Category Archives: Exchange

Exchange Microsoft Office365 SSL

Exchange: Replacing certificate for Microsoft 365 hybrid connector’s

When certificates needs to be renewed or changed on (on-premise) Exchange server’s, and you have Microsoft 365 hybrid setup though Hybrid Configuration Wizard, a Office 365 connecter is setup as send and receive:

Receive:
Default Frontend xxxx/EXCH01

Send:
Outbound to Office 365
xxxxx send connector

If you try to delete the old certificate, without setting the new cert for the connectors, you will get this in ECP:
“A special Rpc error occurs on server EXCH01: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.”

So we need to move into Powershell and replace it, because it cannot be done through the ECP:

Get the thumprint for the new cert:

Get-ExchangeCertificate

So here it is, the top level cert, it’s a wildcard cert, thus the “*.” in the subject name, sorry for the maskings, this is from a non-lab environment

Copy the thumprint to notepad for next command.

Read the certificate subject and thumprint into a variable:

$cert = Get-ExchangeCertificate -Thumbprint <paste the thumbprint in here from previous command>

$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)" - Do not change anything here!

The replace the connectors:

Send Connector –

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Receive Connector –

Set-ReceiveConnector "EXCH01\Default Frontend EXCH01" -TlsCertificateName $tlscertificatename

Note: replace the word “EXCH01” with the name of your Exchangeserver like “MY-EXCH01\Default Frontend MY-EXCH01”

Run IISRESET

This is because the old and new certificate have the same “issuer” and “subject”, the set-sendconnector and set-receiveconenctor, cannot thereforem tell the difference, but solution is easy:

Just add another cert on the servers thumbprint to the first script, then run all commands throgh, after that, do the same again, but now with the real cert’s thumprint, and it works ?

Note that if you fail to replace your certificate before it expires (You forgot to), your mailflow between on-prem Excahnge and Exchange Online (365) will stop working and you will see this in the logs:

[Message=451 5.7.3 STARTTLS is required to send mail]

source links:

https://martinsblog.dk/exchange-replacing-certificate-for-microsoft-365-hybrid-connectors/
https://martinsblog.dk/exchange-an-error-occurred-while-using-ssl-configuration-for-endpoint-0-0-0-0444/
https://www.azure365pro.com/replacing-send-connector-certificate/

Exchange Microsoft SSL

Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)

It is assumed you have your SSL wildcard certificate already installed on an Exchange 2010 server.

We use Windows Server 2008 R2 Datacenter x64 in this example.

Open Exchange Management Shell as Administrator and get a list of SSL certificates that are available:

[PS]> Get-ExchangeCertificate

Thumbprint                    Services  Subject
----------                              --------  -------
1F70359DC0BE9CAD58F965A3C110  ...WS.    CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F  ....S.    CN=ExampleDC

When you enable the wildcard *.example.com certificate for POP service, you normally get the following error:

PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

The same applies to IMAP:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Set FQDN for POP service to fix the error:

[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com

Do the same for IMAP service:

[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

Verify POP settings:

[PS]> Get-POPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}  SecureLogin  exchange2010.example...

Verify IMAP settings:

[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin  exchange2010.example...

Restart POP and IMAP services:

[PS]> Restart-service MSExchangePOP3
[PS]> Restart-service MSExchangeIMAP4

Source link:

https://www.lisenet.com/2014/configure-wildcard-ssl-certificate-for-pop-imap-on-exchange-2010-server/

Exchange Microsoft PowerShell

PowerShell One-Liner: Get a Count of Exchange Server Mailboxes Per Database

 
 
[PS] C:\Get-Mailbox | Group-Object -Property:Database | Select-Object Name,Count | Sort-Object Name | Format-Table -Auto

Exchange Microsoft

Message size and recipient limits in Exchange Server

Get-TransportConfig | Format-List MaxReceiveSize,MaxSendSize,MaxRecipientEnvelopeLimit

Get-TransportRule | where {($_.MessageSizeOver -ne $null) -or ($_.AttachmentSizeOver -ne $null)} | Format-Table Name,MessageSizeOver,AttachmentSizeOver




https://docs.microsoft.com/en-us/exchange/mail-flow/message-size-limits?view=exchserver-2019

Code Snippets Exchange Microsoft PowerShell

Hide Office 365 Groups from the GAL

Schools may require that newly created classes are hidden from the Global Address List (GAL) in Exchange Online. Classes may be hidden through PowerShell. Use the instructions below to hide Classes created with SDS from the GAL.

