DKIM record in WordPress DNS

So, today I found out that outbound mail from my jaapwesselius.com did not have a DKIM signature (after mail was blocked by prodigy.net). I have my jaapwesselius.com running on WordPress.com. To do this, WordPress requires to have DNS hosted with them. No problem, but adding a DKIM record in WordPress DNS is not possible, it fails with a TXT records may not exceed 255 characters error message as shown below:

The solution is relatively simple. You can add a CNAME record for the original DKIM record. For example, have safemail._domainkey.jaapwesselius.com point to something like safemailhop.exchangelabs.nl (I own that domain too, and DNS is hosted at my provider Argeweb).

CNAME: safemail._domainkey.jaapwesselius.com safemailhop.exchangelabs.nl

Create a new TXT record safemailhop.exchangelabs.nl and add the original DKIM record (from my jaapwesselius.com domain) to it et voila, that’s it.

Check with https://mxtoolbox.com/dkim.aspx reveals that it works:

And some header information:

Note. Yes I know, p=NONE in the DMARC record could (should/must) be changed to quarantine or even REJECT, but I’m still in development 😊

A reboot from a previous installation is pending. Please restart the system and then rerun Setup

While installing the Exchange 2019 Management Tools (only the Management Tools) on a server, I ran into the error message “A reboot from a previous installation is pending. Please restart the system and then rerun Setup”

Normally a reboot fixes this problem, but unfortunately this time it did not fix it.

The option to reboot is also logged in the registry of the server. There is a key called PendingFileRenameOperations located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager which in this case has a certain data that was not cleaned up previously:

When you check the data you can even see which process did not clean up. Remove the data from the key (or remove the entire key) and continue with the installation.

Quarterly Updates: Exchange 2016 CU19 and Exchange 2019 CU8

On Tuesday December 15, 2020 Microsoft has released its quarterly updates for Exchange server, specifically Exchange 2019 CU19 and Exchange 2019 CU8.

Nothing special, but a few remarks:

  • In contrast to earlier communication from Microsoft, CU19 is not the last CU released by Microsoft. The final CU for Exchange 2016 will be released in March 2021.
  • The issue with opening attachments in a shared mailbox using OWA (as explained in a previous blogpost https://jaapwesselius.com/2020/11/02/open-attachment-in-shared-mailbox-using-owa/) in fixed in these CUs.
  • De December security updates for Exchange Server (https://jaapwesselius.com/2020/11/02/open-attachment-in-shared-mailbox-using-owa/) are also included in these CUs.
  • When running a hybrid deployment or when using Exchange Online Archiving in combination with Exchange on-premises, make sure you run the latest CU or one version older (i.e. Exchange 2013 CU23, Exchange 2016 CU18/CU19 or Exchange 2019 CU7/CU8)
  • No schema changes in these CUs but there are changes to AD, so make sure you run the Setup.exe /PrepareAD command
  • And as always, test thoroughly in your lab environment, and when deploying make sure your servers are in maintenance mode (especially the DAG).
Exchange VersionKB ArticleDownload
Exchange 2019 CU8KB4588885Volume License
Exchange 2016 CU19KB4588884Download
Exchange 2016 CU19 UM Language PackDownload

More information can be found on the Microsoft website: December 2020 Quarterly Exchange Updates – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-december-2020-quarterly-exchange-updates/ba-p/1976527

Remove Exchange Hybrid Configuration

After decommissioning the Resource Forest I still have an Exchange 2016 environment on-premises, but all my mailboxes are in Office 365. Users are provisioned in Active Directory, Remote Mailboxes are provisioned in Exchange 2016 and everything is synchronized to Office 365 using Azure AD Connect.

Do I still need an Exchange Hybrid Configuration? Unless there are plans to move resources back to Exchange on-premises there’s no need for a Hybrid Configuration. To stay in a supported configuration, an Exchange server on-premises is still needed for management purposes, but only Azure AD Connect is needed and not a full hybrid configuration.

Note. If you want to use the on-premises Exchange server for SMTP relay purposes you don’t need the Hybrid configuration either. Just make sure you have a SMTP Send Connector that points to Exchange Online Protection and you’re good.

Removing the Hybrid configuration consists of the following steps:

  • Disable Autodiscover SCP in Exchange
  • Remove the Hybrid Configuration from Active Directory
  • Remove Connectors in Exchange Online
  • Remove the Organization Sharing from Exchange Online
  • Disable OAuth

Disable Autodiscover SCP in Exchange

When all Exchange resources are in Exchange Online you no longer need the on-premises Service Connection Points (SCP) for Autodiscover. But make sure you have the correct CNAME records for Autodiscover that point to Autodiscover.outlook.com.

To disable the SCP records in Active Directory, execute the following command in Exchange Management Shell:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null

Remove the Hybrid Configuration from Active Directory

Removing the Hybrid Configuration from Active Directory is just one PowerShell command in Exchange Management Shell:

Remove-HybridConfiguration -Confirm:$false

There’s one pitfall here, this will also remove the outbound to Office 365 Send Connector from Exchange. If you want to keep SMTP relay from on-premises to your mailboxes in Exchange Online you have to manually recreate this connector (use yourdomain-com.mail.protection.outlook.com as a smarthost for this)

Remove Connectors in Exchange Online

In the Exchange Online Admin Center, remove the outbound SMTP connectors that point from Exchange Online to your on-premises Exchange organization. If you want to keep SMTP routing, keep the inbound SMTP connector, otherwise you can remove this as well.

Remove the Organization Sharing from Exchange Online
To remove the Hybrid Organization Sharing from Exchange Online navigate to Organization | Sharing in the Exchange Admin Center and remove the organization sharing.

Disable OAuth on-premises

When used before you can disable the OAuth configuration as well from Exchange on-premises and Exchange Online.

In Exchange on-premises Management Shell, execute the following command:

Get-intraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $False

And to do this in Exchange Online Management Shell, execute the following (same) command:

Get-IntraorganizationConnector | Set-IntraOrganizationConnector -Enabled $False

These are the steps needed to remove the Hybrid Configuration from your Exchange environment.

Note. Microsoft recommends to leave the Exchange Hybrid option in Azure AD Connect.

Summary

In this blogpost I explained how to remove the Hybrid Configuration from your Exchange environment after you have moved all resources to Exchange Online.

The on-premises Exchange server is still needed for management purposes. After removing the Hybrid Configuration you can still manage your recipient Exchange Online using the on-premises Exchange server, all changes are replicated through Azure Active Directory.

Is that last Exchange server on-premises still needed? Yes, you need it for managing your recipients in Exchange Online. When you have Azure AD Connect running in your environment, the objects are managed in on-premises Active Directory. The source of authority is Active Directory. As long as Microsoft hasn’t fixed the source of authority problem, an Exchange server on-premises is still needed.

Security Updates Exchange Server December 2020

On December 8, 2020 Microsoft released a number of security updates for Exchange server. Despite the fact that Exchange 2010 is out of support at all, an important security update for Exchange 2010 was released as well.

Exchange versionKB ArticleDownload
Exchange 2010 SP3 RU31KB4593467Download
Exchange 2013 CU23KB4593466Download
Exchange 2016 CU17KB4593465Download
Exchange 2016 CU18KB4593465Download
Exchange 2019 CU6KB4593465Download
Exchange 2019 CU7KB4593465Download

Notes:

  • The security updates are specific for each Cumulative Updates.
  • The upcoming CU’s for Exchange 2016 and Exchange 2019 will contain this security fix.
  • Install the security updates from an elevated command prompt.