SuperTekBoy

Practical Help for Exchange & Office 365

Configure global mail flow settings from the new Exchange Admin Center

By Leave a Comment

Share
Tweet
Share
Reddit
Print

One of the new Exchange Admin Center benefits is that many of the global mail flow settings that were previously only available via PowerShell are now available in this new GUI. For example, the Mail Flow settings page allows you to define several global transport configurations. This article will look at these settings and what they do. These settings are:

  • Plus addressing
  • Sending from aliases
  • Enabling SMTP AUTH protocol
  • Legacy SMTP AUTH endpoint for TLS 1.0 / TLS 1.1 clients
  • Reply-All storm protection

To find these settings, log into the new Exchange Admin Center and navigate to the Settings tab on the left navigation pane. Then select Mail Flow.

Exchange Online Mail Flow Settings B

This will pop out a dialog with the following options.

Exchange Online Mail Flow Settings

Plus Addressing

Plus addressing allows users to create their own unique email addresses by leveraging a plus sign in their email address—for example, apond+newsletter@exchangeservergeek.com. Anything after the plus sign is completely at the discretion of the user.

This becomes particularly useful when you want to target newsletters to a unique email address, especially when configuring inbox rules. It is also helpful to determine who might have sold or leaked your email address.

To enable this feature from the new Exchange Admin Center, navigate to Settings > Mail Flow. From the pop-up window, select Turn on plus addressing from your organization and click the Save button.

If you prefer to enable this from PowerShell, log onto Exchange Online PowerShell and run the following command.

 C:\> Set-OrganizationConfig -AllowPlusAddressInRecipients $true

To confirm the setting has taken effect, run Get-OrganizationConfig.

 C:\> Get-OrganizationConfig | FL AllowPlusAddressInRecipients

AllowPlusAddressInRecipients : True

Users can then start leveraging plus addresses. Emails addressed to a plus address will appear in the user’s inbox without any further user intervention. From there, the user can build inbox rules for the plus addresses if they desire.

Plus Addressing in Exchange Online

Reference: Plus Addressing Now Available in Exchange Online

[Read more…] about Configure global mail flow settings from the new Exchange Admin Center
Print Friendly, PDF & Email

Accessing HPe iLO 3 fails with Unsupported Protocol: ERR SSL VERSION OR CIPHER MISMATCH

By 16 Comments

Share
Tweet
Share
Reddit
Print

UPDATE: Since writing this article in November it does not appear this fix works anymore. I am guessing the AES/3DES ciphers have been deprecated in modern browsers. I can confirm David’s comment using Internet Explorer mode in Microsoft Edge does work.

To enable IE mode, launch edge and type edge://settings/defaultBrowser in the address bar. From the Allow sites to be reloaded in Internet Explorer mode drop-down, select Allow.

Navigate to your iLO URL, select the three dots in the top right (Settings), and pick Reload in Internet Explorer mode from the menu. Edge will remember this setting on each subsequent visit.

If you are trying to connect a modern browser such as Microsoft Edge to HPe’s Integrated Lights Out 3 (iLO 3) management interface, you may receive the following error and be blocked from accessing the iLO webpage.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol
The client or server don't support a common SSL protocol version or cipher suite.
ERR SSL VERSION OR CIPHER MISMATCH - The client or server don't support a common SSL protocol version or cipher suite.

To resolve this error, I recommend ensuring you are on the latest iLO 3 firmware from HPe. At the time of writing, 1.94 was the latest HPe firmware for iLO 3 (released Dec 17, 2020). Firmware can be updated in several ways, including uploading the BIN file via the iLO webpage or online from any number of operating systems, including Windows, Linux, and VMware. Also, refer to the HPe documentation on how to upgrade your firmware.

Once you have the latest firmware, log into the iLO webpage from an older browser, such as Internet Explorer. Then, from the left navigation menu, expand Administration and select Security.

From the Security page, select the Encryption tab.

Then, under the Encryption Enforcement Settings section, toggle the Enforce AES/3DES Encryption dropdown to Enabled.

Click Apply.

