Recently I was involved in a project to test outgoing e-mail disclaimers for only a specific group of users in our company. Normally this would be a no-brainer using the standard features in Exchange transport rules to add a disclaimer using specific criteria. However, while testing the disclaimers with a colleague, he observed that his tests worked fine when sent from a mailbox on Exchange 2007, but failed to work at all when coming from a mailbox on Exchange 2010.
So I began troubleshooting this issue and trying to find the cause of the problem. In our company we actually have 3 generations of Microsoft Exchange running in a co-existence scenario (2003, 2007 and 2010 – with 2013 coming soon). I tried everything I could think of to get the transport rule disclaimer to work, testing it on my own mailbox which is hosted on an Exchange 2010 server. Sure enough the disclaimers did not work for my account.
I poured over KB articles and forum posts scouring the internet for any tips that might at least point me in the direction. After several hours of searching I stumbled upon a forum post indicating that I should check the “remote domains” properties in the Exchange shell. So I ran the command “get-remotedomains | FL” and sure enough the “isInternal” value was set to “true”. Given that our transport rule disclaimers were conditional upon being sent to recipients who were “external” to our Exchange organization – of course none of the rules would work.
In order to resolve the issue, I ran the following command: “get-remotedomain | set-remotedomain -isinternal $false”
This allowed Exchange 2010 hub transport servers to recognize all email recipient domains not configured in our Exchange organization as “external”. A second round of testing revealed that this change did in fact resolve the issue and the transport rule disclaimers worked perfectly for everyone, both Exchange 2007 and 2010 mailboxes.
I am amused and slightly annoyed that the vast majority of forum posts and KB articles I found about how to use Exchange transport rules to send outbound disclaimers has no mention of this possible “gotcha”. I’m sure there are limited circumstances that would result in this issue which is probably why it was not mentioned in the articles I was reading, but I offer this as help to those who may face a similar situation.
I’m pleased to announce that I’m now able to access my exchange mailbox from anywhere in the world using RPC over HTTP(s). This was a lot easier to setup than I thought it would be, and following the steps provided by Daniel Petri helped a lot! I also utilized the RPCFrontend tool that he mentions in the link. This made things very easy and I got it working the first time I attempted the configuration.
What this means is that I can now access my mailbox on my Exchange server, from anywhere with the only requirement being an internet connection. I can just open Outlook, and go straight to my mailbox as if I were on my home network. I highly recommend this for anyone with Exchange servers, it makes remote connectivity so much easier and can be fully secured with SSL and other security options.
I ran into an interesting issue today, something that is an old leftover from early mail systems.? I was trying to e-mail my hosting provider back on a support ticket I had opened with them, but when I replied I got a bounce message saying my mail was rejected with the following message:
Your message did not reach some or all of the intended recipients.
I have been a long time user of GFI software, relevant to this post is their Mail Essentials for Exchange package. I find it to be a very powerful and easily setup anti-spam system for Exchange. I have had very little trouble with it, and it is packed with useful features. However, recently I had some configuration issues with my spam setup, with rollernet really, not even an issue with Mail Essentials, but it got me thinking about my spam filtration system.
I am now on a quest to find an open source anti-spam solution for Exchange. I’m open to Linux based solutions as a gateway of sorts, but would prefer something that resides on the Exchange server running under Windows. Don’t get me wrong, I have a great respect for SpamAssassin and other gateway type spam fitlers, but it gives the end user a much better experience if the anti-spam software can interact with the user, especially if it integrates with Outlook.
Surely there must be some kind of solution out there I could try. At the very least I might install a few different packages under Linux and route incoming mail through them, and from there go to Exchange for evaluation. I can use server virtualization to allow for an easy evaluation of various types of configurations. ASSP I hear is very good and there was one other package that I found last night that sounds promising. I think it could be beneficial to have an additional layer of spam protection at the gateway level before GFI gets the messages and does its thing. My only concern is false positives. Lots of services and companies on the internet today do NOT have the proper DNS/MX confiugration and even at a more basic level don’t have their network setup right. All these network issues can have a major impact on e-mail deliverability. Its always a risk then when dealing with spam filters that you may block legitimate messages. I am always watching spam logs to ensure that I keep an eye on how the system is doing. If web services and companies would do a little work to get their sytems in compliance with RFS’s for SMTP and DNS, and setup the proper network configuration and mail server options, it would be a much better world for mail delivery without false positives.
The holidays are over, vacation is through, I stink at rhyming…..ummm…..
Seriously, back to the old routine now. Plenty to do starting out this new year. Some really neat projects on the horizon for this year, including continued testing and deployment of Office Communications Server 2007, clustered Exchange 2003/2007 servers, new Citrix deployment, and more.
Server: Event ID 9646 (user exceeded maximum of 32 objects of the type session). Event ID 1021 (unable to connect…error 0x4de)
Client/Outlook: Unable to open your default e-mail folders. The Microsoft Exchange server computer is not available. Either there are network problems or the Microsoft Exchange server computer is down for maintenance. OWA would work ok when logged on as either the user or an Exchange admin account.
