Friday, December 23, 2005

Sender ID Framework troubleshooting

Per has earlier written about Sender ID and we of course implemented the required SPF records at Inceptio. But then we needed to change our e-mail server publishing to another firewall with another IP scope / ISP, and the trouble began. Usually a changed IP address in a DNS record takes some time to propagate (technically, the old value has to expire from the caches of the DNS servers around the world, but that's another story).
So changing the IP address required changing our A record for mail.inceptio.dk, which should be enough, as our SPF record points to mail.inceptio.dk (and all A records):

"v=spf1 a mx mx:mail.inceptio.dk -all"

After changing the firewall configuration and the A record and waiting a few hours, everything seemed to work fine: e-mail was flowing inbound and outbound and RPC over HTTPS worked. I was happy ;-)
Then I received an e-mail with the text "Sender is forged (SPF Fail)" appended to the subject line. At first I thought it was a matter of DNS cache expiration and that time would solve the problem, but a few hours later a mail bounced with the error "Message you sent blocked by our bulk email filter".

For troubleshooting I used the SPF testing tool from dnsstuff (which provides other great tools as well) and a few others, with only positive results. After a bit of troubleshooting I decided that the synthetic testing method of dnsstuff wouldn't give me an answer to the problem: it evaluates the published record against the IP address you type in, not against the address your mail actually leaves from. Instead I used port25's automated testing tool, which basically is an e-mail address called check-auth@verifier.port25.com that you send an e-mail to. A few minutes later you receive an authentication report that includes compliance checks for the Sender ID standard and Yahoo's DomainKeys (also check their site for other resources).
In my case the problem was that the new firewall used a different outbound IP address than I expected, so mail was leaving from an address the SPF record did not authorize. Changing the configuration of the firewall solved the problem and now it's working fine again (actually the whole situation reminded me of the problems we had back in the NT4/W2K and Exchange 5.5 days, with e-mails bouncing because Exchange clusters used the host IP address instead of the Exchange virtual IP address due to problems with the gethostbyname() method, as I described in my old article Tips for Clustering Exchange Successfully).
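To make the failure above concrete, here is a small SPF evaluator added to this post (it is not code from the original post, dnsstuff or port25). It walks the record quoted above, first-match style, against a constructed DNS table: the domain and the record are the ones from the post, but every IP address is a made-up value from the documentation ranges, and the MX and A entries are assumptions made so the record has something to resolve. The second function lists every address the record actually authorizes, which is what you compare with the address your firewall really sends from.

```python
import ipaddress

# Constructed DNS data standing in for what a receiving mail server would look up.
# The domain and the SPF record are the ones quoted in the post; every address is a
# made-up value from the RFC 5737 documentation ranges, not Inceptio's real addresses.
DNS = {
    "TXT": {"inceptio.dk": ["v=spf1 a mx mx:mail.inceptio.dk -all"]},
    "MX": {"inceptio.dk": ["mail.inceptio.dk"], "mail.inceptio.dk": ["mail.inceptio.dk"]},
    "A": {"inceptio.dk": ["192.0.2.10"], "mail.inceptio.dk": ["192.0.2.25"]},
}

# SPF qualifier prefixes: '+' pass (the default), '-' fail, '~' softfail, '?' neutral.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(domain, dns):
    """Mechanism terms of the domain's SPF TXT record, or None if it publishes none."""
    for txt in dns["TXT"].get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:]
    return None


def resolve_a(name, dns):
    """Addresses in the A records of `name` (empty set if there are none)."""
    return {ipaddress.ip_address(a) for a in dns["A"].get(name, [])}


def resolve_mx(name, dns):
    """Addresses of every host listed in the MX records of `name`."""
    addrs = set()
    for host in dns["MX"].get(name, []):
        addrs |= resolve_a(host, dns)
    return addrs


def mechanism_matches(term, domain, sender_ip, dns):
    """True if one mechanism (qualifier already stripped) matches sender_ip.

    Only the mechanisms the record above needs plus ip4 are implemented; include,
    exists, ptr and the a/mx prefix-length syntax are deliberately left out.
    """
    mech, _, arg = term.partition(":")
    mech = mech.lower()
    if mech == "all":
        return True
    if mech == "a":
        return sender_ip in resolve_a(arg or domain, dns)
    if mech == "mx":
        return sender_ip in resolve_mx(arg or domain, dns)
    if mech == "ip4":
        return sender_ip in ipaddress.ip_network(arg, strict=False)
    return False


def check_spf(domain, sender_ip, dns=DNS):
    """Evaluate the domain's SPF record for a message arriving from sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral' (nothing matched, or '?' matched)
    or 'none' (no SPF record). SPF is first-match: the first matching term decides.
    """
    terms = spf_terms(domain, dns)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, domain, ip, dns):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def authorized_ips(domain, dns=DNS):
    """The set of addresses that get a 'pass' from the domain's record.

    Candidates are gathered from every a/mx/ip4 term, then each is run through
    check_spf so that an earlier '-' term still excludes it. Comparing this set with
    the address outbound mail really leaves from is the check a synthetic web tester
    cannot do for you; a test message to a reflector such as port25's reveals that address.
    """
    candidates = set()
    for term in spf_terms(domain, dns) or []:
        term = term[1:] if term[0] in QUALIFIER_RESULT else term
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "a":
            candidates |= resolve_a(arg or domain, dns)
        elif mech == "mx":
            candidates |= resolve_mx(arg or domain, dns)
        elif mech == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if net.num_addresses <= 256:  # enumerate only small listings, skip wide ranges
                candidates |= set(net)
    return {ip for ip in candidates if check_spf(domain, str(ip), dns) == "pass"}


if __name__ == "__main__":
    # 192.0.2.25 is mail.inceptio.dk's (constructed) A record; 198.51.100.7 stands in for
    # the firewall's unexpected outbound address behind "Sender is forged (SPF Fail)".
    print("expected relay address:", check_spf("inceptio.dk", "192.0.2.25"))   # pass
    print("firewall's other address:", check_spf("inceptio.dk", "198.51.100.7"))  # fail
    print("addresses the record authorizes:", sorted(map(str, authorized_ips("inceptio.dk"))))
```

The record uses `-all`, so any address not produced by the a and mx lookups fails hard, which is exactly what the receiving filters did with mail from the firewall's other address. Run it with your own zone data in the `DNS` table (or swap the dict lookups for real resolver calls) and compare `authorized_ips` with what a reflector report says your server connects from.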

Wednesday, December 21, 2005

LCS 2005 Configuring Certificates guide updated

Microsoft has updated their "Microsoft Office Live Communications Server 2005 Certificate Configuration" deployment guide to version 2.2. Comparing the old with the new version shows that it’s mostly clarifications and removal of some references to using client certificates that were required in earlier versions of LCS.

Find the guide here.

Santa IM Worm hits MSN (And AOL / Yahoo)

A new worm called IM.GiftCom.All tricks users into installing a rootkit on their computer, which in turn IMs the user's other contacts with links to an image of Santa. Quote -
"This worm is a medium threat in terms of its distribution, but in terms of the damage it can create, it's a more severe threat," said Art Gilliland, vice president of products for IMlogic.
"It's not a very happy delivery," he added.

This is just one more reason for companies to block public IM communications and move to Live Communications Server 2005 with PIC and IMlogic/Sybari for their RTC needs.

Read more at source and thanks to bink.nu for pointing to the info.

Tuesday, December 20, 2005

IMF Updates explained

Alexander at EHLO has posted a very good description of how to enable automatic updates of IMF v2 and how IMF updates work:

  • IMF updates are released twice per month
  • IMF updates are only supported on Exchange 2003 servers with SP2 where IMF is enabled
  • IMF updates are supported on all Exchange server languages
  • IMF updates are available from Microsoft Update, both manually and via AU
  • IMF updates support uninstall through Add/Remove Programs and manual rollback


Find it here

Friday, December 16, 2005

Microsoft Command Shell "Monad" Videos

Monad - or msh, as the exe is called - is still in the works. Currently it is in public beta 2 (September 2005). You can get a version for .NET Framework 2 RC/RTM at MS Downloads. Click this link to search for your version.

If you want to get a little deeper into this, look at the Channel 9 videos on Monad. They feature Jeffrey Snover and are short and useful.

Getting Started documentation is available here.

Monad can do in a few commands what takes many lines of VBScript (or similar) - it will hit you some day!


Being an old (Open)VMS user, I really like the nice words he uses about its DCL. Even though it could be better, it is very good owing to its consistent syntax, error handling and lots of other features. Man, I spent a lot of time using that...

Thursday, December 15, 2005

Exchange DirectPush notifications to WM5 may be delayed / stopped

Several sources, including msmobiles, report that a company called Visto has filed a lawsuit against Microsoft for infringing three of their patents -
(Redwood Shores, CA, December 15, 2005) - Visto Corporation has filed a legal action against Microsoft (NASDAQ: MSFT) for misappropriating Visto’s intellectual property. The complaint asserts that Microsoft has infringed upon multiple patents Visto holds regarding proprietary technology that provides enterprises and consumers with mobile access to their email and other data. The company is seeking a permanent injunction that would prohibit Microsoft from misappropriating the technology that Visto and its cofounder helped develop nearly a decade ago.

Read Visto's press release here.

Wednesday, December 14, 2005

Microsoft Office Communicator Web Access has been released

"OWA" for Live Communications Server 2005 SP1 has been released to the web. It's an interesting product that supports, for example, external users and those whose platforms aren't supported by Office Communicator (e.g. Windows 2000), and it contains the following features -
  • Web access – Users can access the IM and presence features in Live Communications Server 2005 SP1 through any supported Web browser.
  • Presence – Communicator Web Access users can determine the status of other SIP users and update their own presence information.
  • Personal notes – A user can publish a personal note that is displayed along with the user's presence information.
  • Extensive contact management – Users can add contacts to a contact list, tag contacts to be notified when those contacts' presence status changes, and organize listed contacts into groups.
  • Federation – When federation is enabled in Microsoft Office Live Communications Server 2005 with SP1, Communicator Web Access users can view the presence of users in external organizations and send instant messages to those users.
  • Multiple browser and operating system support – Users with Windows-based and non-Windows-based browsers and operating systems can use Communicator Web Access.
  • User search – The Communicator Web Access server connects to the Microsoft Active Directory® directory service. Unlike Communicator, however, Communicator Web Access does not query the Live Communications Server Address Book.

Tuesday, December 13, 2005

Circumventing Group Policy as a Limited User

Just a warning :)

Read it all at Mark's Sysinternals blog. As always, you have to be impressed by Mark.

Wednesday, November 30, 2005

New RTC blog by the RTC product team

We've heard loud and clear that many people want a better connection with the RTC product team. We're excited to do something about it. The primary goal of this blog is to establish two way communication between the product team and our customers and partners. We will also use this blog as an educational channel to provide additional product information.

Find the blog here or the RSS feed here

Sunday, November 20, 2005

Microsoft ActiveSync 4.1 has been released - updated for clarity

Most notably it will support devices running the upcoming Messaging and Security Feature Pack (MSFP a.k.a. AKU2) with the following feature enhancements (From MSFP) supported in Microsoft ActiveSync -
  • DirectPush Mail
  • Local device wipe
  • Certificate-based authentication
Now we have SP2 with the new mobility features and a new version of ActiveSync but we still need the most important part, namely the Windows Mobile 5 AKU2 update from our mobile device vendor (In my case HTC / Qtek) before the circle is full.

Btw. besides the integration with MSFP there are also a few new features in ActiveSync 4.1 -
  • New partnership wizard to help customers more easily set up a sync partnership
  • Faster transfer of data files including media
  • Ability to sync photos assigned to contacts from Outlook on the desktop
Download it from here

Friday, November 18, 2005

LCS 2005 - why NLB is not recommended

As I wrote a couple of days ago in LCS and Network Load Balancing, software-based load balancing isn't recommended for anything other than test environments.
Well, it turns out that the LCS Kid has a post on the subject named LCS 2005 - Reasons why NLB is not recommended but instead a Hardware Load Balancer, which contains even more reasons to avoid NLB.

Live Communications Server resources - updated

So you are looking for Live Communications Server resources but finding that a bit hard? That might be because there aren't that many around. I have collected some of the resources I'm currently using or have been using in the past here -

Microsoft
  • General – Homepage for Microsoft LCS
  • Deployment - resources on LCS and Office Communicator - loads of info but a bit unstructured
  • Community - Links to blogs but not all are LCS related.
  • Product support - How-to articles, downloads and top KB articles
  • RTC Webcasts - On-demand and Live webcasts

Community pages

  • LCS Kid – Tom is a MS employee. Great info on LCS and its clients
  • Intense Collabage - Will Robinson's real-world experiences with LCS/PIC
  • Joe Schurman – LCS MVP has a good FAQ that’s excellent for newcomers to LCS
  • Eileen Brown – Microsoft evangelist focusing on LCS, MOM and Exchange (A must read!)
  • The Goldfish Bowl – Graham Tyler's blog on LCS and SharePoint (developer oriented)
  • The Collaboration Blog – General collaboration info including a few LCS articles
  • Realtime Blog – Mostly VoIP but also a little LCS
  • Bob’s Blog – LCS MVP mostly Exchange news

If you have other good resources (including your own blog) please feel free to write a comment!

Thursday, November 17, 2005

Citrix Presentation Server now integrated with MOM 2005

According to a press release from Citrix, they have just released a new MP integrating Presentation Server 4 and MetaFrame (Presentation Server 3) with MOM 2005.

This is great news for customers having both products.

Exchange 12 will be 64 bit only

Microsoft announced yesterday that Exchange 12 will be 64-bit only, as they have seen significant performance gains on this platform -
They tested Exchange on 64 bit and found almost a 75% reduction in IOs per second compared with Exchange 2003. This could result in almost a 4X increase in the number of users on the same disks or require 1/4 the disks to support the same users from a throughput perspective.

Read more at Eileen's post and in the official press release.

Wednesday, November 16, 2005

Enabling Exchange 2003 SP2 IMF v2

So you've uninstalled IMF v1, installed SP2, set the SCL thresholds and actions correctly and everything should be fine, but UCE keeps arriving in your inbox?

Well it might be because you forgot the last bit - namely setting the Default SMTP Virtual Server properties for each SMTP server correctly. Under the General tab, IP Address, Advanced, Edit there’s a checkbox called "Apply Intelligent Message Filter".

If you can't find it then visit Vladimir’s blog, which contains detailed instructions (with pictures ;-) for enabling IMF v2.

New whitepaper on HMC use of privileged users, security groups and permission

Conrad Agramont has written an interesting whitepaper that tries to accomplish the following -

The HMC solution includes documentation and deployment tools that will provide instructions for or will automate the creation of user accounts, security groups, and permissions. However, there isn’t a single view for all of the accounts and their "final” implementation. The purpose of this document is to provide such a view.
For anyone new to HMC it gives a good overview of the solution's use of accounts and security groups. It is based on HMC 3.0, but as far as I can see it will also be applicable to the upcoming HMC 3.5 release (I'm in Redmond on HMC 3.5 training, but we have been explicitly asked not to blog about the new features in HMC 3.5).

LCS and Network Load Balancing

I've had a few questions on using hardware load balancers versus Windows Server 2003 Network Load Balancing. The important note is the following quote from the "Live Communications Server 2005 Enterprise Pools and Windows 2003 Network Load Balancing" deployment guide -
Using hardware load balancers is strongly recommended. Microsoft Windows® NLB may be used for evaluation, test, and pilot systems or for small, nonmission critical deployments.
Furthermore there are the following limitations with using NLB -

1. Remote administration using the Live Communications Server snap-in is not supported. The front-end Enterprise Servers will have to be managed by running the administrative snap-in locally and not from a remote computer.
2. Multiple pools within an organization are not supported.

So the short answer is - don't do it!

Sony XCP uninstaller opens a new security hole!

The first version of the uninstall software that Sony has delivered opens yet another security hole according to a Princeton researcher -

Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL.


Read more here. Update: Sony Uninstaller Hole Stays Open

Saturday, November 12, 2005

Mark won the "war" against Sony BMG - update #3

Last update #3 - read Mark's post Victory! (No further explanation required ;-)

According to eWeek, Mark Russinovich apparently won the "war" against Sony in the fight over the cloaking methods used in their DRM software (Source).

If you haven't followed the story then go to his blog and read the first post Sony, Rootkits and Digital Rights Management Gone Too Far - there are a lot of interesting insights and comments on his first and the following posts on the subject (1, 2, 3)

UPDATE - Mark has written a follow-up story after Sony's retreat Sony: No More Rootkit - For Now also Microsoft is going to include detection and removal of the rootkit in Windows AntiSpyware and the upcoming Windows Defender (Source). Congratulations to Mark and all who will benefit from his fight !!!

UPDATE #2 - Someone actually sat down, read the EULA and summed up the result of it; check out these examples -
If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

Friday, November 11, 2005

Solution for adding own root certificates to Windows Mobile 5 devices - Updated

Per and I just received our new Qtek 8310 mobile devices today and got into trouble when we tried to add our own root certificate.

On Pocket devices and in Windows Mobile 2003 SE you just copy the certificate to the device and double-click it from File Explorer. But on the Qtek 8310 we got the error "Security permission was insufficient to update your device". In desperation, we also tried the SPAddcert.exe utility for Windows Mobile 2002 and 2003 Smartphone Edition and received the message "The phone may be locked".

The problem was due to changes in the security model in Windows Mobile 5. Although it is very interesting/innovative in terms of mobile device security (protecting against malicious software), it isn't something we like when we want our new gadgets to work with WPA and Exchange Server ActiveSync.

Using Google intensively, I finally found the direction for solving the problem (the first version of this post) and using MSDN I found a better solution as follows -

First you need to get a copy of regeditSTG.exe (apparently an HTC-signed registry editor with an issuer CN equal to HTCCanary), zip it and move it to your device (you get an error if you copy the .exe directly). Now unzip it by double-clicking it from File Explorer (on your device) and run the program. Then change the Grant Manager Policy registry key (remember to note the old value) -

HKLM\Security\Policies\Policies\00001017 = 144

After setting the registry key above reboot your device, copy your root certificate to the File Explorer and click to install it (There’s no feedback that the operation was successful – check settings, security, certificates, root certificates for the existence of your certificate).

Before proceeding, we chose to set the registry value back to the original so the phone was once again protected, and finally Exchange ActiveSync and WPA worked like a charm ;-)

The solution apparently works on several different devices like i-Mate, C550 and Qtek 8310 (that's the only one we tested - don't ask about the others, but do feel free to comment on those that work ;-) and probably most Windows Mobile 2005 Smartphone devices.

A utility called SDA_ApplicationUnlock.exe can also be found on the Internet but our testing shows us that it does the same as the Grant Manager Policy registry key. The problem with this application is that it only has a "Remove Lock" feature and no "Enable Lock" feature. Different posts/websites show the solution for other phones that include the use of SDA_ApplicationUnlock.exe utility; so if you run into problems you might want to try it.

Disclaimer - We don't know the copyrights on the mentioned utilities - so this posting is only meant for informational purposes and be sure to get correctly licensed versions of these!