|
Thalagyrt posted:DKIM is orthogonal to SPF. Mail will never be blocked due to DKIM. It's only used to give you a rep boost. SPF explicitly states "These mail servers can send for this domain" and you block mail that doesn't match. DKIM is a bit different - you put a signature on a message and the receiver can verify the signature against your published keys. A receiver will typically give a negative spam score to a message with a valid DKIM signature. So, say on a system where you block mail with a score of 5 or higher as spam and give -5 points to a DKIM signed message, a message might be scored at 6 normally and blocked as spam, but that same message with a valid DKIM signature would be scored at 1 and passed as clean mail. Awesome, well explained. Thank you.
|
# ? Jul 29, 2014 03:26 |
|
Next question. We're a small/medium business (300ish networked users) but we are a global company that deals with people and businesses all over the world. This has caused us to have a lot of issues with phishing attempts from third world countries, and some being successful and losing us hundreds of thousands of dollars. A while ago we set up a rule to delete all incoming email from our own domain that wasn't sent from one of our relays via IP address. However, in an effort to consolidate our SMTP relays and outsourced application email, we are giving the Mandrill service a go and getting rid of the internal relays. In addition to Mandrill, we also use MailChimp for marketing email. One problem we're now encountering is that we're finding it difficult to manage our "external senders" rule. The problem is that Mandrill and MailChimp change their mail server IPs on a regular basis so every so often I "dig TXT spf.mandrillapp.com" for a list of Mandrill's sending IPs and "dig TXT spf1.mcsv.net" for a list of MailChimp's IPs and update accordingly. Now, before I go through the hassle of writing a program to alert us when one of these changes, is there any better way to do this? Here is the rule:
|
# ? Jul 29, 2014 14:11 |
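One way to build the change alert asked about in the post above, as an added example that is not code from any poster: flatten each provider's SPF record, following `include:` terms, and diff the result against the last saved list. The TXT strings and the saved snapshot are constructed placeholders (documentation ranges, not the providers' real records), and the function names are hypothetical.

```powershell
# Constructed SPF TXT strings standing in for live DNS answers. The ranges are
# documentation placeholders, not the providers' real records.
$SampleTxt = @{
    'spf.mandrillapp.com' = 'v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/25 ?all'
    'spf1.mcsv.net'       = 'v=spf1 ip4:192.0.2.0/24 include:servers.example.net ?all'
    'servers.example.net' = 'v=spf1 ip4:203.0.113.128/25 ip6:2001:db8::/32 -ip4:10.0.0.0/8 ~all'
}
$resolver = { param($name) $SampleTxt[$name] }
# Live lookup instead (Resolve-DnsName needs Windows 8 / Server 2012 or later):
# $resolver = { param($name) Resolve-DnsName $name -Type TXT |
#     ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } }

function Get-SpfNetworks {
    param([string]$Domain, [scriptblock]$Resolver, [int]$Depth = 0)
    # Guard against include loops (RFC 7208 also caps an evaluation at 10 lookups).
    if ($Depth -gt 10) { throw "SPF include chain too deep at $Domain" }
    $record = & $Resolver $Domain
    if ("$record" -notmatch '^v=spf1(\s|$)') { return }
    $nets = foreach ($term in ($record -split '\s+')) {
        # Only pass-qualified terms ('+' or no qualifier) authorise a sender.
        if ($term -match '^\+?ip[46]:(.+)$') { $Matches[1] }
        elseif ($term -match '^\+?include:(.+)$') {
            Get-SpfNetworks -Domain $Matches[1] -Resolver $Resolver -Depth ($Depth + 1)
        }
    }
    if ($nets) { $nets | Sort-Object -Unique }
}

function Compare-SpfSnapshot {
    param([string[]]$Previous, [string[]]$Current)
    New-Object psobject -Property @{
        Added   = @($Current  | Where-Object { $Previous -notcontains $_ })
        Removed = @($Previous | Where-Object { $Current  -notcontains $_ })
    }
}

# Constructed snapshot: the ranges the transport rule currently allows.
$previous = '192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/25'
$current  = 'spf.mandrillapp.com', 'spf1.mcsv.net' |
    ForEach-Object { Get-SpfNetworks -Domain $_ -Resolver $resolver } |
    Sort-Object -Unique
$diff = Compare-SpfSnapshot -Previous $previous -Current $current
if ($diff.Added -or $diff.Removed) {
    "SPF ranges changed. Added: $($diff.Added -join ', '). Removed: $($diff.Removed -join ', ')."
}
```

Saving `$current` to a file after each run (for example with `Set-Content`) gives the next run its snapshot.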
|
That really sounds like a job for SPF. If you're filtering inbound email with SPF, then the SPF check phase should catch "Huh, this email came from a hosting company in Brazil, not from one of our trusted relays" and drop the email. That rule shouldn't even be necessary if your spam filtering setup is working properly... Maybe I'm missing something - I deal with on premises Exchange - but that's how it works for our setup. Anyone trying to spoof my domain as a sender will just get dropped via SPF.
|
# ? Jul 29, 2014 15:18 |
|
Thalagyrt posted:That really sounds like a job for SPF. If you're filtering inbound email with SPF, then the SPF check phase should catch "Huh, this email came from a hosting company in Brazil, not from one of our trusted relays" and drop the email. That rule shouldn't even be necessary if your spam filtering setup is working properly... Maybe I'm missing something - I deal with on premises Exchange - but that's how it works for our setup. Anyone trying to spoof my domain as a sender will just get dropped via SPF. We have high confidence spam going into quarantine (with option to allow users to manage their own quarantine) and regular spam going into junk email. I can't remember exactly what happened since it was over a year ago but a user still got a phishing attempt and then proceeded to wire over $100k to a bank account in Russia. Whether it was marked as spam and she retrieved it from one of those two locations manually, I can't remember.
|
# ? Jul 29, 2014 15:42 |
|
kiwid posted:We have high confidence spam going into quarantine (with option to allow users to manage their own quarantine) and regular spam going into junk email. I can't remember exactly what happened since it was over a year ago but a user still got a phishing attempt and then proceeded to wire over $100k to a bank account in Russia. Whether it was marked as spam and she retrieved it from one of those two locations manually, I can't remember. If the message fails SPF it should be outright dropped, not quarantined. Any mail claiming to be from your domain that's not actually from your domain will fail SPF and thus should be dropped.
|
# ? Jul 29, 2014 16:49 |
|
Thalagyrt posted:If the message fails SPF it should be outright dropped, not quarantined. Any mail claiming to be from your domain that's not actually from your domain will fail SPF and thus should be dropped. Oh, let me do some testing then as I might not need the rule any more. We've only recently turned on SPF so that rule might be for nothing. Thanks.
|
# ? Jul 29, 2014 16:58 |
|
kiwid posted:Oh, let me do some testing then as I might not need the rule any more. We've only recently turned on SPF so that rule might be for nothing. Thanks. We tag messages that fail SPF. While dropping the message if it fails SPF should be what you do, not everyone is using SPF or using it correctly. So if you do decide to drop the messages just be prepared to tell your users/clients that the problem is on the sender's side and they have to fix something. Recently a government entity started sending us legitimate mail that was failing an SPF check and dropping those messages could have potentially led to missing out on thousands of dollars of grant money which would be very bad. The response of "that's their problem they need to fix it" wouldn't be acceptable in my organization.
|
# ? Jul 29, 2014 18:54 |
|
I put our rule into Test mode without policy tips and then tried to send an email from our domain from an SMTP server that is neither in our SPF nor in our external senders rule and it comes in just fine... Here is a screencap showing that a hard fail (our SPF record uses -all) should be triggered. Maybe Office 365 is just a giant piece of poo poo? I don't know.
|
# ? Jul 29, 2014 19:24 |
|
kiwid posted:Maybe Office 365 is just a giant piece of poo poo? I don't know. I can't say I've heard good things about Office 365 unfortunately... Plus I've never liked MS's spam filtering anyway - it just doesn't work all that well. I much prefer on-premises Exchange with a third party filtering solution such as SpamTitan (or if the budget permits, Barracuda) appliances given the choice.
|
# ? Jul 29, 2014 20:02 |
|
Do any of you guys use the disclaimer in Exchange? We've been having problems with inconsistent email signatures recently, so I'm wondering if fixing it with a disclaimer makes sense, or if that's just opening up another can of worms.
|
# ? Aug 6, 2014 05:13 |
|
beepsandboops posted:Do any of you guys use the disclaimer in Exchange? We've been having problems with inconsistent email signatures recently, so I'm wondering if fixing it with a disclaimer makes sense, or if that's just opening up another can of worms. We do it with a transport rule that stamps a sig pulling the info from AD. It is a block of HTML using %%Phone%% %%DisplayName%% etc to fill in the user info
|
# ? Aug 6, 2014 07:15 |
|
Doesn't that drop it in at the bottom of the message chain, not after the reply?
|
# ? Aug 6, 2014 08:31 |
|
Is there a way to use the auto mapping feature in 2010 without having to grant full mailbox access? For example, I want my coworker's mailbox auto added to my Outlook profile, but just the root and inbox. Not the rest of his poo poo.
|
# ? Aug 6, 2014 11:22 |
|
beepsandboops posted:Do any of you guys use the disclaimer in Exchange? We've been having problems with inconsistent email signatures recently, so I'm wondering if fixing it with a disclaimer makes sense, or if that's just opening up another can of worms. I like exclaimer mail disclaimer.
|
# ? Aug 6, 2014 17:51 |
|
NevergirlsOFFICIAL posted:I like exclaimer mail disclaimer. Seconding this. Used it at my old place to "fix" all the idiotic signatures out there.
|
# ? Aug 6, 2014 18:35 |
|
Exclaimer Mail Disclaimer is fantastic. Great product, great support.
|
# ? Aug 6, 2014 19:08 |
|
Does Exclaimer Mail Disclaimer work on Office 365? The website really only says Exchange 2007-2013 from what I see.
|
# ? Aug 6, 2014 19:21 |
|
DrAlexanderTobacco posted:Exclaimer Mail Disclaimer is fantastic. Great product, great support. That's quite the mouthful of a product name.
|
# ? Aug 6, 2014 19:25 |
|
The Electronaut posted:That's quite the mouthful of a product name. yeah because they have some other Exclaimer poo poo that I've never used. Does it work on O365 - I don't think so. It injects the sig in hub transport on the Exchange server.
|
# ? Aug 6, 2014 19:45 |
|
So we have a bunch of mailboxes and a shared mailbox with online archiving enabled. Now all clients (Outlook 2007 SP3 that worked before) suddenly stopped showing archives. Personal archives still show in OWA but shared don't and never did. I have no idea what might have caused them suddenly to break and no real idea where to look. This is a single server install serving 5 users.
|
# ? Aug 7, 2014 12:45 |
|
first thing I'd do is create a new profile without cached mode and without rpc/https, and see if the archive folder shows up then.
|
# ? Aug 7, 2014 18:35 |
|
KaneTW posted:So we have a bunch of mailboxes and a shared mailbox with online archiving enabled. Now all clients (Outlook 2007 SP3 that worked before) suddenly stopped showing archives. Personal archives still show in OWA but shared don't and never did. The online ("Personal") archive function in Exchange 2010 requires special Licenses: quote:Retail
|
# ? Aug 7, 2014 19:02 |
|
Yeah, that was my suspicion too, except it worked before for ages. Just stopped working today and nothing changed in Outlook licensing or Exchange. NevergirlsOFFICIAL posted:first thing I'd do is create a new profile without cached mode and without rpc/https, and see if the archive folder shows up then. Already tried that. -- I ended up just disabling automatic archiving for the time being and merged the archive back into the main mailbox so it was accessible to my users. E: just checked our licensing and we are indeed on Outlook 2007 included with Pro 2007, which is not supported. Yet why was it working before? Also the lack of a non volume licensing option for 2013 with archiving is annoying. KaneTW fucked around with this message at 22:52 on Aug 7, 2014 |
# ? Aug 7, 2014 22:43 |
|
What's everyone's favorite way to migrate POP emails over to Exchange Online?
|
# ? Aug 8, 2014 03:49 |
|
MigrationWiz https://www.bittitan.com/products/migrationwiz/types
|
# ? Aug 8, 2014 06:57 |
|
Anything cheaper than $12 an email? Or am I being too cheap?
|
# ? Aug 8, 2014 12:25 |
|
How much would it cost you by hand? We use MigrationWiz on every migration we do, but if it's POP and you only have a few mailboxes, it's not that time consuming to do by hand.
|
# ? Aug 8, 2014 12:39 |
|
scanlonman posted:Anything cheaper than $12 an email? Or am I being too cheap? You are being too cheap. MigrationWiz owns. Also, someone recommended SkyKick to me saying its full-featured solution (i.e. doing Outlook profiles too) is better than MigrationWiz's. Haven't tried it yet myself though. https://www.skykick.com/
|
# ? Aug 8, 2014 14:15 |
|
I once wrote a script in PHP to do POP and IMAP migrations. (Why PHP? When the only tool you have is a hammer...) It takes user/pass pairs on the command-line, so it can be scripted pretty easily if needed. I could send you a copy of this script if you like, but honestly, if you're doing fewer than a dozen or so mailboxes a professional/paid service is probably the wiser way to go. It's only worth doing weird hacky stuff like this if you need to move a few hundred mailboxes and have more time than money.
|
# ? Aug 8, 2014 16:56 |
|
scanlonman posted:Anything cheaper than $12 an email? Or am I being too cheap? do you work for minimum wage?
|
# ? Aug 9, 2014 15:15 |
|
Gyshall posted:do you work for minimum wage? even if you work for minimum wage it's cheaper to have MigrationWiz do it than for you to do it manually.
|
# ? Aug 11, 2014 14:45 |
|
scanlonman posted:Anything cheaper than $12 an email? Or am I being too cheap? $12 an email is insane, $12 a mailbox isn't that bad. Microsoft has a migration tool in Office 365 that will do IMAP migrations (I know you said POP but I assume you could use IMAP if you could use POP). You'll need an admin account that can log into every mailbox but I'm pretty sure it's free.
|
# ? Aug 11, 2014 20:27 |
|
Is there anything I need to worry about when upgrading my forest's functional level? I'm at 2003 right now with an Exchange 2010 server in our hosted space which has the FSMO roles on the AD server there too (different physical server). I assume I should raise the level on that FSMO server? I have full AD backups and we're not a huge company either.
|
# ? Aug 11, 2014 20:37 |
|
LmaoTheKid posted:Is there anything I need to worry about when upgrading my forest's functional level? You need to be sure that the functional level you're going to is supported by the version of Exchange that you're running. See the handy chart here under the "Supported Active Directory environments" section.
|
# ? Aug 11, 2014 20:57 |
|
Will Styles posted:You need to be sure that the functional level you're going to is supported by the version of Exchange that you're running. See the handy chart here under the "Supported Active Directory environments" section. Perfect, thank you!
|
# ? Aug 11, 2014 21:25 |
|
Will Styles posted:You need to be sure that the functional level you're going to is supported by the version of Exchange that you're running. See the handy chart here under the "Supported Active Directory environments" section. What's the reason for 2012 R2 AD domain and forest not being compatible with Exchange 2013 CU3?
|
# ? Aug 12, 2014 13:01 |
|
I've got a weird question. I generally don't do much Exchange stuff as I have a sysadmin and I'm more involved with user hands on junk. I end up needing to give full access to email/contacts/calendars to users. I have found in Exchange 2010 on the server I can right click the user and "Manage Full Access Permissions" to allow the parent users to let the child users have full access. The issue I'm running into is, if the child user is ONLY getting contacts/calendars and the parent does not want them to have access to email, I haven't found a good server side solution to doing that. The process I have now is go to the parent user's Outlook, set them up as a delegate with full permissions to the desired shares and then share the calendar. Is there a way I can dole out the rights server side, as a lot of the parent users either work remote, are unavailable, or are a pain in the rear end?
|
# ? Aug 12, 2014 14:14 |
|
Do that through Outlook? Right click Share => on the contacts? Same for Calendars. e: Server Side this is controlled through Sharing Policies.
|
# ? Aug 12, 2014 14:42 |
|
Slow is Fast posted:I've got a weird question. As you're using Exchange 2010 you should be able to complete this using PowerShell. PowerShell is a CLI that Microsoft are slowly replacing the Exchange Management Console with - It's a fair bit more robust in terms of what you could do. In your case, you can target the specific contacts folder (or calendar) like below:

Set-MailboxFolderPermission -Identity "UserA:\Contacts" -User "UserB" -AccessRights Editor

User A in this instance is the mailbox you want to delegate access for, with UserB the target mailbox to apply that permission to. User B will be able to view User A's contacts folder. To apply this to the calendar, simply replace contacts with calendar.
|
# ? Aug 12, 2014 14:48 |
|
DrAlexanderTobacco posted:As you're using Exchange 2010 you should be able to complete this using PowerShell. PowerShell is a CLI that Microsoft are slowly replacing the Exchange Management Console with - It's a fair bit more robust in terms of what you could do. Perfect, I'll give this a go.
|
# ? Aug 12, 2014 15:03 |