Exchange 2003 | OWA | winmail.dat

I ran into an interesting issue today, something that is an old leftover from early mail systems.? I was trying to e-mail my hosting provider back on a support ticket I had opened with them, but when I replied I got a bounce message saying my mail was rejected with the following message:

————————-
Your message did not reach some or all of the intended recipients.

Subject: RE: myticketnumber]: message subject hidden for privacy reasons
Sent: 2/8/2008?3:16 PM
The following recipient(s) could not be reached:?myhostingprovidersemailaddress?on?2/8/2008?3:14 PM
The recipient could not be processed because it would violate the security policy in force
< smtp1.myproviderdomainname.com #5.7.0 smtp; 554-5.7.0 Reject, id=26006-18 – BANNED: multipart/mixed 554 5.7.0 | application/ms-tnef,.tnef,winmail.dat>

——————————-

So I did some digging online, and tested some things out.? I found that even if sending from OWA I still had this issue, so I knew it was a server configuration option I needed to look for.? The provider I am dealing with was quick to blame me of course, but my server config has not changed in years.? So I think they changed something on their side recently with the way their helpdesk processes mail, and thats what caused this issue.?

To resolve it, I went into my ESM, under global settings, internet message formats properties and changed the options to never use Exchange Rich text.? After applying this change, the issue was resolved and mail flow has been restored.?

I personally don?t like making server config changes due to problems with sending mail to just one outside recipient, but I deal with my hosting provider a lot and its a hassle to have to reply from a different mail account.?

Tags: Exchange, Internet+mail, email, winmail.dat

Getting on the VPS bandwagon

I am now switching all my websites over to a VPS environment.  I just signed up for VPS package with my web hosting provider and will be migrating my accounts over soon.  This should provide better uptime, performance, bandwidth, etc.  I also get more control over the server than I’ve had in the past.  At some point I may go with a dedicated server, but I think VPS will do nicely for now. 

Tags: hosting, web, VPS

Recovery from Identity Theft

My own experience with identity theft is nearly over now, but I’ve learned a few things during this experience.  First, its important to keep a close eye on your bank accounts, watching daily activity and looking for unrecognized charges.  In my case I found that the person using my card had my physical card info including the 3 digit number on the back.  So someone either had physical access to my card, or one of the few only vendors that I deal with that actually asks for the 3 digit code had some kind of security breach that they haven’t alerted me to yet.  So keeping an eye on your accounts is really a key element to protecting yourself and putting a stop to things before it gets out of hand. 

Fortunately we use online banking and have for years now, which is not only convenient but normally allows you to setup e-mail alerts and notifications for various levels of monitoring.  We first found that something was wrong by monitoring our checking account and saw some unrecognized charges.  Someone was buying website memberships and hosting services.  They racked up about $200 worth of charges on my account, but I cought it fast and was able to get all the charges refunded by the charging merchants. 

I was not happy with the way my current bank handled the whole situation.  They made me call the merchants and deal with the process of removing the fradulant charges on my own.  Any other bank when you report fraud they would be all over it, and I probably wouldn’t have had to do a thing.  So we now have a new bank and are in the process of switching everything over. 

I checked my credit report and everything looks fine, so far no one has used my information to get a loan or do anything else bad to my credit. 

Tags: financial, banking, identity+theft, fraud

DNS uh oh!

I will admit that I made a pretty bad oopsie recently regarding my DNS confiugration for my personal domains, specifically with the MX records. Recently I decided to cancel my no-ip backup mail service account, so I removed the no-ip mail servers from my MX records in my DNS zones. What I forgot was that I had setup my DNS on DNSExit.com rather than on my own hosting server. So the place I fixed the MX records made no difference at all, and last night or this morning when my no-ip account expired, they began rejecting mail for my domains. I was alerted to this issue by my loving wife who calmly told me she couldn’t get any email from her friends. I quickly identified the issue and made the necessary corrections on the DNSExit system and mail flow has been restored. There could be some DNS servers out there that have my DNS zone cached, so for up to 2 days, we still face missing some e-mail. Fortunately, the sender will get a bounce back and hopefully realize that something is wrong and they need to re-send their message later. This is the first major mail stoppage I’ve had in a LONG time. I plan to diagram my mail flow and DNS configuration so that I can reference this information in the future, since I don’t look at it every day, its easy to forget how things are setup.

UPDATE | 8-27-07

It turns out I thought I had fixed everything but hadn’t. I noticed I still wasn’t receiving the normal amount of mail I normally would on my shorehost.com domain. After checking again, I found I had forgotten yet another backup DNS service that I use and had not yet removed the no-ip MX records from that provider. So I fixed that, and I’m happy to report that mail is now flowing normally now. However for several days there, since approximately Aug 23rd, incoming mail to my personal domains was affected and mail was bounced back to the senders. So if anyone sent me or my wife anything important, please re-send!!! This is the first major outage caused by an “oopsie” that I’ve ever had on my personal mail system.

Changes to my blog

Last night I implimented a few changes to my blog. I added several new plugins that will make the site much more functional. Here is a list of the changes:

1. Share This – you will now notice a “share this” link in each post. This will allow you to more easily share any post on my blog with your favorite services, such as technorati, etc. There are many other services listed, and it makes the whole process much easier.

2. Blog Stats – I installed this plugin to get better information on the stats of my blog. I tried Google Analytics, but didn’t like the interface much. So I’m giving this a try to see if I can get better stats. I already have access to several other stat apps since I use cpanel on my hosting server, but I want to get some other information as well.

3. Gallery2 plugin – I added this so I can post about new pictures in my picture gallery on my main website. With this plugin, I can easily browse my albums and simply click an image to easily link to it and post a pic in my blog.

4. Random redirect – I added this just for fun, and made a post about it. Its a link that will take you to a random blog post on my site. Its toally for fun and I probably won’t use it much, but its still pretty cool. Stumbleupon type random post finder.

5. Search Everything – I haven’t enabled this one yet, but when I do, its going to be cool. It will let you search everything on my blog in one simple search box.

6. Twitter tools – I enabled this so that each time I make a blog post, Word Press makes a post to my twitter account. Again, not very useful, but totally for fun.

7. Updated today banner – I haven’t actually gotten this to work yet, but when it does work, its supposed to add a neat little banner to my blog saying its been updated today. I’m still working on this one.

Big Scare

Early this week I had a big technical scare. On Friday of last week I had noticed some problems with my hosting server. I contacted support and they said they were doing maintenance and would have the server back up in 3 hours of less. It came back up and I went about my business. Well then I noticed some pictures in my picture gallery were corrupt. So I submitted another trouble ticket. They ended up restoring a backup of my account which put me over quota which gave me another scare, but I was able to fix that one on my own. Then I thought my blog had been wiped out, but fortunately it hadn’t. I was just jumping to conclusions before really looking into it. So finally everything is ok except for some picture gallery issues which I should be able to fix without a problem.

E-mail server during transition

Moving presents some unique challenges you don’t run into any other time. Specifically regarding hosting my own e-mail server. Over the past few days, I’ve been contemplating how I should handle moving to a new location with an entire weekend where I will not have internet access or a location at which to setup and run my e-mail server. I started checking into online paid mail services and searched for some open source solutions for a free solution. I stumbled upon a free beta service from Google. I think its under Google Apps for Domains. What this lets me do is setup my MX records for mail delivery on my domains, and route all mail to servers hosted by Google. I can pre-configure my accounts and settings so that I can do an immediate switch over. Once I had all my settings configured, I proceeded to change my MX records. I was surprised at how many servers are available from Google, they have 7 or 8 servers available for mail services. I configured all of them plus my two backup mail servers at no-ip.com. This way in the extremely unlikely event that the godaddy mail servers go down (all 7 or 8 of them), mail will still fail over to my backup mail servers and queue for later delivery. The good thing is that POP3 access is available from Google, so I can get to my email during the weekend transition. I plan to export both my mailbox and Liz’s mailbox in Exchange to a PST file, then configure outlook on my laptop with profiles for both of our personal accounts. I can setup the PST files so we can get to all of our old messages, and still access new mail through POP3. I am going to leave the mail on the Google servers, and once I am all moved in and have my mail server setup and running, I can have my Mail Essentials POP3 downloader get all the mail I left on Google’s servers. I may take my time getting it set back up at the new house, since I want to have Verizon come install FIOS so I can drop Road Runner. With FIOS I can get twice the upload speed of Road Runner, plus 5 more MB of download speed. So its a way better deal and about the same price. Once I have tested FIOS and made sure it will work ok for my needs, I’ll drop RR.

