with the anti-spoofing feature that was marking lots of external mail as spoofed. 

   I think in general Sunbelt Software is on the weak side in the following areas:

1. Documentation, frequently I find their documentation is incomplete, does not answer questions users would have upon installing, and contradicts other documentation related to steps in the process and also their support staff directly. 

2. Internal testing, I know they test their products before releasing to the general public.  However it’s been my experience that there are always unexpected issues when installing or upgrading any of the three Sunbelt products I’ve used.  Like with Ninja and their STAR engine causing false positives, and marking internal mail as spam when it’s not supposed to.  Not to mention the default configuration causes high CPU utilization on the host server.

Unfortunately there are not many other alternatives to do the job that Sunbelt’s software does.  I know there is no perfect software, and with software comes its share of bugs.  One last complaint would be in diagnosing errors.  I know that in Ninja when we would turn logging to high in order to diagnose problems (and you have to turn logging to high as the system logs only useless information in the low setting), the extra disk activity is a huge drain on system performance.  This alone is enough to make users complain.  But in order to get any useful information from the software, you have to perform this step.  Also, the queue folders often start to build as mail backs up into the queue.  Most of the time I am certain this is caused by Ninja or more specifically the SMTP event sink it uses.  Mail backs up into the SMTP queue folder and before you know it, you’ve got hundreds of messages stuck and not being delivered.  Of course you restart the services and try to clear the queue since it’s obviously a big deal, but then you don’t get any logging as to what caused the problem.  Support has no idea, and tells you to run a snapshot which is useless unless your logging level is set to high.

Ninja also accounts for a large boost in disk activity, and shows a marked increase in the disk queue when viewed in perfmon.  This causes general GUI slowness and delays when opening MMC consoles. 

I will say that when Ninja works, it works well, but the slightest problem or glitch and your entire mail flow system can be affected.  I suppose this is a risk with any spam filter, but we’ve had a long history with Sunbelt products and it seems that the core issues we had with previous versions of their spam filter have carried over into Ninja in one form or another.

Sunbelt Exchange Archiver

I am trying to evaluate the new Sunbelt Exchange Archiver from Sunbelt Software.  It was just officially released yesterday (11–19–07) and made available for download from their website.  I went ahead and downloaded it yesterday, and spent most of my day today trying to get it installed and working so I can take a look at it first hand.  Right off the bat I had problems getting it installed.  The servers I’m using are test servers on an isolated network, so they are not routinely patched and maybe that is playing a role in my issues.  What I do know is that msvcr71.dll was not properly registered and caused the installer to fail.  After giving up on fixing that for now, I went to another test server and tried the install.  On the second machine I got past the msvcr71.dll issue and this time had an error when attempting to create a mailbox for the superuser account.

I’m waiting for a call back from Sunbelt support to help me get the product installed.  I’m impressed by the software’s functionality and apparent ease of use.  I have a few questions about deploying it in a global diverse network, and need to get more information from them for testing and putting together a deployment plan.  I watched their hour long product walk through via LiveMeeting, and really liked what I saw.  I’ll post more about my experiences with this product as I go along.