Sunday, April 27, 2008

Exchange2007:OWA and Documents



Lina-PC.Areyou.com:

=======
Windows 2003 server R2 and SP2

DNS: Primary zone: areyou.com

Secondary zone: itsme.com

Exchange 2007 SP1 installed

User Mailbox admin@areyou.com is created.

=====
ExClientServer.itsme.com

Windows 2003 Server R2 and SP2
DNS: Primary zone: itsme.com

Secondary zone: areyou.com
Hub Transport Role of Exchange 2007
=====

S2003ex1.itsme.com
Windows 2003 server R2 with SP2
Mailbox role
SharePoint service installed
admin@itsme.com mailbox is created.

=====

Firewall on all computers is turned off.
====
HTTPS://s2003ex1.itsme.com/owa



Log on as itsme\admin; you will see the Documents item at the lower left of the OWA window, as shown:


On the Client Access server, access OWA properties. You will see the following:


If you uncheck Windows File Shares and Windows SharePoint Services, the Documents item disappears from the OWA window.

The Private Computer file access settings work the same way.

OWA and remote File Server access
You can only reach internal servers, either through Windows File Shares or through SharePoint Services. OWA identifies a server as internal if:



I cannot open http://s2003ex1/. I create a site named xxx in SharePoint as shown below:

Make sure the user has the permission to access the SharePoint site xxx.





For UNC access, you must make sure the user has the necessary permission.

After configuring the OWA properties as above on Lina-PC.areyou.com and granting areyou\admin access to the http://s2003ex1/xxx site, areyou\admin can open http://s2003ex1/xxx from the OWA window.

Sunday, April 20, 2008

Exchange2007:Antispam


Saturday, April 19, 2008

Wednesday, April 16, 2008

Exchange2007:Linked Connector

Linked Connectors
A Receive connector is linked to a Send connector. When the Receive connector accepts a message, it hands the message to the linked Send connector.
1-->2-->3-->4



Exchange Hub Transport Server has 2 receive connectors and 2 send connectors.



On the Exchange 2007 server: CHINA


Antispam server: Canada.itsme.com



New-SendConnector -Name mySend -LinkedReceiveConnector "Default China" -SmartHosts "canada.itsme.com" -SmartHostAuthMechanism "NONE" -DNSRoutingEnabled $False -MaxMessageSize unlimited



Pay attention to the port number assignment.


A linked Send connector does not have an address space.

When an internal user sends mail, the 1-->2 route is selected as usual.


Exchange2007:Mutual TLS for domain security--Partner usage type of Send connector

Mutual TLS for domain security of Exchange 2007 provides a relatively low cost alternative to S/MIME and other message-level security solutions.

A trusted certificate authority must be in place. Both company A and B must trust the CA.

A Partner Send connector only has the Ms-Exch-Send-Headers-Routing permission. Follow my blog post Exchange 2007: TLS and then do the following:

Domain A:
Assuming the toPartnerB send connector is created;
Set-SendConnector toPartnerB -DomainSecureEnabled:$true

Domain B: partner
Set-TransportConfig -TLSReceiveDomainSecureList DomainA.com
Set-ReceiveConnector 'Default B' -DomainSecureEnabled:$true -AuthMechanism TLS
========
I didn't complete the lab. It seems straightforward and I don't think it is worth my time to do the lab, as long as I know it only implements encryption between the two domains' transport servers.

Exchange2007:submission queue

The Submission queue accepts messages from other servers. A growing Submission queue deserves investigation: it may indicate that the categorizer on a Hub Transport server is having difficulty resolving recipient addresses against Active Directory. Do not draw the same conclusion for an Edge Transport server, because the Edge Transport server does not use AD.

Tuesday, April 15, 2008

Exchange2007: Exchange Servers authentication

www.1ask2.com
How do you understand the Exchange Servers authentication?

First, you must know the following:
Within the same forest, the Exchange Servers universal group contains all the Exchange servers in the forest. The default Receive connector of a Hub Transport server has the following permissions assigned; you can use the ADSIEDIT.msc tool to see them.

At US.areyou.com transport server:

ADSIEDIT -- Configuration --Services --Microsoft Exchange --First Organization--Exchange Administrative Group--Servers--US--Protocols--CN=SMTP receive Connectors
Double-click CN=Default US --Security Tab
You will find the permissions assigned to Exchange Servers universal group.

Within the same forest, a Send connector on Hub Transport server A can communicate with a Receive connector on Hub Transport server B using Exchange Server authentication, because the Exchange Servers universal group is granted permissions on the default Receive connector.
=============
How about cross-forest? Can we implement the Exchange Server authentication? Yes, we can!!!

The above diagram shows the two forests: areyou.com and itsme.com.

1. DNS

At US.Areyou.com,

areyou.com primary zone

Itsme.com secondary zone

At Canada.itsme.com,

Itsme.com primary zone

Areyou.com secondary zone

Make sure all the zones contain the Active Directory (SRV) records.

2. create two-way forest trust

At canada.itsme.com:

At US.Areyou.com:


To verify that the trust relationship works, on the US.areyou.com computer create a folder and assign permissions to the Sam@itsme.com user; on Canada.itsme.com, create a folder and assign permissions to the Jim@areyou.com user. If you can complete the permission assignment, you can move forward.

3.Default Receive Connector permission

At US.areyou.com, ADSIEDIT.msc:

Configuration --Services --Microsoft Exchange --First Organization--Exchange Administrative Group--Servers--US--Protocols--CN=SMTP receive Connectors--CN=Default US --Properties --Security --Add the canada.itsme.com computer object to the ACL and assign the same permissions as the Exchange Servers universal group.

At Canada.itsme.com, ADSIEDIT.msc:

Configuration --Services --Microsoft Exchange --First Organization--Exchange Administrative Group--Servers--Canada--Protocols--CN=SMTP receive Connectors--CN=Default Canada --Properties --Security --Add the US.areyou.com computer object to the ACL and assign the same permissions as the Exchange Servers universal group.

4. Accepted domain and Send connector

At US.areyou.com, Exchange Management Console:

Accepted Domain: itsme.com Internal usage type

Send connector:

new-SendConnector -Name 'itsme.com' -Usage 'Internal' -AddressSpaces 'SMTP:itsme.com;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts 'canada.itsme.com' -SmartHostAuthMechanism 'ExchangeServer' -UseExternalDNSServersEnabled $false -SourceTransportServers 'US'

At Canada.itsme.com,

Accepted domain: areyou.com Internal Usage type

Send connector:
new-SendConnector -Name 'areyou.com' -Usage 'Internal' -AddressSpaces 'SMTP:areyou.com;1' -IsScopedConnector $false -DNSRoutingEnabled $false -SmartHosts 'US.areyou.com' -SmartHostAuthMechanism 'ExchangeServer' -UseExternalDNSServersEnabled $false -SourceTransportServers 'Canada'
=====

Why do we need the Exchange Servers authentication?

One example:

Exchange stamps a message with an X-header called X-MS-Exchange-Organization-OriginalSize, which indicates the original message size. When the message is transported to other transport servers, its size may increase because of format conversion, encoding, and agent processing. With the X-MS-Exchange-Organization-OriginalSize header, the down-stream transport rule will not block the message.

Another example:

When the Exchange 2007 anti-spam agents process a message, they place X-headers, such as the spam confidence level (SCL), in the message header. If you examine a message header after it has passed through a Hub Transport or Edge Transport server, you will see X-headers such as X-MS-Exchange-Organization-Antispam.

Monday, April 14, 2008

Telnet

Why can't I telnet the other e-mail server?

The Internet-facing SMTP messaging servers of many organizations are configured to validate the source IP address, the corresponding domain name system (DNS) domain name, and the reverse lookup IP address of any Internet host that tries to send a message to the server. If you connect a test computer to the Internet and try to send a test message to a remote messaging server by using Telnet on port 25, your message may be rejected. To satisfy security requirements that may be imposed by the remote messaging server, you can connect to the remote messaging server from your Edge Transport server. The accepted domains that are configured on the Edge Transport server have the appropriate DNS mail exchange (MX) records, address (A) records, and reverse lookup records that identify the Edge Transport server as a legitimate and traceable e-mail message source for those accepted domains on the Internet.

Find out the SMTP server IP address:

nslookup
set q=mx
Joymaininc.com

Non-authoritative answer:
joymaininc.com MX preference = 10, mail exchanger = postbox.postbox.joymaininc.com
postbox.postbox.joymaininc.com internet address = 76.77.74.135

Telnet 76.77.74.135 25 ----Fail
========
http://technet.microsoft.com/en-us/library/bb794845.aspx#Qdns

  • Pointer (PTR) Record Validation
    A DNS PTR record is used to map an IP address to a host name or host names depending on the version of DNS that is being used. The receiving SMTP server will perform a reverse DNS lookup on the IP address of the sending SMTP server. If a PTR record has been configured, the host name will be sent back as the information requested. Then, the SMTP server performs a forward lookup on the host name. If the IP address of the sending SMTP server and IP address of the forward lookup match, the e-mail message is assumed to have come from a valid SMTP server, and the e-mail message is allowed. If the two IP addresses do not match or there is no PTR record, the e-mail message is rejected.

To fix this scenario, confirm that you have a properly configured PTR record for the primary IP address of the external network adapter. When network address translation (NAT) is in use, the primary IP address of the network adapter may differ from the IP address the remote side sees; make sure the external NIC's IP address is the one in the PTR record.

How to configure Exchange 2003 SMTP server to perform reverse DNS lookup?
You can configure the Exchange server to reject incoming connections by specifying a domain name on the SMTP virtual server. When this is done, reverse lookups are performed on all connection attempts. This setting is available under Connection Control on the Access tab when you right-click the SMTP virtual server and then click Properties.



  • HELO/EHLO Host Name Validation
    HELO/EHLO is a required SMTP command that is used to initiate the transfer of e-mail messages from one SMTP server to another SMTP server. The HELO command is used to identify the sending SMTP server, in the form of a host name, to the receiving SMTP server. The host name should be a fully qualified domain name (FQDN) that can be resolved on the Internet.
    Some SMTP servers validate the host name in the HELO command. The receiving SMTP server performs a forward lookup on the host name it received in the HELO command. If the IP address that is received back matches the sending SMTP server's IP address, the e-mail message is allowed. However, if the IP address does not match or no address is returned for the host name, the e-mail message is rejected.

Configuring the HELO/EHLO command on your SMTP server: the host name should be an FQDN that is resolvable on the Internet (Exchange server documentation).
The host name must resolve to the primary IP address of the external network adapter (consider NAT).
To check that you have a properly configured PTR record, visit the following Web sites: http://www.dnsstuff.com/ and http://www.dnsreport.com/.

Exchange 2007
New-ReceiveConnector -RequireEHLODomain

RequireEHLODomain
Valid values for this parameter are $True or $False. The default value is $False. When the RequireEHLODomain parameter is set to $True, the remote computer must provide a domain name in the EHLO handshake after the SMTP connection is established. If the remote computer does not provide the domain name, the SMTP connection is closed.

DefaultDomain
This parameter specifies the domain name to append to values that are submitted to MAIL FROM: or RCPT TO: in the message envelope by a sending server if no domain name is provided.

DomainSecureEnabled

Domain MX Record Validation
Some receiving SMTP servers attempt to match the IP address that the e-mail message came from to the MX record of the sender's domain. In this case, the receiving SMTP server queries DNS for the MX record for the sender's domain. A forward lookup is performed on the host names and the receiving SMTP server attempts to match the IP address of the sending SMTP server to an IP address from a MX record. If there is a match, the e-mail message is allowed. However, if a match is not found, the e-mail message is rejected.
http://support.microsoft.com/kb/300171
The mail servers of some Internet domains require that you create a valid PTR record that points the sending server's IP address to the local SMTP domain namespace. Sometimes these mail servers require that the PTR record match the actual FQDN of their SMTP Virtual Server on Exchange. Typically, this is the MX record. These Internet domains include AOL.com, Qwest.net, Mindspring, Earthlink, and Hotmail. To send mail to these domains, create a valid PTR or a reverse lookup record on your company’s external or Internet DNS server.
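The three checks described above (PTR validation, HELO/EHLO host name validation, and MX record validation), as an added example that is not part of the original post or of Exchange. It runs the checks against a constructed in-memory DNS table: the joymaininc.com MX host and address are the values from the nslookup output earlier in the post, the other names and addresses are made up, and the `validate_sender` function and its arguments are assumptions for the example.

```python
"""Simulated receiving-SMTP-server checks: forward-confirmed reverse DNS (PTR),
HELO/EHLO host name validation, and domain MX record validation.

Added example, not code from the blog post or from Exchange. DNS is a constructed
dictionary so the example runs offline; a real server would query DNS.
"""
import ipaddress

# Constructed DNS view. The joymaininc.com entries are from the post's nslookup
# output; the example.net/example.org entries are made up for the example.
DNS = {
    "ptr": {
        "76.77.74.135": "postbox.postbox.joymaininc.com",
        "203.0.113.10": "mail.example.net",   # PTR whose forward lookup disagrees
    },
    "a": {
        "postbox.postbox.joymaininc.com": "76.77.74.135",
        "mail.example.net": "203.0.113.99",    # mismatch on purpose
        "edge.example.org": "198.51.100.5",
    },
    "mx": {
        "joymaininc.com": ["postbox.postbox.joymaininc.com"],
        "example.org": ["edge.example.org"],
    },
}


def ptr_check(ip, dns=DNS):
    """PTR validation: reverse lookup, then the forward lookup must return the same IP."""
    host = dns["ptr"].get(ip)
    if host is None:
        return False, "no PTR record"
    if dns["a"].get(host) != ip:
        return False, f"PTR {host} does not resolve back to {ip}"
    return True, f"PTR {host} confirmed"


def helo_check(ip, helo_name, dns=DNS):
    """HELO/EHLO validation: the HELO name must be an FQDN that resolves to the peer IP."""
    if "." not in helo_name:
        return False, "HELO name is not an FQDN"
    resolved = dns["a"].get(helo_name)
    if resolved is None:
        return False, f"HELO name {helo_name} does not resolve"
    if resolved != ip:
        return False, f"HELO name {helo_name} resolves to {resolved}, not {ip}"
    return True, "HELO name confirmed"


def mx_check(ip, sender_domain, dns=DNS):
    """MX validation: the peer IP must be the address of one of the sender domain's MX hosts."""
    mx_hosts = dns["mx"].get(sender_domain, [])
    if not mx_hosts:
        return False, f"no MX record for {sender_domain}"
    mx_ips = {dns["a"].get(h) for h in mx_hosts}
    if ip in mx_ips:
        return True, "peer is an MX host for the sender domain"
    return False, f"{ip} is not an MX host for {sender_domain}"


def validate_sender(ip, helo_name, mail_from, dns=DNS):
    """Run all three checks; returns (accepted, [reason, reason, reason])."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    results = [ptr_check(ip, dns), helo_check(ip, helo_name, dns), mx_check(ip, sender_domain, dns)]
    return all(ok for ok, _ in results), [reason for _, reason in results]


if __name__ == "__main__":
    # A test computer with no PTR record is rejected at the first check, which is
    # the situation the post describes for a Telnet test from an arbitrary host.
    print(validate_sender("192.0.2.1", "testbox.example.net", "user@example.net"))
    print(validate_sender("76.77.74.135", "postbox.postbox.joymaininc.com", "user@joymaininc.com"))
```

The NAT caveat from the post is visible in `ptr_check`: if the PTR record names a host whose A record is the internal address rather than the address the remote server actually sees, the forward lookup does not match and the connection is refused.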

Exchange2007:Accepted domain


Sunday, April 13, 2008

Exchange2007: HUB Site

The HUB-SPOKE network in the diagram is also a fully routed network, which means each server can communicate directly with every other server without an intermediate server. DC A can communicate directly with DC B, C, and D. By default, Exchange 2007 uses direct point-to-point delivery. What does that mean? After ADLink, CDLink, and BDLink are created, test Exchange communication: with the Transport service stopped at Site D, you can still send messages from Site A to Sites B and C.


Implementing HUB-SPOKE communication: force all message delivery to be relayed through Site D.


Open Exchange Management Shell on "DC D", run the following:


Set-AdSite -Identity "Site D" -HubSiteEnabled $true

Now, with the Transport service stopped on Site D, send messages from Site A to B and D. You will find that the messages are queued at Site A.

Why would you choose to implement a hub site, which involves more servers in message delivery?

Possible reason: the company's internal policy,

or connectivity that prevents direct SMTP relay between sites. I do not see that yet.

In the following configuration, a message sent to Tom@SiteD will first stop at Hub Site and then be relayed to Site D. However, the message sent to Joe@SiteC will be directly delivered to Site C because it has the least cost path.

If you increase the cost between Site A and B to 100, the Hub Site will never be used. An Active Directory site is never used as a hub site if it is not on the least cost routing path between two other sites.



Saturday, April 12, 2008

Active Directory: how to understand IP Site Links?

A site link is a logical path. A site link does not correspond to the actual path taken by network packets on the physical network.


What does it mean? The diagram shows that Sites A, B, C, and D are physically connected through T1 or other leased lines. It is a full mesh topology. How many site links do you create? The DEFAULTIPSITELINK alone is enough. Each site can communicate directly with every other site at a uniform cost, which is defined on the DEFAULTIPSITELINK object.

The physical connection might be as shown below. Because the connections among the routers have the same bandwidth and speed, and each router can reach every other one directly, all four sites can bind to the one site link, DEFAULTIPSITELINK. Communication among the sites shares the uniform cost and the same schedule. The cost should reflect the physical network connection: for example, 100 for a 10 Mbps network and 10 for a 100 Mbps network.

Because there are too many routes for the KCC to consider, you need to disable Bridge all site links and manually create site link bridges.


In the HUB-SPOKE network, you should create 3 site links: ADLink, DBLink, and DCLink.




What does the fully-routed network mean for a hub-spoke topology?

The following network is a fully routed network as well as a hub-spoke topology. A fully routed network is one in which every host can reach every other host. From this diagram, I have a better understanding of the site. A site relates to a physical network but only for Active Directory: a site defines a set of well-connected domain controllers.

Site Link Bridge

In a fully routed network, IP site links are transitive. After the three IP site links ADLink, DBLink, and DCLink are created, a link with the cost of ADLink plus DBLink and a link with the cost of DCLink plus DBLink are created automatically.




In the above modified diagram, SITE B, C, and D can bind to one IP Site Link.


A network that is not fully routed, or a disjointed network, is one whose segments are not connected to each other through any router.

The 11.100.0.0 network and the 11.200.0.0 network are not connected through a router. They are disjointed networks.

Netcard1: IP Address: 11.100.1.1 Mask: 255.255.0.0 Default Gateway: 11.100.0.1
Netcard2: IP Address: 11.200.1.1 Mask: 255.255.0.0 Default Gateway: 11.200.0.1

To reach the 130.20.0.0 network from 11.100.0.0 site, you could add a static route in the multihomed computer:
route add 130.20.0.0 MASK 255.255.0.0 11.200.0.1

11.200.0.1 is the interface IP address of the right-hand router.
If your IP network is not fully routed, you must disable Bridge all site links for the IP transport and configure site link bridge objects.

Thursday, April 10, 2008

Exchange2007:Hub Transport Role and Send Connector

Within the same Exchange organization, you don't need to configure the Send and Receive connectors that allow messages to flow between Hub Transport servers in different sites; this is done automatically when you install the Hub Transport role on a server.

Send Connector
Send connector represents a logical gateway through which outbound messages are sent.

When you configure a Send connector, you must select at least one source server for that Send connector. The source servers are the transport servers that are associated with that connector to handle message delivery.

Transport Servers handle message delivery.

The source server for a Send connector can be a Hub Transport server, an Edge Transport server, an Edge Subscription, or an Exchange Server 2003 or Exchange 2000 Server bridgehead server.


AA, BB, CC, and DD host the Hub Transport role. A Send connector is defined with address space *.com. The AA and BB Hub Transport servers are associated with the Send connector; CC and DD are not.
Mailbox Jane@itsme.com is hosted on the AA mailbox server. When Jane@itsme.com sends mail to kkk@yahoo.com, the AA transport server always handles the delivery, because the AA transport role coexists with Jane's mailbox role, unless it is unavailable. If the AA transport role is not available, the BB transport server delivers the message. --Fault tolerance

CC and DD Hub Transport servers also host mailbox roles. When mailbox users on CC send messages to kkk@yahoo.com, aaa@hotmail.com, ddd@cnn.com, etc., the CC Hub Transport server forwards them to the Hub Transport servers associated with the Send connector. AA and BB can load-balance the delivery; AA and BB must be in the same site for load balancing.
Both the AA and BB Hub Transport servers must have direct Internet connections and must be able to resolve the MX records of the Internet domains.
=======
Within the same Exchange organization, you don't manually create the Send connector. When messages from Site A are relayed to Site B, the Site A Hub Transport server contacts the Hub Transport server in Site B.
Each site must have at least one Hub Transport Server.


Message Relay from Hub Transport Server to an Edge Transport server


Mailbox users in Site B send messages to the Internet. The Hub Transport server in Site B routes them to Site A. The Hub Transport server in Site A relays them to the Edge Transport server, which uses DNS name resolution (MX). If there are more than two Edge Transport servers as the source transport servers on the Send connector, load balancing and fault tolerance can take place.


==


Send connector and source transport server

If you configure a Send connector with address space * and its source transport servers include one from Site A, one from Site B, and one from Site C, the local transport server always handles mail delivery for the mailbox users in its own site. For example, when tom@siteA sends messages to the Internet, the messages are delivered by the transport server in Site A.

However, if the source transport server of the Send Connector does not include the Transport server in SITE C, when Joe@SITEC sends messages to Internet, the messages will be relayed to either SITE A or B for delivery, not both. The least cost site link path will be chosen.
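The routing rules from this post and the two preceding ones (Hub Site, and IP Site Links) in one runnable model, as an added example that is not code from the blog or from Exchange: site link costs add up along a bridged path, a hub site is inserted only when it lies on the least-cost path, and a Send connector's message is delivered by the local Hub Transport server when it is a source server, otherwise relayed to the single closest site that hosts one. The site names, link names and costs are constructed, and the tie-break (alphabetical site name) is a simplification assumed for the example.

```python
"""Least-cost routing over Active Directory IP site links, hub sites, and Send
connector source server selection.

Added example, not code from the blog post or from Exchange. Site links are a
constructed table; costs are additive because Bridge all site links is assumed on.
"""
import heapq

# Constructed site links: name -> (sites joined, cost). Hub-spoke around Site D.
SITE_LINKS = {
    "ADLink": ({"A", "D"}, 10),
    "DBLink": ({"D", "B"}, 10),
    "DCLink": ({"D", "C"}, 10),
}


def least_cost_path(links, src, dst):
    """Dijkstra over the site graph; returns (cost, [sites...]) or (None, [])."""
    adj = {}
    for sites, cost in links.values():
        for s in sites:
            for t in sites:
                if s != t:
                    adj.setdefault(s, []).append((t, cost))
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry
        for nxt, c in adj.get(site, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                prev[nxt] = site
                heapq.heappush(heap, (cost + c, nxt))
    return None, []


def delivery_hops(links, src, dst, hub_sites=()):
    """Sites where the message actually stops. Direct point-to-point by default;
    a hub site is added only if it is on the least-cost path between src and dst."""
    cost, path = least_cost_path(links, src, dst)
    if cost is None:
        return []
    return [src] + [s for s in path[1:-1] if s in hub_sites] + [dst]


def pick_relay_site(links, sender_site, source_sites):
    """Which site's Hub Transport server delivers for a Send connector: the local
    server if it is a source server, otherwise the closest source site (one site
    only; ties broken by site name, an assumption of this example)."""
    if sender_site in source_sites:
        return sender_site
    candidates = []
    for site in source_sites:
        cost, _ = least_cost_path(links, sender_site, site)
        if cost is not None:
            candidates.append((cost, site))
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    print(delivery_hops(SITE_LINKS, "A", "C"))                  # ['A', 'C']: direct
    print(delivery_hops(SITE_LINKS, "A", "C", hub_sites={"D"}))  # ['A', 'D', 'C']
    print(pick_relay_site(SITE_LINKS, "C", {"A", "B"}))         # 'A'
```

Adding a direct A-B link with a lower cost than the A-D-B path makes `delivery_hops(..., "A", "B", hub_sites={"D"})` return `['A', 'B']`: D is still a hub site, but it is no longer on the least-cost path, which is the rule stated in the Hub Site post.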

Wednesday, April 9, 2008

Exchange2007: TLS

W2008.areyou.com forest and domain
Exchange 2007 SP1
DNS:
mx record is created for areyou.com

canada.itsme.com forest and domain:
Exchange 2007 SP1
DNS
mx record is created for itsme.com.

EdgeComputer: standalone
with primary suffix: areyou.com
The Host (A) record is created in areyou.com zone.

Install Certificate Service in EdgeComputer.
====
Do the following for both Canada.itsme.com and W2008.areyou.com computers:

download the CA certificate, open it, and install it as shown below:
For a local CA, it is important that the CA certificate is placed in Trusted Root Certification Authorities.
====
Canada.itsme.com


Exchange Management Shell


New-ExchangeCertificate -GenerateRequest -Force -FriendlyName "Itsme.com Certificate" -SubjectName "DC=Itsme,DC=COM,CN=canada.itsme.com" -DomainName itsme.com,itsme -Path c:\itsme.req


http://edgecomputer.areyou.com/certsrv



Request a certificate --Advanced Request--

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.



Open c:\itsme.req in notepad.exe, copy the request text, and paste it into the box.



Additional Attributes must be set to EnhancedKeyUsage:Server Authentication



Switch to EdgeComputer.areyou.com



Certificate Authority--Pending Approval--Issue the Certificate



Switch back to Canada.itsme.com computer;



HTTP://edgecomputer.areyou.com/certsrv



View the status of a pending certificate request and download the certificate and save it as certnew.cer.



At Exchange Management Shell:



[PS] D:\>Import-ExchangeCertificate -Path C:\certnew.cer | Enable-ExchangeCertificate -Services SMTP



===



Do the same procedure for W2008.areyou.com computer.



====



At Canada.itsme.com,



create a user: itsme\smart and add it to the Exchange Servers universal group.



Create a Send Connector with Internal Type, Address Space: Areyou.com, Smart Host:w2008.areyou.com, authentication as shown:

========

At W2008.areyou.com,

create a user: areyou\smart and add it to the Exchange Servers universal group.

Create Send Connector with Internal type, Address Space:Itsme.com, Smart Host:canada.itsme.com, authentication as shown above.

===

When a mail user in the areyou.com domain sends mail to the itsme.com domain, TLS is used. How can you tell? Try removing the trusted CA certificate from the Local Computer store: mail flow breaks, which means mail will no longer flow to the other side.

Sunday, April 6, 2008

Exchange2007 organization to Exchange2007 organization--create a trusted communication


Exchange2007: Exchange Servers group, ExchangeLegacyServers Group, Partner group

What are the benefits when the send connector or receive connector is configured with the Exchange Servers group, or ExchangeLegacyServers group, or Partner group?

Routing Header
When a messaging server (e.g. a Hub Transport server) delivers a message, it stamps a header field into the message, such as the Received: header, which typically includes the name of the messaging server and a date-time stamp. The following Resent fields may also be inserted into the message: Resent-Date:, Resent-From:, Resent-Sender:, Resent-To:, Resent-Cc:, Resent-Bcc:, and Resent-Message-ID:.

Routing headers that are inserted into messages can be used to misrepresent the routing path that a message traveled to reach a recipient.

X-Header
An X-header is a user-defined, unofficial header field that exists in the message header.
Messaging applications, such as anti-spam, antivirus, and messaging server applications may add their own X-headers to a message.

The X-header fields contain details about the actions that are performed on the message by the transport server, such as the spam confidence level (SCL), content filtering results, and rules processing status. Revealing this information to unauthorized sources could pose a potential security risk.

Examples of X-headers

X-MS-Exchange-Forest-RulesExecuted--This X-header lists the transport rules that were performed on the message.


X-MS-Exchange-Organization-OriginalArrivalTime--This X-header identifies the time when the message first entered the Exchange organization.

Header firewall prevents the spoofing of these X-headers by removing them from inbound messages that enter the Exchange organization from untrusted sources. Header firewall prevents the disclosure of these X-headers by removing them from outbound messages that will go to untrusted destinations outside the Exchange organization. Header firewall also prevents the spoofing of standard routing headers that are used to track the routing history of a message.

So far, I do not see how to use the X-headers or why we need them. First, check the Receive connector on the Edge Transport server. Does it include ms-Exch-Accept-Headers-Routing?
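A model of the header firewall described above, together with the X-MS-Exchange-Organization-OriginalSize header from the Exchange Servers authentication post, as an added example that is not code from the blog or from Exchange. It strips organization X-headers and routing headers according to the permissions on the connector, then shows why that matters: a size rule that honours OriginalSize can be bypassed by a forged header unless the header is removed at the untrusted edge. The message, the three connector permission sets, the size limit and the function names are constructed for the example; the ms-Exch-Accept-Headers-* and ms-Exch-Send-Headers-* permission names are the Exchange 2007 connector permissions.

```python
"""Header firewall for organization X-headers and routing headers.

Added example, not code from the blog post or from Exchange. Connector permission
sets and the inbound message are constructed.
"""
from email.parser import BytesParser
from email.policy import default as DEFAULT_POLICY

ORG_PREFIXES = ("x-ms-exchange-organization-", "x-ms-exchange-forest-")
ROUTING_HEADERS = {"received", "resent-date", "resent-from", "resent-sender",
                   "resent-to", "resent-cc", "resent-bcc", "resent-message-id"}

# Constructed permission sets. Hub-to-Hub traffic carries the Exchange Servers
# permissions; an Internet-facing connector accepts routing headers only; the
# Partner Send connector has only Ms-Exch-Send-Headers-Routing, as the TLS post says.
HUB_RECEIVE_PERMS = {"ms-Exch-Accept-Headers-Routing", "ms-Exch-Accept-Headers-Organization"}
ANONYMOUS_RECEIVE_PERMS = {"ms-Exch-Accept-Headers-Routing"}
PARTNER_SEND_PERMS = {"ms-Exch-Send-Headers-Routing"}

# Constructed inbound message that forges an organization header to dodge a size rule.
RAW_INBOUND = (
    b"Received: from mail.example.net (203.0.113.10) by edge.contoso.example\n"
    b"X-MS-Exchange-Organization-OriginalSize: 1\n"
    b"X-MS-Exchange-Organization-SCL: -1\n"
    b"Resent-From: someone@example.net\n"
    b"From: sender@example.net\n"
    b"To: user@contoso.example\n"
    b"Subject: test\n"
    b"\n"
    b"hello, this body is longer than the forged OriginalSize claims\n"
)


def parse(raw):
    return BytesParser(policy=DEFAULT_POLICY).parsebytes(raw)


def header_firewall(msg, perms, org_perm, routing_perm):
    """Remove headers the connector's permissions do not allow; returns removed names."""
    removed = sorted({k.lower() for k in msg.keys()
                      if (k.lower().startswith(ORG_PREFIXES) and org_perm not in perms)
                      or (k.lower() in ROUTING_HEADERS and routing_perm not in perms)})
    for name in removed:
        del msg[name]  # removes every occurrence, case-insensitively
    return removed


def inbound_firewall(msg, receive_perms):
    """Receive connector side: prevents spoofing of org X-headers and routing history."""
    return header_firewall(msg, receive_perms,
                           "ms-Exch-Accept-Headers-Organization", "ms-Exch-Accept-Headers-Routing")


def outbound_firewall(msg, send_perms):
    """Send connector side: prevents disclosure of org X-headers to untrusted destinations."""
    return header_firewall(msg, send_perms,
                           "ms-Exch-Send-Headers-Organization", "ms-Exch-Send-Headers-Routing")


def effective_size(msg):
    """Size a downstream transport rule judges: OriginalSize if the organization
    stamped it (so format conversion does not trip the rule), else the current size."""
    original = msg.get("X-MS-Exchange-Organization-OriginalSize")
    if original is not None and original.strip().isdigit():
        return int(original)
    return len(msg.as_bytes())


def accept_inbound(raw, receive_perms, size_limit):
    """Apply the inbound firewall, then the size rule. Returns (accepted, removed_headers)."""
    msg = parse(raw)
    removed = inbound_firewall(msg, receive_perms)
    return effective_size(msg) <= size_limit, removed


if __name__ == "__main__":
    print(accept_inbound(RAW_INBOUND, ANONYMOUS_RECEIVE_PERMS, 100))  # rejected, 2 headers stripped
    print(accept_inbound(RAW_INBOUND, HUB_RECEIVE_PERMS, 100))        # accepted, nothing stripped
```

The anonymous connector keeps the Received: and Resent-From: headers because it holds the routing permission, but drops both organization headers, so the forged OriginalSize never reaches the size rule; on a Hub-to-Hub connector the same header is trusted and honoured, which is the point of granting the Exchange Servers permissions only to authenticated Exchange servers.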

Saturday, April 5, 2008

Wednesday, April 2, 2008

Configuring Exchange 2007 as a smart host
