TrendMicro Hosted Email Security: SPF DKIM and DMARC Part II

In my previous blog I showed you how I implemented Trend Micro Hosted Email Security (HES) in my Exchange 2010 environment. Interesting case, it’s an Exchange 2010 hybrid environment with mailboxes in on-premises Exchange 2010 as well as mailboxes in Exchange Online. Centralized mail transport is used, so mail to and from Office 365 always routes via HES and the on-premises Exchange 2010 servers to Exchange Online. In this blog I will focus on implementing SPF, DKIM and DMARC in Trend Micro Hosted Email Security.

SPF

SPF in itself is covered in more detail in a previous blog post “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part I” which can be found here: https://jaapwesselius.com/2016/08/19/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-i/.

In this scenario, mail from the inframan.nl domain (including Office 365) is only routed via the Hosted Email Security environment so the SPF record is pretty simple:

v=spf1 include:spf.hes.trendmicro.com ~all

Set this TXT record in your public domain, start sending email and when checking the header information you’ll see your all good here:

image

DKIM

DKIM is a little more work to configure and takes a bit more time. DKIM is covered more in detail in part II of a previous series “SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part II” which can be found here: https://jaapwesselius.com/2016/08/22/senderid-spf-dkim-and-dmarc-in-exchange-2016-part-ii/

DKIM is about signing header information using a private key, and to decipher the signature you need a public key which is stored in public DNS, accessible for every mail server on the Internet. No need to worry about the configuration, HES will deliver all the details.

In the HES console select Outbound Protection and select DomainKeys Identified Mail (DKIM) Signing.

image

Continue reading TrendMicro Hosted Email Security: SPF DKIM and DMARC Part II

TrendMicro Hosted Email Security: SPF DKIM and DMARC Part I

A couple of years ago I have been working with the TrendMicro Hosted Email Security (HES) solution and I was very satisfied with it. With the upcoming SPF, DKIM and DMARC awareness I was looking for online solutions that offer this kind of security measures and I found that HES now offers these solutions as well.

I have a hybrid Exchange environment with multi-role Exchange 2010 servers, Exchange 2010 Edge Transport servers and a hybrid configuration. There’s no dedicated Exchange 2016 server for this, the hybrid configuration just uses the existing Exchange 2010 servers. And this works well. There’s an additional namespace o365mail.inframan.nl, this is used solely for SMTP communication between Exchange Online and the on-premises Exchange 2010 servers (without the use of the Edge Transport servers). The configuration looks like this:

image

This a hybrid configuration with a centralized mailflow. All email is sent and received through the on-premises Exchange environment, including email from and to Office 365. So, email sent to the internet by users in Office 365 are sent first to the Exchange 2010 servers, and then via the Edge Transport servers to the Internet. This way you have full control over your Internet mail flow.

The Edge Transport servers don’t do a great job when it comes to message hygiene. You can configure Realtime Block Lists (RBL) like Spamhaus, configure content filtering using word lists and attachment filtering, but still (a lot of) spam ends-up in the user’s mailboxes. Therefore 3rd party solutions like Cisco Email Security Appliance (ESA, formerly known as IronPort) are used in front of on-premises Exchange solutions

Continue reading TrendMicro Hosted Email Security: SPF DKIM and DMARC Part I

Your browser is currently set to block JavaScript

I hate this…. And most likely you too otherwise you didn’t end up here

When logged on to an Exchange server, ready for starting the Hybrid Configuration Wizard, you try to logon to Exchange Online you end up with a warning (or ‘error’) message:

We can’t sign you in

Your browser is currently set to block JavaScript. You need to allow JavaScript to use this service.

To learn how to allow JavaScript or to find out whether your browser supports JavaScript, check the online help in your web browser.

