Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

BES 5.0 Cannot Delete or Select User: The Request Could Not be Completed

Currently migrating a client from BES 4.1 to BES 5.

All going well, except a few users didn't migrate correctly using the transporter suite. When selecting the user, it returned an error "The Request Could not be Completed". This stopped me from doing anything with the user account, including deleting them so I could reactivate them.

However a clever trick was shared with me, which I hadn't seen anywhere else, which allowed me to delete the troublesome user.

Select Manage Users, then Search. At the bottom of the page, choose manage multiple users. Select the user with the problem and then choose Delete User at the bottom of the list. You will get asked if you are sure. After selecting yes the user is then deleted and can be added back in again and go through the regular activation process.

A simple fix for an annoying problem.

SBS 2008 Certificate Installation

21st April 2011

An Updated and revised version of this article can be found on our main site here: http://exchange.sembee.info/2007/install/sbs2008ssl.asp


In recent months I seem to have spent longer with SBS deployments, rather than Exchange 2007 or 2010. Therefore I have had lots of time to get annoyed with how SBS 2008 works with SSL certificates.

Exchange 2007 is very dependant on SSL certificates, which is something I have posted about in the past. However throw in the customisations to IIS that SBS 2008 makes and it gets much harder.
The SBS team have attempted to simplify the process, but for most people they have actually made it worse.

The major problem with SBS 2008 and SSL certificates is twofold.
1. SBS 2008 presumes that your external DNS provider supports SRV records. Their DNS partners that are pushed in the wizard do of course, but most do not.
SRV records are one of the methods that Outlook 2007 can use for autodiscover. Autodiscover is connected to the availability service. Therefore that means if you are using Outlook Anywhere, without autodiscover working correctly, the client doesn't work.
It can also cause problems internally, but the wizard does actually make the required changes for that.

I can see why the SBS team used the SRV record method, as it allows a standard single name SSL certificate to be used - usually remote.example.com . The wizard then makes the requires changes to Exchange and the domain to allow this method to work correctly. Using a single name SSL certificate keeps the costs down, as anyone who has worked with SBS user will know - getting the typical customer to pay for a certificate can be difficult, particularly when there is a "free" certificate in the product.

The comments in this article from Sean Daniel clearly show the presumption of SRV records use. In my opinion this is a very poor decision from Microsoft, when the wizard could easily automatically enter the additional names that are required and generate the relevant request.
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html


2. The second issue is that SBS 2008 sets up additional web sites and uses them for external traffic. If you install and enable the certificate in the usual way for Exchange 2007, then you break those sites. That causes a mess, which can be resolved, does make extra work.

However, it is possible to get the certificate in place, in a way that is acceptable to both Exchange 2007 and SBS 2008. Whatever you do, DO NOT use IIS to generate and manipulate the certificate.

Preparation Work

To ensure that you work with the common configuration for SBS 2008, some DNS entries need to be made on the internet facing DNS services (usually your DNS provider).
Specifically these are
remote.example.com and autodiscover.example.com

(where example.com is your domain after the @).

These should point to your public static external IP address. If you cannot use a static IP address, then use a dynamic DNS provider to setup a host. Then create a CNAME for each of the above hosts and point them to then dynamic DNS host name.

While you can use another host name instead of remote.example.com, but everything in SBS seems to be orientated towards that name. Therefore I usually also use that host name for the MX records for the server as well, and get the ISP to setup the reverse DNS (aka PTR) record.

Certificate Request Generation and Response Installation

To generate the request, follow my guide elsewhere on this blog: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx
However, add the name "Sites" to the list of domains that you include. That makes the full list:

remote.example.com
autodiscover.example.com
server.domain.local (the server's internal FQDN)
server (the server's NETBIOS name)
sites

When you get the response back from your provider, continue to follow my blog article up to the point about installing the response. DO NOT use the enable-exchangecertificate command.

By using the Exchange Management Shell to do the request you do not put the current self generated certificate at risk, because the request and response doesn't touch it. The certificate is only changed later on in the process.

