SuperTekBoy

Practical Help for Exchange & Office 365

Exchange

Configure global mail flow settings from the new Exchange Admin Center

By Leave a Comment

Share
Tweet
Share

One of the new Exchange Admin Center benefits is that many of the global mail flow settings that were previously only available via PowerShell are now available in this new GUI. For example, the Mail Flow settings page allows you to define several global transport configurations. This article will look at these settings and what they do. These settings are:

  • Plus addressing
  • Sending from aliases
  • Enabling SMTP AUTH protocol
  • Legacy SMTP AUTH endpoint for TLS 1.0 / TLS 1.1 clients
  • Reply-All storm protection

To find these settings, log into the new Exchange Admin Center and navigate to the Settings tab on the left navigation pane. Then select Mail Flow.

Exchange Online Mail Flow Settings B

This will pop out a dialog with the following options.

Exchange Online Mail Flow Settings

Plus Addressing

Plus addressing allows users to create their own unique email addresses by leveraging a plus sign in their email address—for example, apond+newsletter@exchangeservergeek.com. Anything after the plus sign is completely at the discretion of the user.

This becomes particularly useful when you want to target newsletters to a unique email address, especially when configuring inbox rules. It is also helpful to determine who might have sold or leaked your email address.

To enable this feature from the new Exchange Admin Center, navigate to Settings > Mail Flow. From the pop-up window, select Turn on plus addressing from your organization and click the Save button.

If you prefer to enable this from PowerShell, log onto Exchange Online PowerShell and run the following command.

 C:\> Set-OrganizationConfig -AllowPlusAddressInRecipients $true

To confirm the setting has taken effect, run Get-OrganizationConfig.

 C:\> Get-OrganizationConfig | FL AllowPlusAddressInRecipients

AllowPlusAddressInRecipients : True

Users can then start leveraging plus addresses. Emails addressed to a plus address will appear in the user’s inbox without any further user intervention. From there, the user can build inbox rules for the plus addresses if they desire.

Plus Addressing in Exchange Online

Reference: Plus Addressing Now Available in Exchange Online

[Read more…] about Configure global mail flow settings from the new Exchange Admin Center

Exchange Online PowerShell fails to connect with error AADSTS50011

By Leave a Comment

Share
Tweet
Share

If you receive the following error when trying to connect to Exchange Online via PowerShell, then you will need to upgrade the Connect-ExchangeOnline PowerShell module.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application
Exchange Online PowerShell fails to connect error AADSTS50011

Resolving AADSTS50011 for Connect-ExchangeOnline

To resolve, launch PowerShell and run the following command. If you do not trust the PowerShell gallery you may also be prompted to confirm the installation from an untrusted gallery. Press “Y” to confirm.

 C:\> Update-Module ExchangeOnlineManagement

You are installing the module from an untrusted repository. If you trust 
this repository, change its InstallationPolicy value by running the 
Set-PSRepository cmdlet. Are you sure you want to install the module 
from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No to All  [S] Suspend  [?] Help: Y

At this point, it is best to close and reopen any PowerShell windows you had open and reissue the command Connect-ExchangeOnline. The issue should now be resolved.

[Read more…] about Exchange Online PowerShell fails to connect with error AADSTS50011

Exchange September Cumulative Updates and the new Emergency Mitigation Service

By 2 Comments

Share
Tweet
Share
Exchange 2016 CU22 Emergency Mitigation Service

Last month Microsoft released cumulative updates for Exchange 2016 and Exchange 2019. Once you get the September cumulative updates, be sure to grab the security updates released in October.

While Exchange 2013 did not have a cumulative update, it did receive a security update, which can be applied to Exchange 2013 Cumulative Update 23.

A security update was not released for Exchange 2010. The latest update for Exchange 2010 is still Rollup 32 (March 2nd, 2021). Keep in mind that Exchange 2010 was out of support as of October 13th, 2020.

If you need guidance on migrating from a specific CU to the latest, check out Microsoft’s Exchange Update Wizard for step-by-step instructions.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 11 | KB5005334 | October Security Update

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 22 | KB5005333 | October Security Update

Exchange 2013 Cumulative Update 9

Exchange 2013 October Security Update | KB5007011

The new Microsoft Exchange Emergency Mitigation Service

As a response to the HAFNIUM exploits the Exchange team developed a new Exchange Emergency Mitigation service to be included with Exchange Server. Emergency Mitigation is a new Windows service that is deployed by the Exchange Server setup utility.

Microsoft Exchange Emergency Mitigation Service

It is effectively a built-in version of the previously released standalone Emergency Online Mitigation Tool (EOMT) that administrators could run on-demand. The standalone tool was a way for administrators to apply interim remediation until they could apply the needed patches.

In much the same way the Emergency Mitigation Service checks the Office Config Service (OCS) for new mitigation XMLs every hour. It then applies the interim remediation specified in the XML file. The mitigation service can apply the following three actions.

  • Block malicious patterns in HTTP requests via the IIS URL rewrite service
  • Disable vulnerable Exchange services
  • Disable vulnerable App Pools in IIS

Should you accidentally undo any mitigations, restart the Emergency Mitigation Service on the Exchange Server. Within 10 minutes the service will check OCS for the latest XML and reapply any mitigations.