Like the screenshot below:

image

To enable JavaScript on your computer you have to enable Active Scripting. To do so, go to Internet Options, select the Security tab and choose Custom Level.

image

image

Now scroll all the way down (or press page down 12 times ) and enable Active Scripting:

image

You will get a warning message “Are you sure you want to change the settings for this zone”, click Yes and click OK.

image

Restart your Internet Explorer browser and you can login on Exchange Online and continue with the Hybrid Configuration Wizard (or whatever you were trying to achieve).

Exchange 2016 CU7 and Exchange 2013 CU18

Microsoft has released its quarterly updates for Exchange:

  • Exchange 2016 CU17.
  • Exchange 2013 CU18.

It has been quiet around these updates, and they do not bring a whole lot of features.

Important to note is that the minimum Forest Functional Level (FFL) has been raised to Windows Server 2008 R2. Personally I think this is an indication that more exciting stuff is along the way, especially around Exchange 2016 (my personal expectation, don’t shoot the messenger :-))

There are schema changes in Exchange 2016 CU7, so when installing this update you have to execute the following commands:

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms

When it comes to the .NET Framework, Microsoft is working on a new .NET Framework release (version 4.7.1). The upcoming quarterly update of December 2018 will support this version of the .NET Framework.

More information (well, not a lot more) can be found here: https://blogs.technet.microsoft.com/exchange/2017/09/19/released-september-2017-quarterly-exchange-updates/

 

MigrationTransientException: Target database GUID cannot be used (Mailbox database size limits in Exchange Online)

If you are designing Exchange 2016 (or have been designing Exchange 2013) environment you are aware of the The Exchange 2016 Preferred Architecture (https://blogs.technet.microsoft.com/exchange/2015/10/12/the-exchange-2016-preferred-architecture/) and articles like Ask the Perf Guy: How big is too BIG? (https://blogs.technet.microsoft.com/exchange/2015/06/19/ask-the-perf-guy-how-big-is-too-big/) which explain pretty much how to design an Exchange solid (and large) Exchange environment.

When it comes to Mailbox databases, the recommended size limit for non-replicated databases is 200GB and for replicated databases 2 TB (when running 3 or 4 copies of a Mailbox database).

One can only guess how Microsoft has designed their Exchange servers in Exchange Online, but we can assume that the Preferred Architecture is written with their Exchange Online experiences in mind.

Sometimes error messages that are generated in Exchange Online can reveal more information. While moving mailboxes from Exchange 2010 to Exchange Online in a hybrid configuration the following error message was returned in a migration batch for a number of Mailbox databases:

Error: MigrationTransientException: Target database ‎’07bdf507-ab94-479b-aeb6-1bfef1458c4c‎’ cannot be used: Current database file size: 1502835900416 Current space available inside database: 100237312 Allowed database growth percentage: 90 Maximum database file size limit: 1622722691784 Is database excluded from provisioning: ‎’False‎’. –> Target database ‎’07bdf507-ab94-479b-aeb6-1bfef1458c4c‎’ cannot be used: Current database file size: 1502835900416 Current space available inside database: 100237312 Allowed database growth percentage: 90 Maximum database file size limit: 1622722691784 Is database excluded from provisioning: ‎’False‎’.

Obviously it’s telling us the migration cannot proceed since the target Mailbox (in Exchange Online!) has reached its size limit. The following sizes are reported:

  • Current database file size: 1502835900416 (1,502,835,900,416 bytes, approx. 1.5TB)
  • Current space available inside database: 100237312 (100.237.312 bytes, approx. 100MB)
  • Maximum database file size limit: 1622722691784 (1.622.722.691.784 bytes, approx. 1.6 TB)

So, the maximum size limit for Exchange 2016 in Exchange is not really used in Exchange Online, but it’s getting close, which is interesting to see.

What I don’t understand is why this issue occurs in the first place. To me it looks like a failing part in the provisioning service but I have to admit I’ve never seen this before in the last couple of years so I expect it’s only one Exchange server that’s failing here.

Microsoft UC Specialist