SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part II

In the previous blog post I discussed how SPF works and how it uses public DNS to validate the authenticity of sending SMTP servers. When SPF is implemented correctly, a receiving mail server can validate whether the sending mail server is allowed to send email on behalf of the sender or his organization.

In this blog post I will discuss DKIM signing as an additional step in email validation, one that is more complicated, but also much more difficult to spoof.

As a quick reminder, here's what my lab environment looks like:

image

There’s an Exchange 2016 CU2 Mailbox server hosting several Mailboxes, and there’s an Exchange 2016 CU2 Edge Transport server. An Edge synchronization will make sure that all inbound and outbound SMTP traffic is handled by the Edge Transport server.

In my previous blog post an SPF record was created and published with the following value:

v=spf1 a:smtphost.exchangelabs.nl ~all

so that receiving mail servers can verify that my Edge Transport server is allowed to send email on my behalf; when mail for my domain originates from another mail server, it may well be a spoofed message.

But for now let's continue with DKIM.

SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part I

SenderID has been used in Exchange as an anti-spam mechanism for quite some time; as far as I can remember it was first used in Exchange 2010. Related to SenderID is SPF (Sender Policy Framework). SPF resembles SenderID, but it differs in the way it checks email messages.

Both rely on TXT records in public DNS that describe the sending SMTP servers; the receiving (Exchange) server uses this information to check whether the sending server is allowed to send email on behalf of the sender.

DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) are becoming more popular for fighting spam. Just like SenderID and SPF, these solutions use public DNS to publish additional information, but because encryption is involved, many Exchange admins have doubts about the complexity of DKIM and DMARC.

In the upcoming blog posts I'll discuss SPF, DKIM and DMARC as implemented in my lab environment, which looks like this:

image

There’s an Exchange 2016 CU2 Mailbox server hosting several Mailboxes. The server is accessible via webmail.exchangelabs.nl and autodiscover.exchangelabs.nl (same IP address, behind a Kemp LM3600 load balancer) and configured with a Digicert UC certificate.

In addition to this there's an Exchange 2016 CU2 Edge Transport server with FQDN smtphost.exchangelabs.nl. Besides the regular A and MX records, the IP address is also configured in Reverse DNS (PTR record). The Edge Transport server is also behind a Kemp LM3600 load balancer, and it has a Digicert SSL certificate for the same domain name. An Edge Synchronization is configured between the Mailbox server and the Edge Transport server, and all inbound and outbound mail is handled by the Edge Transport server.

POP3, IMAP4, Get-Service and Startup Type

When installing lots of Exchange servers, automation with PowerShell scripting can be very useful. It ensures a consistent platform and reduces the chance of errors and misconfiguration.

For a customer I had to deploy 38 Exchange 2013 servers. They were using POP3 and IMAP4 as well, so these services needed to be enabled on all Exchange 2013 servers.

By default, POP3 and IMAP4 are not running on an Exchange 2013 server, and the service Startup Type is set to Manual.

You can change the startup type to Automatic using the Services MMC snap-in, but for 38 Exchange 2013 servers this isn't fun anymore.

You can use the Get-Service cmdlet in Windows to retrieve information regarding Windows services, for example:

Get-Service -ServiceName MSExchangePOP3

Or pipe the output to Format-List to get more detailed information:

image

You can use the -ComputerName option to retrieve similar information from another server:

image

There's all kinds of interesting information here, but the most important item, the Startup Type, is missing.

To retrieve the Startup Type you can use the Get-WmiObject cmdlet and filter on the service name, for example:

Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='MSExchangePOP3'"

Please note the single quotes inside the double quotes in the -Filter option!

image

Again, you can use the -ComputerName option to retrieve this information from another server.

image

Note. On an Exchange 2013 (and Exchange 2016) server, POP3 and IMAP4 each consist of two services. There's the CAS (frontend) component (MSExchangePOP3) and the Mailbox server (backend) component (MSExchangePOP3BE). These services need to be changed independently. The same is true for the IMAP4 services (MSExchangeIMAP4 and MSExchangeIMAP4BE).

You can write a small script to create an overview of all Exchange servers with the Startup Type of the POP3 service; it will look something like this:

$Servers = Get-ExchangeServer
ForEach ($Server in $Servers) {
    $Computer = $Server.Name
    # Query the remote server; without -ComputerName the local server would be queried on every iteration
    $Object = Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='MSExchangePOP3'" -ComputerName $Computer
    Write-Host $Computer, $Object.StartMode
}

You can change the Startup Type of the POP3 service using the Set-Service command:

Set-Service -ServiceName MSExchangePOP3 -StartupType Automatic

And you can use the -ComputerName option to change the Startup Type of a service running on another server:

Set-Service -ServiceName MSExchangePOP3 -StartupType Automatic -ComputerName EXCH02
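Putting the pieces together, here is an added example (not code from the original post) that sets all four POP3/IMAP4 frontend and backend services to Automatic on every Exchange server and reports the StartMode before and after. It assumes the Exchange Management Shell (for Get-ExchangeServer), Windows PowerShell 5.1 (where Set-Service still has -ComputerName) and WMI/RPC access to each server.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell,
# Windows PowerShell 5.1 (Set-Service -ComputerName) and WMI/RPC access to every server.
# Both the CAS (frontend) and Mailbox (backend) components must be handled separately.
$Services = 'MSExchangePOP3', 'MSExchangePOP3BE', 'MSExchangeIMAP4', 'MSExchangeIMAP4BE'

$Report = ForEach ($Server in Get-ExchangeServer) {
    $Computer = $Server.Name
    ForEach ($Name in $Services) {
        # Win32_Service.StartMode returns 'Auto', 'Manual' or 'Disabled'
        $Before = Get-WmiObject -Class Win32_Service -Property StartMode -ComputerName $Computer `
                    -Filter "Name='$Name'" -ErrorAction SilentlyContinue
        if (-not $Before) {
            # Unreachable server, or a role (such as Edge Transport) without this service
            Write-Warning "$Computer : service $Name not found or server unreachable"
            continue
        }
        if ($Before.StartMode -ne 'Auto') {
            try {
                Set-Service -Name $Name -StartupType Automatic -ComputerName $Computer -ErrorAction Stop
            } catch {
                Write-Warning "$Computer : could not change $Name : $($_.Exception.Message)"
            }
        }
        # Read the value back so the report shows what is actually configured now
        $After = Get-WmiObject -Class Win32_Service -Property StartMode -ComputerName $Computer `
                    -Filter "Name='$Name'"
        [PSCustomObject]@{
            Server  = $Computer
            Service = $Name
            Before  = $Before.StartMode
            After   = $After.StartMode
        }
    }
}

$Report | Format-Table -AutoSize
# Anything still not 'Auto' needs a closer look before the servers go into production
$Report | Where-Object { $_.After -ne 'Auto' }
```

Changing the startup type does not start a service that is currently stopped; use Start-Service (or a reboot) for that.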

More information:

Use PowerShell to Find Non-Starting Automatic Services – https://blogs.technet.microsoft.com/heyscriptingguy/2012/12/18/use-powershell-to-find-non-starting-automatic-services/

Get-Service – https://technet.microsoft.com/en-us/library/hh849804.aspx

Set-Service – https://technet.microsoft.com/en-us/library/hh849849.aspx

Your OneDrive has not been setup

Since mid-June 2016 I have been experiencing issues with my OneDrive for Business account and the next generation OneDrive sync client, where the error message "Your OneDrive has not been setup" is raised, like this:

clip_image002

This happens on my laptop (Windows 10) and on my Desktop PC (Windows 8.1). The strange thing is that it’s not consistent. Sometimes it works on one machine, sometimes on the other machine.

I tried resetting the OneDrive for Business client using the following command:

%localappdata%\microsoft\onedrive\onedrive.exe /reset

clip_image004

But this didn't help. When the OneDrive for Business client is started without the /reset option, it starts and asks which library you want to sync:

clip_image006

Still no luck.

I reinstalled my laptop with Windows 10 Enterprise (April 2016 update, which I had to do anyway) and joined it to Azure Active Directory. OneDrive for Business worked for 24 hours, and then started raising the error shown in the first screenshot again.

The best option, however, is to sign in to the Microsoft portal (https://portal.office.com) with your tenant administrator account and check the Service Health page.

clip_image008

Where it states:

Service restored – Jun 29, 2016 12:38 PM

Final Status: Redirecting requests to an alternate infrastructure remediated impact. We’ve added more capacity and have rebalanced the service to avoid recurrence of this issue.

User Impact: Users may have been unable to sign in to OneDrive for Business when using the Next Generation Sync Client, and they may receive an error which states, “Your OneDrive has not been setup”. While we were focused on remediation, users may have been able to access the service using the OneDrive for Business website as an alternative method.

Scope of Impact: A few customers reported this issue, and our analysis indicated that impact was specific to a subset of your users.

Start Time: Tuesday, June 28, 2016, at 7:05 AM UTC

End Time: Tuesday, June 28, 2016, at 11:00 PM UTC

Preliminary Root Cause: The Next Generation Sync Client was encountering intermittent errors from a dependent component that handles user and service provisioning.

So, after a couple of days it turned out that this was a capacity planning issue at Microsoft, and the only thing I could do was wait until it worked again.

The good news is that I can access the data online via the portal (log on with your normal user account) and continue working. The bad news, however, is that this is not something you would expect from a serious provider like Microsoft.

Azure AD Connect Unable to update this object

In an earlier blog post I explained how to create user accounts on-premises with accompanying mailboxes in Office 365. This is possible with or without an Exchange server on-premises. The latter works, but it's not supported.

There are also scenarios where you have cloud identities in Office 365 that you want to connect to user accounts in an on-premises Active Directory, basically converting the cloud identity to a synced identity. This is a common scenario, for example, when moving from one Office 365 tenant to another, or when moving from GroupWise or Notes to Office 365.

Suppose we have a cloud identity in Office 365 for a user named Chong Kim. He has an E3 license and the username ckim@exchangelabs.nl, which is also his primary SMTP address.

clip_image002