Google searches of the events and error messages yield very little help. A second round of google searching and pressing further through the search results yielded a page from MS indicating to ensure that the user had “view information store status” rights granted at the server or mailbox store level. This lead me to a diagnosis of permission problems on the mailbox.
Proceeded with treatment by administering re-application of full mailbox permissions for the user and ensuring “view information store status” was selected in the allow column. Attempting to open outlook again immediately after still yielded errors as described in the symptoms. It wasn’t until a few minutes later when about to attempt a different method of treatment that the solution was revealed. Before trying to create a whole new information store and move the user for testing, I decided to open outlook again. This time, it opened no problem and did not give any errors or show any signs of a problem. Apparently the original solution was the correct solution and the treatment was correct, I just didn’t wait long enough for the change to take effect. Further attempts to work on the problem would have been useless as the issues was already fixed, I just didn’t know it yet.
I previously mentioned that I’ve been trying to get the new Sunbelt Exchange Archiver installed for an evaluation and I’ve also mentioned the old “IHateSpam” product and the predecessor “Ninja” in previous blog posts. Here is an update on my status…
Sunbelt Exchange Archiver:
I am still unable to get the archiver to work, my issues at this point are with the database connection. No matter what I try, I can’t get the database connection to function. I finally did get the product to install but now you have to configure everything before it can start the services. As usual the Sunbelt documentation is sub-par and contradicts what support tells you. I will probably have to get a support rep on the phone and do a remote install session just to get the product running.
I upgraded my Exchange servers in my company to the latest build of Ninja which includes their new “STAR” engine. This replaces the old Sunbelt heuristic filter with a definition based system like the cloudmark engine. I was told by Sunbelt that their new engine “does not cause false positives” before I did the upgrade. Pre-upgrade testing showed no problems with system resources such as CPU utilization and spam catch rates were the same as previous tests on the old version. The problem comes in when deploying in production. I found soon after enabling the new engine that we were having problems with lots of false positives and even some internal mail was being filtered and going to user’s quarantine. I ended up having to disable their new engine and things are working much better now. I also resolved an issue with the anti-spoofing feature that was marking lots of external mail as spoofed.
I think in general Sunbelt Software is on the weak side in the following areas:
1. Documentation, frequently I find their documentation is incomplete, does not answer questions users would have upon installing, and contradicts other documentation related to steps in the process and also their support staff directly.
2. Internal testing, I know they test their products before releasing to the general public. However its been my experience that there are always unexpected issues when installing or upgrading any of the three Sunbelt Products I’ve used. Like with Ninja and their STAR engine causing false positives, and marking internal mail as spam when its not supposed to. Not to mention the default configuration causes high CPU utilization on the host server.
Unfortunately there are not many other alternatives to do the job that Sunbelt’s software does. I know there is no perfect software, and with software comes its share of bugs. One last complaint would be in diagnosing errors. I know that in Ninja when we would turn logging to high in order to diagnose problems (and you have to turn logging to high as the system logs only useless information in the low setting), the extra disk activity is a huge drain on system performance. This alone is enough to make users complain. But in order to get any useful information from the software, you have to perform this step. Also, the queue folders often start to build as mail backs up into the queue. Most of the time I am certain this is caused by Ninja or more specifically the SMTP event sink it uses. Mail backs up into the SMTP queue folder and before you know it, you’ve got hundreds of messages stuck and not being delivered. Of course you restart the services and try to clear the queue since its obviously a big deal, but then you don’t get any logging as to what caused the problem. Support has no idea, and tells you to run a snapshot which is useless unless your logging level is set to high.
Ninja also accounts for a large boost in disk activity, and shows a marked increase in the disk queue when viewed in perfmon. This causes general GUI slowness and delays when opening MMC consoles.
I will say that when Ninja works, it works well, but the slightest problem or glitch and your entire mail flow system can be affected. I suppose this is a risk with any spam filter, but we’ve had a long history with Sunbelt products and it seems that the core issues we had with previous version of their spam filter have carried over into Ninja in one form or another.
I am working on
evaluating trying to evaluate the new Sunbelt Exchange Archiver from Sunbelt Software. It was just officially released yesterday (11–19–07) and made available for download from their website. I went ahead and downloaded it yesterday, and spent most of my day today trying to get it installed and working so I can take a look at it first hand. Right off the bat I had problems getting it installed. The servers I’m using are test servers on an isolated network, so they are not routinely patched and maybe that is playing a role in my issues. What I do know is that mcvcr71.dll was not properly registered and caused the installer to fail. After giving up on fixing that for now, I went to another test server and trie the install. On the second machine I got past the mcvcr71.dll issue and this time had an error when attempting to create a mailbox for the superuser account.
I’m waiting for a call back from Sunbelt support to help me get the product installed. I’m impressed by the software’s functionality and apparent ease of use. I have a few questions about deploying it in a global diverse network, and need to get more information from them for testing and putting together a deployment plan. I watched their hour long product walk through via LiveMeeting, and really liked what I saw. I’ll post more about my experiences with this product as I go along.