Home Network – Part 3

Microsoft Active Directory:
My home network is built on Microsoft’s Active Directory. I use active directory to organize my user accounts (all two of them), my computer and group policies. With group policies I can set common variables for all my workstations, servers, etc. This way I don’t have to hand configure everything, its all automatic. Group Policies are a great way to manage your network workstations or servers. There are other solutions here, some people like to run Linux at home, and I’ll admit, I do too from time to time. I love linux, but there are still too many apps I use that require Windows. From time to time I demo some of the latest Linux distributions and try things out. I think its great, and if I had a 4th computer to run it on, I’d probably run a linux server or desktop as well. Some people like novell, some people like MAC, its up to you. This is just how I am doing thing. I have group policies set to add customization to my desktop mainly. Things like a browser title, automatic update settings, common software distribution, etc.

Domains, e-mail and more:
I guess I can’t go much further without explaining how I also do my domain names and websites. I’ll write more about this topic later on as a how to and what you should know for getting your own domain and website. But for now, I’ll keep it simple. I own several domain names which I use for various purposes. I have one domain that is for all my server equipment, like my hosting server that hosts my website and some other websites I host for people (for free unfortunately). These servers are in a data center and I simply “rent” the server from them on a month to month basis because its cheap and does what I want it to do. Plus they take care of maintenance and problems. Then I have a primary domain name I used to use for my hosting company’s website. The backend server domain ended with a .net and the primary domain is a .com. These extensions can be anything you like, but I stuck with a traditional format. Then I have a third domain for my personal website which is mainly for my family and my blog, etc. Here is where the bulk of my incoming and ougoing e-mail comes from, the other two domains are mainly for servers and a now closed hosting company. I do have some other domains, but don’t really used them yet. I’ll be expanding that later on as well.

E-mail:
So now you know I have a shared hosting server which hosts my websites and most functions of my domain names. Now when it comes to e-mail, you’d naturally assume this server also handled mail for my domains as well right? If you said yes, you’d be wrong. I’m using a service called Rollernet which is a mail forwarding service. Since my ISP restricts incoming traffic on port 25, it was necessary to setup SMTP on a non-custom port. However, this causes a problem because when someone on the internet sends me an e-mail, most mail servers only send mail on port 25. So if I’m running SMTP on a non-custom port, how do I get my mail? Here is how. Rollernet’s servers are listed as the MX records for my domains. This means, that when you send me an e-mail, its actually received on port 25 by rollernet. They take the mail, queue it, do some scans on it for viruses, spam etc, then they forward that mail to my home mail server on a custom SMTP port. Of course I have this port setup in my cable modem and firewall to allow it to be forwarded to my mail server which resided on my LAN. Now here is the complicated part. My home mail server received mail on a custom SMTP port and is received by NoSpamToday, which is my SMTP level SPAM filter. NoSpamToday (NST for short), filters for SPAM, viruses etc, and basically makes sure that the message is valid before it allows it in to my mailbox. Now NST is not a mail server, its just a SMTP server, so another component is needed here, thats where 602 Lan Suite (LS for short) comes in. NST received a message for me on a custom SMTP port. Once it makes sure that the message is valid, it then forwards that message to 602LS which receives the message on the standard SMTP Port 25. 602LS receives the message and performes a few checks of its own, like scanning it again for viruses, doing aother SPAM check and finally delivering it to my mailbox. 602LS also has a built in webmail server, so I can check my webmail from anywhere in the world. This is also where port forwarding comes in as the ports for webmail need to be setup to route to my home mail server from the outsite. Using my public DNS zone, I can add a record for webmail to my domain, so I can go to http://webamil.mydomain.com/mail and get to my web interface. This way I don’t have to use DynDNS or any of those services, since my public IP on my cable modem rarely changes. Now if it were to change, I’d have to manually update that in my DNS zone. So watch out for that if your using this scenario. I am aware of it and know what to do, so for me its not a big deal, but if your new to this, don’t set this up and wonder why it breaks 9 months later. Keep an eye on your public IP.

