Tiny Deathstars of Foulness

By default, when you require SSL in IIS on an Exchange server, users who hit the page without typing https:// in front of the address get an error. Rather than simply requiring SSL, it is better in most cases to redirect unsecured traffic to the secured login page. To do so, first configure the redirect: open IIS Manager and click on the Default Web Site.

At the bottom of the pane for the Default Web Site, click Features View if not already selected.
Then open HTTP Redirect. Here, check the box for “Redirect requests to this destination” and provide the path to the owa virtual directory (e.g.

In the Redirect Behavior section, select the “Only redirect requests to content in this directory (not subdirectories)” check box and set the Status code to “Found (302)”.

In the Actions pane to the right of the screen, click Apply. Then click on Default Web Site again and open the SSL Settings pane. Here, uncheck the box for Require SSL.

Once done, restart IIS by right-clicking on the service and choosing Restart or by running iisreset:

iisreset /noforce

Next, edit the offline address book web.config file on the CAS, stored by default at (assuming Exchange is installed on the C drive) C:\Program Files\Microsoft\Exchange Server\\ClientAccess\oab. To edit, right-click web.config and click Properties. Then click Security and then Edit. Under Group, click on Authenticated Users. Then click Read & execute for Authenticated Users in Permissions. Then click OK to save your changes.

Finally, if you run into problems with mail not working after the change, start IIS Manager, browse to the virtual directories and open HTTP Redirect. Uncheck “Redirect requests to this destination” and click Apply. When you’re done, restart IIS again and test sending and receiving mail from the web interface to make sure mail flow works without error.
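The same redirect and SSL settings can be scripted and verified with the WebAdministration module. This is an added example, not code from the original post; it assumes the site is still named “Default Web Site”, that the OWA URL is https://mail.example.com/owa (a placeholder host name), and that it runs in an elevated PowerShell on the CAS. The check at the end confirms that the owa virtual directory itself still requires SSL, because unchecking Require SSL on the Default Web Site only lets the root answer plain HTTP so it can issue the redirect; if /owa stopped requiring SSL too, the forms-based logon could be submitted in clear text.

```powershell
# Added example (not from the original post). Placeholder host name throughout.
Import-Module WebAdministration

$site        = 'IIS:\Sites\Default Web Site'
$destination = 'https://mail.example.com/owa'   # placeholder, use your own OWA URL

# Equivalent of the HTTP Redirect feature page: enable, set destination,
# "only redirect requests to content in this directory (not subdirectories)",
# status code 302 (Found).
$redirect = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $site -Filter $redirect -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $redirect -Name destination        -Value $destination
Set-WebConfigurationProperty -PSPath $site -Filter $redirect -Name childOnly          -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $redirect -Name httpResponseStatus -Value 'Found'

# Equivalent of unchecking "Require SSL" on the Default Web Site only.
$access = 'system.webServer/security/access'
Set-WebConfigurationProperty -PSPath $site -Filter $access -Name sslFlags -Value 'None'

# Check: the owa virtual directory must still require SSL.
$owaSsl = (Get-WebConfigurationProperty -PSPath "$site\owa" -Filter $access -Name sslFlags).Value
if ("$owaSsl" -notmatch 'Ssl') {
    Write-Warning "owa virtual directory does not require SSL (sslFlags='$owaSsl')"
}

iisreset /noforce

# Check from the client side: a plain-HTTP request to the root should come back
# as 302 with an https Location header. AllowAutoRedirect=$false keeps .NET from
# following the redirect so we can inspect it.
$req = [System.Net.HttpWebRequest]::Create('http://mail.example.com/')   # placeholder host
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
'{0} -> {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

Expect the last line to print 302 followed by the https OWA URL; anything else means the redirect did not apply to the root, or another module answered first.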

December 6th, 2013

Posted In: Microsoft Exchange Server, Windows Server


To automate exporting Exchange mailboxes to .pst files, we’ll drive the exmerge tool from a Windows batch file. A MAILBOXES.TXT file chooses which mailboxes to export, and optionally a SUBJECTS.TXT or ATTACHMENTS.TXT constrains the search.

To set this up, run exmerge once as a typical GUI-based merge but save the settings. Once saved, you’ll be able to select a path, which we’ll call c:\tmpexmerge. In there you should see an EXMERGE.INI as well as a MAILBOXES.TXT (and possibly a few other files).

In the MAILBOXES.TXT file you’ll see the CN information for the mailboxes selected in the previous step:


You can copy and paste this line to add others, changing the last CN entry (or other pathing information if the mailboxes are in other OUs):


Once you’ve saved the file, edit the EXMERGE.INI file if needed (you usually don’t need to edit this one). Then run exmerge.exe from the command line:

exmerge -F C:\tmpexmerge\EXMERGE.INI -B -D

This takes a while, and even longer if you’re actually searching for keywords or doing multiple mailboxes, but not as long as doing it manually. .PST files are saved to the file path set in the exmerge.ini. Watch Task Manager to make sure the backup is still running. The -D option above opens the exmerge GUI to show what’s happening (kinda’).
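As an added example (not from the original post), the same run can be wrapped in PowerShell so that the script waits for exmerge.exe to exit and checks the result instead of watching Task Manager. It assumes the settings were saved to C:\tmpexmerge as above, that exmerge.exe is on the PATH, and that the PST output directory and exmerge.log are under C:\tmpexmerge (both are set in EXMERGE.INI; adjust if yours differ). The two mailbox entries are constructed sample values in legacyExchangeDN form, which is what exmerge reads from MAILBOXES.TXT; replace them with the lines from your own file.

```powershell
# Added example (not from the original post). Paths and mailbox DNs are assumptions.
$workDir  = 'C:\tmpexmerge'
$iniPath  = Join-Path $workDir 'EXMERGE.INI'
$listPath = Join-Path $workDir 'MAILBOXES.TXT'
$logPath  = Join-Path $workDir 'exmerge.log'        # assumed; LogFileName in EXMERGE.INI
$pstDir   = $workDir                                 # assumed; DataDirectoryName in EXMERGE.INI

# Constructed sample entries, one legacyExchangeDN per line, same shape as the
# lines exmerge writes when you save a GUI run.
$mailboxes = @(
    '/O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=JSMITH',
    '/O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ALEE'
)
Set-Content -Path $listPath -Value $mailboxes -Encoding Ascii

# Same switches as the post: -F settings file, -B batch mode, -D show progress.
# -Wait blocks until exmerge exits; -PassThru gives us the process for its exit code.
$proc = Start-Process -FilePath 'exmerge.exe' `
    -ArgumentList "-F `"$iniPath`"", '-B', '-D' `
    -WorkingDirectory $workDir -Wait -PassThru

# A non-zero exit code or fewer PSTs than mailboxes means the export is not
# complete; read the log before trusting it.
$psts = Get-ChildItem -Path $pstDir -Filter '*.pst' -Recurse -ErrorAction SilentlyContinue
"exmerge exit code $($proc.ExitCode); $(@($psts).Count) of $($mailboxes.Count) PST files found in $pstDir"
if ($proc.ExitCode -ne 0 -or @($psts).Count -lt $mailboxes.Count) {
    Write-Warning "Check $logPath for per-mailbox errors"
}
```

Because the PSTs contain whole mailboxes, treat the output directory like the mailbox database itself: restrict its ACL to the account doing the export and move the files off the server once the run is verified.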

September 10th, 2013

Posted In: Microsoft Exchange Server


One of the things that hasn’t changed in all these years with Exchange is Non-Delivery Reports. An NDR is an email that is sent when a message you send fails to go out. Exchange has had a consistent set of NDR status codes since version 5, just adding some here or there with changing technology (e.g. routing connectors, smarthosts, etc).

Exchange has a lot of NDR codes at this point. I keep a little list running in my collection of files I spotlight to find the answer to recurring questions (which happens to always be 42). When an email bounces in Exchange, these codes explain why without having to be overly verbose (usually the text is actually in the NDR but not in the error logs in Exchange). Anyway, my list:

  • 2.0.x: Codes that start with 2 are success codes. The message got to where it was supposed to go.
  • 4.0.x: Persistent failure codes, including the following:
  • 4.2.2: The person receiving the message is over their quota.
  • 4.3.1: The server is out of memory or hard drive space in the queue or Information Store directories (or IIS is out of file handles).
  • 4.3.2: Message was deleted by an administrator.
  • 4.4.1: Target server isn’t responding or there’s no network connectivity.
  • 4.4.2: Connection dropped. Often due to switching or intermittent routing failures if there are a lot of these.
  • 4.4.6: Hop count exceeded. Check for loops, check your virtual server, DNS, etc.
  • 4.4.7: Message sat in a queue too long.
  • 4.4.9: DNS failure.
  • 4.6.5: Language problems. Might need to install additional language packs.
  • 5.x: Permanent error codes (usually) including the following:
  • 5.0.0: This is usually the most annoying as it’s the generic, catch all error for when Exchange can’t decide on another error to give. Check your routing groups, check the email address, check that an SMTP communication can flow between your server and the target, etc. Prepare to get no satisfaction from your testing.
  • 5.1.0: Destination address might be wonky; otherwise rebuild the Recipient Update Service.
  • 5.1.1: Server can’t resolve the recipient. See this a lot when I delete accounts.
  • 5.1.2: Results from a host unknown (550) SMTP code.
  • 5.1.3: Malformed email address (e.g. The previous code is usually a bad domain; this one is usually something bad in front of the @.
  • 5.1.4: Hash tables detect duplicate SMTP addresses.
  • 5.1.5: Invalid mailbox. This happens when the SMTP address exists but the mailbox doesn’t.
  • 5.1.6: I’ve found this means there’s a message store problem. If more than one person is impacted, check mdb integrity.
  • 5.1.7: Sender’s mail attribute is bad. Check the sender’s mailbox info.
  • 5.1.8: Sender’s mailbox is bad. Every time I’ve seen this I’ve had to delete/re-add the sender from Exchange or their mailbox.
  • 5.2.x: Size matters. Includes the following:
  • 5.2.1: Message is too large. Often a policy issue on the sender’s end.
  • 5.2.2: Recipient is over their quota.
  • 5.2.3: Message is too large. Often a policy issue on the receiver’s end.
  • 5.2.4: Distribution group is trying to send a message and can’t.
  • 5.3.x: MTA Errors, including:
  • 5.3.1: Mail system is full. Check free space for mdb directory.
  • 5.3.2: System not accepting mail. Usually something like a port or relay not working. Especially if you have smarthosts.
  • 5.3.3: The server the message is being sent to is out of space but SMTP is still running. I usually see this if the boot volume on the target/recipient server is not full but the queue directory is.
  • 5.3.4: Message is too large, but Exchange can’t decide whether the policy issue is on the sender’s or the receiver’s end.
  • 5.3.5: The message is looping back (e.g. the server has an alias pointing back to your server, which tries to send again).
  • 5.4.0: DNS problem (can’t find MX or there are too many MX records listed). I’ve also seen this when users try to send to email addresses but forget the tld. I’ve never forgotten a tld. At least not sober…
  • 5.4.1: Receiving server isn’t responding.
  • 5.4.2: Bad connection to the other server in the SMTP communication.
  • 5.4.3: Routing error.
  • 5.4.4: Routing group error.
  • 5.4.6: The address is usually yourself with a weird reply-to situation (e.g. you’re sending to an alias of yourself and the message can’t deliver).
  • 5.4.7: Exceeded time limit to transfer message.
  • 5.4.8: You’re loopy. By default, SMTP should have a maximum of 20 hops for mail delivery. If Exchange detects a loop like this it’s usually been with an SMTP connector or a smarthost config. It’s usually my fault so I’ve seen this one many times.
  • 5.5.0: Generic. I usually find that if I get this error, I probably need to restart the SMTP service on both hosts. One of the two will fix the issue.
  • 5.5.1: Invalid SMTP command. One of the servers is speaking some wonky kinda something. Shouldn’t be possible, but happens every now and then. Especially when there are people out there running weird mail servers.
  • 5.5.2: The target mail server sucks. An SMTP error due to a broken sequence of SMTP commands is all kinds of 1980s. But it happens sometimes. If you can send to others then check the amount of memory and space as a communication stream can die if either of the two hosts craps out due to hardware and comes back online.
  • 5.5.3: You have too many friends. Yes, there is a maximum number of people that can be in the sender field. Remove some and your message should go through.
  • 5.5.4: Invalid character in a domain name (e.g. &).
  • 5.5.5: Wrong protocol. This happens when you call a fax machine from an iPhone too. But in the computer world, HTTP, even when encapsulated and running on port 25, simply can’t speak SMTP.
  • 5.5.6: Your message content sucks. Yes, I get plenty of these. Regrettably my server doesn’t discern between intelligent emails and unintelligible emails, but it does notice when there’s invalid strings in the content/body of a message!
  • 5.6.0: Corrupt message content. Similar to above, but with attachments/MIME.
  • 5.6.1: Unsupported attachment (e.g. happened when the .ipa standard was first released by Apple).
  • 5.6.3: Anyone who tries to put more than 250 attachments in an email should be beaten. That’s the only way you’ll see this. Yes, I’ve seen it. No, I did not beat him. Yes, I regret that.
  • 5.7.1: Sender sucks (aka, doesn’t have permissions to send to recipient) or client was not properly authenticated.
  • 5.7.2: The array that comprises a distribution list can’t expand and so the server can’t send to the members in that list.
  • 5.7.3: Security problem. Check auth types on servers and proxy settings. Alternative recipient can cause this as well.
  • 5.7.4: Target server security problem. Check delivery settings.
  • 5.7.5: Try again with plaintext as this usually means there isn’t a handshake between cryptographic algorithms/hashes.
  • 5.7.6: Bad certificate.
  • 5.7.7: Message integrity issues, likely due to encrypted email.

If you’ve seen one that isn’t in my list, let me know and I’ll add it!

Finally, keep in mind: friends don’t let friends run their own mail servers.
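The codes above follow the RFC 3463 layout of class.subject.detail, which makes them easy to pull out of NDR text or message-tracking FAIL events and tally, so a spike of, say, 5.7.1 or 5.1.1 against one sender shows up without reading every bounce. The following is an added example, not part of the original post: a function that extracts and classifies the code (class 2 success, 4 transient, 5 permanent; subject 1 addressing, 2 mailbox, 3 mail system, 4 network/routing, 5 protocol, 6 content, 7 security/policy), run over a few constructed sample status strings of the kind Exchange records in RecipientStatus.

```powershell
# Added example (not from the original post).
function Get-NdrStatus {
    param([Parameter(Mandatory=$true)][string]$Text)
    # Status codes are class.subject.detail; the 3-digit SMTP reply before them is ignored.
    if ($Text -notmatch '\b([245])\.(\d{1,3})\.(\d{1,3})\b') { return $null }
    $class   = [int]$Matches[1]
    $subject = [int]$Matches[2]
    $detail  = [int]$Matches[3]
    $classNames   = @{ 2 = 'Success'; 4 = 'Transient (will retry)'; 5 = 'Permanent' }
    $subjectNames = @{ 0 = 'Other'; 1 = 'Addressing'; 2 = 'Mailbox'; 3 = 'Mail system'
                       4 = 'Network/routing'; 5 = 'Protocol'; 6 = 'Content'; 7 = 'Security/policy' }
    $subjectName = 'Unknown'
    if ($subjectNames.ContainsKey($subject)) { $subjectName = $subjectNames[$subject] }
    New-Object PSObject -Property @{
        Code    = "$class.$subject.$detail"
        Class   = $classNames[$class]
        Subject = $subjectName
        Text    = $Text
    }
}

# Constructed sample RecipientStatus strings (not from a real server).
$samples = @(
    '550 5.1.1 RESOLVER.ADR.RecipNotFound; not found',
    '550 5.7.1 RESOLVER.RST.AuthRequired; authentication required',
    '451 4.4.1 Remote server unavailable',
    '250 2.0.0 OK',
    '550 5.1.1 RESOLVER.ADR.RecipNotFound; not found'
)

# Tally by code so the most frequent failure reason floats to the top.
$samples | ForEach-Object { Get-NdrStatus -Text $_ } |
    Group-Object Code | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Class';   e = { $_.Group[0].Class } },
        @{ n = 'Subject'; e = { $_.Group[0].Subject } }
```

On a live Exchange 2007 or later server the same function can be fed from the tracking logs, for example Get-MessageTrackingLog -EventId FAIL and a loop over each entry’s RecipientStatus values, to get the same tally for the last day’s bounces.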

June 28th, 2013

Posted In: Microsoft Exchange Server, Windows Server


Some iPhones can have a problem with some Exchange servers because they are not fully manageable using ActiveSync policies. The New-ActiveSyncMailboxPolicy cmdlet can be used with the -Name parameter to assign a name to the new ActiveSyncMailboxPolicy, which we’ll call iPhone. To allow devices that are not fully manageable to use ActiveSync, an ActiveSyncMailboxPolicy needs to be created with -AllowNonProvisionableDevices set to $true. For example, to create such a policy and call it iPhone we would use the following command:

New-ActiveSyncMailboxPolicy -Name iPhone -AllowNonProvisionableDevices $true
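A non-provisionable device is one that does not enforce the policy’s settings (PIN, wipe, encryption), so the practical risk of this switch is that those controls are not applied on whatever device uses the policy. The added example below, which is not from the original post, creates the policy exactly as above and then assigns it only to the mailboxes that need it, leaving everyone else on the default policy; it assumes a distribution group named “iPhone Users” (a placeholder) that holds those users.

```powershell
# Added example (not from the original post). "iPhone Users" is a placeholder group.
New-ActiveSyncMailboxPolicy -Name iPhone -AllowNonProvisionableDevices $true

# Assign the relaxed policy only to members of the group.
Get-DistributionGroupMember -Identity 'iPhone Users' |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.DistinguishedName -ActiveSyncMailboxPolicy 'iPhone'
    }

# Check: list everyone on the relaxed policy so the scope can be reviewed later.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { "$($_.ActiveSyncMailboxPolicy)" -eq 'iPhone' } |
    Select-Object Name, ActiveSyncMailboxPolicy, ActiveSyncEnabled
```

Re-running the last pipeline periodically is a cheap way to notice when the relaxed policy has quietly spread beyond the group it was meant for.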

November 27th, 2009

Posted In: iPhone, Microsoft Exchange Server


Exchange 2007 is often set to filter all spam and reject mail that is classified as spam. If you configure Exchange 2007 to do so, you still need an email address that does not get filtered, because the body of your rejection emails needs to give a legitimate sender a way to contact you and get their mail through. Bypassing the content filter for an email address is done with a cmdlet, Set-ContentFilterConfig. Its -BypassedRecipients option specifies the email addresses the filter will not be applied to, and is followed by the address to bypass. For example, if I wanted to do this for I would use the following cmdlet:

Set-ContentFilterConfig -BypassedRecipients

November 27th, 2009

Posted In: Microsoft Exchange Server


For those who have been waiting for a time when Entourage uses less bandwidth, has enhanced support for EWS features and, well, works better, the time has come. The beta came and went and we waited. The wait is now over: Entourage Web Services Edition is now available for download. You only really need this if you have an Exchange Server 2007 environment that can support EWS.

August 13th, 2009

Posted In: Kerio, Mac OS X, Microsoft Exchange Server, Windows Server


In Exchange 2007, the Client Access Server (CAS) role accepts connections from clients in order to allow them access to the Exchange Server infrastructure (mailboxes, public folders, GAL, etc). CAS accepts connections from:

  • POP3 and/or IMAP4 clients
  • Outlook Web Access (OWA) and/or OWA Light clients
  • Exchange ActiveSync (EAS) clients

Entourage falls into this category, so when you deploy Exchange 2007 alongside Entourage you will point your clients at the host running CAS. This is a change from previous versions, where you could enable IIS on any host and point clients there; it is similar, though, in that CAS provides much the same front-end functionality that option did.

CAS imposes certain design considerations, and also brings benefits over how things were handled in Exchange 2003. With Microsoft Outlook clients, you could migrate a mailbox between Exchange servers and Outlook would read the new location of the mailbox automatically and reconfigure itself for the new server. This has never been a feature of Entourage (although you can use a clustered pair), but now you point all clients to your CAS host and the mailboxes can be moved between Storage Groups and servers without touching the clients. However, if you change CAS servers you may find yourself performing some client reconfiguration.

In smaller environments, where ports come directly into the server from the WAN, you won’t find the CAS role to be a big design consideration. Clients can simply connect over port 80 or 443 (not counting the LDAP lookups, obviously). But in larger environments where all data needs to be proxied in some way, you may find the move to a CAS role complicated. Here, look to Microsoft’s IAS server, which would be placed in the DMZ and then allow connections from Entourage and other ActiveSync/OWA clients.

A number of people have been asking about ActiveSync clients, for Snow Leopard.  The same principles will apply for, provided it is a true ActiveSync client: simply point at your CAS host.

One of the key reasons Exchange adoption is so prolific is Public folders. Public folders are likely on their way out, with Microsoft SharePoint replacing the concept. I’m not going to say I love or hate the idea, but in many institutions Public folders have been around for a long time, and while you likely have until 2016 (worst case) to retire them, sometimes it takes as long to retire something as it took to build it in the first place… In the meantime, many of the common tasks for managing Public folders require you to hop into PowerShell, so keep that PowerShell book close at hand if you find you’re doing a lot of Public folder management (New-PublicFolder -Name BillyBob). Just something to keep in mind.

Finally, Exchange 2007 has a number of features for automatic archiving of data. Entourage has no auto-archive features. So consider leveraging Exchange’s built-in features or, as we’ve seen in some environments, an out-of-band solution for archiving mail to pst (or whatever format you prefer).

April 16th, 2009

Posted In: Mac OS X, Microsoft Exchange Server


Are your users sick of typing in their domain name on the OWA auth screen? Well, here’s the PowerShell command to make it so they don’t have to any more:

Set-OWAVirtualDirectory -Identity "owa (default web site)" -LogonFormat username -DefaultDomain 

Since you’re not using as your mail domain, swap that out with your domain name, of course. And if you want to use it for the other OWA virtual directories, such as Exadmin, run it again, swapping out owa for the virtual directory you’re using. Oh, you can do it through the Exchange Management Console too, but the GUI isn’t as much fun. If you do decide to go that way, fire up the mmc, click on Server Configuration, click on the Client Access role, click on your server, select the site (probably OWA), then click Properties and set authentication to forms-based authentication. From there, click User Name Only and then click Browse to set your domain name. When you’re done hit Apply, then restart IIS and test it out.

October 13th, 2008

Posted In: Microsoft Exchange Server


Find users hidden from the GAL using this PowerShell command:

Get-Mailbox | Where {$_.HiddenFromAddressListsEnabled -eq $True} | Select Name, HiddenFromAddressListsEnabled

April 5th, 2007

Posted In: Active Directory, Microsoft Exchange Server


Find all mailboxes with Send As permissions for someone other than yourself with Exchange PowerShell using this command:

Get-Mailbox | Get-ADPermission | where {($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF")} | FT -Wrap
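For a periodic review that one-liner is a bit noisy: it lists inherited entries, Deny entries and unresolved SIDs from deleted accounts, and it says nothing about Send on Behalf, which is a separate grant stored on the mailbox rather than an AD permission. The following is an added example, not from the original post, that wraps the same check in a function, drops that noise, returns objects you can export, and, going beyond the post, reports Send-on-Behalf grants alongside Send-As. It assumes an Exchange Management Shell session with rights to read mailbox permissions.

```powershell
# Added example (not from the original post).
function Get-SendAsAudit {
    param([string]$Mailbox)   # optional: one mailbox identity; default is all mailboxes

    if ($Mailbox) { $mailboxes = Get-Mailbox -Identity $Mailbox }
    else          { $mailboxes = Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $mailboxes) {
        # Explicit, allow-type Send-As grants to someone other than the mailbox owner.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                ($_.ExtendedRights -like '*Send-As*') -and
                -not $_.Deny -and
                -not $_.IsInherited -and
                ($_.User -notlike 'NT AUTHORITY\SELF') -and
                ($_.User -notlike 'S-1-5-*')   # orphaned SID: deleted account, clean up separately
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox = $mbx.Name
                    Grantee = $_.User.ToString()
                    Right   = 'Send-As'
                }
            }

        # Send on Behalf lives on the mailbox object, not in the ACL.
        foreach ($g in $mbx.GrantSendOnBehalfTo) {
            New-Object PSObject -Property @{
                Mailbox = $mbx.Name
                Grantee = $g.Name
                Right   = 'Send-on-Behalf'
            }
        }
    }
}

# Usage: a full report for review, or a quick look at a single mailbox.
Get-SendAsAudit | Select-Object Mailbox, Grantee, Right |
    Export-Csv -Path .\sendas-audit.csv -NoTypeInformation
Get-SendAsAudit -Mailbox 'ceo' | Format-Table Mailbox, Grantee, Right -AutoSize
```

Diffing successive CSV exports is the simplest way to catch a Send-As grant that appeared without a change ticket, which is the case that matters for impersonation.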

April 3rd, 2007

Posted In: Active Directory, Microsoft Exchange Server

