|
skipdogg posted:
I must say I'm looking forward to migrating from BPOS to Office365. All the BPOS negatives are negated with 365.

Well, it's a week later and I just did my first mailbox move using rich coexistence after days and days of nonstop setup. So far, so good. Everything works just like they say, and it's amazing to see free/busy syncing correctly between internal 2003 and Office 365. I've got mailboxes on 2003, 2010 and 365, and they all send/receive perfectly and single sign-on works everywhere. drat confusing when I actually sit down and map out the design, but it does work.

The ExDeploy docs are super, super helpful, but holy gently caress did I hit about a million gotchas going through the steps. But I was able to either google every one or find a fix on the 365 forums. Biggest annoyance is the drat SSL certs, as usual. 99% of the problems I hit were cert related. Especially using a wildcard cert from a Verisign reseller instead of some crazy expensive SAN cert direct from Verisign/DigiCert/etc.

The only complete roadblock was Forefront, since they only allow TLS ESMTP certs that are signed from a root CA on the MS list. The docs say you MUST use ESMTP to send between cloud and internal, but I found they're full of poo poo with Office 365 Enterprise, since you have full control of Forefront and can just allow a regular SMTP connection instead. That took care of the internal->365 mail flow, and coming the other way TLS is fine.

Overall, I'm impressed with the documentation most of all, considering I did all of this having never actually installed Exchange from scratch before, though I've got years of experience working with it for clients at my previous jobs.
|
Posted: Jul 19, 2011 11:30
|
|
Customer of mine has started having a problem sending e-mail to specific government related addresses. My message implies that it's being rejected as spam, but I'm not on any of the blacklists I've checked using mxtoolbox or dnsbl. Both the mxtoolbox SMTP test and the DNS health test seem to show that everything is configured fine on my end. I've had no luck contacting admins for any of the addresses we're having problems with. Censored NDR follows: code:
|
Posted: Jul 19, 2011 17:58
|
Can you route your outbound mail through something like Postini or whatever filters your inbound mail? Surely they'll trust Postini.
|
Posted: Jul 19, 2011 18:13
|
All I'm seeing in that NDR is a generic 554 SMTP response. The thing that sucks about NDRs is that really getting a proper rejection notification is a courtesy on the receiver's behalf. If your connection is being rejected outright like it seems to be here (i.e. they aren't allowing you to connect to even attempt submission), then it may be unhappy with your:

- SPF record
- rDNS PTR
- the FQDN it's submitting when it says EHLO

For instance, if you're sending TPECI-SERVER.tpeci.local as the FQDN when you connect (EHLO TPECI-SERVER.tpeci.local), even if you have an SPF record set for your external domain it won't be able to do a proper query against TPECI-SERVER.tpeci.local, which is what it will try to do if that is what EHLO is providing it.

If you are on Exchange 2003 check the default SMTP Virtual Server (under Delivery / Advanced). If you are on 2007/2010 then run Get-SendConnector|fl name,fqdn and make sure it's returning something that matches your FROM: address. Big providers and govt mail servers are understandably draconian about this type of poo poo.

If everything checks out then either grab the SMTP protocol logs or try using SMTPDiag to see if there are more return codes / messages.

Blame Pyrrhus fucked around with this message at 19:18 on Jul 19, 2011
Posted: Jul 19, 2011 19:13
|
Thanks for the ideas. rDNS PTR and FQDN both match the MX record of mail.tpeci.com. I have no SPF record set; I will fix that now. If that doesn't help, I'll come back with SMTPDiag results.
|
Posted: Jul 19, 2011 20:49
|
JBark posted:
Well, it's a week later and I just did my first mailbox move using rich coexistence after days and days of nonstop setup. So far, so good. Everything works just like they say, and it's amazing to see free/busy syncing correctly between internal 2003 and Office 365. I've got mailboxes on 2003, 2010 and 365, and they all send/receive perfectly and single signon works everywhere. drat confusing when I actually sit down an map out the design, but it does work.

That is really great to hear, we're going to start our in-house to 365 migration Q4 now apparently. I'm just worried about some of the real dumb custom stuff and how well it'll migrate (things like rooms/resources with specified people who can reserve & permissions).
|
Posted: Jul 19, 2011 23:15
|
The Fool posted:
Thanks for the ideas,

SPF record is set, and propagated. SPF record passed tests at http://www.kitterman.com/spf/validate.html

Ran SMTPDiag, and my server passed all of the tests. We are still having problems with .gov and .mil e-mail addresses.
|
Posted: Jul 20, 2011 00:51
|
Are these actual messages or OOO replies that are getting rejected?

edit: never mind, I see you got it with a test message. I'm not sure what SMTPDiag does; can you walk through the SMTP dialog in telnet and see if there's any more information given there?

Mierdaan fucked around with this message at 01:11 on Jul 20, 2011
Posted: Jul 20, 2011 01:01
|
Mierdaan posted:
Are these actual messages or OOO replies that are getting rejected?

Actual e-mail messages are getting rejected.

Mierdaan posted:
I'm not sure what SMTPdiag does - can you walk through the smtp dialog in telnet and see if there's any more information given there?

Annoyingly, if I telnet mail4.blm.gov 25 from the server and send a test e-mail that way, it all appears to go through with no problems, and I have yet to receive an NDR from it. On the other hand, sending a test e-mail from Exchange, I still immediately get the same NDR.

The Fool fucked around with this message at 01:54 on Jul 20, 2011
Posted: Jul 20, 2011 01:10
|
Fool: I'm seeing "Generating server: TPECI-SERVER.tpeci.local" in that log you posted. How many users are having this issue? What is their default SMTP address sent to? Are they sending on behalf of another user or distro list? If so, check that account's default SMTP address. I can't be too much more helpful than that, but since SMTP is plaintext I've had good luck troubleshooting issues with a sniffer like Wireshark. I am pretty convinced Exchange is presenting the incorrect address, based on what it's saying in the return message.
|
Posted: Jul 20, 2011 07:11
|
The Fool posted:
SPF record is set, and propagated. SPF record passed tests at http://www.kitterman.com/spf/validate.html

If you add -v you get a pretty verbose response that will include anything you are likely to see in the raw logs. If it passes that, and still can't be submitted via Exchange then idk.

smtpdiag.exe "sender@domain.com" "receiver@domain.gov" -v

If you want, post the get-sendconnector|fl output?
|
Posted: Jul 20, 2011 18:05
|
Someone please refresh my memory here. If I feel like rebooting my Exchange server, what services do I want to stop before I actually reboot the machine? I vaguely remember my coworker mentioning something, but cannot think of it for the life of me. The Information Store service and the Transport service?
|
Posted: Jul 21, 2011 22:40
|
We use a shutdown script that does this automatically for Exchange 2003. From the script:

net stop MSExchangeES /y
net stop MSExchangeMGMT /y
net stop MSExchangeMTA /y
net stop MSExchangeIS /y
net stop MSExchangeSA /y
net stop WinHttpAutoProxySvc /y

I would think the Information Store would be most important, but it can't hurt to stop them all prior to a reboot.
|
Posted: Jul 21, 2011 23:12
|
Moey posted:
Someone please refresh my memory here. If I feel like rebooting my Exchange server. What services do I want to stop before I actually reboot the machine? I vaguely remember my coworker mentioning something, but cannot think of it for the life of me. The Information Store Service and the Transport Service?

You don't need to manually halt any, but in 2003 the information store can take a while to stop. For 2007/2010 just set a PowerShell script like:

get-service -displayname *exchange*|stop-service -force

Blame Pyrrhus fucked around with this message at 03:14 on Jul 22, 2011
Posted: Jul 22, 2011 01:59
|
The reason most people stop the services is because you don't know how long it will take to reboot otherwise. They should all stop successfully after some time, just be extremely patient with the shutdown prompt and process - never turn the box off manually. It can take 10+ minutes depending on what recently happened with the database and how much data it needs to commit/flush.
|
Posted: Jul 22, 2011 02:53
|
adaz posted:
That is really great to hear, we're going to start out inhouse to 365 migration Q4 now apparently. I'm just worried about some of the real dumb custom stuff and how well it'll migrate (things like rooms/resources with specified people who can reserve & permissions)

I just started testing the migration of shared mailboxes today, and it doesn't seem to keep the access/send as perms, but it did keep the shared attribute, which means you don't have to assign a license to it. Shouldn't have to assign a license to room/equip mailboxes either. I had to manually set the quota to 5GB (max for shared mailbox), and had to re-add the full access using the remote EMS.

And before people think "Well poo poo, why don't I just create shared mailboxes for everyone?", it won't work because each account accessing a shared mailbox must be licensed through 365 already. So make sure you do shared mailboxes last or assign a license to all users at the beginning.

Also, don't migrate a mailbox first, then try to change it to shared through the remote EMS. I hilariously borked the mailbox I was testing with, and basically had to completely remove the mailbox and start over. I think I might have even busted something on the cloud side, since I started getting lots of "mail store not responding" messages.
|
Posted: Jul 22, 2011 05:54
|
JBark posted:
I just started testing the migration of shared mailboxes today, and it doesn't seem to keep the access/send as perms, but it did keep the shared attribute, which means you don't have to assign a license to it. Shouldn't have to assign a license to room/equip mailboxes either. I had to manually set the quota to 5GB (max for shared mailbox), and had to re-add the full access using the remote EMS.

I had seen that the resources/shared mailboxes were "free" as long as they were being accessed by a licensed user, but the security permissions are interesting to hear. It sounds like you have yours set up the same way we do: a security group as full access owners of the mailbox, then add users to that security group. Having to reapply all that is going to suck, but it's all scriptable assuming the set-mailboxpermissions cmdlet and so forth is supported by 365. I really don't want to do the poo poo manually, we have like 300 some shared mailboxes and around 500+ resources.

adaz fucked around with this message at 06:30 on Jul 22, 2011
Posted: Jul 22, 2011 06:25
|
Right now I'm having a bitch of a time getting Outlook 2007 connecting to my new shiny 2010 CAS. Whenever I launch Outlook I get "Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your offline folder file." I mostly see recommendations on forums to delete the local mailbox folders, which I've done. I've deleted them, and then deleted the nodes from the registry that pertain to mail settings for me. I've tried on a different computer which I've never logged into before. Same problems. It's not the encryption option; I'm running Exchange 2010 SP1 (defaults to not requiring encryption) and I've tried with it disabled and enabled on the client side anyway. Fortunately I'm the only person on the new mailbox servers and OWA still works for me.
|
Posted: Jul 25, 2011 15:24
|
captkirk posted:
Right now I'm having a bitch of a time getting Outlook 2007 connecting to my new shiny 2010 CAS. Whenever I launch Outlook I get

Is your mailbox server 2010 or 2007? If you create an entirely new mailbox and connect to it, is it still borked?
|
Posted: Jul 25, 2011 16:25
|
Linux Nazi posted:
Is your mailbox server 2010 or 2007?

Mailbox server is a spanking new Exchange 2010 box. I get the errors when trying to access either my box or my test account's mailbox (test account created on the 2010 mailbox server, has never lived on any of the 2003 stuff) but both are accessible through OWA.
|
Posted: Jul 25, 2011 17:38
|
captkirk posted:
Mailbox server is a spanking new Exchange 2010 box. I get the errors when trying to access either my box or my test account's mail box (test account created on 2010 mailbox server, has never lived on any of the 2003 stuff) but bother are accessible through OWA.

Of course make sure that test-mapiconnectivity comes back clean, and then bump up the verbosity of the eventloglevel for some of the MSExchangeIS categories(?). It sounds like a MAPI issue, considering that OWA is able to operate the mailboxes fine, but the Outlook clients are not. Don't turn up a bunch of logging all at once, start with some of the general categories and go from there.

Also, since it's a new installation, maybe give the BPA a spin. It's good for making sure you didn't miss something like turning on the TCP port sharing service or whatever. You can also rule out the mailbox database configuration itself by taking a moment to create a new one and see if you see the same behavior.

Sorry I can't be more helpful, usually new installs are relatively problem-free.
|
Posted: Jul 25, 2011 18:55
|
Linux Nazi posted:
Of course make sure that test-mapiconnectivity comes back clean, and then bump up the verbosity of the eventloglevel for some of the MSExchangeIS catagories(?). It sounds like a MAPI issue, considering that OWA is able to operate the mailboxes fine, but the outlook clients are not. Don't turn up a bunch of logging all at once, start with some of the general categories and go from there.

Turned out the RPC Client Access service was turned off on the server clients kept auto-discovering. gently caress me, that was a stupid problem that consumed way too much of my time. It was also not detected by any of the BPA health things or the system health cmdlet; it wasn't until I went to turn all the Exchange services off on that server that I realized that one was off.

On a related note, how can I change which server is getting auto-discovered by clients? I need to figure out how we will fail over for our CASs since we only have two Exchange servers which are both multi-roled, and having a CAS array for the same servers that are part of a DAG isn't supported.
|
Posted: Jul 25, 2011 22:21
|
I'm having a really strange issue. I have a client running 2003 Exchange with about 15 clients. Last week they got new internet service, so I duly updated all the MX records and router stuff. Today I realized (due to spotty internet access) that I forgot to change the internet DNS on the DHCP. DHCP is on a SonicWall router. My normal preference is to simply use the router's IP for this, but I decided to keep things pretty much as they were on the original settings since this network is very badly set up and I have a long-term project to simplify all of this.

Anyhoo, all I did was remove the old ISP's DNS and change it to the new one on the DHCP today. As soon as I did it, 4 users couldn't connect to Exchange. This was after I refreshed everyone's IPs. All of the other users (the majority) are fine. I didn't change anything on the servers. The affected users can log into OWA with no problem, so it's not like they mysteriously lost Exchange accounts. All affected users have either Outlook 2007 or 2010. All of the working users have the same except a couple of 2003. In case it matters, the DNS in DHCP looks like this:

DNS 1: 192.168.1.12 (Primary DC)
DNS 2: 192.168.1.6 (BDC)
DNS 3: x.x.x.x (new ISP's DNS)

What the hell?
|
Posted: Jul 27, 2011 00:05
|
Tried ipconfig /flushdns and ipconfig /registerdns?
|
Posted: Jul 27, 2011 02:03
|
Mithra6 posted:
I'm having a really strange issue.

In an AD environment your internal clients should only be pointing to an internal DNS server. If your clients are getting an additional external DNS from the DHCP provider then all kinds of things (like authentication) are going to be unreliable and skewed. The DNS server on the internet isn't going to have things like any of your SRV records or _msdcs information in place, so clients are going to be blind to a lot of key information if they make the request to the wrong provider. Just have the internal DNS server either configured for root hints (should be default) or give it your ISP's DNS servers as forwarders.
|
Posted: Jul 27, 2011 02:04
|
Linux Nazi posted:
In an AD environment your internal clients should only be pointing to an internal DNS server, if your clients are getting an additional external DNS from the DHCP provider then all kinds of things (like authentication) are going to be unreliable and skewed.

Yep, messing with the DNS settings on the router did it. I swear this particular network is the most needlessly complicated network I've ever seen. It's almost as if they're configured for a multi-site enterprise, but there's only an office with 15 people. They even have some servers in two different remote locations. No one knows why they set it up that way. It sucks. I'm gradually simplifying all of this, but every time I take care of one tiny thing, 10 things break.
|
Posted: Jul 27, 2011 18:52
|
Mithra6 posted:
Yep messing with the DNS settings on the router did it.

Every time I pick up a rock there is a pile of poo poo underneath. Every time I pick up that pile of poo poo there is another pile of poo poo underneath.

[Edit: Oops, thought this was the "poo poo that pisses you off" thread. Oh well, it applies to my Exchange environment as well.]

Internet Explorer fucked around with this message at 20:45 on Jul 27, 2011
Posted: Jul 27, 2011 20:43
|
Linux Nazi posted:
If you add -v you get a pretty verbose response that will include anything you are likely to see in the raw logs. If it passes that, and still cant be submitted via exchange then idk.

I was working on another project for a while, but this is still an issue, so I'm revisiting it. I've tried contacting admins at a couple of the domains we're having problems with but haven't had any luck. (gently caress federal employees)

Here's the output from get-sendconnector|fl

code:
code:
|
Posted: Jul 28, 2011 18:07
|
It is odd that you are receiving the 554 response immediately after the DATA clause kicks in. This probably explains why you aren't seeing the response when you use telnet: you aren't submitting a MIME-encoded message when you type DATA and then hammer out a test message. Though I am honestly at a loss as to what the receiving end is so pissed off about, something about the message content.

I once had a similar issue where somebody had a Twitter link in their signature that was misspelled, but the link was not. So it ended up looking like a phishing link; they kept getting rejected right at the DATA clause as well. Do you have any default signatures or transport rules appending messages in any way?

Also your connector is completely typical. If you don't mind, show me your Get-RemoteDomain|fl output.
|
Posted: Jul 28, 2011 22:04
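The distinction Linux Nazi draws above (a hand-typed telnet session goes through, the real Exchange submission bounces with 554 only once the message body has been sent) is easiest to see with a probe that records the reply at every SMTP stage and pushes a genuine MIME message through DATA. The following is an added example, not code from any poster, from Exchange or from SMTPDiag. It talks to an in-process fake gateway whose policy is a constructed stand-in for whatever the real .gov/.mil filters do: it refuses a .local or non-FQDN HELO name (the EHLO point Blame Pyrrhus raised) and refuses at end of DATA when a link's visible host differs from its href (the misspelled-signature-link case above). The gateway name, the tpeci.com sender and the recipient address are assumptions; pointing probe() at a real host and port 25 yields the same kind of transcript from a live server.

```python
"""Stage-by-stage SMTP probe against an in-process fake receiving gateway.
Added example for this thread; the gateway's policy is a constructed stand-in
for real .gov/.mil filtering, and every host/address in here is made up."""
import re
import socket
import threading
from email import policy
from email.message import EmailMessage

# <a href="scheme://HOST/...">[scheme://]HOST...  (only fires when the link text looks like a host)
LINK_RE = re.compile(
    r'<a\s+href="https?://([^/"\s]+)[^"]*"[^>]*>\s*(?:https?://)?'
    r'([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)', re.IGNORECASE)


def looks_like_phish(body: str) -> bool:
    """True if an <a> shows one hostname but links to another."""
    return any(h.lower() != s.lower() for h, s in LINK_RE.findall(body))


def acceptable_helo(name: str) -> bool:
    """Strict receivers want a public FQDN, not an AD-internal .local name."""
    return "." in name and not name.lower().endswith(".local")


def _serve_one(conn):
    """Minimal receiving MTA for a single session (constructed policy)."""
    f = conn.makefile("rwb")
    f.write(b"220 gateway.example.gov ESMTP\r\n"); f.flush()
    for raw in iter(f.readline, b""):
        verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            reply = (b"250 gateway.example.gov\r\n" if acceptable_helo(arg.strip())
                     else b"550 5.7.1 HELO name must be a resolvable FQDN\r\n")
        elif verb in ("MAIL", "RCPT"):
            reply = b"250 2.1.0 OK\r\n"
        elif verb == "DATA":
            f.write(b"354 End data with <CR><LF>.<CR><LF>\r\n"); f.flush()
            chunks = []
            for line in iter(f.readline, b""):
                if line == b".\r\n":
                    break
                chunks.append(line)
            reply = (b"554 5.7.1 Rejected: link text does not match link target\r\n"
                     if looks_like_phish(b"".join(chunks).decode("latin-1"))
                     else b"250 2.0.0 Queued\r\n")
        elif verb == "QUIT":
            f.write(b"221 2.0.0 Bye\r\n"); f.flush()
            break
        else:
            reply = b"500 5.5.1 Command unrecognized\r\n"
        f.write(reply); f.flush()
    f.close(); conn.close()


class FakeGateway:
    """Context manager: serves one SMTP session on an ephemeral loopback port."""
    def __enter__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0)); self.sock.listen(1)
        self.thread = threading.Thread(target=self._run, daemon=True)
        self.thread.start()
        return self.sock.getsockname()

    def _run(self):
        conn, _ = self.sock.accept()
        _serve_one(conn)

    def __exit__(self, *exc):
        self.thread.join(timeout=5); self.sock.close()


def _reply(f):
    """Read one SMTP reply (multi-line replies are joined); return (code, text)."""
    lines = []
    while True:
        line = f.readline().decode("latin-1").rstrip("\r\n")
        if len(line) < 4:
            return 0, "connection closed"
        lines.append(line[4:])
        if line[3] != "-":
            return int(line[:3]), " ".join(lines)


def probe(host, port, helo_name, mail_from, rcpt_to, message: bytes):
    """Walk CONNECT/EHLO/MAIL/RCPT/DATA, record every reply, and stop at the
    first 4xx/5xx so the transcript shows *where* the receiver objected."""
    steps = [("EHLO", f"EHLO {helo_name}"), ("MAIL", f"MAIL FROM:<{mail_from}>"),
             ("RCPT", f"RCPT TO:<{rcpt_to}>"), ("DATA", "DATA")]
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        transcript.append(("CONNECT", *_reply(f)))
        for stage, cmd in steps:
            f.write(cmd.encode() + b"\r\n"); f.flush()
            code, text = _reply(f)
            transcript.append((stage, code, text))
            if code >= 400:
                break
            if stage == "DATA":   # now the real MIME message, dot-stuffed
                payload = message.rstrip(b"\r\n").replace(b"\r\n.", b"\r\n..")
                f.write(payload + b"\r\n.\r\n"); f.flush()
                transcript.append(("END-OF-DATA", *_reply(f)))
        f.write(b"QUIT\r\n"); f.flush(); f.close()
    return transcript


def build_message(html_body, mail_from="user@tpeci.com", rcpt_to="someone@example.gov"):
    """Build the multipart/alternative message an Outlook-style client really sends."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = mail_from, rcpt_to, "Delivery test"
    msg.set_content("Text part of the test message.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes(policy=policy.SMTP)      # CRLF line endings


def run_scenario(helo_name, html_body):
    """Push one constructed message through the fake gateway; return the transcript."""
    with FakeGateway() as (host, port):
        return probe(host, port, helo_name, "user@tpeci.com",
                     "someone@example.gov", build_message(html_body))


def rejected_at(transcript):
    """Stage of the first 4xx/5xx reply, or None if the message was accepted."""
    return next((stage for stage, code, _ in transcript if code >= 400), None)


if __name__ == "__main__":
    for helo, html in [
            ("TPECI-SERVER.tpeci.local", "<p>Hello</p>"),
            ("mail.tpeci.com", '<p><a href="https://twitter.com/tpeci">twiter.com/tpeci</a></p>'),
            ("mail.tpeci.com", '<p><a href="https://twitter.com/tpeci">twitter.com/tpeci</a></p>')]:
        t = run_scenario(helo, html)
        print(f"{helo:26} rejected at: {rejected_at(t) or 'nowhere':12} last reply: {t[-1]}")
```

Running it shows three different transcripts: the .local HELO is refused before MAIL FROM is ever sent, the message with the mismatched link is refused only after the full body has gone across (which is exactly why a telnet test with a one-line body never triggers it), and the clean message is queued. Against a real receiver, the stage at which the first 4xx/5xx appears tells you which of the checks discussed earlier in the thread (HELO/PTR/SPF versus message content) is worth chasing.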
|
For Exchange 2010 I know if you want automatic failover for your CAS you need to set up a CAS array, but how can you do manual failover? Our servers are multi-roled with a DAG so we can't do a CAS array, and I need to know how to fail over in the case one CAS dies.
|
Posted: Jul 28, 2011 22:53
|
The Fool posted:
Here's the output from get-sendconnector|fl

Alaska! May want to edit out your company info, up to you though.
|
Posted: Jul 28, 2011 23:45
|
Moey posted:
Alaska!

Not too worried about it, anyone that lives in this town would recognize my avatar.

Linux Nazi posted:
Do you have any default signatures or transport rules appending messages in any way?

No default signatures, no transport rules. This is literally a fresh install of SBS 2011.

Linux Nazi posted:
Also your connector is completely typical, if you don't mind show me your Get-RemoteDomain|fl output.

code:
|
Posted: Jul 29, 2011 00:13
|
Anyone have good recommendations for hosted Exchange companies? One of our clients wants to go that route rather than host it on-site (thank god). Just looking for some reliable vendors. Thanks!
|
Posted: Jul 29, 2011 00:18
|
In Exchange, how can I set it so that a user's mail from their old user name is sent to the new inbox? I would prefer to do this from Exchange rather than relying on users to set up forwarding.
|
Posted: Aug 1, 2011 18:22
|
trilljester posted:
Anyone have good recommendations for hosted Exchange companies? One of our clients wants to go that route rather than host it on-site (thank god). Just looking for some reliable vendors. Thanks!

Microsoft is the only one I have direct experience with, they have been pretty good so far.
|
Posted: Aug 1, 2011 18:28
|
Drumstick posted:
In exchange how can I set it so that a users mail from their old user name is sent to the new inbox? I would prefer to do this from exchange rather then relying on users to set up forwarding.

Does the old mailbox still exist? If not, you can set an e-mail alias pretty easily. What version of Exchange?
|
Posted: Aug 1, 2011 18:42
|
Exchange 2007. Honestly, I'm not sure. Helpdesk just wanted to know if it was possible. I believe the old mailbox does still exist. Our help desk usually takes care of creating and disabling mailboxes.
|
Posted: Aug 1, 2011 18:55
|
I'm working on replicating our public folders from the 2003 servers to the 2010 servers. My boss does not want to move them all over to 2010 yet, so I can't just use the Move All Replicas... button. Is there something in existence to do this or will I need to just add a replica to every folder by hand (or script it I suppose)?
|
Posted: Aug 3, 2011 16:12
|
captkirk posted:
I'm working on replicating our public folder from the 2003 servers to the 2010 servers. My boss does not want to move them all over to 2010 yet, so I can't just use the Move All Replicas... button. Is there something in existence to do this or will I need to just add a replica to every folder by hand (or script it I suppose)?

Add the Exchange 2010 server as a replication partner on the 2003 server (provided they can communicate via SMTP). Wait up to 24hrs (it shouldn't take this long, my largest public folder was like 5GB and took ~20mins) and then remove the 2003 server as a replication partner.
|
Posted: Aug 3, 2011 18:15
|
|
I'm getting some bouncebacks, and I think it's due to reverse DNS. DNS confuses me normally, but this particular case confuses me more. This only happens on a few recipients. Here's the actual error:

"You do not have permission to send to this recipient. For assistance, contact your system administrator. <office.apples.org #5.7.1 smtp;501 5.7.1 <jdoe@oranges.org>... Sender IP must resolve>"

I renamed the domains in the error of course. Apparently their original domain was "apples.org", but now it's "oranges.org". Both are on different hosts. Apples.org has no MX record according to the host. This was the case when I started, so nothing's changed. However there is a "(mail servername).apples.org" that has an A record pointing to the public IP of the mail server. Oranges.org also points to the public IP of the mail server. There are several MX records pointing to Postini and one pointing to a third domain (I'll call it "pears.org") on the first host (the same as apples). This also has an A record pointing to the public IP and a bunch of MX records going to Postini.

A few weeks ago we got a new internet provider, and the only thing I changed was the appropriate public IPs on the hosts and Postini. Their main e-mail domain is "oranges.org". If I check the reverse DNS on the main domain with MX toolbox, it resolves to Postini and "pears.org". What the heck am I missing? This looks like a maze to me.

edit: fixed a typo

Mithra6 fucked around with this message at 21:58 on Aug 3, 2011
Posted: Aug 3, 2011 21:54
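The "501 5.7.1 ... Sender IP must resolve" text in the bounce above is the receiving server saying that the IP the mail server connects from has no usable reverse DNS. That is the one record that lives at neither web host nor at Postini: the PTR for the new public IP belongs to the new ISP's address block and has to be requested from them, and stricter receivers also forward-confirm it (the name the PTR returns must resolve back to the same IP). The following is an added example, not code from the thread; it implements that forward-confirmed reverse DNS check with a swappable resolver so it runs offline, and the record tables in it are invented stand-ins for apples.org/oranges.org and the old and new ISP addresses. LiveResolver() swaps in the OS resolver to check a real IP from outside the LAN.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with a swappable resolver.
Added example for this thread, not a poster's code. The record tables below
are constructed to mirror the ISP change described above; every name and
address in them is invented."""
import ipaddress
import socket


class TableResolver:
    """Answers from in-memory tables, so the check runs offline."""
    def __init__(self, ptr, addr):
        self._ptr, self._addr = ptr, addr

    def ptr(self, ip):
        return list(self._ptr.get(ip, []))

    def addrs(self, name):
        return list(self._addr.get(name.lower().rstrip("."), []))


class LiveResolver:
    """Asks the OS resolver; use this to check a real server from outside."""
    def ptr(self, ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except (socket.herror, socket.gaierror):
            return []

    def addrs(self, name):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []


def check_sender(ip, helo_name, resolver):
    """Classify a sending IP the way a 'Sender IP must resolve' style check does:
    a PTR must exist, the PTR name must resolve back to the IP (forward
    confirmation), and ideally the HELO name matches the PTR name."""
    ipaddress.ip_address(ip)                       # reject garbage input early
    ptr_names = [n.rstrip(".").lower() for n in resolver.ptr(ip)]
    if not ptr_names:
        return "no-ptr", f"{ip} has no PTR; only the owner of the IP block (the ISP) can add one"
    for name in ptr_names:
        if ip in resolver.addrs(name):
            if helo_name.rstrip(".").lower() == name:
                return "ok", f"{ip} -> {name} -> {ip}; HELO matches"
            return "ok-helo-mismatch", f"{ip} -> {name} -> {ip}; but HELO says {helo_name}"
    return "ptr-not-confirmed", f"PTR name(s) {ptr_names} do not resolve back to {ip}"


# Constructed picture of the setup above, before and after the ISP change.
OLD_IP, NEW_IP = "198.51.100.10", "203.0.113.25"
BEFORE = TableResolver(
    ptr={OLD_IP: ["mail.oranges.org."]},
    addr={"mail.oranges.org": [OLD_IP], "mailserver.apples.org": [OLD_IP]})
AFTER = TableResolver(   # A records moved to the new IP; nobody asked the new ISP for a PTR
    ptr={OLD_IP: ["mail.oranges.org."]},
    addr={"mail.oranges.org": [NEW_IP], "mailserver.apples.org": [NEW_IP]})


if __name__ == "__main__":
    for label, ip, helo, r in [("before, correct HELO", OLD_IP, "mail.oranges.org", BEFORE),
                               ("before, HELO old name", OLD_IP, "mailserver.apples.org", BEFORE),
                               ("after, new IP", NEW_IP, "mail.oranges.org", AFTER),
                               ("after, stale PTR", OLD_IP, "mail.oranges.org", AFTER)]:
        print(f"{label:24}", *check_sender(ip, helo, r))
```

The four constructed cases are the ones worth telling apart when the bounce says the sender IP must resolve: everything consistent; a PTR that is fine but a HELO name still announcing the old domain; the new IP with no PTR at all (the likely state right after an ISP change, and the one only the ISP can fix); and the old IP whose PTR now names a host that has moved elsewhere, which passes a plain "has a PTR" test but fails forward confirmation.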