Exchange

You are currently browsing articles tagged Exchange.

A while ago, I discussed the use of Apache to protect OWA from web-based attacks.  That configuration placed an Apache HTTP server in front of a server running Microsoft Exchange Server 2003 to shield it from web-based attacks, offload SSL encryption, and enable name-based virtual hosts (so that several hostnames can share one public IP address, which is especially important for smaller organizations).  While this is a useful configuration, it is not without its drawbacks.

First, let’s review some of the advantages of this type of configuration:

  • You can use the open source mod_security module to protect OWA against a broad range of URL- and request-based attacks (how broad depends on the rule set you deploy).  Mod_security is an extremely powerful and useful module that can greatly increase protection against web-based attacks.  See the mod_security web site for more information.
  • Even without mod_security, deploying Apache in front of OWA can protect the OWA server against many IIS-specific attacks.
  • This configuration can be used in addition to IIS-specific protection such as URLScan.
  • You can terminate the SSL connection at the Apache server instead of on the OWA server, freeing up CPU resources on the OWA server for other tasks (this is especially useful in smaller Exchange deployments where the OWA server may also be a mailbox server).

Now, for some of the disadvantages of this type of configuration:

  • Apache lacks the intelligence of an Exchange server configured as a true front-end, and therefore cannot direct requests to multiple back-end mailbox servers.  An Exchange front-end server looks up the user’s mailbox server in Active Directory and forwards the request there; the Apache reverse proxy always directs requests to the same OWA server and has no way to determine which mailbox server the user is homed on.
  • Organizations with expertise in Microsoft products won’t necessarily see any real benefit from this due to the added overhead and learning curve of supporting Linux and Apache.  (Don’t snicker, this is a real concern for organizations.)

I’m sure there are other disadvantages as well.  Anyone care to comment and share their experiences?

While performing some testing and research at the office today, I found myself in need of a way to mass-create some Exchange mailboxes.  A very quick Google search revealed just the tool I needed to perform the task:  ExchMbx, a freeware utility by the same author as AdFind and AdMod.

The real power of ExchMbx is demonstrated when combined with Dsquery (a Microsoft-supplied command-line tool for pulling lists of objects from Active Directory) or AdFind.  In these examples I’m using AdFind because tools such as Dsquery don’t work on Windows 2000 (at least, not in my experience).

So, let’s say you wanted to mailbox-enable all the users in a particular OU.  With AdFind, you could enumerate all the users in an OU like this:

adfind -dsq -b "OU=Users,OU=Department,DC=example,DC=net"
-f "(objectclass=user)"

(Be sure to type commands like this on a single line, not broken across lines for appearance’s sake as shown here.)

This will produce a list of quoted DNs, similar to the output of Dsquery (hence the "-dsq" switch).  That output can then be fed to ExchMbx:

adfind -dsq -b "OU=Users,OU=Location,DC=example,DC=net"
-f "(objectclass=user)" | exchmbx -cr "SERVER1:First Storage Group:Mailbox Store (SERVER1)"

Here, the DN output from AdFind is piped to ExchMbx to create a mailbox on the database named “Mailbox Store (SERVER1)” in the First Storage Group on SERVER1.

Or, you could move the mailboxes of all the HR personnel to a new Exchange server or database:

adfind -dsq -b "OU=Users,OU=Location,DC=example,DC=net"
-f "(&(objectclass=user)(department=HR))" |
exchmbx -move "SERVER1:First Storage Group:Second Database"

To find which accounts don’t have an Exchange mailbox (perhaps you only created Exchange mailboxes for a subset of your users), this command will help you out:

adfind -dsq -b "ou=RTP,dc=legacyad,dc=net"
-f "(&(objectclass=user)(!(homeMDB=*)))"

You could then pipe this to ExchMbx again to create mailboxes, repeating the process until the AdFind command did not find any more accounts out there without mailboxes.
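The filters above are typed by hand, but as soon as a department name or a base DN comes from somewhere else (a spreadsheet, a help-desk ticket), the LDAP metacharacters in it can rewrite the query. As an added example (not code from the post, nor part of AdFind or ExchMbx), the following Python builds the same three filters with RFC 4515 escaping and hands them to AdFind as an argument list rather than a shell string. The helper names and the run_adfind wrapper are mine; run_adfind assumes adfind.exe is on the PATH and a domain controller is reachable, while the pure filter functions run anywhere.

```python
"""Build the LDAP filters from the AdFind/ExchMbx examples with RFC 4515 escaping."""
import re
import subprocess
from typing import List

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise a value such as 'HR)(objectclass=*' rewrites the whole filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _attr(name: str) -> str:
    """Attribute names are code, not data: refuse anything that is not one."""
    if not _ATTR_NAME.match(name):
        raise ValueError(f"not an LDAP attribute name: {name!r}")
    return name


def equals(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({_attr(attr)}={escape_value(value)})"


def present(attr: str) -> str:
    """(attr=*): a presence test, where the asterisk is deliberate."""
    return f"({_attr(attr)}=*)"


def negate(term: str) -> str:
    return f"(!{term})"


def all_of(*terms: str) -> str:
    return "(&" + "".join(terms) + ")"


def users_in_ou() -> str:
    """Filter from the first example: every user object under the base DN."""
    return equals("objectclass", "user")


def users_in_department(department: str) -> str:
    """Filter from the -move example, with the department name treated as data."""
    return all_of(users_in_ou(), equals("department", department))


def users_without_mailbox() -> str:
    """Filter from the last example: users whose homeMDB attribute is unset."""
    return all_of(users_in_ou(), negate(present("homeMDB")))


def adfind_argv(base_dn: str, ldap_filter: str) -> List[str]:
    """argv for the AdFind call used in the post (-dsq prints quoted DNs).
    Passing a list means the DN and filter never go through cmd.exe parsing."""
    return ["adfind", "-dsq", "-b", base_dn, "-f", ldap_filter]


def run_adfind(base_dn: str, ldap_filter: str) -> List[str]:
    """Run AdFind and return the quoted DNs it prints, one per line
    (requires adfind.exe on the PATH and a reachable domain controller)."""
    result = subprocess.run(adfind_argv(base_dn, ldap_filter),
                            capture_output=True, text=True, check=True)
    return [line for line in result.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    base = "OU=Users,OU=Location,DC=example,DC=net"  # base DN from the post
    print(users_in_department("HR"))
    print(users_without_mailbox())
    print(" ".join(adfind_argv(base, users_in_department("HR"))))
```

One thing the post's filters do not show: (objectclass=user) also matches computer objects in Active Directory, because computer is a subclass of user. (&(objectCategory=person)(objectClass=user)) is the usual way to limit a query to user accounts before piping the result into ExchMbx.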

Of course, there’s a lot more to ExchMbx than just creating and moving mailboxes; you can also mail-enable objects, hide or unhide objects from address lists, and set mailbox quotas.  All in all, a very handy tool!

May Security Vulnerabilities

Earlier this week, Microsoft released a couple of patches on its standard monthly schedule.  These patches are designed to plug a couple of critical security flaws, including what appears to be a very serious problem with Microsoft Exchange Server.

The two Windows flaws are not terribly serious, in my opinion.  One, MS06-020, is rated “Critical” and plugs a problem with the Flash player.  So, technically, this isn’t a problem with Windows but with Flash, and Adobe has released a security bulletin as well.  The second, MS06-018, fixes a flaw with the Distributed Transaction Coordinator (DTC).  This flaw can only cause a Denial of Service (DoS) condition and can be blocked at perimeter firewalls (but this, of course, won’t protect against internal threats).

Other related security advisories:
Secunia:  Microsoft Distributed Transaction Coordinator Two Vulnerabilities
Secunia:  Microsoft Windows Flash Player Code Execution Vulnerabilities

However, it is the Microsoft Exchange Server vulnerability, MS06-019, that is more troubling.  Remotely exploitable via anonymous connections (such as SMTP), this flaw is ripe for an automated worm.  What’s worse, typical perimeter firewall protections won’t help (the SMTP port is open by design) and no user intervention is required.  Simply getting spammed may be sufficient to affect your server!  This is one patch to get installed as quickly as possible (after appropriate testing has occurred, of course).

Read the Secunia advisory on the Exchange flaw here.

Also, a third party has uncovered an additional flaw in Windows that has not yet been patched.  This vulnerability affects compiled Help files (see more detailed information).  This one requires user intervention, so isn’t quite as likely to spread via a worm.

My New Job

I started work at ePlus Technology yesterday.  I had originally thought that my first day would be on March 13, but things got delayed until the 20th.  So far, things are going pretty well.

One of my first assignments is to get up to speed with VMware’s high-end products, ESX Server and VirtualCenter.  I’m signed up for a VMware class in May and hope to be getting some hands-on experience with the products in the next week or so.  Having already worked with GSX Server (soon to be replaced by VMware Server) fairly extensively, I don’t expect the learning curve for ESX Server to be too bad.  I have a feeling that most people getting into ESX Server for the first time probably aren’t command-line people; I, on the other hand, sometimes feel like I live at the command line.  I should feel pretty comfortable.  I’ve managed to dig up some good resources with the organization as well; that’s one key advantage of working for a larger company.

I knew that integration of my PowerBook onto their corporate network would be a challenge, and I was right.  I had spent a fair amount of time on my network making sure that everything was cross-platform, but not here.  I’m going to be working first on universal e-mail access, so that I can use IMAP both inside and outside (without having to establish a VPN first).  I haven’t quite worked out all the details yet, but I imagine it will involve the use of the Perdition IMAP proxy and some DNS cunning.  I also need to get LDAP queries from the Mac OS X Address Book working against the corporate Global Address Book, so that I don’t have to add a bunch of people manually to my address book.  Snerdware, whose Groupcal product I do use (even now) to push iCal data up into my Exchange calendar, also offers a product for helping with that (called AddressX), but I’d rather avoid having to purchase yet another license if at all possible.  (And yes, I know that the Address Book has an option to synchronize with Exchange.)  Unfortunately, all of these changes will have to be done on some sort of local scope; that’s one key disadvantage of working for a larger company.

All in all, I’m excited about the opportunities that are ahead of me, particularly with regards to learning some new products.  Stay tuned!

Outlook Web Access (OWA) is the web-based interface for accessing e-mail and other resources handled by Microsoft Exchange.  Unfortunately, OWA’s popularity also makes it the target of numerous worms and security exploits.  As a result, many organizations seek to deploy OWA behind a reverse proxy that can help shield OWA from web-based attacks and exploits.  In this posting, I’m going to share information to help build a reverse proxy using Apache 2.0.

Here’s a skeleton of an httpd.conf file to support Apache as a reverse proxy in front of OWA:

NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443
ProxyRequests Off

<VirtualHost 1.2.3.4:443>
ServerAdmin webmaster@domain.com
ServerName webmail.domain.com
DocumentRoot /var/www/webmail
RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On

SSLEngine On
SSLCertificateFile conf/webmail-ssl-cert.pem

<Location /exchange>
ProxyPass http://mail.domain.com/exchange
ProxyPassReverse http://mail.domain.com/exchange
SSLRequireSSL
</Location>

<Location /exchweb>
ProxyPass http://mail.domain.com/exchweb
ProxyPassReverse http://mail.domain.com/exchweb
SSLRequireSSL
</Location>

<Location /public>
ProxyPass http://mail.domain.com/public
ProxyPassReverse http://mail.domain.com/public
SSLRequireSSL
</Location>

</VirtualHost>

The key portions of this configuration are described below, along with some supporting information.

  • NameVirtualHost:  The NameVirtualHost directive enables Apache to use name-based virtual hosts on the specified IP addresses and ports.  The parameter to the NameVirtualHost directive must match one of the VirtualHost definitions, as shown in the sample configuration, or else the content will be served from the default virtual host (the first virtual host listed in the configuration).  One caveat for port 443: the SSL handshake, certificate included, completes before Apache ever sees the Host header, and Apache 2.0 has no SNI support, so every name-based SSL virtual host on the same address and port is presented with the first host’s certificate.  Name-based hosting on 443 therefore only works cleanly when the names share one certificate (a wildcard or multi-name certificate).  Note that if the Apache reverse proxy will not be using name-based virtual hosts (instead using IP address-based virtual hosts or running only a single server instance), then this directive is not required.
  • RequestHeader:  This directive instructs Apache to add a header “Front-End-Https: On” to requests sent to the internal OWA server.  This header is specific to OWA and tells it to build URLs with “https://” references instead of ordinary “http://” references.  It is required in order to terminate the SSL tunnel at the reverse proxy and use clear-text HTTP between the reverse proxy and the internal OWA server.  Because the directive uses set rather than add, any Front-End-Https header supplied by the client is replaced, so a client cannot control what the OWA server sees.  This directive requires the mod_headers module.
  • ProxyPreserveHost:  This directive configures Apache to pass the original host header, supplied by the client, to the server to which the request is being proxied.  (This is instead of the host name supplied in the ProxyPass directive.)  Again, this facilitates the construction of URLs with the correct hostname when accessing resources inside OWA.
  • SSLCertificateFile:  Apache expects the web server’s SSL certificate to be in PEM format.  If the certificate’s key is encrypted, Apache will prompt upon startup for the passphrase to the key (this prevents any form of automated startup).  It is considered a security best practice to keep the key in a separate file (using the SSLCertificateKeyFile directive) in encrypted form and supply the password upon the startup of Apache.
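As an added illustration (not code from the original post, and not Apache’s own code), the following Python models what the RequestHeader, ProxyPreserveHost and ProxyPassReverse directives do to one OWA request and its response under the sample configuration. The hostnames are the ones in the sample httpd.conf; the Host and Location handling follows the Apache documentation for those directives, and the function names are mine.

```python
"""Model of what RequestHeader set, ProxyPreserveHost and ProxyPassReverse in
the sample httpd.conf do to one OWA request and its response."""
from typing import List, Tuple

PUBLIC_ORIGIN = "https://webmail.domain.com"          # the sample ServerName, over SSL
BACKEND_ORIGIN = "http://mail.domain.com"             # the OWA server named in ProxyPass
PROXIED_PATHS = ("/exchange", "/exchweb", "/public")  # the three <Location> blocks
REVERSE_HEADERS = ("location", "content-location", "uri")  # what ProxyPassReverse rewrites

Header = Tuple[str, str]


def is_proxied(path: str) -> bool:
    """<Location /exchange> matches /exchange and /exchange/..., not /exchangefoo.
    Requests outside the three blocks are served from DocumentRoot, so the
    rest of the IIS URL space on the OWA server is never reachable."""
    return any(path == p or path.startswith(p + "/") for p in PROXIED_PATHS)


def backend_request_headers(client_headers: List[Header]) -> List[Header]:
    """Headers Apache forwards to OWA for a request that arrived over SSL.
    ProxyPreserveHost On: the client's Host header is passed through instead
    of being replaced with mail.domain.com.  RequestHeader set: whatever
    Front-End-Https value the client sent is dropped and exactly one 'On' is
    written, so the client cannot steer how OWA builds its links."""
    forwarded = [(name, value) for name, value in client_headers
                 if name.lower() != "front-end-https"]
    forwarded.append(("Front-End-Https", "On"))
    return forwarded


def rewrite_location(url: str) -> str:
    """ProxyPassReverse: a URL that starts with http://mail.domain.com/<proxied
    path> is rewritten to the public https:// URL.  Anything else, including
    an http:// URL that already names the public host, passes through unchanged."""
    for path in PROXIED_PATHS:
        backend_prefix = BACKEND_ORIGIN + path
        if url.lower().startswith(backend_prefix.lower()):
            return PUBLIC_ORIGIN + path + url[len(backend_prefix):]
    return url


def backend_response_headers(headers: List[Header]) -> List[Header]:
    """Apply rewrite_location to the headers ProxyPassReverse touches."""
    return [(name, rewrite_location(value) if name.lower() in REVERSE_HEADERS else value)
            for name, value in headers]


if __name__ == "__main__":
    print(backend_request_headers([("Host", "webmail.domain.com"),
                                   ("Front-End-Https", "Off")]))
    print(rewrite_location("http://mail.domain.com/exchange/jdoe/Inbox/"))
    print(rewrite_location("http://webmail.domain.com/exchange/"))
```

The second rewrite case is the one to watch in practice: ProxyPassReverse only touches URLs that name the back end under a proxied path. A redirect that already carries the public hostname over plain http:// is passed through as-is, which is why Front-End-Https is needed for the URLs OWA generates itself, and why it is worth checking the proxy’s responses (for example with the browser’s Location headers in view) for any http:// redirect that survives.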

With this configuration in place, the following benefits are realized:

  1. Name-based virtual hosts are supported. This allows other URLs to also be proxied through this same reverse proxy server.
  2. SSL encryption is offloaded from the Exchange server to the reverse proxy server. Traffic from the reverse proxy server itself to the Exchange server is standard, unencrypted HTTP, which carries the users’ credentials and mailbox contents in the clear; that hop must therefore stay on a trusted internal network segment.
  3. When used in conjunction with mod_security (another Apache module), OWA is protected against a large class of web-based attacks, subject to the rule set in use.

Using Apache to serve as a reverse proxy for OWA is a cost-effective way to add another layer of security to an Exchange-based messaging infrastructure.

Current Tech Projects

Every now and then, I like to post out here a list of my current “tech projects.”  These are the things that I’m working on for my own network, things that I may or may not start recommending to or supporting for customers.

Here’s my current list:

  • InterNetNews (INN):  I had an installation of INN up and running a short while back, but had to resort to an ugly hack with stunnel in order to make SSL work from a newsreader.  To get a clean build, I’ve decided I’ll just start from scratch with a clean installation.  I’ll be using CentOS 4.1 again as I work on transitioning all my Linux-based servers to a newer Linux distribution, and I’ll be compiling INN from source instead of using a package.
  • OpenBSD-based antispam gateway:  I’ve got an antispam gateway running right now (uses Red Hat Linux, Postfix 2.1, SpamAssassin, Postgrey, Razor, DCC, and ClamAV), but I want to try building one using OpenBSD 3.8 (just recently released) and newer builds of Postfix, SpamAssassin, and Amavisd-New.  In particular, I’m interested in the advanced integration of newer versions of Postfix and Amavisd-New.
  • XC Connect:  I’ve mentioned XC Connect before as well, but a previous installation proved to be unstable, and the Apache integration was less than stellar.  In fact, the integration was nonexistent.  I’m going to try a clean build of CentOS 4.1 and XC Connect to see if that will correct the stability and integration problems.

I also need to wrap up the documentation for a few completed items, such as the Cisco VPN integration with Active Directory.  Mac OS X integration with Active Directory is also on the “to do” list, but it will have to wait a little while—I’ll need to find another Mac to “experiment” with instead of using my own PowerBook.

As you may already know, I’ve been struggling with a bug in an environment running Exchange Server 2003 and Windows Server 2003 with SP1.  The bug is manifested as an error that appears when users with the properly delegated permissions attempt to add or modify an e-mail address on an already mail-enabled or mailbox-enabled object.  The error, listed as error ID c10308a2, contains text along the lines of being unable to determine if the Microsoft Exchange System Attendant service is running.

The underlying issue is a change that Windows Server 2003 SP1 makes to the security descriptor applied to the Service Control Manager.  The new descriptor no longer lets non-administrators connecting remotely query service status; hence the error message.

In trying to apply the fix suggested by Microsoft in KB905809 (the use of the SC.EXE command), the error was never resolved.  It turns out that the workstation I was using in the test environment was configured not to use the primary DNS suffix, but instead to use a predetermined DNS suffix search list.  This configuration resulted in the system’s AD domain name not being in the suffix search list.  As a result, even though the fix from Microsoft was applied, errors still occurred.

This morning I double-checked everything on the test servers as well as the test workstations, corrected the problem described above, and reset the environment to match the production environment.  Then, walking through the tests again, I confirmed that running the SC command to add permissions to the Authenticated Users group (see the KB article linked above for more details, then see this explanation of SDDL syntax) does indeed resolve the issue.

So, finally, we can put this issue to rest.  If you are running Exchange Server 2003 with Windows Server 2003 SP1 and finding that your non-administrative users can’t add or modify e-mail addresses using Active Directory Users & Computers, see KB905809 and run the SC command listed in there.
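Before running sc sdset against a production server it is worth being able to read what the SDDL string actually grants. As an added example (not from the post or from the KB article), the following Python decodes an scmanager security descriptor into its ACEs and names the SC_MANAGER_* rights each trustee ends up with. The two descriptors in it are constructed for illustration: one in the shape of the SP1 default, which gives Authenticated Users only CC (connect), and one in the shape of the fix, which gives them CCLCRPRC. Copy the exact string from KB905809, not from here. Everything else (function names, the simplified per-alias access check) is mine.

```python
"""Decode a Service Control Manager (scmanager) security descriptor written in SDDL."""
import re
from typing import Dict, List, NamedTuple

# Generic SDDL rights tokens -> access-mask bits.  On the SCM object the low
# six bits are the SC_MANAGER_* specific rights defined below.
RIGHT_BITS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
SC_MANAGER_CONNECT, SC_MANAGER_CREATE_SERVICE = 0x0001, 0x0002
SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_LOCK = 0x0004, 0x0008
SC_MANAGER_QUERY_LOCK_STATUS, SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0010, 0x0020
SC_MANAGER_ALL_ACCESS = 0x000F003F   # STANDARD_RIGHTS_REQUIRED | 0x3F, the same bits as KA
SCM_RIGHT_NAMES = {
    0x0001: "CONNECT", 0x0002: "CREATE_SERVICE", 0x0004: "ENUMERATE_SERVICE",
    0x0008: "LOCK", 0x0010: "QUERY_LOCK_STATUS", 0x0020: "MODIFY_BOOT_CONFIG",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
SID_ALIASES = {"AU": "Authenticated Users", "SY": "Local System", "BA": "Administrators",
               "WD": "Everyone", "IU": "Interactive Users", "SU": "Service Logon"}

# Constructed for illustration (assumption): the shape of the SP1 default, where
# Authenticated Users get only CC, and the shape of the KB fix, which grants
# CCLCRPRC.  Take the real string from KB905809.
SP1_STYLE_DEFAULT = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
                     "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
KB_STYLE_FIX = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
                "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")


class Ace(NamedTuple):
    ace_type: str   # A = access allowed, D = access denied, AU = audit
    flags: str      # inheritance/audit flags, e.g. "OIIOFA"
    rights: int     # access mask
    trustee: str    # alias such as AU, or a literal S-1-... SID


def _rights_mask(field: str) -> int:
    """Rights field: either a hex mask or a run of two-letter tokens."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS[field[i:i + 2]]
    return mask


def parse_sddl(sddl: str) -> Dict[str, List[Ace]]:
    """Return the DACL ('dacl') and SACL ('sacl') ACE lists of an SDDL string."""
    acls: Dict[str, List[Ace]] = {"dacl": [], "sacl": []}
    for marker, body in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        key = {"D": "dacl", "S": "sacl"}.get(marker)
        if key is None:          # O: owner and G: group carry a SID, no ACEs
            continue
        for ace_text in re.findall(r"\(([^)]*)\)", body):
            fields = ace_text.split(";")   # type;flags;rights;object;inherit;sid
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({ace_text})")
            acls[key].append(Ace(fields[0], fields[1], _rights_mask(fields[2]), fields[5]))
    return acls


def effective_rights(sddl: str, trustee: str) -> int:
    """Bits the DACL grants one trustee alias, with deny ACEs removed.
    Simplified: a real access check also folds in the caller's group SIDs."""
    allowed = denied = 0
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.trustee != trustee:
            continue
        if ace.ace_type == "A":
            allowed |= ace.rights
        elif ace.ace_type == "D":
            denied |= ace.rights
    return allowed & ~denied


def has_right(sddl: str, trustee: str, right: int) -> bool:
    return effective_rights(sddl, trustee) & right == right


def describe_dacl(sddl: str) -> List[str]:
    """Human-readable DACL lines naming the SC_MANAGER_* rights."""
    lines = []
    for ace in parse_sddl(sddl)["dacl"]:
        names = [n for bit, n in SCM_RIGHT_NAMES.items() if ace.rights & bit]
        lines.append(f"{ace.ace_type} {SID_ALIASES.get(ace.trustee, ace.trustee)}: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    for label, sddl in (("SP1-style default", SP1_STYLE_DEFAULT), ("KB-style fix", KB_STYLE_FIX)):
        print(label, "- AU can enumerate services:",
              has_right(sddl, "AU", SC_MANAGER_ENUMERATE_SERVICE))
        print("\n".join("  " + line for line in describe_dacl(sddl)))
```

Run sc sdshow scmanager on the server first and feed its output to describe_dacl, then compare it with the string you intend to set; the fix should add exactly the enumerate and query rights for Authenticated Users and nothing more (in particular, no CREATE_SERVICE), which is what the KB’s per-group grant achieves.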

Have You Seen Error ID c10308a2?

This is the next-to-last article in a series of postings about the problem described in this KB article.  In speaking with Microsoft earlier today, I learned that no hotfix will be produced for this, even though it is a confirmed bug.  As of this afternoon, the only known fix for the problem is using both methods outlined in the KB article.  I hope to confirm that for sure on Monday.

I’m also going to confirm on Monday whether membership in the local Administrators group (on the actual Exchange servers) will also fix the issue.

The next posting about this problem will be the last one regarding this issue.  Really.

Badmail and Exchange 2003

If you are planning an in-place upgrade of your server running Exchange 2000 to Exchange Server 2003, beware of the Badmail folder.  Apparently, during the Exchange Server 2003 setup process, the setup application tries to go back and stamp ACLs (access control lists) on all the objects in the installation directory.  This, by default, includes the Badmail directory.  If your Badmail directory contains lots of items (which, in an Exchange 2000 installation, it probably does), then this can cause the Setup process to appear to be hung.  Microsoft has published this KB article discussing the issue and the resolution.

Fortunately, in Exchange Server 2003 SP1, Microsoft has changed the behavior of Exchange to use the Badmail folder only if explicitly configured to do so (see this KB article).  No more monitoring the Badmail folder!

In addition, for those networks that have not yet deployed Exchange Server 2003 SP1, Microsoft has released the BadMailAdmin tool.  I’ve tested this, and it works as advertised.

Perdition Working Now

I finally managed to get Perdition working.  Still unable to confirm if Mac OS X’s Mail.app supports STARTTLS (my experience thus far says No), I had to resort to using Stunnel to wrap IMAP inside an SSL tunnel, then forward the IMAP traffic to Perdition on the same host.  The Perdition proxy then passes the traffic to the back-end mail server.  It’s not the solution that I really wanted, but it will do for now.  At least the Exchange Server 2003 IMAP server isn’t exposed directly to external networks.

On a slightly related note, the Slipstick Systems web site has a link to an IMAP proxy server that implements STARTTLS as a workaround for Exchange’s lack of native support for STARTTLS.  The IMAP proxy can be found at http://www.slipstick.com/files/imapproxysvc.zip.  So, if you have an IMAP4 client that supports STARTTLS and want to connect it to Exchange, you can use this IMAP proxy.  At least, until Microsoft puts STARTTLS support into Exchange directly.
