Master Exchange 2007

powershell, automation & more…

Archive for October, 2009

Exchange 2007 allow relay authenticated users or printers or scanners or other device

Posted by shauncroucher on October 29, 2009

The Microsoft Exchange development team have documented the procedure for allowing an internal server to relay through Exchange. I won’t be covering this in any more detail as I believe the article is complete and I wouldn’t be able to add any extra value.

http://msexchangeteam.com/archive/2006/12/28/432013.aspx

However, I would like to include a couple of useful cmdlets that I have used a few times to add specific relay rights for users who authenticate to the receive connector from outside the organisation.

First of all, you need to make sure that the external users have a way of authenticating to the appropriate receive connector. In the ‘Permissions’ tab, ensure Exchange Users is selected and also ensure that the Authentication tab has an authentication mechanism they can use (such as Basic Auth).

Allow authenticated users to relay using anyalias@yourdomain.com

Get-ReceiveConnector "RECEIVECONNECTORID" | Add-ADPermission -User 'NT AUTHORITY\Authenticated Users' -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

Allow authenticated users to relay using anyalias@anydomain.com

Get-ReceiveConnector "RECEIVECONNECTORID" | Add-ADPermission -User 'NT AUTHORITY\Authenticated Users' -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

CAUTION: Make sure you only do this for Authenticated Users and not Anonymous logon, because you can easily turn your server into an Open Relay using these commands with the wrong group.

As always, make sure you have a good, complex password policy if you are allowing authentication to your Exchange server.

Shaun
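To check the CAUTION above on an existing server, the following added example (not part of the original post) lists which accounts hold relay-related rights on receive connectors and flags any grant to Anonymous Logon. The helper name Find-RelayGrant and the sample entries are assumptions made for illustration; ms-Exch-SMTP-Accept-Any-Recipient comes from Microsoft's Exchange documentation rather than from this page.

```powershell
# Relay-related extended rights: the two granted above, plus the relay right
# itself (ms-Exch-SMTP-Accept-Any-Recipient, from Microsoft's documentation).
$RelayRights = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
               'ms-Exch-SMTP-Accept-Any-Sender',
               'ms-Exch-SMTP-Accept-Any-Recipient'

# Find-RelayGrant is a hypothetical helper name. It takes permission entries
# shaped like Get-ADPermission output and returns one row per relay grant.
function Find-RelayGrant {
    param([object[]]$Permission)
    foreach ($ace in $Permission) {
        if ($ace.Deny) { continue }          # deny entries grant nothing
        foreach ($right in $ace.ExtendedRights) {
            # Converting the right to a string yields its name
            if ($RelayRights -contains "$right") {
                New-Object PSObject -Property @{
                    Connector = "$($ace.Identity)"
                    User      = "$($ace.User)"
                    Right     = "$right"
                    # These rights should never sit on Anonymous Logon
                    Anonymous = ("$($ace.User)" -like '*ANONYMOUS LOGON')
                }
            }
        }
    }
}

# Constructed sample entries so the function can be tried without Exchange.
$sample = @(
    (New-Object PSObject -Property @{
        Identity = 'EX01\Client Relay'; User = 'NT AUTHORITY\Authenticated Users'
        Deny = $false; ExtendedRights = @('ms-Exch-SMTP-Submit', 'ms-Exch-SMTP-Accept-Any-Sender') }),
    (New-Object PSObject -Property @{
        Identity = 'EX01\Scanner Relay'; User = 'NT AUTHORITY\ANONYMOUS LOGON'
        Deny = $false; ExtendedRights = @('ms-Exch-SMTP-Accept-Any-Sender') })
)
Find-RelayGrant $sample | Sort-Object Anonymous -Descending |
    Format-Table Connector, User, Right, Anonymous -AutoSize

# On an Exchange server, feed it the real permissions instead:
# Find-RelayGrant (Get-ReceiveConnector | Get-ADPermission) | Where-Object { $_.Anonymous }
```

Any row with Anonymous set to True on an Internet-facing connector deserves a second look before the connector stays in service.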

Posted in Transport

How to bulk add Send-As and FullAccess permissions using exchange 2007 powershell using add-adpermission and add-mailboxpermission

Posted by shauncroucher on October 28, 2009

Some email administrators have been asking how to add the Send-As and FullAccess permission to many users at once for a particular user account.

It’s quite a straightforward command to achieve this, but it should be noted that it is not Add-MailboxPermission that you use for the Send-As rights, it is Add-ADPermission.

You can easily amend this for adding FullAccess rights in bulk.

So, to add Send-As rights for user JoeBloggs to ALL Mailboxes in your organisation:

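# -ResultSize Unlimited: without it Get-Mailbox stops at the first 1000 mailboxes
Get-Mailbox -ResultSize Unlimited | ForEach-Object { $mbDN = $_.DistinguishedName; Add-ADPermission -Identity $mbDN -User "DOMAIN\JoeBloggs" -ExtendedRights "Send-As" }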

The CSV Approach

And if you have a list of users, mailboxes, or both that you wish to process:

Create a CSV with 2 columns: TheMailbox and TheUser.

For instance, let’s say the CSV looks like this:

TheMailbox,TheUser
emp70,emp66
emp71,emp67
emp72,emp68

This will give user emp66 Send-As rights to user emp70’s mailbox, user emp67 to user emp71’s mailbox, and so on.

$thelist = Import-Csv "C:\thelist.csv"

ForEach ($theobject in $thelist) { $theMBDN = (Get-Mailbox $theobject.TheMailbox).DistinguishedName; Add-ADPermission $theMBDN -ExtendedRights "Send As" -User $theobject.TheUser }

To Add Mailbox ‘FullAccess’ permissions using the CSV approach…

Just a few small changes needed…

ForEach ($theobject in $thelist) { $theMBDN = (Get-Mailbox $theobject.TheMailbox).DistinguishedName; Add-MailboxPermission $theMBDN -AccessRights "FullAccess" -User $theobject.TheUser }

Shaun

Posted in Mailbox\Recipient

Basic SMTP Telnet test exchange 2007 send connector send port 25

Posted by shauncroucher on October 26, 2009

This test is designed to TEST ‘outbound’ mail. That is, mail that you are trying to send to external recipients from your organisation. It is important to run this test from the Exchange server if possible, to mimic the steps your Exchange server goes through as accurately as possible.

Note: you cannot use backspace or delete when using telnet. If you make a spelling mistake, start the command again after the error is generated.

Note: you should use < > around email addresses, as some email servers will not accept email addresses unless they are enclosed in < >.
 
Step 1

Use mxtoolbox.com to find the MX record of the mail server you wish to test.

So to find the mail server accepting email for bbc.co.uk, type bbc.co.uk in the MX Lookup box. Make a note of the hostname (or one of the multiple hostnames) returned, as we need this for Step 2.

Step 2

Note: If you are using Vista or Windows 2008, telnet is not enabled by default. See this excellent article on petri http://www.petri.co.il/enabling-telnet-client-in-windows-server-2008-and-windows-vista.htm for details on how to enable Telnet on Vista or Windows 2008.

Log onto your Exchange server and open up a command prompt.

Type the following:
 
telnet [HOSTNAME RETRIEVED IN STEP 1] 25
[Wait for 220 response]
 
EHLO [YOUR_DOMAIN_NAME_HERE]
[Wait for 250 response]
 
MAIL FROM:<ONE_OF_YOUR_ORGANISATION_EMAIL_ADDRESSES>
[Wait for 250 response]
 
RCPT TO:<[A_VALID_EMAIL_ADDRESS@THEIR_DOMAIN_NAME]>
[Wait for 250 response]

DATA
[Wait for 354 response]
This is a test message
.
(note the dot on its own to end the session)
 
You should now get a message that the email has been queued for delivery.

Screenshot of how this conversation should look:

[Screenshot: a telnet session to a server submitting an SMTP message]
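The same conversation can be scripted so that each response code is checked for you. This is an added example, not part of the original post; the function name Invoke-SmtpProbe and the addresses in the usage comment are placeholders you replace with the MX host from Step 1 and your own addresses.

```powershell
# Scripted version of the telnet test: sends each command, prints both sides
# of the conversation, and stops at the first step the server rejects.
function Invoke-SmtpProbe {
    param([string]$Server, [string]$HeloName, [string]$From, [string]$To, [int]$Port = 25)

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 30000              # milliseconds
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"                 # SMTP lines end with CRLF
        $writer.AutoFlush = $true

        # Read one reply. Multi-line replies use "250-" on every line except
        # the last, which uses "250 ". Throw if the code is not the expected one.
        $expect = {
            param([string]$Code)
            do {
                $line = $reader.ReadLine()
                Write-Host "S: $line"
            } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
            if (-not $line -or -not $line.StartsWith($Code)) {
                throw "Expected $Code but server said: $line"
            }
        }
        $send = { param([string]$Text) Write-Host "C: $Text"; $writer.WriteLine($Text) }

        & $expect '220'
        & $send "EHLO $HeloName";    & $expect '250'
        & $send "MAIL FROM:<$From>"; & $expect '250'
        & $send "RCPT TO:<$To>";     & $expect '250'
        & $send 'DATA';              & $expect '354'
        & $send 'This is a test message'
        & $send '.';                 & $expect '250'   # message queued
        & $send 'QUIT'
    }
    finally { $client.Close() }
}

# Usage (placeholder values):
# Invoke-SmtpProbe -Server 'mx.example.net' -HeloName 'example.com' -From 'you@example.com' -To 'someone@example.net'
```

The error thrown names the step that failed and the server's reply, which is usually the line you need when raising the problem with the receiving organisation.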

Posted in Transport

Exchange 2007 Internal and External URL \ URL’s – Autodiscover Availability IMAP POP3 OOF OAB

Posted by shauncroucher on October 17, 2009

Exchange 2007 stores quite a few URLs for the new Autodiscover feature and for other services such as the Availability service, IMAP, POP3, OOF and OAB.

In total there are at least 7 PowerShell commands that can be used to display the URLs for Exchange.

If you are aware of any I have missed off the list please leave me feedback and I will update this post.

This article is designed to show you which commands you will need to find all the URLs in your organisation. The script will run for ALL servers in your organisation where appropriate.

Cmdlets:

Get-WebServicesVirtualDirectory | fl Id*,*url*

Get-OwaVirtualDirectory | fl Id*,*url*

Get-ClientAccessServer | fl Id*,*uri*

Get-OabvirtualDirectory | fl Id*,*url*

Get-ImapSettings | fl Id*,*509*,*url*

Get-POPSettings | fl Id*,*509*,*url*

Get-UMVirtualDirectory | fl Id*,*url*

The vast majority of these are self-explanatory. The ones that are often forgotten are the POP and IMAP URLs, both used for the additional CAS calendaring services that are available by setting the ‘OwaServerUrl’ value.

References:

http://support.microsoft.com/kb/940726 – Security warning when you start Outlook 2007…

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html – How to configure the Web Services URLs that are used by Outlook 2007

http://msexchangeteam.com/archive/2007/07/02/445698.aspx – More on Exchange 2007 and certificates – with real world scenario

Posted in Client Access

Managing message size limits in Exchange 2007 using powershell

Posted by shauncroucher on October 11, 2009

The lists I have given below show the most common message size limits. However, there are some attachment and header limits that the commands may not show you, so follow the links at the bottom of this article for further information if you still have problems.

NOTE: Always include the qualifier ‘MB’ when using the management shell to specify message size restrictions.

NOTE: http://technet.microsoft.com/en-us/library/bb124345.aspx is the MASTER reference article for size restrictions for Exchange 2007 and most of the information below is plucked from there. The idea of this article is to extract and simplify some of the commands to get and set the settings.

Global Settings

Scope: RTM Only. Transport setting will change this automatically in SP1.

Note: If the values found here and the values found using ‘get-transportconfig | fl M*ze’ differ, the lowest value takes precedence.

Global Settings stored in Active Directory (access using ADSIEdit):
Configuration –> Services –> Microsoft Exchange –> [DOMAINNAME] –> Global Settings –> right-click Message Delivery –>
Check the settings below. They are in KB.
msExchRecipLimit (default 5000)
submissionContLength (default 10240) (MaxSendSize)
delivContLength (default 10240) (MaxReceiveSize)

Transport Setting

Scope: Organisational limits for ALL EX2003 / EX2007 servers in the entire organisation.

To show current settings:
get-transportconfig | fl M*ze

To Alter:
Set-TransportConfig -MaxRecipientEnvelopeLimit <limit> -MaxReceiveSize <size>MB -MaxSendSize <size>MB

Also check that there are no Transport Rules that check the attachment size of messages.

Connector Limits

Scope: Will affect all messages using the specified connector. Either Send, Receive or Foreign.

To retrieve current settings:

get-ReceiveConnector | ft Id*,M*ze
Get-SendConnector | ft Id*, M*ze
Get-ForeignConnector | ft Id*, M*ze

To Alter:

Set-ReceiveConnector "<connector name>" -MaxMessageSize <size>MB
Set-SendConnector "<connector name>" -MaxMessageSize <size>MB
Set-ForeignConnector "<connector name>" -MaxMessageSize <size>MB

‘Server Specific’ Limits and Outlook Web Access (OWA) limits

Scope: Hub/Edge servers with Transport Rule AND Client Access Servers for the OWA restrictions.

Check that there are no transport rules that have ‘server specific’ attachment size restrictions.

CAS servers provide OWA for users to access mail using a web browser. The underlying engine is ASP.NET.

ASP.NET uses the maxRequestLength setting to determine the maximum amount of data that the Web browser can submit to the Client Access server. The setting can be found in the web.config file.

See http://technet.microsoft.com/en-us/library/aa996835.aspx for instructions on changes needed here.

‘Multiple Sites’ and ‘E2000 \ E2003 Co-Existence’ Settings

Scope: Will affect messages using the site links and the routing group connectors for delivery. The settings themselves DO NOT affect least-cost routing decisions.

* Note that Exchange 2007 RTM does not support site link or routing group connector size limits and routing loops may occur if they are set. SP1 and above does support size limits though.

Active Directory site links:

Get-AdSiteLink | ft Name,M*ze
Set-AdSiteLink "Site link name" -MaxMessageSize <size>MB

Routing Group connectors:

Get-RoutingGroupConnector | ft Name,M*ze
Set-RoutingGroupConnector "Name of routing group connector" -MaxMessageSize <size>MB

‘Users and Groups’ Settings

Scope: All the above is for Transport level restrictions, but you need to check the MaxMessageSize setting for the user mailbox/contact and also the groups they may belong to.

Get-Mailbox "name of mailbox user" | fl M*ze
Get-MailUser "name of user" | fl M*ze
Get-MailContact "name of contact" | fl M*ze
Get-DynamicDistributionGroup "name of dynamic dist" | fl M*ze
Get-DistributionGroup "name of dist" | fl M*ze
Get-MailPublicFolder "name of public folder" | fl M*ze

Manually SET a limit (if ‘unlimited’)

Some Exchange administrators have reported that the limits indicate ‘unlimited’ in one or more of these locations, and once they change to a value (such as 100MB), the problems disappear. If you are unsure, I would recommend setting a limit rather than leaving as ‘unlimited’.

Shaun

References:

http://www.msexchange.org/articles-tutorials/exchange-server-2007/management-administration/exchange-2007-message-size-limits.html – Exchange 2007 Message Size Limits

http://technet.microsoft.com/en-us/library/bb124345.aspx – Managing Message Size Limits

http://technet.microsoft.com/en-us/library/bb310771.aspx – How to Modify Exchange 2003 Global Message Size Limits in Exchange 2007 RTM

http://technet.microsoft.com/en-us/library/bb125223.aspx – Message Routing in a Coexistence Environment

http://technet.microsoft.com/en-us/library/bb738125.aspx – How to Configure Message Size Limits for Internal Routing

http://technet.microsoft.com/en-us/library/aa996835.aspx – How to Manage Maximum Message Size in Outlook Web Access

Posted in Mailbox\Recipient, Transport