Monday, April 22, 2013

Reduce Spam Using Exchange 2008

OK, a little further into the 21st century we were gifted with Exchange 2007. Unfortunately the spammers don't care what we're running, nor how much better we might like it than Exchange 2003, so we start by visiting http://technet.microsoft.com/en-us/library/bb124696(v=exchg.80).aspx to get the info straight from Microsoft.

Well, that wasn't very helpful - first off I'm running Exchange 2008 without the Edge Transport role - don't ask me why, I didn't set it up, a subcontractor did, and he did a lot of things that might be questionable.  I'm not sure if this is even one of them, but I digress. . .

You can enable the anti-spam agents on the Hub Transport role by opening the Exchange Management Shell and running the install script (replace c:\ with whatever drive Exchange is installed on; the path contains spaces, so it must be quoted and invoked with the call operator):

& "c:\program files\microsoft\exchange server\scripts\install-antispamagents.ps1"

then restart your Exchange Transport with:

restart-service msexchangetransport

You may then open your Exchange Management Console, go under Organization Configuration, click Hub Transport, and find your Anti-Spam Tab.

For more details, see http://www.msexchange.org/articles-tutorials/exchange-server-2007/security-message-hygiene/exchange-server-2007-spam-filtering-features-without-using-exchange-server-2007-edge-server.html



Wednesday, March 27, 2013

Reduce Spam Using Exchange 2003

I understand that this may be six or seven years too late, but many old 2003 servers are still chugging along just fine.  The volume of junk mail, however, continues to increase, and that old server may be unhappy with the ever increasing volume of traffic.  I certainly know that your users aren't happy with it!

Microsoft has made an excellent toolset for reducing the spam sent through your Exchange 2003 server.  In a future article I will address similar measures for Exchange 2007 and 2010; Exchange 2003 just happens to be what I worked on today and noted the steps for tonight's blog entry.


  1. If you haven't already (I won't judge, I promise) download and install Exchange 2003 Service Pack 2.  I'll wait.  Don't know which one you're on?  On your server open the Exchange System Manager, go to Servers, then expand the fifth column; it will tell you there.
  2. Enable filtering based on free Real-Time Black Lists (free RBL?  Wow!) following the instructions at http://support.microsoft.com/kb/823866/en-us and using the following servers:

     Spamhaus    zen.spamhaus.org* (this one gives a return code, see http://www.spamhaus.org/zen/)
     SpamCop     bl.spamcop.net
     Surriel     psbt.surriel.com
     SORBS       dnsbl.sorbs.net

  3. Expand Global Settings, right-click Message Delivery, then select Properties.  Click the Recipient tab and make certain the "Filter Recipients who are not in the Directory" box is checked.  This prevents your server from accepting mail for unknown addresses and then bouncing non-delivery reports (backscatter) to senders; it places the burden of saying "sorry, no one here by that name" on the sender's e-mail server, where it belongs.
  4. Click the Intelligent Message Filter tab, change the Block SCL to 8 and set the action to "Reject".  After a few weeks of testing you can set this to "Block".  The difference is that "Reject" sends a non-delivery report back to the sender, allowing you to diagnose incorrect rejections, while "Block" silently drops the message.
     Set the store threshold (Move to Junk Mail) to 6.  Later on you may tweak these if too many legitimate messages are marked as spam or you are still receiving too much junk.
  5. Now you need to enable your new filters.  In the Exchange System Manager expand Servers, your server, Protocols, SMTP, then right-click the Default SMTP Virtual Server and select Properties.  Click the Advanced button on the first page, click Edit..., then select the boxes next to Apply Recipient Filter, Apply Connection Filter, and Apply Intelligent Message Filter.  Save these settings.
  6. Restart your Exchange Store Service (if you've come this far you probably know how...)

Now you should send some messages from the outside world to an internal user.  Use Gmail or Outlook.com or whatever you like.

Now that you're sending and receiving as before, you may not be able to tell whether this is really working.  To see metrics that reveal what's going on behind the scenes, use the Performance Monitor.

  1. Go to Start, Administrative Tools, and open Performance Monitor.
  2. Delete the default counters then add the following:
    SMTP Server -> Messages Delivered Total
    MS Exchange Transport Filter Sink -> Connections rejected by Block List Providers
    Intelligent Message Filter -> Total Messages Scanned for UCE
    Intelligent Message Filter -> Total Messages Assigned an SCL Rating of 0-9 (add all ten!)
  3. Click OK then change your report type to Histogram or Report.

After a few days you will notice a bar at the higher end of the Total Messages Assigned an SCL Rating counters that is taller than the rest (normally 7 or 8).  This should be the rating you set your Block SCL to; everything that receives that rating is typically junk, and the junk volume often exceeds the volume of legitimate messages.
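For comparison with the Exchange 2007 Hub Transport setup in the post above, the same settings can be applied from the Exchange Management Shell once the anti-spam agents are installed. This is an added example, not part of either original post: the provider display names are my own choice, the 127.0.0.2 test address is the conventional always-listed DNSBL test entry, and the thresholds mirror the Exchange 2003 steps above.

```powershell
# Added example: Exchange 2007 Management Shell equivalents of the
# Exchange 2003 settings above. Run on the Hub Transport server after
# install-AntispamAgents.ps1 and the transport service restart.

# Confirm the anti-spam agents are present and enabled.
Get-TransportAgent | Format-Table Name, Enabled -AutoSize

# Step 2 above: connection filtering against the same RBLs. Spamhaus ZEN
# answers with several 127.0.0.x codes, so match on any returned address.
Add-IPBlockListProvider -Name "Spamhaus ZEN" -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name "SpamCop"      -LookupDomain bl.spamcop.net   -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name "Surriel"      -LookupDomain psbt.surriel.com -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name "SORBS"        -LookupDomain dnsbl.sorbs.net  -AnyMatch $true -Enabled $true

# Check that each provider actually resolves: a working list reports the
# test address 127.0.0.2 as listed. A provider that never matches here is
# silently doing nothing for you.
Get-IPBlockListProvider | ForEach-Object {
    Test-IPBlockListProvider -Identity $_.Name -IPAddress 127.0.0.2
}

# Step 3 above: reject unknown recipients during the SMTP session instead
# of accepting the message and bouncing it later (no backscatter).
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Recipient validation tells a sender which addresses exist, so keep the
# receive connectors' tarpit delay in place to slow directory harvesting.
Get-ReceiveConnector | Format-Table Name, TarpitInterval -AutoSize

# Step 4 above: SCL 8 and higher gets an NDR ("Reject") while testing.
# Switching to -SCLDeleteEnabled $true -SCLDeleteThreshold 8 later is the
# silent "Block" behaviour.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8 -SCLDeleteEnabled $false

# Store threshold (Move to Junk Mail) of 6, set organization-wide.
Set-OrganizationConfig -SCLJunkThreshold 6

# The Performance Monitor step above, shell style: if agent logging is
# enabled, summarise the last day by agent and action to see which filter
# is doing the work.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Group-Object Agent, Action | Format-Table Count, Name -AutoSize
```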


Wednesday, December 05, 2012

Configuring Server 2008 to use the NTP Pool

Excellent article by Luka Manojlovic at http://luka.manojlovic.net/2011/06/24/windows-server-2008-2008-r2-ad-sync-with-external-ntp-server/ about configuring your Server 2008 to use the NTP Pool.  If you are in the US you may use us.pool.ntp.org.

Thanks, Luka!

Wednesday, October 31, 2012

pfSense: Remote Network Point to Point Link to VPN Over DSL Failover


The scenario: 

You have two locations, each with its own Internet connection, a dedicated point-to-point connection between the two, and a pfSense system performing all routing at each site.  You want the two sites to remain connected should the dedicated connection fail.

The solution:

Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.

Steps:

1.  Create an OpenVPN Server on the main pfSense and a Client setup on the remote pfSense (I used pre-shared keys).  DO NOT set a route option in the Advanced box as most instructions for configuring OpenVPN will suggest, nor should you have a static route to your remote network defined under System -> Routes.  Also note that IPsec cannot be used in this scenario as it doesn't create a new adapter that we can work with in the firewall rules and gateways.

2.  Check that the VPN comes up and connects via Status -> OpenVPN before proceeding.  If it does not, troubleshoot your Internet connectivity and OpenVPN settings.

3.  Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.

4.  On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to any destination under both OPT3 and OpenVPN.

5.  On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways, leaving the Gateway and other options blank.

6.  On both your local and remote pfSense create a new Group under System -> Routing -> Groups.  The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2.  My trigger level is set to Member Down.

7.  On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 6.

8.  Test: unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic, albeit through the VPN.

Friday, September 14, 2012

IPiphony and pfSense

Got this working on a single-WAN pfSense this past week, quick rundown of my pfSense settings:

NAT forward TCP/UDP ports 10,000-20,000 to the internal IP of the IPiphony, and NAT forward port 5060 to the same internal IP.

Go to Firewall -> NAT -> Outbound and set it to Manual Outbound Rule Generation.  Edit the "Auto created rule for LAN to WAN" and make certain the Static Port box is selected.  Save and reboot then feel the joy!

Anybody get this working with multiwan failover?  My failover works but we have to reset the state table or (easier for the end user) reboot the pfSense computer to bring the VOIP system back up.

Update 18-Sep-12

The system had been having issues with disconnects on forward and I'm not certain if they're with the VoIP provider, the PBX, or the pfSense firewall.  The vendor who is in charge of the PBX tested it with a Cisco firewall and found the behavior continued, but I'm still not certain as it's possible the Cisco device is subject to the same failure.

If the undesired behavior continues I will be running through the troubleshooting steps at http://doc.pfsense.org/index.php/VoIP_Configuration.

Tuesday, August 21, 2012

Windows 7 Kiosk Lockdown

Why oh why won't Microsoft make a Steady State for Windows 7?  Even when users don't have administrative access to a Windows 7 desktop there are still a multitude of ways to waste time or foul things up.  My biggest concern is time wasting - I've seen staff try their hand at ASCII art, figure out how to invoke supposedly hidden applications, and do anything but get their work done using the computer.

If you've been itching to make your Windows 7 computer into a system that may only perform just a few tasks consider Inteset Secure Lockdown V2 - it's not free, but it will more than pay for itself in reduced headaches and increased productivity!

Check it out at http://shop.inteset.com/Category/14-lock-down-windows-7-and-internet-explorer-for-kiosks.aspx

IT's Kris Haynes: Scan to Email - Exchange 2007

This one had stumped me for quite some time.  Even after reading numerous blogs and expert advice sites I couldn't make this work to my satisfaction - I could get it working internally but not externally.  Today I found IT's Kris Haynes: Scan to Email - Exchange 2007 - Thank you Kris, you rock!

Monday, August 20, 2012

HP LaserJet Printer Drivers for Windows 7 x64

64-bit Windows has finally come into its own and is the preferred platform versus 32-bit in most situations.  Unless you're using an old HP printer, in which case it becomes a potentially serious issue.  I've found that most of the Vista 64-bit drivers work just fine in Windows 7.

If you're using a network printer it becomes a bit trickier - the Host Based Printing Systems don't print across the network, so they're right out even though they are often available in a 64 bit edition.

HP Universal Printing often works, and often does not.  For example it wouldn't work with a network connected Color LaserJet 3600 Series.  Instead I used the Vista driver from http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=501046&prodTypeId=18972&prodSeriesId=501044&swLang=8&taskId=135&swEnvOID=2100.

Thursday, August 16, 2012

Setting Up pfSense 2.x with Multiple WAN Connections and Squid in Transparent Mode

Setting up pfSense with multiple WAN connections configured for failover is easy.  Setting one up in a pfSense that has Squid Proxy is not obvious - in fact, there is a lot of conflicting information.  Ultimately http://forum.pfsense.org/index.php/topic,38882.0.html provided the answers I was looking for.

Interesting Note 27-Aug-2012:  This configuration broke the ability of the package manager to check the repository and install packages, resulting in unpredictable behavior at best.  To compensate you must disable the Transparent Proxy and disable Allow Users on Interface, as well as disabling the new floating rule that enables Squid to function.

Now, if only I could figure out how to run two copies of Squid so that each interface gets its own - this would allow for easy separation of proxied traffic and enable the load balancing rules to be easier to apply.

Tuesday, May 08, 2012

IPCop 2.0 - Not As Dead As I Thought?

Oh yeah, IPCop 2.0 has been available for a while.  They have tailored it for the Small Office/Home Office space.  If you liked IPCop 1.4, you will likely love IPCop 2.0.