Activating the Certificate

Now this is where things get different to Exchange 2007 full product installation.
In the SBS Management Console, start the SSL certificate. Select the option to use an existing certificate. Your new UCC certificate with the additional names should be listed. Select it and then complete the wizard. SBS will install the certificate in to the web sites correctly for you.
You should then be able to browse to https ://remote.example.com/remote and use the full feature set.

You can verify the certificate is installed correctly by using the Fix my Network wizard, which shouldn't touch the certificate installation - or by running the SBS Best Practises tool. The link to that is on my list of Exchange resources at http://exbpa.com/

Conclusion

With care, you can deploy a commercial certificate on to SBS server, without breaking any of the functionality of the server. This provides a more professional looking deployment for everyone involved, and no need to tell users to ignore certificate prompts.

Vamsoft ORF Update Available - Exchange 2010 Support

My favourite antispam tool Vamsoft ORF has had an update and now supports Exchange 2010, as well as Windows 2008 and Windows 2008 R2 IIS based SMTP.

While support was available for Exchange 2010 in the previous version, a patch was required, this has now been integrated.

The support for Windows 2008 and 2008 R2 is important because of the changes in IIS.
With Exchange 2003, Exchange used the SMTP engine from IIS. This meant that the product worked with and without Exchange.
With Exchange 2007 and 2010, Exchange has its own SMTP engine and you do not install the IIS SMTP engine on to the server at all. Vamsoft ORF worked with the Exchange SMTP engine, but not the IIS engine that was part of Windows 2008/2008 R2. This update corrects it.

What that means is that you can now use Windows 2008/2008 R2 as an SMTP gateway, as I have outlined in this article on amset.info: http://www.amset.info/exchange/gateway.asp

More information on this update is here: http://www.vamsoft.com/orfee_changelog.asp

For the price of $239 per server, this product is very cost effective.

Some of the background to my liking for Vamsoft ORF, particularly with the latest version can be found elsewhere on my blog here:

Truly Spectacular Results from Vamsoft ORF
http://blog.sembee.co.uk/archive/2009/11/16/112.aspx
Real Time Blacklisting
http://blog.sembee.co.uk/archive/2009/09/26/108.aspx

Catch All Mailboxes and the POP3 Connector

I have recently seen an issue with the POP3 connector which I haven't seen before, but will be very widespread. In this particular circumstance it caused the client's server to get blacklisted and have a server processing many thousands of messages which it shouldn't need to.

It is yet another reason why using the POP3 Connector is a bad idea. I have blogged on the POP3 connector being a bad option in the past: http://blog.sembee.co.uk/archive/2006/09/25/25.aspx .

This client was not only using a POP3 connector, but they were also using a catch all mailbox at the ISP - I have posted today why using a catch all is a bad idea here:  http://blog.sembee.co.uk/archive/2010/02/15/117.aspx (posting that item was inspired by this one).

The Problem

The actual problem was quite simple, and something that Exchange could have dealt with on its own if the server was setup for SMTP delivery. However it became a noticeable issue because of the way this particular server was configured.

The domain was subject to an NDR or directory harvest attack (I cannot tell which due to the nature of the SBS Connector) and ended up with large numbers of email messages in their queues.

What puzzled the client was that port 25 wasn't open to the internet, and they had followed my guides on recipient filtering and authenticated user relay so that the server was secure ( http://www.amset.info/exchange/spam-cleanup.asp ).
As I wrote in that article, messages can continue to appear in the queues for some hours after the initial clean-up due to the way Exchange displays the queues when there are a very large number of messages in the queues. However for this client, the messages continued to appear for weeks. Eventually, fed up with cleaning the queues daily, I was asked to look at the server.

What I found was that the messages in the queues were all from postmaster@ so had the classic hallmarks of an NDR or direct harvest attack, but the client was using the POP3 Connector.

Due to the way the POP3 connector works, messages that come in to the server through it are not subject to the recipient filter. The recipient filter works at the connection point, but the POP3 connector simply drops the in to the queue for delivery. This is the key point and the result was the same as a standard NDR attack through SMTP without recipient validation  - the messages that could be delivered were, and the messages with invalid external recipients, or where there was a delivery problem, hung around in the queues. As time went on, the server became blacklisted by most major ISPs for being a source of spam and back scatter.

Furthermore, the client also had the POP3 connector setup to send a copy of messages that could not be delivered to a valid user  in to a mailbox, so not only were the messages being delivered there (and the client had what they considered to be a major spam problem) but the NDRs were going out as well. The user concerned thought they were receiving large amounts of spam - when in actual fact they were receiving email that wasn't even addressed to them.

In short, it was a complete mess.

This will be a widespread problem

In many respects, the client was not to blame for this problem. This configuration is quite common, and would therefore affect everyone using the POP3 connector with a catch all mailbox. However you may not see the messages in the queues and therefore be unaware that your server is a source of spam or backscatter.

The most common configuration when SBS is used with a POP3 connector is to route email OUT through a smart host - usually the ISPs SMTP Server. If you are doing that in combination with a catch all mailbox then you wouldn't see the symptoms of this problem. When a smart host is used, Exchange is sending the email straight back out again and the smart host is responsible for the delivery of the email.

It was only because this client was using direct delivery rather than a smart host that the email messages were shown in the queue causing further investigation. The client had accepted large amounts of spam in the mailbox as something that happens - and asked me to look at that as another issue - not realising that it was all caused by the same thing.

If the server had been configured in the usual way for POP3 use, that is to use a smart host, then the first the client would have known there is a problem is when their ISP called to tell them - although many do not.

Furthermore the email messages also do not appear in message tracking logs as they do not pass through Exchange, but simply bounce off SMTP. The only messages that do appear in message tracking are those delivered to the user set to receive the messages that could not be delivered.
Therefore a server could be the source of back scatter and the administrators (whether in house or an external support company) would be completely oblivious to the issue.

I haven't been able to verify if the email messages showed in the volume reported by the SBS Reporting tool, because as with most SBS Servers I see, it wasn't turned on.

The Solution

Changing the client to SMTP delivery of email resulted in the spam level dropping immediately. In the 24 hours after the change, the number of messages the server dropped for non-valid recipients was measured in 1000s. The account which received a copy of the unmatched addresses from the POP3 connector saw the level of spam almost completely drop away - as most of the spam wasn't addressed to the user.

Conclusion

There is a very simple conclusion to this blog posting.
Don't use a catch all mailbox with the POP3 Connector. Ideally you shouldn't use the POP3 connector at all.

If you are using the POP3 connector and do not wish to move to SMTP delivery, then you should look at switching to user specific POP3 mailboxes instead of a catch all. While that is more tedious to setup, it does mean you are only downloading email that you may want, rather than lots of spam that you almost certainly do not, only for it to be rejected.

Why you shouldn't use "catch all" mailboxes

This is another post in my serious of articles on why you shouldn't use certain features in Exchange, even though they are there. As with the other articles, the article does NOT tell you how to enable the feature in question.
In this post I am going to outline why a "catch all" mailbox is a bad idea.
Many of the points in this article also apply to enabling the option to have a copy of any Non Delivery Reports delivered to someone else in the Exchange org.
This post applies to all email servers, not just Exchange though.

I actually completed this post some time ago, I just never got round to putting it on the blog. However I have recently seen a problem with a SBS Server where a catch all mailbox was used, which I am going to blog on separately, so thought this article should go up first.

The other articles in this series to date are:

Why you shouldn't use logos in signatures ( http://blog.sembee.co.uk/archive/2008/04/14/76.aspx )
Why you shouldn't enable the POP3 Server ( http://blog.sembee.co.uk/archive/2008/03/03/71.aspx )
Why you shouldn't use the POP3 connector ( http://blog.sembee.co.uk/archive/2006/09/25/28.aspx )
Why you shouldn't use a self generated SSL certificate ( http://blog.sembee.co.uk/archive/2006/03/05/9.aspx )
Why you shouldn't put Exchange 2003 in to a DMZ ( http://blog.sembee.co.uk/archive/2006/02/23/7.aspx )


Where does the request come from?