Lets now talk about outgoing mail. I don’t know if your like me, but I find myself in situations at work and abroad where I find that my company network or hotel network restricts SMTP servers to their own servers and won’t let you send mail using your own SMTP configuration. For example, at work I run a simple server monitor that sends alerts. But my company has a firewall in place that limits outgoing SMTP traffic on port 25. Now I bet your wondering where the SMTP component from IIS comes in to the picture from my previous post. Here it is. I am running IIS on my mail server but only the SMPT component. So I setup Microsoft’s SMTP service to listen on a custom port (different from my incoming SMTP port for normal e-mail from Rollernet). This way, I can setup my monitoring server to use my custom SMTP server at home to send the alerts. So in my situation, my monitor program detects a problem with a server in my office, it sends an alert to my home mail server on a custom SMTP port. My SMTP server then relays that message to my shared hosting server which then sends it to the desired recipient on a standard SMTP port. This way, I can use SMTP wherever I am, still get my messages or alerts sent and accomplish my tasks. This custom SMTP service is protected by a username and password and relaying with it is denied. Relaying on NST is also forbidden. Ok, so how about my home PC? Ok, simple, we use outlook on our home PC, so outlook is setup to send/receive mail from 602LS through POP3 and standard SMTP. We send a message from outlook, it is received by my home mail server on port 25, which then forwards that mail to my shared hosting server. Some ISPs also restrict outgoing SMTP traffic, so here you may need to setup a custom port on your public SMTP server and configure your mail server to send all outgoing mail over a “SmartHost” or custom SMTP configuration. My shared hosting server then delivers the mail over standard SMTP to the recipient’s mail server.

So in summary, yes this is a complicated setup, and no it may not be for everyone. But I will say this, there is a degree of pride that goes into setting soemthing like this up. Now I’m a Microsoft Engineer, so I’ve been doing networking for a long time. No this is not the way to go about setting up a business or large company. Obviously I’d recommend using Exchange or more powerful mail servers and betters ISP connections. But if your a techie and want to setup a really cool home network, this guide might just help point you in the right direction.

Other Services:
Lets talk remote access. So how do I manage this home network when I’m not home. Easy, RDP. There are lots of people around that don’t like RDP, its not very secure, and has its issues like any other software or technology. For me however, its perfect. I simply forward port 3389 from my cable modem to my firewall and from my firewall to my PC, I can remotely manage any machine on my home network. Now I took it a step further, and actually setup a custom RDP port on my other machines, like my servers and second desktop. This has the advantage of being easy to individually RDP into any machine on my home network without first having to remote into my home pc and then into another machine. In conjunction with DNS for easy naming, its a snap. All you need to remember is the custom port number for each machine. I only have a few so its no big deal, if you have many machines I’d recommend finding a better way, such as VPN. Through RDP I can remote control, and virtually manage any server or desktop on my home network.

Web management: I also use a program called Remotely Anywhere (www.remotelyanywhere.com). Its a great application that runs as a service on Windows. With it, you can remote control, Transfer files, totally manage all aspects of the machine right from a web browser. Its very robust and powerful, with tons of additional features too numberous to mention. Its one of the best web based remote control/management solutions I know of. This can also be setup on a custom port, so it will need port forwarding configured for it as well.

FTP: I used to have a NAS server with FTP setup so I could FTP directly to my RAID5 storage device. Now that its gone, I don’t really use FTP anymore so I removed it. I use an FTP site on my shared hosting server temporarily if I ever need to send anything through FTP. I can grab it from home later.

Internet Access: Because my cable modem and firewall do NAT, its very easy to provide for internet access to my workstations and servers on my home network. The firewall is the gateway on my network, and Microsof’t DNS handles all DNS related operations on my network. My DNS server is configured to forward all requests for external host names to my ISP’s DNS server. It then caches the results and can reply much faster to any requests my workstations or servers make. Internet access is basically a simple NAT solution provided by my firewall and cable modem.

Points of Failure:
With a system like this there are other considerations that need to be taken into account. Amoung them are power, redundancy, damage, replacement, etc. For example, if my power goes out what happens. Well for me I have my critical equipment on a UPS. Since this is a home network and not a critical system, the UPS will keep my servers and internet connection up and running for 5 minutes. This should be sufficient as long as the power isn’t out for long, which is isn’t usually. What if my firewall or cable modem goes bad. Well then I have a problem, as with my ISP I have to have them come and activate a new cable modem. So I’d first have to buy a replacement and then have them install it. This can be done usually by the next day. So what if my mail server or other network equipment is damaged. Well, for mail, if my home mail server becomes unavailable, mail will queue at rollernet, so I won’t loose any e-mail. I can even redirect that mail to my shared hosting server if I wanted to so I could get to it. If some of my network gear fails, it will obviously need to be replaced. I’d try to repalce it with exactly the same modem so that if it had a configuration with it, I could easily restore a backup config file to immediately get my network back up and running.