Classes are represented in Office 365 as Office 365 Groups. In Exchange Online, where the GAL is built, they are called Unified Groups. Use the Get/Set-UnifiedGroup cmdlet to manage these groups through PowerShell.

 

Hide a single class

Launch PowerShell as an Administrator and connect to Exchange Onlineas shown below.

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

Once connected, run the command below against the Group you want to hide.

Set-UnifiedGroup -Identity <UnifiedGroupIdParameter> -HiddenFromAddressListsEnabled $true 

 

Hide all classes created by SDS

Launch PowerShell as an Administrator and connect to Exchange Online as shown below.

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

Once connected, run the command below against all SDS-created groups.

 $Groups = Get-UnifiedGroup -ResultSize Unlimited | ? {$_.PrimarySmtpAddress -like "Section_*"}
Foreach ($Group in $Groups) {Set-UnifiedGroup -Identity $Group.Name -HiddenFromAddressListsEnabled $true}
}

 

 

https://docs.microsoft.com/en-us/schooldatasync/hide-office-365-groups-from-the-gal

Exchange Microsoft SSL

Problems with mail flow after changing email certificate

Problems sending email from onpremises to Office 365 accounts in hybrid environment.

 

When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA.

 To check if the issue is related to the certificate part, please manually remove the previously created hybrid connectors both in the on-premises Exchange server and Office 365, re-run the HCW (Hybrid Configuration Wizard) to re-create these connectors using the new certificate, then check if the messages can be delivered.

Exchange Microsoft PowerShell

Use the Exchange Management Shell to set up mail forwarding

This example delivers email to the mailbox of Douglas Kohn and, at the same time, forwards all mail sent to Douglas Kohn to douglaskohn.parents@fineartschool.net.

Set-Mailbox -Identity "Douglas Kohn" -DeliverToMailboxAndForward $true -ForwardingSMTPAddress "douglaskohn.parents@fineartschool.net"

This example forwards all email sent to the mailbox of Ken Sanchez, an employee of Contoso Suites, to one of his coworkers, pilarp@contoso.com.

Set-Mailbox -Identity "Ken Sanchez" -ForwardingSMTPAddress "pilarp@contoso.com"
 

For detailed syntax and parameter information, see Set-Mailbox.

Note:
-ForwardingsmtpAddress to multiple addresses Shell script

The parameter “ForwardingSmtpAddress” only allow to setup one SMTP address.
To work around this issue, you can setup the mailbox forwarding to a distribution group, you need to add the users you want to forward message to this distribution group.

link:
https://docs.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019

on office365 account, go to portal.office.com > outlook > definitions

 

 

 

REMOVE

Set-Mailbox "email xpto" -ForwardingAddress $NULL -ForwardingSmtpAddress $NULL
Exchange Microsoft Office365

Email Forwarding on an on-prem mailbox to Office 365 mailbox

 

 Configure email forwarding for a mailbox

Set-Mailbox -Identity “OnPrem mailbox” -ForwardingSMTPAddress “Office 365 mailbox”

Exchange Microsoft Tips & tricks Tutorials Utils

How to prevent internal email spoofing in an Exchange organization

Ensuring email security might be one of the most important and most difficult tasks an administrator must face. Every day, servers process thousands of emails and controlling such a big mail flow is not easy. No wonder hackers focus on this channel when they plan attacks. They use various tricks to make users think that opening a suspicious attachment is a good idea.

One of the tricks they use is email spoofing.

Prevent Internal Spoofing in Exchange organization

What is email spoofing?

Email spoofing is a very popular attack method. The sender modifies message headers so that emails appear as sent from someone else. Hackers use it, for example, to impersonate employees of a company to obtain login credentials, personal data, or other confidential information. Two most common ways to protect your organization from external spoofing attacks are:

  • An SPF record – a list of IP addresses which are authorized to send emails from a domain.
  • DKIM check – an email authentication method. It enables you to sign and verify email messages using public and private keys. The public keys, published in the DNS records are used to verify if the message comes from the original sender. You cannot configure it on the Exchange Server natively – you require a plugin for SMTP gateway.

Both ways give good results when fighting with external spoofing. The problem starts when we come across internal spoofing when one employee tries to impersonate a colleague. It might be a joke, or to achieve some benefits – either way, it can sabotage a company in a number of ways:

  • Cause chaos,
  • Induce material damage,
  • Harm data integrity,
  • Damage the company reputation.

 

 

See Full article in https://www.codetwo.com/admins-blog/how-to-prevent-internal-email-spoofing-in-exchange/

 

Exchange Office365 Tips & tricks

MRS Proxy Error “The connection to the server could not be completed”

Check MRS endpoint user and password.

read more »