Newcomers to Exchange will often ask where is the "catch all" option, particularly if they are used to that option provided by their ISP with POP3 mailboxes, or are coming from the POP3 connector on Small Business Server.
It may also be asked by a manager, in the mistaken belief that they are missing out on important emails when someone mistypes the email address.

Of course Exchange doesn't support catch all mailboxes, which is why the question is asked.

Similarly, I have seen servers with the "Send copy of Non Delivery Report to..." option set on the SMTP virtual server so that someone gets a copy of the message which can be forwarded on to the relevant person. Of course that is just a COPY, the sender will already have received the NDR, and then may get confused when their message is replied to, despite getting an NDR saying it wasn't delivered.

Why are they a bad idea?

Catch all mailboxes have been a bad idea since the late 1990s, with the growth of worms on the internet that make up email addresses.
In short, a catch all mailbox means that every email address on your server is valid. Therefore the bots that create email addresses based on common name combinations will be able to successfully deliver their messages to your server.

As such, if you enable a catch all, then someone needs to monitor the mailbox constantly for the odd valid email message. Depending on the number of users, the number of messages that could by saved by the catch all may be one or two a day at most.

Meanwhile the person monitoring the mailbox will be deleting the vast majority of the messages, as they will be spam and virus infected messages.
The fact that messages have been delivered at all is also a security risk. If the message is opened or the attachment looked at because it seems legitimate, then the payload could be executed. However if the message had been dropped then it would not even get the chance.

By dropping messages to invalid recipients you will save on bandwidth as the messages do not have to be delivered and on processing power, as the messages do not have to be processed by your AV, Antispam and then Exchange.

Furthermore, if a spammer decides to launch an NDR attack, or simply sends a large amount of spam to your domain, then the messages will be delivered. You may find that you have a mailbox that Outlook cannot open because it has 150,000 messages in it.

I have posted on this blog in the past about VAMSOFT ORF which uses emails to non-valid addresses as a feature to block spam, to great effect. If you are receiving 10,000 messages a day to non-valid address then that would be a tremendous waste of bandwidth - I have a client who drops this kind of level a day.

What is the problem with "Send copy of Non Delivery Report to..." option?

With the "Send copy of Non Delivery Report" option, if you have that set, you are actually being a poor internet citizen. To receive a copy of the Non Delivery Report (NDR) you need to allow the message to be delivered. The server then attempts to send the original NDR back to the sender. However if the message is a virus or spam message (which is most likely) then the sender will be spoofed. Your server is then a source of "back scatter" which could lead to a poor spam score or even blacklisting.
During the last major email-borne virus attack, there were more back scatter NDRs going back and forth than infected messages.
 
Your server is also exposed to an NDR attack or NDR spam attempt, as the server will accept the message and then try and send it back to the "sender" who is the real target of the message.
I have more on NDR attacks on my spam clean up page: http://www.amset.info/exchange/spam-cleanup.asp

Then there is the internal security aspect. If someone senior makes a typo in a confidential email address, this could be seen by someone else, who possibly should not. The original sender will be unaware of this, because they will still get a copy of the NDR.

What are the alternatives?

If you have Exchange 2003 or higher on Windows 2003 SP1 or higher, then enable the recipient filter and tar pit option (instructions: http://www.amset.info/exchange/filter-unknown.asp ). Anyone who sends an email to the wrong address will get a failure immediately. If they are a legitimate sender then they will call or email someone else to get the correct email address.
On older versions of Exchange or if you can't set the tar pit, for example when Exchange 2003 is installed on Windows 2000 where the option isn't available, then setting recipient filtering can actually expose your server to attack, as it cannot defend itself from a directory harvest - therefore a third party tool is required such as Vamsoft's ORF to do recipient filtering and the tar pit.
For other email server products, you should check for recipient validation functionality. If it doesn't exist, but an LDAP lookup option is available, then something like VAMSOFT ORF can query an LDAP database for valid addresses, so could be used as an SMTP gateway. ( http://www.amset.info/exchange/gateway.asp )

If you are aware of a common misspelling, for example Steven and Stephen, then add the misspelling to the user's account as an additional email address. That will ensure that the common misspellings are delivered, without exposing your server.