Share the Knowledge
  • Opportunistic TLS

    Posted on March 21st, 2009 webmaster 3 comments

    We had to upgrade our mail gateway/anti-spam software on Sunday because one of our vendors requires us to use encryption when exchanging emails with them.  The easiest solution is to use opportunistic TLS, where the server will always try to connect to the other server using the TLS protocol.  If the other server supports TLS, then traffic is encrypted.  If not, then the email is sent using just regular SMTP without encryption.

    This is actually the first time I’ve even heard of opportunistic TLS; I’m used to seeing S/MIME and PGP when reading about email encryption.  What I like about this is that encryption/decryption is done on the server side, so the users don’t have to do anything different when sending emails and we don’t have to issue a certificate to each user and manage the keys.

    If you’re using Exchange Server 2007, opportunistic TLS is already enabled by default.  You can check this by entering Get-SendConnector "Send Connector Name" | Format-List in the Exchange Management Shell.  Look for the IgnoreStartTLS parameter; if it’s set to false, then opportunistic TLS is enabled.

    To check whether a server supports TLS, telnet to the server on port 25 and check if the server supports the STARTTLS command, for example:

    telnet mail.global.frontbridge.com 25

    This server supports TLS

    Here’s an example of the header of an email that was delivered with TLS enabled (I modified the IP addresses and names for privacy reasons):

    Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
    with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
    -0400
    Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
    ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
    TLSv1/SSLv3,128bits,AES128-SHA
    ) id 06456c96000057da for <jdoe@microsoft.com>;
    Mon, 16 Mar 2009 18:05:16 -0500
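
    Because opportunistic TLS silently falls back to plain SMTP, the Received headers are where you confirm which hops were actually encrypted. The following is an added example, not part of the original post: it parses the header shown above plus one constructed plaintext hop (legacy-relay.example.net is a placeholder), and its TLS markers are heuristics because Received formats vary by vendor.

```python
import re
from email import message_from_string

# Sample input: the two Received headers shown above, plus one constructed
# plaintext hop (legacy-relay.example.net / 192.0.2.10 are placeholders).
SAMPLE = """\
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
 with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
 ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
 TLSv1/SSLv3,128bits,AES128-SHA
 ) id 06456c96000057da for <jdoe@microsoft.com>;
 Mon, 16 Mar 2009 18:05:16 -0500
Received: from legacy-relay.example.net ([192.0.2.10]) by mail.global.frontbridge.com
 with SMTP id abc123; Mon, 16 Mar 2009 18:05:10 -0500
Subject: constructed test message

body
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)")
# Heuristic markers: "(TLS)" and "TLS:" are the two forms seen on this page;
# ESMTPS/ESMTPSA are the RFC 3848 keywords for SMTP over STARTTLS.
TLS_MARKER_RE = re.compile(r"\(TLS\)|\bTLS:|\bESMTPSA?\b", re.I)
TLS_DETAIL_RE = re.compile(r"TLS:\s*(?P<proto>[^,\s]+),(?P<bits>\d+)bits,(?P<cipher>[\w-]+)")

def tls_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        hop, detail = HOP_RE.search(flat), TLS_DETAIL_RE.search(flat)
        hops.append({
            "from": hop.group("src") if hop else None,
            "by": hop.group("dst") if hop else None,
            "tls": bool(TLS_MARKER_RE.search(flat)),
            "protocol": detail.group("proto") if detail else None,
            "bits": int(detail.group("bits")) if detail else None,
            "cipher": detail.group("cipher") if detail else None,
        })
    return hops

def plaintext_hops(raw_message):
    """Hops with no TLS marker: sent in clear, or the server does not record TLS."""
    return [h for h in tls_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for h in tls_hops(SAMPLE):
        print(h["from"], "->", h["by"], "TLS" if h["tls"] else "PLAINTEXT", h["cipher"] or "")
```

    Only the Received lines added by your own servers can be trusted; lines added further upstream are supplied by the sending side and can be forged.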

  • Exchange 2007 SP1: Message rejected as spam by Content Filtering

    Posted on March 11th, 2008 webmaster 3 comments

    Error Message: “550 5.7.1 Message rejected as spam by Content Filtering.”

    One of our users reported that after we applied Service Pack 1 and Update Rollup 1 to Exchange Server 2007, some of the emails that he has scheduled to send daily were getting rejected with the message above.

    I guess the integrated anti-spam in Exchange got updated as well.

    You can configure Content Filtering in Exchange to bypass specific users or domains.

    Open the Exchange Management Shell:

    # To check the Content Filter configuration, type in:

    Get-ContentFilterConfig

    # To set the Bypassed Senders (example):

    Set-ContentFilterConfig -BypassedSenders donotspamme@calazan.com, jdoe@abc.com

    # To set the Bypassed Sender Domains (example):

    Set-ContentFilterConfig -BypassedSenderDomains calazan.com, *.xyz.com

    Important Note: BypassedSenders and BypassedSenderDomains are multivalued properties. When you use the Set-ContentFilterConfig cmdlet, it will overwrite the values of those properties. If you just need to add more senders or domains, please follow the example below.

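    # To add Bypassed Senders:

    $x = Get-ContentFilterConfig

    $x.BypassedSenders += "jsmith@google.com", "bhope@yahoo.com"

    # Write the modified list back; changing $x alone does not update the configuration.

    Set-ContentFilterConfig -BypassedSenders $x.BypassedSenders

    # To remove Bypassed Senders (can only be done one at a time):

    $x = Get-ContentFilterConfig

    $x.BypassedSenders -= "jsmith@google.com"

    # Write the modified list back.

    Set-ContentFilterConfig -BypassedSenders $x.BypassedSenders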

    # To empty the list:

    Set-ContentFilterConfig -BypassedSenders $null

  • Exchange Management Tools SP1: Service Remote Registry failed to reach status “Stopped”

    Posted on March 10th, 2008 webmaster No comments

    I got this error while upgrading the Exchange Management Tools on my Windows XP computer at work to Service Pack 1. I checked the services and the Remote Registry service is stuck at “Stopping” status.

    To fix this, set the Remote Registry service’s startup type to Manual, reboot your computer, and install the Exchange Server 2007 SP1 Management Tools again; it should now install successfully. The Remote Registry service will start automatically, and its startup type will go back to Automatic after the installation.

  • Upgrading to Exchange Server 2007 SP1

    Posted on March 9th, 2008 webmaster No comments

    We just upgraded from Exchange 2007 RTM to Exchange 2007 SP1 yesterday morning and I’m happy to say that the upgrade went very smoothly. It took about 20 minutes.

    Here are some things to consider:

    1. Install .NET Framework 2.0 SP1 before upgrading. This may not be required but Microsoft recommends it.
    2. If you have more than one Exchange server, Microsoft recommends that you upgrade the servers running the Mailbox server role last. Upgrade your servers in the following order:
      1. Client Access servers
      2. Unified Messaging servers
      3. Hub Transport servers
      4. Edge Transport servers
      5. Mailbox servers
    3. If you have third-party software running on the Exchange server, stop the services/processes for that software before running the SP1 installation (e.g. antivirus, Backup Exec Remote Agent, etc.).
    4. Check the compatibility of other software that uses or connects to the Exchange server. Some examples:
      1. BlackBerry Enterprise Server. We have BES version 4.1.3 and I can confirm that this version works with Exchange 2007 SP1. E-mails, contacts, calendar, tasks, notes, Out-of-Office are synchronizing properly. No issues so far. I’m assuming that higher versions would also work.
      2. Symantec Backup Exec 11d. Make sure that you upgrade the Exchange Management Tools on the server running Backup Exec to Service Pack 1 as well (and install other patches for Exchange that you have installed on your Exchange server) or you may get this error: Unable to complete the operation for the selected resource using the specified options. The following error was returned when opening the Exchange Database file: ‘-514 The version of the log file is not compatible with the ESE version.’ Go here for more details: http://seer.entsupport.symantec.com/docs/289970.htm.

    5. Read the release notes.

    Update Rollup 1 for Exchange Server 2007 Service Pack 1 (KB945684) was also just released three days ago and you may want to install this as well.

  • Exchange 2007: Mapi session exceeded the maximum of 32 objects of type “session”

    Posted on February 13th, 2008 webmaster 8 comments

    Error Message: “Mapi session “/o=Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=JohnSmith” exceeded the maximum of 32 objects of type “session””.
    Source: MSExchangeIS
    Event ID: 9646

    On the client side, the user is unable to connect to Microsoft Exchange or gets this error:

    Unable to open your default e-mail folders. The Microsoft Exchange Server computer is not available. Either there are network problems or the Microsoft Exchange Server is down for maintenance.

    This usually happens when the user loses network connectivity while Outlook is still open. The Exchange server isn’t able to close the sessions properly, so they stay open even when they are not in use.

    By default, Exchange only allows up to 32 MAPI (Outlook) sessions per user. To fix this problem, you must close some of the sessions.

    What to do:

    1. Download and extract Sysinternals’ TCPView (free) on the Exchange server
    2. Open the Exchange Management Shell and type in the following command to get a list of all the open sessions. Make a note of the IP addresses:
      Get-LogonStatistics jsmith | Sort-Object clientipaddress | Format-Table username,clientipaddress,logontime
    3. Open Tcpview.exe on the server. Sort it by Remote Address, then sort it by Process.
    4. Look for the IP Addresses from Step 2 in the Remote Address column (if you only see hostnames, go to Options -> uncheck Resolve Addresses) and close their connections for the store.exe process (right-click and choose Close Connection, you can select multiple connections by holding the Shift or Ctrl key)
    5. Run the command from Step 2 again and you will see that the sessions disappeared. The user should now be able to connect to the Exchange server again.