[Read more…] about Accessing HPe iLO 3 fails with Unsupported Protocol: ERR SSL VERSION OR CIPHER MISMATCH
Print Friendly, PDF & Email

Filed Under: HP

Outlook 2013: Your account is in a bad state

By Leave a Comment

Share
Tweet
Share
Reddit
Print

Starting November 1st, 2021, only Outlook 2013 SP1 (build 15.0.4971.1 and greater) will be able to connect to Microsoft 365 services. This means older Outlook 2013 builds, and Outlook 2010 and earlier will not connect to Microsoft 365. This new requirement goes hand in hand with the deprecation of basic auth, requiring Outlook 2013 SP1 (build 15.0.4753.1 and greater). Microsoft is deprecating basic auth on October 1st, 2022.

That said, if you are already blocking legacy auth for Outlook clients (or you are reading this post after October 1st, 2022), you may receive the following error when trying to sign in to your Office 365 account with Outlook 2013 or any other Office suite product. In addition, your Outlook 2013 client might not be able to connect to your Office 365 mailbox either.

When signing in to your Office 365 account via File > Office Account > Sign In from any Office suite product, you receive the following error.

Your account is in a bad state. Please sign-in to this account online to address the issue.
Your account is in a bad state. Please sign-in to this account online to address the issue

Alternatively, you may first see the error below which can then lead to the error above when you click the Fix me button.

Account Error: There are problems with your account. To fix them, please sign in again.
There are problems with your account. To fix them, please sign in again.
[Read more…] about Outlook 2013: Your account is in a bad state
Print Friendly, PDF & Email

Exchange Online PowerShell fails to connect with error AADSTS50011

By Leave a Comment

Share
Tweet
Share
Reddit
Print

If you receive the following error when trying to connect to Exchange Online via PowerShell, then you will need to upgrade the Connect-ExchangeOnline PowerShell module.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application
Exchange Online PowerShell fails to connect error AADSTS50011

Resolving AADSTS50011 for Connect-ExchangeOnline

To resolve, launch PowerShell and run the following command. If you do not trust the PowerShell gallery you may also be prompted to confirm the installation from an untrusted gallery. Press “Y” to confirm.

 C:\> Update-Module ExchangeOnlineManagement

You are installing the module from an untrusted repository. If you trust 
this repository, change its InstallationPolicy value by running the 
Set-PSRepository cmdlet. Are you sure you want to install the module 
from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No to All  [S] Suspend  [?] Help: Y

At this point, it is best to close and reopen any PowerShell windows you had open and reissue the command Connect-ExchangeOnline. The issue should now be resolved.

[Read more…] about Exchange Online PowerShell fails to connect with error AADSTS50011
Print Friendly, PDF & Email

Exchange Online Updates (October 2021)

By Leave a Comment

Share
Tweet
Share
Reddit
Print

Deprecation of the classic Exchange Admin Center

The new Exchange Admin Center has been available for quite some time and was designated reaching general availability back in April. With feature parity met, and in many cases exceeded, it is no doubt that the Exchange team is now planning the deprecation of the classic Exchange Admin Center.

Starting this month features will be redirected away from the classic admin center with the planned removal of the classic EAC by September 2022. Check out Microsoft’s timeline in the image below.

Deprecation of the classic Exchange Admin Center

To use the new Exchange Admin Center point your browser to https://admin.exchange.microsoft.com or from the classic Exchange Admin Center select the toggle to Try the new Exchange Admin Center in the top-right of the screen.

New Exchange Admin Center

New end date for Basic Authentication

Since 2018 Microsoft has announced the blocking of basic authentication. However, due to the pandemic, that date has shifted a few times. Back in February, it was announced that the deprecation of basic auth had been put on hold until further notice. In September Microsoft announced new deadlines for the deprecation of basic authentication for all Exchange protocols. This date is October 1st, 2022. After this date, any application connecting to Exchange Online will be required to leverage modern authentication (OAuth 2.0). The only exception to this is SMTP Auth which can continue to use basic authentication.

Note: Prior to October 1st, 2022, Microsoft will continue to disable basic auth on protocols in tenants where basic auth is not detected.

For devices and applications that integrate with Exchange Web Services, such as voicemail, ticketing systems, or line of business applications, these will be required to support modern authentication. One option is to leverage certificate-based authentication leveraging an Azure app. However, it is better to switch the EWS integration over to Microsoft Graph as Microsoft plans to deprecate EWS integration starting September 30th, 2022. Microsoft is positioning Microsoft Graph to be the sole entry point for all app integrations rather than having separate entry points for each Office 365 workload. This reduces the attack footprint of the Office 365 service. I would also recommend looking into Application Access Policies. These policies limit what mailboxes an app can access. Be sure to check your vendor’s documentation for guidance on connecting these apps to Office 365 with modern authentication.

