How to setup an IIS SMTP Relay server for Office 365

There are two options when setting up an IIS SMTP relay, depending on where the target recipients are.

Let’s say the SMTP domain on Office 365 is contoso.com.

Send to internal users only:
In this scenario, all recipients are hosted on the Office 365 tenant. In other words, all recipients have an SMTP address with the domain suffix contoso.com. Since the recipients are all internal mailboxes, the mail delivery is not a relay and does not require authentication.
The SMTP relay server simply delivers the email to the Office 365 EOP (Exchange Online Protection) server anonymously. As a result, emails sent this way are always treated as external email, not internal.
The only thing that matters is that the Internet IP address the SMTP relay server uses to connect to EOP is not banned by spam filters.

  • Query the MX record of contoso.com. For example, use NSLOOKUP
  • Leave the default configuration on SMTP virtual server without any change
  • Create a remote domain on the SMTP relay server with the domain name contoso.com
  • Select the Allow incoming mails to be relayed to this domain option.
  • Set the smart host to the FQDN of the MX query result, E.g. contoso-com.mail.protection.outlook.com
  • Do not use TLS or authentication

Send to both internal and external users:

Important: TLS is required in this option. Windows 2003 is no longer supported, because it supports 128-bit encryption only, and Office 365 requires 256-bit encryption. A newer version of Windows Server is required.

In this scenario, the IIS SMTP relay server can send emails to any recipient, both internal and external. Cloud-based users receive emails sent this way marked as “internal”.


The SMTP relay server acts as an SMTP client. It connects to the Office 365 client access server and submits emails after authentication.


In the properties page of SMTP virtual server

  • In Access – Relay
    Choose the computers which are allowed to submit emails through this SMTP relay server
    • Allow emails from any computer
      Select All except the list below
    • Allow specified computers only
      Select Only the list below, then add the IP addresses of the allowed computers into the list
  • In the Delivery – Outbound Security
    Input a user credential of Office 365, and select TLS
  • In the Delivery – Outbound connections
    Set the port to 587
  • In the Delivery – Advanced
    Input smtp.office365.com as the smart host. If you are a Gallatin user, use smtp.partner.outlook.cn
  • Grant Send As permission for all users to the user account which was set in Delivery – Outbound Security
    This configuration can be set from Office 365 admin portal – Exchange Online admin center – recipients – mailboxes – <Select property page of one user> – Delegation – <Add the user account into Send As list>
    Or use PowerShell
    • Basic command:
      Add-RecipientPermission <identity> -AccessRights SendAs -Trustee <user>
    • Example: grant Send As permission of user1 to user2, so that user2 can be used on the IIS server to relay:
      Add-RecipientPermission User1 -AccessRights SendAs -Trustee User2
    • Bulk add permission (the mailbox identity comes from the pipeline, so it is not given as a parameter):
      Get-Mailbox -ResultSize Unlimited | Add-RecipientPermission -AccessRights SendAs -Trustee User2
  • A remote domain is not required unless you want to override the configuration above for specific SMTP domains.
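As an added example that is not part of the original post, the following PowerShell script checks both delivery paths from the relay server before the IIS configuration is relied on: it resolves the tenant's MX host for the anonymous internal path, tests the TCP ports, and sends a test message on each path. It assumes Windows Server 2012 R2 or later (PowerShell 3.0+, Resolve-DnsName and Test-NetConnection), the tenant domain contoso.com from the post, and placeholder sender and recipient addresses. One point worth checking alongside it: with "All except the list below" in Access – Relay, any host that can reach port 25 of the virtual server may submit mail through it, so keep that port reachable only from the LOB devices and internal networks that need it.

```powershell
# Added example (not from the original post): pre-flight checks for the two relay paths
# described above. Assumptions: tenant domain contoso.com (as in the post), Windows
# Server 2012 R2+ on the relay, and an Office 365 mailbox that holds Send As rights.
param(
    [string]$TenantDomain = 'contoso.com',
    [string]$Sender       = 'relay@contoso.com',      # placeholder
    [string]$Recipient    = 'user@contoso.com',       # placeholder
    [ValidateSet('Internal','External')][string]$Mode = 'Internal'
)

# Path 1 (internal recipients only): anonymous delivery straight to the tenant's MX host
# (EOP). EOP treats the message as external mail; no authentication, no TLS.
function Get-EopSmartHost {
    param([string]$Domain)
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference | Select-Object -First 1
    return $mx.NameExchange.TrimEnd('.')   # e.g. contoso-com.mail.protection.outlook.com
}

# Fail early if the port is not reachable: the usual causes are an egress firewall rule
# or the relay's public IP being blocked on the receiving side.
function Test-RelayPath {
    param([string]$SmartHost, [int]$Port)
    $r = Test-NetConnection -ComputerName $SmartHost -Port $Port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        throw "TCP $Port to $SmartHost failed; check the egress firewall or whether the relay's public IP is blocked."
    }
}

switch ($Mode) {
    'Internal' {
        $smartHost = Get-EopSmartHost -Domain $TenantDomain
        Test-RelayPath -SmartHost $smartHost -Port 25
        Send-MailMessage -SmtpServer $smartHost -Port 25 -From $Sender -To $Recipient `
            -Subject 'IIS relay test (internal path)' -Body 'delivered anonymously to EOP'
    }
    'External' {
        # Path 2 (any recipient): authenticated submission over STARTTLS on 587.
        $smartHost = 'smtp.office365.com'   # smtp.partner.outlook.cn for Gallatin tenants
        Test-RelayPath -SmartHost $smartHost -Port 587
        # Offer only TLS 1.2 so the OS does not negotiate the older versions the service rejects.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $cred = Get-Credential -Message 'Office 365 mailbox used for relay'
        Send-MailMessage -SmtpServer $smartHost -Port 587 -UseSsl -Credential $cred `
            -From $Sender -To $Recipient -Subject 'IIS relay test (authenticated path)' `
            -Body 'submitted with authentication over STARTTLS'
    }
}
```

Run it once with -Mode Internal and once with -Mode External from the relay server itself, so the test uses the same public IP and egress rules the IIS virtual server will use.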

Configuration for LOB (such as scanner or copier)

Considering the scenarios discussed above, the configuration on the LOB device is similar, and depends on whether the recipients are internal or external.

For internal recipients: (not a relay)
Important:
Ensure the Internet IP address used is not banned by EOP.

  • SMTP Server Name : the EOP server
  • SMTP Port Number : 25
  • SMTP Authentication : Off
  • TLS: Off

For external recipients: (relay)
Important: Ensure the device supports 256bits TLS encryption.

  • SMTP Server Name : smtp.office365.com (or smtp.partner.outlook.cn for Gallatin)
  • SMTP Port Number : 587
  • SMTP Authentication : On
  • TLS: On

Original article, please indicate the source.

George Wu  


Meeting requests automatically moved to Calendar and set as tentative

Symptom:
When a meeting request is sent to an Exchange user, the user cannot find it in the inbox. The meeting request is delivered directly to the Calendar and marked as tentative.
The user is not notified, since the meeting is tentative, and will miss the meeting.
Once the problem exists, it can always be reproduced, no matter whether the sender is internal or external.

Cause:
The receive folder for meeting requests is misconfigured, probably by a third-party Outlook add-in.

Solution:

  1. Find a computer with Outlook installed that has a profile connecting to the problematic mailbox
  2. Change the profile to online mode (disable cached mode)
  3. Download and install the MFCMAPI tool from http://mfcmapi.codeplex.com/
  4. Launch MFCMAPI
  5. Click Session – Logon
  6. Select the Outlook profile to connect with
  7. After connecting, double-click the mailbox store
  8. In the Root Container window, click MDB – Display – Receive folder table
  9. IPM.SCHEDULE.MEETING should appear in the table.
    If it is not there, the problem has a different cause. Stop here.
  10. Close the Receive Folder Table window and return to the Root Container window
  11. Right-click Schedule and, in the context menu, select Advanced – Set receive folder
  12. Enter IPM.SCHEDULE.MEETING in the Class field, select the “Delete association” option, and click OK


More Information:
ReceiveFolders
http://msdn.microsoft.com/en-us/library/office/cc815405.aspx


Original article, please indicate the source.
George Wu


PST Capture reports error 507 “insufficient storage” when migrating data to Office 365

Problem:
Using PST Capture to upload a PST to Office 365, some items fail to upload with the error “The request failed. The remote server returned an error: (507) Insufficient Storage”.

Cause:
This is by design. PST Capture uses Outlook Anywhere protocol to upload data to Office 365. EWS is called to perform the operation. There is a restriction on EWS to prevent large items from being uploaded.

Reproduce:

  • Sent large emails to a test Exchange account (on-premises Exchange 2013), with message sizes from 24MB to 51MB.
  • Exported the mailbox data into a PST file
  • Uploaded the PST file via the PST Capture tool.
  • Got the error “507 insufficient storage” for mail items larger than 40MB

    Detailed error information: (screenshot)

More Information:

  • PST Capture is “as is”, and will not be changed in the future.
  • Uploading large email items from Outlook to Office 365 fails as well. This is expected, since both PST Capture and Outlook use the same protocol (Outlook Anywhere, which goes through Exchange Web Services) to upload data.
  • Uploading large email items from Outlook to on-premises Exchange succeeds, because by default Exchange 2013 sets the limit to 2GB.

    For older versions, changing the configuration to raise the limit can fix this issue. Configuration file: ClientAccess\exchweb\ews\web.config

Original article, please indicate the source.
George Wu


Adding an image to an Exchange disclaimer

Use Word or another editor to create an HTML file, then open that file in Notepad and copy the following content:


<div class=WordSection1 style='layout-grid:15.6pt'>
<p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span
style='font-size:10.0pt;mso-bidi-font-family:"Times New Roman"'>声明(</span><span
lang=EN-US style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>DISCLAIMER</span><span
style='font-size:10.0pt;mso-bidi-font-family:"Times New Roman"'>):</span><span
lang=EN-US style='font-size:10.5pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span
style='font-size:10.0pt;mso-bidi-font-family:"Times New Roman"'>本邮件及其附件含有XXXX的商业信息,仅限于发送给上面地址中列出的<span
class=GramE>个人或群组</span>。禁止任何人未经发件人许可以任何形式(包括但不限于全部或部分地泄露、复制、或散发)不当使用本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件</span><span
lang=EN-US style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>!</span><span
lang=EN-US style='font-size:10.5pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>This
e-mail and its attachments contain confidential information from <span
class=SpellE>XXXX</span>, which is intended only for the person or entity
whose address is listed above. Any use of the information contained herein in
any way (including, but not limited to, total or partial disclosure,
reproduction, or dissemination) by persons other than the intended recipient(s)
is prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!</span></p>
<img src="http://windowsteamblog.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/wpdev/appbar.favs.addto.rest_5F00_thumb_5F00_7961C72C.png" />
</div>


The image used is http://windowsteamblog.com/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/wpdev/appbar.favs.addto.rest_5F00_thumb_5F00_7961C72C.png

This image must be reachable from the Internet so that recipients can see it correctly.

Then paste this text into an Exchange Transport Rule. (screenshot)

Result after configuration: (screenshot)

Original article, please indicate the source when reposting. George Wu
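An added example, not from the original post: the same disclaimer applied with New-TransportRule from the Exchange Management Shell instead of being pasted into the GUI. It assumes the HTML above is saved at C:\disclaimer\disclaimer.html (placeholder path) and that the image has been copied to a web server you control, at the placeholder URL in the script, so that every recipient is not loading an image from a third-party site each time the mail is opened.

```powershell
# Added example (not from the original post). Placeholders: the HTML file path and the
# URL of an image hosted on your own web server.
$HtmlPath = 'C:\disclaimer\disclaimer.html'
$ImageUrl = 'https://www.contoso.com/mail/disclaimer-logo.png'

# Read the whole file as one string (works on PowerShell 2.0, which Exchange 2010 ships with);
# the file was saved from Notepad with the Chinese text intact.
$html = [IO.File]::ReadAllText($HtmlPath)

# Swap the sample image URL from the post for the one we host.
$html = $html -replace 'http://windowsteamblog\.com/[^"]+', $ImageUrl

# Scope the rule to mail leaving the organisation, append the disclaimer, and wrap the
# original message in a new one when the body cannot be modified (signed or encrypted mail).
New-TransportRule -Name 'External disclaimer with logo' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $html `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Confirm what was stored before sending a test message to an external mailbox.
Get-TransportRule -Identity 'External disclaimer with logo' |
    Format-List Name, State, FromScope, SentToScope, ApplyHtmlDisclaimerLocation
```

Send a test message to an external address afterwards and view it in a client with external images blocked: the text of the disclaimer must still read correctly when the image does not load.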


A complete high-availability solution with two Exchange servers

Note: the approach in this article is not a deployment method officially supported by Microsoft; it is only a personal idea.

The core server roles in Exchange Server 2010, namely Mailbox, Hub Transport and Client Access, have different high-availability solutions. High availability for the Mailbox role is provided by the DAG feature; the Hub Transport role load-balances automatically; the Client Access role needs a network load balancing technology (the NLB built into Windows, or a hardware load balancer, HLB).

The high-availability solution Microsoft recommends separates Client Access from Mailbox. The reason is that Windows NLB and the Windows Failover Cluster that DAG uses behind the scenes cannot be configured on the same server. In other words, at least four Exchange 2010 servers are needed. If only two Exchange servers are used, a hardware load balancer (HLB) is required.

As you can see, the standard approach requires a considerable investment in hardware and software. So, is it possible to achieve a complete high-availability solution with only two Exchange servers?

In fact, a DAG uses Windows Failover Cluster internally. That means that once the DAG is deployed, a cluster group already exists, and a computer name resource can be added directly to that group to provide redundancy for CAS.

In a simple Exchange 2010 environment, three servers are deployed: DC, Exch01 and Exch02. Both Exchange servers have the Mailbox, Client Access and Hub Transport roles installed.

Server | IP address
GWTDC01 | 192.168.1.101
GWTExch01 | 192.168.1.102
GWTExch02 | 192.168.1.103
GWTDAG (DAG name) | 192.168.1.104
GWTCAS (Client Access Array, also the virtual server name) | 192.168.1.105

The configuration steps in brief:

  1. Configure a DAG on the two Exchange servers, using the domain controller as the witness server; see the earlier article:
    http://blog.sina.com.cn/s/blog_70e1dcc80100m4l3.html
  2. Open Failover Cluster Manager and connect to GWTDAG
  3. Right-click Services and applications and select Configure a Service or Application. This starts the wizard
  4. Select Other Server
  5. Enter the details: the virtual server name and IP address
  6. There is no storage; click Next
  7. Ready to configure
  8. Configuration complete
  9. Back in the main MMC window, the resource has been added
  10. Check DNS; the newly created A record can be seen
  11. Next, configure the Client Access Array. This is mainly two commands:
    New-ClientAccessArray and Set-MailboxDatabase -RpcClientAccessServer
  12. Finally, configure the certificate for the Client Access server and the published URLs. This was covered in earlier articles and is not repeated here.
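The steps above scripted, as an added example that is not part of the original post. It assumes the names and addresses from the table, a placeholder AD DNS domain gwt.local, the FailoverClusters PowerShell module on the Exchange server (Windows Server 2008 R2 or later), and that it is run from the Exchange Management Shell; the certificate and URL configuration of step 12 is not included. Since the name resource lives in the same cluster group as the DAG, verify that it actually moves between the two nodes (Move-ClusterGroup) before relying on it.

```powershell
# Added example (not from the original post). Names and addresses follow the table in the
# post; the AD domain and site name are placeholders to replace with your own.
$Domain   = 'gwt.local'                  # placeholder for the AD DNS domain
$CasName  = 'GWTCAS'
$CasFqdn  = "$CasName.$Domain".ToLower()
$CasIp    = '192.168.1.105'
$DagName  = 'GWTDAG'
$SiteName = 'Default-First-Site-Name'    # AD site containing both Exchange servers

Import-Module FailoverClusters

# Steps 3-8 of the walkthrough: an "Other Server" role in the DAG's cluster, which owns a
# computer name and IP resource that fail over between GWTExch01 and GWTExch02.
Add-ClusterServerRole -Cluster $DagName -Name $CasName -StaticAddress $CasIp | Out-Null

# Step 10: wait until the cluster has registered the A record before pointing clients at it.
# [Net.Dns] is used instead of Resolve-DnsName so this also runs on Windows Server 2008 R2.
$deadline = (Get-Date).AddMinutes(5)
do {
    try   { $ok = ([Net.Dns]::GetHostAddresses($CasFqdn) | ForEach-Object { $_.IPAddressToString }) -contains $CasIp }
    catch { $ok = $false }
    if (-not $ok) { Start-Sleep -Seconds 10 }
} until ($ok -or (Get-Date) -gt $deadline)
if (-not $ok) { throw "A record for $CasFqdn is not visible yet; check DNS before continuing." }

# Step 11: the Client Access Array, then point every database's RPC endpoint at it.
New-ClientAccessArray -Name $CasName -Fqdn $CasFqdn -Site $SiteName
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasFqdn

# Verify: each database should now reference the array name, not an individual CAS.
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize
```

Outlook profiles created before the change still hold the old server name; they pick up the array name from Autodiscover, so test with a freshly created profile as well as an existing one.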

Original article, please indicate the source when reposting. George Wu


Bulk-importing contact objects in Exchange 2010

  1. Edit the list of users in Excel in the following format:

    DisplayName ExternalMailAddress Alias
    张三 zhangsan@contoso.com Zhangsan
    李四 lisi@contoso.com Lisi

  2. Save the data from Excel as CSV

  3. Open the file saved in the previous step in Notepad and save it again in Unicode format (this step is needed because the file contains Chinese characters)
  4. The contents of the CSV file used for the import: (screenshot)
  5. Copy the file to the Exchange server
  6. In Active Directory, create an OU named ADSync to hold the imported contact objects
  7. In the Exchange Management Shell, run the following command, replacing PTCDemo.com with your Active Directory domain name
    Import-Csv d:\mailcontact.csv | ForEach-Object -Process {New-MailContact -Name $_.DisplayName -ExternalEmailAddress $_.ExternalMailAddress -Alias $_.Alias -OrganizationalUnit PTCDemo.com/ADSync}
  8. The question marks in the command output appear because Exchange is in English while the imported names contain Chinese; this does not affect the result.
  9. After the import finishes, the contacts are visible in Exchange, with their external email addresses already set.
  10. Besides the basic email address, if other attributes need to be set, add extra columns to the CSV file for the additional information, such as mobile number, title or company name, then set them with Set-Contact.
    Import-Csv d:\mailcontact.csv | ForEach-Object -Process {Set-Contact -Identity $_.ExternalMailAddress -MobilePhone $_.MobilePhone}
    For details on Set-Contact, see the following documentation:
    http://technet.microsoft.com/en-us/library/bb124535(EXCHG.140).aspx

Original article, please indicate the source when reposting. George Wu
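An added example (not from the original post) that wraps steps 7 and 10 with validation and error handling: it checks the CSV columns, the addresses and alias uniqueness before creating anything, then creates each contact and applies the optional attributes, recording failures instead of stopping at the first one. It assumes the CSV at D:\mailcontact.csv saved as Unicode (step 3), the OU ADSync and the domain PTCDemo.com from the post, and the optional columns MobilePhone, Title and Company, which are my assumptions.

```powershell
# Added example (not from the original post). Runs in the Exchange 2010 Management Shell
# (PowerShell 2.0 compatible). Paths, OU and optional column names are assumptions.
$CsvPath  = 'D:\mailcontact.csv'
$TargetOu = 'PTCDemo.com/ADSync'

# Notepad's "Unicode" writes UTF-16 with a byte-order mark, which Import-Csv detects
# automatically, so no -Encoding parameter is needed here.
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }

# Validate before touching the directory: required columns, well-formed addresses,
# ASCII-only aliases (Alias cannot contain Chinese characters) and alias uniqueness.
$required = 'DisplayName', 'ExternalMailAddress', 'Alias'
$columns  = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
$missing  = $required | Where-Object { $columns -notcontains $_ }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

$seenAlias = @{}
$bad = @()
foreach ($r in $rows) {
    if ($r.ExternalMailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $bad += "bad address: $($r.ExternalMailAddress)"; continue }
    if ($r.Alias -notmatch '^[A-Za-z0-9._-]+$')                          { $bad += "alias must be ASCII: $($r.Alias)"; continue }
    if ($seenAlias.ContainsKey($r.Alias))                                { $bad += "duplicate alias: $($r.Alias)"; continue }
    $seenAlias[$r.Alias] = $true
}
if ($bad) { $bad | ForEach-Object { Write-Warning $_ }; throw 'Fix the CSV and re-run.' }

# Create the contacts (step 7) and set optional attributes (step 10), collecting failures.
$failed = @()
foreach ($r in $rows) {
    try {
        New-MailContact -Name $r.DisplayName -ExternalEmailAddress $r.ExternalMailAddress `
            -Alias $r.Alias -OrganizationalUnit $TargetOu -ErrorAction Stop | Out-Null

        # Only pass attributes whose column exists and is non-empty for this row.
        $extra = @{}
        if ($r.MobilePhone) { $extra['MobilePhone'] = $r.MobilePhone }
        if ($r.Title)       { $extra['Title']       = $r.Title }
        if ($r.Company)     { $extra['Company']     = $r.Company }
        if ($extra.Count -gt 0) { Set-Contact -Identity $r.Alias @extra -ErrorAction Stop }
    } catch {
        $failed += New-Object PSObject -Property @{ Alias = $r.Alias; Error = $_.Exception.Message }
    }
}

"$($rows.Count - $failed.Count) of $($rows.Count) contacts created."
if ($failed.Count -gt 0) { $failed | Format-Table Alias, Error -AutoSize }
```

Re-running the script on the same CSV reports the existing contacts as failures (New-MailContact refuses duplicates) without altering them, which makes it safe to re-run after fixing the rows that failed.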


A reader's letter and my reply, on the use of RpcClientAccessServer

Today I received a letter from a reader, as follows: (screenshot)

I will use a similar environment to explain. The test environment is as follows: (screenshot)

From the output of the commands above, we can see:

1. There are four Exchange servers in total; CAS-A and CAS-B each have the CAS and HT roles installed

2. No DAG is configured

3. There are two mailbox databases: MBX#1 has RpcClientAccessServer set to CAS-A and is mounted on MBX-A; MBX#2 has RpcClientAccessServer set to CAS-B and is mounted on MBX-B

4. The Administrator mailbox is on MBX#1

Given the RpcClientAccessServer configuration, for administrator to connect to Exchange via MAPI, the following must all hold:

1. Server MBX-A is running normally

2. Database MBX#1 is mounted normally

3. CAS-A is running normally

In fact, every server with the Client Access role has a service named Microsoft Exchange RPC Client Access, which is dedicated to MAPI client access. If this service is stopped, MAPI client access has problems. Here is the test:

1. Under normal conditions, the Outlook client can connect, and the connected server is CAS-A

2. Stop the Microsoft Exchange RPC Client Access service on CAS-A

3. Now check Outlook: the status changes from Connected to Microsoft Exchange to Disconnected. This may take a few minutes, since Outlook tries to re-establish the connection several times.

4. Throughout the process, only the Microsoft Exchange RPC Client Access service on CAS-A was stopped; nothing else was done

In summary, if the CAS server specified by RpcClientAccessServer fails, Outlook clients cannot connect normally via MAPI.
