Windows Servers

December 10, 2006

CONTROLLING INBOUND SMTP MAIL 663 Configuring a Connection

Filed under: Exchange Server 2003 — webmaster @ 11:26 pm

Configuring a Connection Filter to Use a Block List

Configuring Exchange 2003 to use a block list is pretty simple. Display the Connection Filtering property page of the Message Delivery object, and then click the Add button. You will see a dialog box that allows you to specify a connection filtering rule.

In the Connection Filtering Rule dialog box, you must enter a name for the rule and the DNS suffix of the RBL provider. In this case, I'm using bl.spamcop.net. Alternatively, you can also configure a custom error message that is included in the frame that rejects the message. I like to do this in case the sender is a valid user; I include the web address for the provider so the administrator can find out how to get their IP address removed.

Clicking the Return Status Code button allows you to specify which types of servers you will reject. If the RBL provider you are using supports all of the return status codes in Table 16.2, you can specify which types of blocked hosts you want to block. The default is that any returned address is blocked. For example, if I wanted to block only known open relays, I would enter 127.0.0.4.

Inevitably, some IP addresses wind up on RBLs and don't really belong there. This was common with Exchange 5.5 because the Internet Mail Service was open for relay by default. Some RBLs are notoriously difficult to get off of once your IP address is on them. For this reason, the Connection Filtering property page (shown in Figure 16.12) allows you to specify a list of SMTP addresses from which you will always accept mail, even if they are found to be coming from an open relay. You can find these addresses in the Exception list.


December 9, 2006

660 CHAPTER 16 INTERNET CONNECTIVITY This server had

Filed under: Exchange Server 2003 — webmaster @ 6:26 am

I can also test to see whether an IP address is on a specific RBL using the NSLOOKUP command. For the 64.119.217.53 IP address, the result would look like this:

    C:\>nslookup -q=a 53.217.119.64.bl.spamcop.net
    Server: kalapana.volcanosurf.com
    Address: 192.168.254.10

    Name: 53.217.119.64.bl.spamcop.net
    Address: 127.0.0.2

Table 16.2: RBL Provider Status Code Examples

    Status Code                                     Explanation
    No response / Not found / Name does not exist   Host is not on this RBL
    127.0.0.2                                       Known source of spam or known open relay
    127.0.0.3                                       Known dial-up IP address or DHCP range
    127.0.0.4                                       Known source of spam
    127.0.0.5                                       Known smart host or multistage open relay
    127.0.0.6                                       Spam software developer or site that advertises using spam (see spamsites.org)
    127.0.0.7                                       List server that automatically opts in e-mail address without confirmation
    127.0.0.8                                       Systems with insecure CGI scripts or scripts that turn them into an open relay
    127.0.0.9                                       Open proxy servers

Learning More about Block Lists

Block lists have been around almost as long as spam. They have been met by e-mail administrators with a mixed range of emotions. Some administrators think block lists are gifts from the heavens; others think they are a form of terrorism. Most block list providers have been threatened with lawsuits numerous times.

A lot of RBL providers are on the Internet; most of them are free. They do accept donations, however. If you use their services, consider sending them some money so they can keep operating. The following is a list of some of the more popular RBLs:

    www.ordb.net
    www.spamcop.net
    cbl.abuseat.org
    www.mail-abuse.org
    www.spamhaus.org

You can find a list of some of the most common RBL providers and the features they support at www.email-policy.com/Spam-black-lists.htm.


660 CHAPTER 16 INTERNET CONNECTIVITY This server had

Filed under: Exchange Server 2003 — webmaster @ 6:26 am

If the host had been on the RBL, the response would look similar to this in the Answer section of the DNS response:

    DNS: Answer section: 53.217.119.64.bl.spamcop.net. of type Host Addr on class INET addr.
    DNS: Resource Name: 53.217.119.64.bl.spamcop.net.
    DNS: Resource Type = Host Address
    DNS: Resource Class = Internet address class
    DNS: Time To Live = 2048 (0x800)
    DNS: Resource Data Length = 4 (0x4)
    DNS: IP address = 127.0.0.2

WARNING: In Microsoft's implementation of block list lookups, if a sender's IP address is on the block list, the connection is rejected. Other implementations (such as some antispam systems) use the RBL lookup as one more thing that can increase the likelihood that a message is spam. Other implementations will tag the subject line or quarantine messages that are received from hosts on a block list.

This response is from SpamCop's RBL service (www.spamcop.net). Notice that the IP address reported for the host 53.217.119.64.bl.spamcop.net was 127.0.0.2. Figure 16.11 shows the relevant frames captured in Microsoft Network Monitor.

Figure 16.11 Capturing an SMTP session with an RBL lookup

Once the Exchange server realized that the inbound IP address was on an RBL, it rejected the inbound message and disconnected the session. The SMTP response looked like this:

    SMTP: Response =550 5.7.1 64.119.217.53 has been blocked by Spamcop RBL list

If you are curious about what this looked like in the SMTP protocol logs, my Exchange 2003 server issued a 550 command. Here is a conversation from the perspective of the SMTP protocol logs:

    15:29:32 64.119.217.53 bestdealsguy.com HELO - +bestdealsguy.com 250
    15:29:32 64.119.217.53 bestdealsguy.com MAIL - +FROM:+ 250
    15:29:32 64.119.217.53 bestdealsguy.com RCPT - +TO:+ 550
    15:29:32 64.119.217.53 bestdealsguy.com QUIT - bestdealsguy.com 240

The most common response is probably either "name does not exist" or 127.0.0.2, which means the requested host is on the RBL. Table 16.2 lists the possible status codes that the RBL server may return. Not all RBLs support anything other than 127.0.0.2; see www.email-policy.com/Spam-black-lists.htm for a list of some of the RBLs and the status returns they support. There is no Internet standard for return codes, and not all RBL providers use the exact list shown in Table 16.2. Check with the provider you plan to use to see which return codes they use.
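An added example, not part of the original text: a small Python check that reads protocol-log lines in the seven-column layout shown above and reports client IPs whose RCPT commands are almost all answered with 550. The sample lines, thresholds, and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the seven-column layout of the log excerpt above
# (time, client IP, HELO name, verb, "-", argument, status). All values invented.
SAMPLE_LOG = """\
#Fields: time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
15:29:32 203.0.113.25 mail.example.net HELO - +mail.example.net 250
15:29:32 203.0.113.25 mail.example.net MAIL - +FROM:+<a@example.net> 250
15:29:47 203.0.113.25 mail.example.net RCPT - +TO:+<adam@example.com> 550
15:30:02 203.0.113.25 mail.example.net RCPT - +TO:+<alice@example.com> 550
15:30:17 203.0.113.25 mail.example.net RCPT - +TO:+<andy@example.com> 550
15:30:32 203.0.113.25 mail.example.net RCPT - +TO:+<anna@example.com> 550
15:31:05 198.51.100.7 mx.example.org HELO - +mx.example.org 250
15:31:05 198.51.100.7 mx.example.org MAIL - +FROM:+<b@example.org> 250
15:31:06 198.51.100.7 mx.example.org RCPT - +TO:+<sales@example.com> 250
15:31:07 198.51.100.7 mx.example.org RCPT - +TO:+<typo@example.com> 550
truncated line without enough columns
"""


def parse_line(line):
    """Return (time, ip, verb, argument, status), or None for directive
    lines (starting with '#') and lines that do not fit the layout."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    try:
        when = datetime.strptime(parts[0], "%H:%M:%S")
    except ValueError:
        return None
    return when, parts[1], parts[3].upper(), parts[5], int(parts[6])


def rcpt_stats(log_text):
    """Per client IP: RCPT commands seen, how many drew a 550, and to whom."""
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "targets": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "RCPT":
            continue
        when, ip, _verb, arg, status = rec
        entry = stats[ip]
        entry["rcpt"] += 1
        if status == 550:
            entry["rejected"] += 1
            # "+TO:+<user@domain>" -> "user@domain"
            entry["targets"].add(arg.split(":+", 1)[-1].strip("<>").lower())
            entry["times"].append(when)
    return stats


def harvest_suspects(log_text, min_rejected=3, min_ratio=0.9):
    """Flag IPs with at least min_rejected 550s on RCPT and a reject ratio of
    min_ratio or more. The low default threshold suits the small sample only.
    Times carry no date, so a log that crosses midnight needs per-day files."""
    suspects = []
    for ip, entry in rcpt_stats(log_text).items():
        ratio = entry["rejected"] / entry["rcpt"]
        if entry["rejected"] >= min_rejected and ratio >= min_ratio:
            span = (max(entry["times"]) - min(entry["times"])).total_seconds()
            suspects.append({
                "ip": ip,
                "rejected": entry["rejected"],
                "distinct": len(entry["targets"]),
                "span_seconds": int(span),
            })
    return sorted(suspects, key=lambda row: -row["rejected"])


if __name__ == "__main__":
    for row in harvest_suspects(SAMPLE_LOG):
        print(row)
```

A sender that mistypes one address stays below both thresholds, while a source that walks through guessed recipient names is reported with the number of distinct targets and the time the attempts spanned.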


660 CHAPTER 16 INTERNET CONNECTIVITY This server had

Filed under: Exchange Server 2003 — webmaster @ 6:26 am

This server had the Filter Recipients Who Are Not in the Directory check box enabled, and thus for each of these recipients, the error code 550 was returned. You may notice that each of these attempts was set 15 seconds apart. This is because the SMTP server has an SMTP tar pit of 15 seconds defined. This slows the return of error codes. None of the recipients you see in this small listing (I took a very small part of the log) are, or have ever been, a valid recipient in this company's mail system. All in all, over a four-hour period of time, this IP address attempted nearly 1,000 invalid messages. Fortunately, the tar pit slows down the attempted delivery of these messages, and since recipient filtering is enabled, the messages never actually enter the mail server.

Connection Filtering

Connection filtering allows you to reject inbound IP addresses if the IP address is found on a block list. Block lists are also known as real-time block lists (RBL), real-time black hole lists, or just black hole lists; Microsoft refers to these as real-time block lists. As far as a true, built-in antispam feature for Exchange 2003, this is about as close as it gets.

My favorite RBL at the moment is the Spamhaus XBL and SBL combination (www.spamhaus.org), though I am always testing the performance of these block lists. I find that using the Spamhaus list with Open Relay Database (www.ordb.net) and SpamCop (www.spamcop.net) helps the RBL feature block about 50 to 70 percent of the spam I receive.

Not everyone has such a charitable attitude toward block lists. More than once I have seen discussions in newsgroups by frustrated administrators whose servers or entire IP subnets have been placed on an RBL through no fault of their own. In one case in particular, an entire subnet was placed on an RBL because the previous occupier of those IPs had open SMTP relays.

And, I have tested RBLs that ended up being too aggressive in how they add hosts to their lists. The SORBS list, for example, includes many dial-up and DHCP addresses on its list. Although these types of addresses are often the source of spam, many small businesses now use DHCP addresses for their mail servers (including my own home/test network). In my case, I have to relay all of my outbound mail through my cable modem provider in order for some large ISPs to accept the mail that I send.

WARNING: Yes, RBLs help me block more than 50 percent of the spam I receive. However, before you get up and start dancing on the tables, read the section later in this chapter called "Detection and False Positives." Microsoft's implementation of RBL features is not the most robust in the world, so the error logging and filtered message forwarding features are nonexistent.

Connection filtering checks one or more lists of open relays, dial-up addresses, and known spammers. These lists are usually implemented via DNS, and therefore they are easily queried via almost any type of SMTP host. When an inbound connection is established to the SMTP virtual server with a connection filter enabled, the virtual server does a DNS query for a hostname, but the query looks like a reverse lookup.

The RBL lookup is almost the same as a regular reverse lookup, except that the root domain is the name of your RBL provider rather than in-addr.arpa. For example, if the inbound IP address is 216.95.201.85, the query will be 85.201.95.216.bl.spamcop.net because I'm using the orbd.net RBL. The following is the captured query from Microsoft Network Monitor.

    DNS: 0x6C:Std Qry for 85.201.95.216.bl.spamcop.net. of type Host Addr on class INET addr.

If the IP address is OK, the response from the DNS looks like this:

    DNS: 0x6C:Std Qry Resp. Auth. NS is spamcop.net. of type SOA on class INET addr. : Name does not exist
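The lookup described above, written out as an added Python example (not code from the book or from Exchange): it builds the reversed-octet query name, applies an optional return-status-code filter, and produces the 550 reply. The function names, the constructed sample zone, and the choice to ignore answers outside 127.0.0.0/8 are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, NamedTuple, Optional

# Constructed stand-in for DNS so the example runs offline: query name -> A record.
# A name missing from the map models "Name does not exist" (host not listed).
SAMPLE_ZONE = {
    "53.217.119.64.bl.spamcop.net": "127.0.0.2",   # value from the nslookup output
    "7.113.0.203.bl.spamcop.net": "127.0.0.3",     # constructed entry
    "8.113.0.203.bl.spamcop.net": "203.0.113.80",  # constructed: answer outside 127/8
}

# Assumption of this example: only answers in 127.0.0.0/8 count as a listing,
# so a resolver that rewrites failed lookups cannot cause every sender to be blocked.
_LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


class Verdict(NamedTuple):
    blocked: bool
    query: str
    code: Optional[str]    # A record returned by the RBL, if any
    reply: Optional[str]   # SMTP reply sent when the connection is rejected


def rbl_query_name(ip: str, suffix: str) -> str:
    """Reverse the IPv4 octets and append the RBL provider's DNS suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + suffix.strip(".")


def live_lookup(name: str) -> Optional[str]:
    """Real resolver: the A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_connection(
    ip: str,
    suffix: str,
    rule_name: str,
    lookup: Callable[[str], Optional[str]] = live_lookup,
    block_codes: Optional[Iterable[str]] = None,
) -> Verdict:
    """Decide whether to reject a connecting IP.

    block_codes=None mirrors the default of blocking on any returned address;
    a set such as {"127.0.0.4"} limits blocking to those return status codes.
    """
    query = rbl_query_name(ip, suffix)
    code = lookup(query)
    listed = code is not None and ipaddress.IPv4Address(code) in _LISTING_RANGE
    if listed and (block_codes is None or code in set(block_codes)):
        reply = f"550 5.7.1 {ip} has been blocked by {rule_name}"
        return Verdict(True, query, code, reply)
    return Verdict(False, query, code, None)


if __name__ == "__main__":
    for sender in ("64.119.217.53", "216.95.201.85", "203.0.113.8"):
        print(check_connection(sender, "bl.spamcop.net", "Spamcop RBL list",
                               lookup=SAMPLE_ZONE.get))
```

Passing `lookup=SAMPLE_ZONE.get` keeps the run offline; leaving the default sends a real DNS query to the provider.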


December 8, 2006

218 CHAPTER 5 BEST PRACTICES AND DISASTER PREVENTION

Filed under: Exchange Server 2003 — webmaster @ 11:14 pm

Public Folders

For some organizations, the public folder feature is barely used, if used at all, while at other organizations it is an indispensable resource. Public folders are covered more thoroughly in Chapter 12, "Public Folders," but the following list contains some basic information on best practices for public folders:

- Ensure that you have at least two replicas of the organization forms libraries and each administrative group's Schedule+ Free Busy folders. Preferably, there should be a replica of these folders in each routing group.
- Enable deleted item recovery for each public folder store.
- Confirm that the Everyone group is not granted the Create Top Level Public Folder permissions at either the Exchange organization level or at the administrative groups.

Configure Message Tracking

There will come a time when you'll need to figure out where message delivery is failing. The best tool for that is the built-in message-tracking feature. This can be enabled for each server, or it can be enabled using an Exchange system policy. Figure 5.7 shows the properties of a server and the check box for enabling this feature. You can use the message tracking in the Exchange System Manager to track the path that a message took to be delivered within your organization.

You need to make sure you have sufficient disk space for the message-tracking logs. On busier servers, I have seen message tracking generate 50 to 100MB of message-tracking logs per day. For more information about message tracking, see Chapter 8, "Keeping an Eye on Exchange 2003 Usage." Consider also turning on subject logging so that you can view the subject of the message from the message tracking logs.

Figure 5.7 Enabling message tracking

Monitor Your Servers

Almost nothing is worse than getting a telephone call from an important user and having that user explain to you that something is not functioning in the e-mail system. It is especially bad if the problem is something you should have known about. I cover more details about the actual steps to set


218 CHAPTER 5 BEST PRACTICES AND DISASTER PREVENTION

Filed under: Exchange Server 2003 — webmaster @ 11:14 pm

one administrator tell me that he had someone who created folders and was storing things in the Deleted Items folder; the user's rationale was these were things he might want to get back.

To configure the server to empty the Deleted Items folders, you will need to configure a Mailbox Manager recipient policy. I am assuming in this text that you don't currently have a Mailbox Manager policy, so I'm not going to walk you through the steps to integrate a recipient policy into your existing Mailbox Manager policies. Create a new Mailbox Manager policy using the following steps:

1. Open the Exchange System Manager console, and click the Exchange organization to display the global properties and administrative groups.
2. Open the Recipients container and then open the Recipients Policies container.
3. Right-click on the Recipients Policies container, and choose New Recipient Policy.
4. Check the Mailbox Manager Setting box, and click OK.
5. Assign the policy a name, such as Default Mailbox Manager Settings.
6. Click the Modify button, and then click OK twice. (This defines the filter to automatically affect all mailboxes in the entire organization. You can refine the filter if this is not what you desire.)
7. Click the Mailbox Manager Settings (Policy) property page, and then clear all the folders in the folder list except for Deleted Items.
8. Highlight the Deleted Items folder in the folder list, click Edit, set the Age Limit to the number of days you want, clear the Message Size check box, and then click OK.

You should have Mailbox Manager Settings properties that look like Figure 5.6.

Figure 5.6 Mailbox Manager settings for emptying the Deleted Items folder of any messages older than 14 days

You have now defined the policy. This policy will affect all mailboxes in the organization; it will automatically delete any message in the Deleted Items folder that has been in that folder (and not modified) for more than 14 days.

The final step is to modify the properties of each Exchange server to indicate when the Mailbox Manager should actually run. I recommend running it during a time when the tape backup and online maintenance are not running; no more than once per day should be sufficient. More information is available about this process in Chapter 7, "Tweaking Operations."


218 CHAPTER 5 BEST PRACTICES AND DISASTER PREVENTION

Filed under: Exchange Server 2003 — webmaster @ 11:14 pm

Figure 5.5 Mailbox storage limits

TIP: By preventing any single mailbox from growing to gigabytes and gigabytes in size, you reduce the likelihood that you will run out of disk space on either the server's Exchange transaction log disk or the Exchange database disk.

Also configured on the Limits property page is the number of days to keep deleted mailboxes (Keep Deleted Mailbox For) and deleted messages (Keep Deleted Items For). I strongly recommend enabling these on all mailbox stores. At some point, this will save you from having to perform a tape restore when you are busy doing a million other things.

The Keep Deleted Items For option allows Outlook MAPI users to undelete messages that they have deleted. The only types of items that cannot be recovered are messages that were expired from a public folder because of age limits or deleted from a mailbox using the Mailbox Manager function.

TIP: Messages that have been deleted by POP3 clients or by using a hard delete (Shift+Delete), thereby bypassing the Deleted Items folder, can be recovered from the deleted item cache. See Microsoft Knowledge Base article 246153, "How to recover items that have been hard deleted in Outlook," for how to do this.

Automatically Purge Deleted Items

In some organizations, I have noted that users delete messages but then forget to empty their Deleted Items folder. This is an example of a situation where you can implement a technological solution to correct user behavior. Administrators can force users to empty their Deleted Items folders using Outlook options or by using the Outlook admin templates and a Group Policy Object. But I think the server-based solution is better.

First, you will need to decide how long items can remain in the Deleted Items folder. I think a good figure is between 7 and 14 days. Next, users need to be briefed, or this configuration option needs to be placed in the acceptable use policy or the service-level agreement. In the past, I have simply referred to this as a feature of the server that will automatically purge anything that is stored in that folder for longer than the specified number of days. After all, it is the Deleted Items folder. I did have


HOW DID WE DO THAT? THE CASE FOR

Filed under: Exchange Server 2003 — webmaster @ 7:24 am

useful to all administrators. EXCHDUMP.EXE has several command-line switches that will allow you to dump information about the Exchange server's HTTP, SMTP, RPC, routing group, recipient policies, or address list configuration, if you are looking for a specific piece of information.

NOTE: One third-party solution that you can use for documentation is Ecora's Enterprise Auditor Suite (www.ecora.com). This tool can be useful not only in documenting your Exchange organization (and other components on your network) but also in helping implement a change and configuration management control system.

Exchange 2003 Organization Best Practices

You can and should impose a number of Exchange configuration settings, restrictions, and limits to prevent your users from abusing the Exchange servers and your bandwidth. In addition, you should document all of these restrictions in an acceptable use policy so that the user community is aware of their existence.

Further, you can impose some configuration options and limits that may help to make maintaining servers easier. These limits may affect only a particular subset of your users or may affect the entire organization. And all of these limits can be overridden on a per-user account basis.

Establish Global Limits

If you have the Exchange Admin or Exchange Full Admin role at the Exchange organization level, then you have the necessary permissions to enable these restrictions. The limits I'm talking about are the global message sizes and maximum number of message restrictions. You can find these restrictions in the Exchange System Manager console by opening the Exchange organization container, then opening the Recipients container, and then clicking on the Global Settings container. Right-click the Message Delivery object, choose Properties, and then choose the Defaults property page (shown in Figure 5.4).

I Have That Written Down!

A couple of years ago, I sat through a disaster recovery drill that one of my larger corporate clients was performing. They had just done a complete changeover to Exchange 2000, and they wanted to test their knowledge of Exchange 2000 recovery. I was simply along for the ride as an observer rather than a participant.

This customer completely recovered an Exchange 2000 server (running on a Windows 2000 member server) in just more than three-and-a-half hours. This included rebuilding the operating system, the Exchange software, the antivirus software, a couple of custom Registry changes and restoring the SRS database, mailbox store, and public folder store. The most I did during that entire time was sit back, smile, and nod occasionally when the Exchange administrator turned to confirm something with me.

Personally, I think a three-and-a-half-hour recovery time (start to finish) for a server that supported several hundred users is rather remarkable. My hat is off to their Exchange administrator for being so well organized. What was the key to her success? Everything about the original installation was well documented. During the configuration of each server, she had kept meticulous notes of what was installed, what order it was installed in, the locations of files and directories, the configuration of the backup software, the service packs applied, and even the antivirus software configuration.


HOW DID WE DO THAT? THE CASE FOR

Filed under: Exchange Server 2003 — webmaster @ 7:24 am

Figure 5.4 Global message delivery defaults

In Figure 5.4, I configured the default maximum incoming (Receiving) and outgoing (Sending) message size to 5MB and the maximum number of recipients to 100. The maximum number of recipients will include the membership of any distribution lists to which the user addresses a message. If a mail-enabled group has more than 100 members, a user will not be able to send to that group unless they have specifically had their account's maximum recipient limit overridden.

Contrary to popular belief, the maximum incoming and outgoing message size limits cannot be overridden on a user-by-user basis; but the maximum recipient limit can be overridden on the Delivery Restrictions properties of a user account by clicking the Delivery Options button.

Establish Mailbox Limits

Are you looking for a surefire way to get your user community upset? Impose mail storage limits without informing them. I am a strong advocate of mail storage limits for a number of reasons; most notably, they help me to plan the amount of disk capacity required for each server and they require that the user manage the messages they deem worth keeping.

The tricky part is figuring out what a good set of mailbox limits are. I think a good starting point for most organizations is 50 to 75MB, but that is just me. If there is a business reason why users need more space than that in their mailbox, I'll be the first person in front of the CEO to ask for more money for larger disks and higher-capacity tape drives (after all, we have to be able to back up all that extra storage in a reasonable amount of time).

You can configure limits on the properties of each individual mailbox store (on the Limits property page) or by using an Exchange system policy. If you have more than a few mailbox stores that all need identical limits, you can save yourself a lot of time and ensure that the limits are applied consistently by using an Exchange system policy. Figure 5.5 shows the Limits property page. I have configured the storage limits as I typically recommend.

You should note a couple of important facts about these limits. First, if an Outlook MAPI client or Outlook Web Access client exceeds their Prohibit Send At limit, they will get a message stating that they have exceeded their mailbox limit and they must delete some items before they can reply to messages or send messages. If the client exceeds the Prohibit Send and Receive At limit, the mailbox will shut down and no longer accept new messages. For this reason, I set the Prohibit Send and Receive At limit to a relatively high limit.


HOW DID WE DO THAT? THE CASE FOR

Filed under: Exchange Server 2003 — webmaster @ 7:24 am

- Updates to your antivirus software that had to be applied separately from routine, automatic updates
- Updates and service packs for your tape backup software

Tools That Can Help

Doing thorough system documentation is a daunting task, but some tools are available to help. If you are interested in dumping the entire Exchange configuration into a text file, the LDIFDE.EXE utility can be of use. In this example, I'm dumping the entire Exchange container from the configuration partition of the Active Directory. This will include the Exchange configuration as well as the Active Directory Connector information. The organization name is volcanosurfboards.com, and I'm dumping this to a text file called E2K3.LDF.

    Ldifde -f e2k3.ldf -d "cn=Microsoft Exchange,cn=services,cn=configuration,dc=volcanosurfboards,dc=com"

Warning, though, this dumps everything out to the text file, and if you are not fairly adept at reading the configuration information in Active Directory, it will be nearly meaningless. However, in the event of a failure of your system, this information may be useful to a Microsoft Product Support Services engineer. In even a small organization, this file will exceed 3MB.

Another tool that is included with Exchange 2003 is the EXCHDUMP.EXE utility that is found in the c:\program files\exchsrvr\bin directory. EXCHDUMP.EXE is intended to dump specific pieces (or all) of your Exchange configuration information. If you want all the configuration for your server, at the command prompt type this:

    exchdump /all

This will create two files, Full_servername.txt and Summary_servername.htm. Both of these files will be more than 1MB for even a small Exchange organization and may not be immediately

Documenting Everything

On a fairly large Exchange 5.5 installation that I worked on, the administrator decided everything should be documented so that anything could be re-created in the event any component was lost or accidentally deleted. I spent a couple of days painstakingly creating templates in Word so we could just fill in the blanks for each Exchange 5.5 server. Naturally, the configuration information varied somewhat from one component to another, so no single table could be used easily for all components. I finally managed to create a reasonably comprehensive configuration document.

The Exchange administrator looked at it and decided it was too much work to fill out those tables for each Exchange server and that the Word document was not visual enough. His solution: we created documents full of screen captures. While I was a little frustrated about the time I had spent creating my Word templates, his solution worked just as well as mine. And his solution made it a little easier to visualize what settings needed to be configured for each server and component.

The point is: find something that works for you; just make sure you are getting things documented.