For PowerShell, I recommend using the Microsoft Exchange Online PowerShell Module. This module supports both modern auth and is a requirement if your admin account has multi-factor authentication enabled (which I hope it does!). I recommend checking out this article for more information on how to use this module. Also, you may want to look into the Azure Cloud Shell. Check out the tutorial; Using Exchange Cmdlets in Azure Cloud Shell.

For POP and IMAP, Microsoft added OAuth support. However, this still requires your POP or IMAP application to support OAuth. For integrated apps that use POP or IMAP, like helpdesk ticketing systems, I would recommend looking for other methods of integration rather than using POP or IMAP. Using our helpdesk ticketing system example, look to see if the app can integrate with EWS or the Graph instead. For clients, see if you can switch those users over to a new client that supports a direct Exchange connection. My recommendation is to get rid of POP and IMAP entirely and globally shut down those legacy protocols.

The most significant impact of this announcement will be on ActiveSync. Countless native mail apps use ActiveSync to access their Office 365 mail. I highly recommend migrating your user base to Outlook mobile (for iOS and Android). Outlook Mobile supports both modern authentication and multi-factor authentication. It is worth noting that some native mail apps, such as those included in iOS 11+, have modern authentication support. However, pushing users to Outlook Mobile versus upgrading their phones is the path of least resistance. Not to mention your helpdesk or IT department will only need to support one mail client and have greater control protecting corporate data via mobile application management policies from Intune.

To track which devices and applications are signing in with legacy authentication, you can use the Azure AD Sign-ins dashboard. Microsoft covers this process in this article.

[Read more…] about Exchange Online Updates (October 2021)
Print Friendly, PDF & Email

Exchange September Cumulative Updates and the new Emergency Mitigation Service

By 2 Comments

Share
Tweet
Share
Reddit
Print
Exchange 2016 CU22 Emergency Mitigation Service

Last month Microsoft released cumulative updates for Exchange 2016 and Exchange 2019. Once you get the September cumulative updates, be sure to grab the security updates released in October.

While Exchange 2013 did not have a cumulative update, it did receive a security update, which can be applied to Exchange 2013 Cumulative Update 23.

A security update was not released for Exchange 2010. The latest update for Exchange 2010 is still Rollup 32 (March 2nd, 2021). Keep in mind that Exchange 2010 was out of support as of October 13th, 2020.

If you need guidance on migrating from a specific CU to the latest, check out Microsoft’s Exchange Update Wizard for step-by-step instructions.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 11 | KB5005334 | October Security Update

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 22 | KB5005333 | October Security Update

Exchange 2013 Cumulative Update 9

Exchange 2013 October Security Update | KB5007011

The new Microsoft Exchange Emergency Mitigation Service

As a response to the HAFNIUM exploits the Exchange team developed a new Exchange Emergency Mitigation service to be included with Exchange Server. Emergency Mitigation is a new Windows service that is deployed by the Exchange Server setup utility.

Microsoft Exchange Emergency Mitigation Service

It is effectively a built-in version of the previously released standalone Emergency Online Mitigation Tool (EOMT) that administrators could run on-demand. The standalone tool was a way for administrators to apply interim remediation until they could apply the needed patches.

In much the same way the Emergency Mitigation Service checks the Office Config Service (OCS) for new mitigation XMLs every hour. It then applies the interim remediation specified in the XML file. The mitigation service can apply the following three actions.

  • Block malicious patterns in HTTP requests via the IIS URL rewrite service
  • Disable vulnerable Exchange services
  • Disable vulnerable App Pools in IIS

Should you accidentally undo any mitigations, restart the Emergency Mitigation Service on the Exchange Server. Within 10 minutes the service will check OCS for the latest XML and reapply any mitigations.

At the time of writing, only a test XML file exists at the Office Config Service for heartbeat purposes. That said, your Exchange Server now requires an outbound connection to https://officeclient.microsoft.com to access these mitigation XML files. To verify Exchange can reach the Office Config Service, you can leverage the Test-MitigationServiceConnectivity.ps1 script located in the Exchange scripts folder.

Once you apply a cumulative or security update that addresses the vulnerability, you will need to manually undo any actions taken by the Emergency Mitigation Service.

[Read more…] about Exchange September Cumulative Updates and the new Emergency Mitigation Service
Print Friendly, PDF & Email
Toggle Dark Mode
Toggle Font Size