Category Archives: Email

Brightmail does not deliver email to Distribution group members

The Story

Note: This article assumes you have Brightmail Gateway

When you try to send an email to a particular Exchange distribution group (Group@domain.com), the result is either an error that the users don’t exist or, if you test with the Microsoft Test Connectivity online tool, you might get the following error.

Error:

The server returned status code 554 – Transaction failed. The server response was: 5.7.1 Delivery not authorized

Other related errors

‘554 5.7.1: You are not allowed to connect’


Cause:

The group has been cached in the Symantec gateway with its old members, so the result can be an error that the users don’t exist or that delivery is not authorized.

Solution:

To solve this problem, go to Brightmail Gateway Administration > Directory Integration, click on your AD directory > Advanced, and click Clear Cache.

This clears the cached group and picks up the most recently updated group and its members.

This should resolve the problem.

How to clear the DDS cache in Messaging Gateway

https://knowledge.broadcom.com/external/article?legacyId=tech132131

Install Exchange 2019 Core using PowerShell

You probably already know that Exchange 2019 RTM has been released, and even CU1 is about to come too.

But what’s interesting about 2019 is that it has a lot of new features, some of which a lot of people wanted to have in legacy versions, especially for security, performance, resiliency and scalability.

According to Microsoft, security has been improved to suit the needs of corporations by removing all vulnerable ciphers and following best practices.

Security: Exchange Server 2019 requires Windows Server 2019. In fact, we recommend installing Exchange Server 2019 onto Windows Server 2019 Server Core. Exchange Server 2019 installed on Windows Server 2019 Core provides the most secure platform for Exchange. You also have the option of installing Exchange 2019 onto Windows Server 2019 with Desktop Experience, but we have worked hard to make sure running Exchange on Server Core is the best choice for our code.

We’re aware all media for Windows Server 2019 and Windows Server, version 1809 has been temporarily removed and Microsoft will provide an update when refreshed media is available. Exchange Server 2019 will be fully compatible with version 1809, and the refreshed version.

We also built Exchange Server 2019 to only use TLS 1.2 out of the box, and to remove legacy ciphers and hashing algorithms. To understand how this affects coexistence with earlier versions, please reference our previous series of posts on TLS.

Regarding Performance, Microsoft has released the following statement:

Performance: We’ve done significant work to allow Exchange Server to take advantage of larger core and memory packed systems available in market today. With our improvements, Exchange Server can use up to 48 processor cores and 256GB of RAM.

We’ve re-engineered search using Bing technology to make it even faster and provide better results, and in doing so have made database failovers much faster, and administration easier.

We’re adding dual storage read/write capabilities to Exchange Server 2019 using Solid State Drive (SSD) technology to provide a super-fast cache of key data for improving end user experience. We also talked about this in our Email Search in a Flash! Accelerating Exchange 2019 with SSDs session at Ignite.

We also changed the way database caching works to allocate more memory to active database copies, again improving the end user experience. You can learn more about Dynamic Database Cache from Welcome to Exchange Server 2019! video and slides.

The improvements we have made to Exchange Server 2019 will enable you to scale to a larger number of users per server than ever before, use much larger disks, and see the latency of many client operations being cut in half.

Installation:

Installing Exchange 2019 on Core is something that’s been recently supported, along with other features like in-place upgrade from Exchange 2016 to Exchange 2019.

In this guide we’ll go through the process of installing Exchange 2019 using PowerShell starting from naming the server, joining it to the domain and installing prerequisites of Exchange 2019.

Configuring Static IP address:

To give the machine a static IP address from Windows Core, we’ll use the script below. It assumes the subnet 192.168.18.0 with mask /24 and gateway 192.168.18.1.

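# Select the IP-enabled network adapter configuration
$wmi = Get-WmiObject win32_networkadapterconfiguration -filter "ipenabled = 'true'"
# Static address and subnet mask
$wmi.EnableStatic("192.168.18.69", "255.255.255.0")
# Default gateway with metric 1
$wmi.SetGateways("192.168.18.1", 1)
# DNS server used for name resolution
$wmi.SetDNSServerSearchOrder("192.168.18.150")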

Join Domain

Exchange must be part of the domain which you’re using in your lab / production environment. Next, we’ll join this machine to our domain using the following commands.

First we’ll change the hostname, restart, and then join the domain.

Change Computer name:

Rename-Computer -NewName "Exch2019" -DomainCredential WIN-EPM2CRB5MN9\administrator -Restart

Join the domain

Add-Computer -DomainName cloud-tech.net -Credential cloud-tech\administrator -Restart -Force

After restarting


Configuring Drives:

Since I am doing a lab test only, I will use the default C drive to install Exchange, but if you’d want to configure a second Drive please let me know and I will add that part as well.


Diskpart

List volume


Installing Prerequisites – Exchange 2019 on Windows 2019 Core

Prerequisites

Exchange 2019 requires an Active Directory forest functional level (FFL) of Windows Server 2012 R2.

Check your Windows version first for compatibility:

[System.Environment]::OSVersion.Version


GUI Version of Windows 2019

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

Windows 2019 Core

Install-WindowsFeature RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, RSAT-ADDS, Server-Media-Foundation


After installing the prerequisites, install UCMA.

For UCMA on Windows Core, you need a customized UCMA build in order for it to work with Windows 2019 Core.

http://tapfiles.azureedge.net/private/UCMA.zip?sv=2014-02-14&ss=2018-03-14T21%3A59%3A22Z&se=2019-01-01T22%3A58%3A56Z&sp=r&sr=b&sig=tgpQ84Wp3j%2FZmEOgPcdjcXgULLXMRX%2BDmCjoSbKOZbM%3D

Extract the archive and copy the setup file to the root of the C drive. The setup file is called Ironmansetup.exe.
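A check worth running before launching the downloaded installer, as an added example that is not part of the original post. It assumes the file sits at C:\Ironmansetup.exe as described above and that the expected signer is Microsoft Corporation (an assumption; the post does not say who signed this build).

```powershell
# Added example (not from the original post): verify a downloaded installer's
# Authenticode signature and record its SHA-256 before running it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the expected signer; the post does not state it.
        [string]$ExpectedPublisher = 'Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is 'Valid' only when the file hash matches and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Compare the organization (O=) field of the signer's subject.
    $subject = $sig.SignerCertificate.Subject
    $pattern = '(^|,\s*)O="?' + [regex]::Escape($ExpectedPublisher) + '"?(,|$)'
    if ($subject -notmatch $pattern) {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }

    # Keep the hash with the change record so the exact binary can be identified later.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "OK  $Path`n    signer: $subject`n    sha256: $hash"
    return $true
}

# Path from the post: the extracted setup file copied to the root of C:.
if (Test-InstallerSignature -Path 'C:\Ironmansetup.exe') {
    Write-Host 'Signature verified.'
} else {
    Write-Warning 'Do not run the installer until the signature problem is explained.'
}
```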


After the installation of UCMA, there is one more requirement:

Visual C++ Redistributable Packages for Visual Studio 2013

https://www.microsoft.com/en-us/download/details.aspx?id=40784


.\setup.exe /InstallWindowsComponents /CustomerFeedbackEnabled:False /LogFolderPath:C:\Logs\db4 /DbFilePath:C:\Mailbox\Database01\Database01.edb /MdbName:Database01 /DisableAMFiltering /IAcceptExchangeServerLicenseTerms /roles:mb,mt

 


Setting URLS


I will be upgrading this with the latest Windows 2019 releases since this installation was done with Microsoft Windows 2019 Preview edition

For any consultation requirements please contact me admin@moh10ly.website or info@moh10ly.com

Thank you

Create a 10-year certificate template for Skype for Business, Exchange Server, etc.

Having a certificate template that lasts for years has become more of a need these days, due to the amount of time it takes to renew certificates on the servers that depend on them.

Some servers renew their certificates automatically using GPO auto-enrollment. However, when this doesn’t work, or if you don’t like dealing with GPO and its headaches, the best way to solve this is to create a template that lasts for some time and leaves you at peace.

Note that having a long-term certificate (10 years, for example) is not a good practice, since encryption algorithms change over time and security-related issues arise every now and then. So if you decide to follow this article and create a 10-year template for your servers, you will need to keep an eye on the latest news related to certificates, encryption and signature algorithms so that your certificates are not exploitable.

To begin, I will tell a short story of a company that suffered production disasters due to what might look like a tiny problem.

A company called AP deployed Lync 2013 (currently Skype for Business) and decided to use the default CA (Web Server) template, which lasts for 2 years by default.

This company called me when their Lync servers were all down and PSTN calls were not going through. The first thing that came to my mind was to check the services, and as soon as I saw that the services were not able to run, I checked the event log’s Lync tab.

The errors mostly referred to an expired certificate. Upon renewing the certificates for all servers, everything went back to normal, but that meant a long downtime and hurt the company’s productivity.

Here came the idea of creating a long-lived template which would last for 10 years. Achieving this on Exchange is done through the following steps:


On the CA server, find and open the Certification Authority MMC.

Right-click on Certificate Templates and click Manage.

In the Certificate Templates console, right-click on Web Server and click Duplicate Template.

Select Windows Server 2003 Enterprise.

Enable “Allow private key to be exported”.

Select Enroll for Authenticated Users.

Back in the Certification Authority console, right-click on Certificate Templates, click New -> Certificate Template to Issue, and add the certificate template you created to the list.

Web Server V2 is on top.

Let’s check it on Certserv IIS.

The certificate is generated for 5 years. The reason is that the Certification Authority server’s own certificate is limited to 5 years.

So the CA certificate’s validity must be set to longer than the client’s requested certificate lifetime.

Extending the validity period of the Certification Authority’s issuing certificate

To change the validity period for the root CA, you can configure a CAPolicy.inf file. To create a CAPolicy.inf file that changes the lifetime of the certificate to 30 years, type the following into a text file and save it with the name CAPolicy.inf in the C:\Windows directory:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30

From <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you will need to renew the CA certificate from the CA console: right-click on your certification authority, choose All Tasks, and then choose Renew CA Certificate.

When you click on Renew CA Certificate, you will get a prompt asking you to stop the CA in order to renew its certificate. Click Yes.

Once you click Yes, the service will stop and you will get a window asking whether you would like to generate a new public and private key pair. Whether to use a new key pair or not is up to you, but if you choose Yes, the clients using the old certificate might be affected, and you might need to install the new CA certificate on all clients using GPO.

Click OK.

After clicking OK, you will see that the new CA certificate has been generated, and you can then issue client certificates.

In order to allow the CA to issue certificates with a longer lifetime than the default (2 years), you must run the following commands in CMD on the CA server. They change the maximum lifetime of certificates issued by the CA:

certutil -setreg ca\validityperiodunits 30
certutil -setreg ca\validityperiod years
net stop certsvc
net start certsvc

Now, when you generate a new certificate for Exchange or any other application, choose the new template, which is valid for 30 years.
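Why the template's validity alone did not decide the certificate's lifetime, as an added example that is not part of the original post: a CA ends each issued certificate at the earliest of the template validity, the CA registry limit set with certutil above, and the expiry of the CA's own certificate. The function name and the sample dates are constructed for illustration.

```powershell
# Added example (not from the original post). Function name and sample
# values are constructed for illustration.
function Get-EffectiveNotAfter {
    param(
        [datetime]$IssuedOn,
        [int]$TemplateYears,       # validity period configured on the template
        [int]$CaRegistryYears,     # ca\ValidityPeriodUnits with ca\ValidityPeriod = Years
        [datetime]$CaCertNotAfter  # expiry date of the CA's own certificate
    )
    # The CA applies all three limits; the earliest end date wins.
    $limits = [ordered]@{
        Template      = $IssuedOn.AddYears($TemplateYears)
        CaRegistry    = $IssuedOn.AddYears($CaRegistryYears)
        CaCertificate = $CaCertNotAfter
    }
    $binding = $limits.GetEnumerator() | Sort-Object -Property Value | Select-Object -First 1
    [pscustomobject]@{ NotAfter = $binding.Value; LimitedBy = $binding.Key }
}

$issued = [datetime]'2019-01-01'   # constructed issue date
$cases = @(
    # 10-year template, but the CA certificate itself expires in 5 years
    @{ Name = 'CA cert not renewed';  Template = 10; Registry = 30; CaEnd = $issued.AddYears(5) }
    # CA certificate renewed for 30 years, registry limit left at the 2-year default
    @{ Name = 'Registry not raised';  Template = 10; Registry = 2;  CaEnd = $issued.AddYears(30) }
    # Both steps done: the template's own validity is now the limit
    @{ Name = 'Both steps completed'; Template = 10; Registry = 30; CaEnd = $issued.AddYears(30) }
)
foreach ($c in $cases) {
    $r = Get-EffectiveNotAfter -IssuedOn $issued -TemplateYears $c.Template `
            -CaRegistryYears $c.Registry -CaCertNotAfter $c.CaEnd
    '{0,-22} NotAfter={1:yyyy-MM-dd}  limited by {2}' -f $c.Name, $r.NotAfter, $r.LimitedBy
}

# On the CA server, read back the registry limit with:
#   certutil -getreg ca\ValidityPeriodUnits
#   certutil -getreg ca\ValidityPeriod
```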


Did you know that you can get hosted mail for free for your domain?

Yandex Offers Mail Accounts with Users’ Own Domain Names

 

This is probably old news for some people, but for me it’s the first time that I have heard/read about it! Yandex offers free hosted email @YourOwnDomain.com! I heard about this only today from a friend who has already been using it on his own domain; the service quality is perfect and it’s 100% FREE.

While searching online, I came across this article that was published by Yandex in regard to this service. The article was published on the Internet on October 27, 2009.

Yandex offers domain owners an opportunity to create an electronic mail account with any name they choose, including their personal name, as in ivan@theterrible.ru or peter@thegreat.ru. Using Yandex’s email service for domain owners, anyone who owns a domain can now create an email account for themselves, as well as accounts for their family, friends or co-workers, and share a personalized domain name with them.

The owner of one domain can have up to a hundred accounts — enough to serve a small company or to be distributed among the staff of a secondary school. The users of the Yandex’s email service for domain owners can benefit from all the features available to the users of the Yandex.Mail service, such as a modern interface, spam protection and unlimited space. The email service for domain owners is accessible online or via email clients Outlook, The Bat and other.

To create an email account with a personalized name, domain owners can visit http://pdd.yandex.ru (in Russian). The service is currently in beta testing. Feedback, questions (including requests for more than one hundred email accounts) and partnership ideas are welcome at domain@yandex-team.ru.

In addition to having a personalized email address, domain owners can also create websites with personal domain names on Yandex’s free web hosting service narod.ru. Now Yandex offers its users an opportunity to have both a free, up-to-date website and a free, convenient email account in their own domain.

 

I already have some domains for which I didn’t use any email servers, and it came to my mind to use this service for both of those domains.

Here’s mine. I already set it up on two different domains, and if you want you can send me a test email to info@moh10ly.website

Hope this was useful for you.