At the time of writing, only a test XML file exists at the Office Config Service for heartbeat purposes. That said, your Exchange Server now requires an outbound connection to https://officeclient.microsoft.com to access these mitigation XML files. To verify Exchange can reach the Office Config Service, you can leverage the Test-MitigationServiceConnectivity.ps1 script located in the Exchange scripts folder.

Once you apply a cumulative or security update that addresses the vulnerability, you will need to manually undo any actions taken by the Emergency Mitigation Service.

[Read more…] about Exchange September Cumulative Updates and the new Emergency Mitigation Service

On the Line with Cohesity #44: Updates on M365 and more!

By Leave a Comment

Share
Tweet
Share

On September 14th, I had the great pleasure of being a guest on On the Line with Cohesity podcast. I joined host Theresa Miller to discuss several M365 topics; including:

[Read more…] about On the Line with Cohesity #44: Updates on M365 and more!

Workaround: Replying to a message with an invalid S/MIME digital signature fails

By 6 Comments

Share
Tweet
Share

If you received a message with an invalid or untrusted S/MIME digital signature, you might have problems replying to that message with Outlook on the Web (OWA).

The inability to reply is not necessarily a bad thing as it might indicate an impersonation attempt. Impersonation is where a bad actor pretends to be someone you know, often for financial gain. A common example of impersonation is a bad actor pretending to be a CEO asking their company accountant to wire money to the bad actor’s bank account.

So, if you see a failed digital signature, it is a good time to pause and determine if the sender really is who they say they are through other verified mechanisms (e.g., call them on a trusted phone number). Then validate if they are aware of the digital signature issue to see if they are already working to resolve it.

If using a product like Office 365, you can also check if the message has failed any impersonation checks. For example, are safety tips in OWA warning that you don’t typically receive mail from this sender with that email address.

The screenshot below provides an example of a message received in OWA where the S/MIME digital signature is not considered valid or trusted. Clicking the click here link gives us some additional insight into the error. We can see OWA does not trust this certificate because it has a broken certificate chain, more than likely caused by a missing or expired intermediary cert.

The digital signature on this message isn't valid or trusted OWA

When attempting to reply to this message in OWA, you may receive the following error.

This message can't be sent right now. Please try again later.
This message can't be sent right now. Please try again later.
[Read more…] about Workaround: Replying to a message with an invalid S/MIME digital signature fails

Former Calendar Delegate still receives meeting notifications

By 9 Comments

Share
Tweet
Share

Calendar delegation allows a user to manage someone else’s calendar on their behalf. For example, an assistant could be granted delegator rights to their manager’s calendar. Through delegation, the assistant has the right to add, edit, or delete items from their manager’s calendar. A delegate can also be granted the ability to view items marked as private. Aside from calendar permissions, the delegate can receive meeting invites on behalf of the delegator and respond to those invites (accept, decline, tentative, propose new time).

When an assistant no longer needs to access their manager’s calendar, they can be removed as a delegate. Either the manager can do this via the Outlook client or an Exchange administrator by using PowerShell. When their delegation rights have been removed, all access to the calendar is revoked. In addition, meeting invites are no longer sent to the delegate to accept or decline.

It is possible that even when the delegate permissions have been revoked, the assistant could still unexpectantly receive items sent to their manager. In this article, we look at a couple of possible areas that could be forwarding these items to the former delegate.

Let’s get started!

Verify the user is no longer a delegate

The first item to confirm is whether the delegate rights have been properly removed. To do this, connect to Exchange PowerShell and run the following command.

 C:\> Get-MailboxFolderPermission -Identity river.song@xyz.com:\Calendar

FolderName            User                  AccessRights
----------            ----                  ------------
Calendar              Default               {AvailabilityOnly}
Calendar              Rory Williams         {Editor}

In the example above, we are checking the calendar permissions for the user River Song. We use the Get-MailboxFolderPermission command for this purpose. The Identity parameter is a combination of the delegator’s email address and the folder in question. In this case, the calendar folder. You can also use this command against any other folder in the mailbox. In our example, we want to see if River Song’s former assistant, Amy Pond, still has any rights to River’s calendar.

The example output returns two entries. The first is for a user named Rory Williams. We see Rory Williams has editor rights to River’s calendar. We also see a user named Default. Default is the default permission users receive if they have not been granted explicit permissions. In the example above, Rory Williams would receive editor rights to River’s calendar, whereas all other users will only see River’s free/busy information (availability only). Amy Pond is not identified in this output, so she should only receive free/busy information. In this example, Amy is not a delegate.

If the output had returned Amy Pond as a user, we could remove those rights using the Remove-MailboxFolderPermission. For example, to remove all of Amy’s permissions from River’s calendar folder, we would issue the following command.

 C:\> Remove-MailboxFolderPermission -Identity river.song@xyz.com:\Calendar 
-User amy.pond@xyz.com
[Read more…] about Former Calendar Delegate still receives meeting notifications