Security: What about security, how secure is this setup? Very secure. Even considering I have ports forwarded into my LAN from the outside. This often makes security experts very nervous and for good reason, but again, this is not the NSA, I don’t have anything on my home network worth anything to anyone but me. That is not an excuse for having bad security. First, I have a double NAT solution, so even if someone could hack in past my cable modem, they couldn’t get further than my firewall. If they could get past my firewall by some miracle, they would not be able to access anything on my network, since all network traffic between workstations and server is encrypted through Kerberos. The worst they could do if map out my network and find my IP addresses. DOS attacks are also a possability, but there isn’t much that can be done about that anyway. Again, I’m not saying good security isn’t important, and the measures I’ve taken are sufficient for my needs. Please don’t think I’m advocating bad security measures.

Thanks for taking time to read this post, I know it was long. Keep an eye out for more tech posts in the near future. I’ll also post some images giving you a visual of how all this works. Here is a simple visual aid of what I’m talking about above.]]>

Home Network – Mail setup change

1. Changed MX records for my two main public domain names to route mail only to my mail redirection service’s mail servers.

2. Installed noSPAMtoday on sisko and configured to listen on my custom port (the port the SMTP redirection service uses to send mail to my home mail server).

3. Changed 602 LAN Suite to listen for SMTP on port 25.

4. Configure noSPAMtoday to send good mail to 602LS on port 25. So it now acts as a true SPAM Proxy.

Using this new configuration, I’m no longer accepting mail directly on my shared hosting server. Mail now gets routed to my SMTP redirection service. Mail gets queued on their servers and then sent directly to my home mail server (Sisko) on a custom SMTP port. NoSPAMToday is installed on Sisko listening on that custom SMTP port which if forwarded into my LAN from my firewall. NoSPAMToday does RBL checks, basyian checks, and various other checks for SPAM Messages. Right now I have it set to reject/deliver, so it still sends a bounce message to the SPAM sender, but goes ahead and delivers the message to me anyway. I’m going to leave it setup like this for a week or to in order to ensure that I have everyone I receive mail from either on my whitelist, or ensure NoSPAMtoday does not mark them as SPAM. Once I’m happy with the results, I’ll switch modes to reject/delete so I won’t even see messages it considers SPAM anymore. I’ll only receive valid wanted email.

Once a message is validated by NoSPAMtoday, it then gets sent through normal SMTP on port 25 to sisko on the internal LAN. 602 LAN Suite then accepts the mail and delivers to the appropriate mailbox. Right now it accepts mail for my two main E-mail addresses, and for Liz. The free version of NoSPAMToday is free for non-commercial use for up to 10 E-mail addresses.

Once 602 LS has my mail, I can download them with POP3 or use its built in webmail application. I usually stick with POP3 since my company uses fatpipe technology which causes a problem with my originating IP address, making webmail inaccessible since my public IP address changes at any given time. 602 LS is configured on its own internal domain and has a default masquerade domain of my main public domain name. User accounts in 602 LS are standalone user accounts, and are not physically related to my public domains. When we send mail, the identity information in our outlook profiles handles the E-mail addressing and name information. 602 LS is then configured to send mail out using my shared hosting server, but can be configured to send directly to the recipient mail server should the hosting server go down. My SMTP redirection service has two physical servers on different subnets served by multiple ISPs, so its unlikely that I’ll ever loose any E-mail. Even if sisko goes down, mail will spool at my redirection service.

Pretty cool stuff! Maybe overkill for a 2-3 user home network??
]]>

SMTP redirection on home network

Ok, I know this is nothing to the average guy, but to me, a tekkie, this is cool. I’ve finally setup my home network the way I want it (See previous post about home network). So now I just got SMTP redirection setup so I can use my home mail server to receive incoming SMTP mail. I’ve got a few public domains, which I now have 3 MX records for, one for my hosting server, and two for rollernet.us which I use for SMTP port redirection. Since my ISP (Road Runner) blocks incoming port 25, I have rollernet.us redirect port 25 to my home server on a different port. Allowing me to have redundant MX records in case of an emergency. The main hosting server will do the bulk of the mail operations, the others are just for backup. I’m still looking for a decent secondary DNS service to use. I’m using 602 Lansuite as my mail server, since they have a free 5 user version that is very robust and easy to use. It gives me webmail, web based admin, external pop3 mail downloading and assignment to any internal mailbox, plus all kinds of other features. My next trick is going to be working on getting VPN to work. I want to be able to VPN into my home network. However, my cable modem is somewhat inadequate and has not yet let me accomplish this goal.