Monday, July 26, 2010

sending spam to junk email folder on Exchange 2007/2010

When configuring actions on detected spam on Exchange 2007 and 2010, there is no option to send it to the junk email folder when configuring it on the EMC. This is absurd. It looks like this (shown here are the actions on the content filter):

As stupid as it is, the way you can configure an SCL to be sent to the junk e-mail folder is through the PowerShell.

This command will send all junk with an SCL of 4 or higher to junk e-mail:

Set-OrganizationConfig -SCLJunkThreshold 4

I put this command on all my Exchange servers. I also disable all outright rejection of spam. Users hate it when legitimate email gets rejected. All spam goes into the junk email folder.

More info on this issue is located here:

Tuesday, July 13, 2010

allowing anonymous sending on SBS 2008 (for scan to email copiers or other devices)

I had put an SBS 2008 box in place for a client. I had to alter settings as the old mail server had allowed anonymous sending on the LAN. I tried a bunch of differnet credential combinations and ports and SSL options and none of them worked. Then I found this post, which walked me through created a receive connector that allowed anonymous senders on the IP addresses you specify.

The short version of the article.

Go to EMC.
Go to Server Configuration -> Hub Transport
Highlight your server in the top middle field and choose new receive connector on the right side
Call the connector "copier" without quotes and type is custom
Note sure if this is necessary, but add the internal FQDN in the bottom box such as contoso1.contoso.local
Leave the local network settings alone
In remote network settings, remove the existing content. Add a single entry for the IP address of the copier like
Hit NEW.
Now, right click on the connector you just created and clear all check boxes on the authentication tab.
On the permission groups tab, check the box for anonymous users.

Then open the Exchange PowerShell and run this command:

Get-ReceiveConnector "copier" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

On your copier, you can now send over port 25 without SSL and without the need for sending credentials either.

Saturday, July 10, 2010

adding a UCC (mulitple name) SSL certificate to SBS 2008

Adding a single name SSL certificate to SBS 2008 is pretty easy using the "add a trusted certificate" wizard in SBS 2008. But it's not as easy if you want a UCC SSL certificate - should you have a DNS host that doesn't support SRV records.

I found sembee's blog post on this exact topic here. His steps are a little convoluted, but here's a short version with just the need to know info:

You're not going to use the wizard. You'll use the powershell.

You'll go to Digicert's wizard for UCC creation:

Then use the Powershell command it creates on your SBS 2008 box. It'll create a CSR file on the root of your C drive.

Take that CSR file to your SSL cert provider (godaddy or whoever). Buy the UCC cert and put in the CSR as needed.

After your cert is approved, download the cert and use this command to import the certificate:
Import-ExchangeCertificate -Path “D:\Shares\Install\SSL Cert\mail_ExternalDomaiName_com.crt” -FriendlyName “CompanyName UCC Cert”
(altered as appropriate of course for the actual path of your SSL cert)

Also follow the necessary instructions provided by the cert provider about intermediate certification authorities if applicable. Restart the MS Exchange Transport service and run an iisreset.

Then go back to the "add a trusted certificate wizard" in the SBS console and tell it that you'll use an already existing certificate and choose the cert that you just imported.

EDIT - this all makes sense, and I should see this working as I see the certificate in the personal store of the certificates MMC, so I should be able to add the UCC cert in the "add a trusted certificate wizard" - but I don't see it there, so I'm going to go the more manual route and follow these instructions: