Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black hole" technology -- meaning that the algorithms and heuristics it uses for scoring are not published by Microsoft, which makes it more difficult for spammers to craft messages that score lower and pass the filter. The Exchange server downloads new heuristics from Microsoft periodically.

Exchange 2003 SP2 introduced the Internet Message Filter (IMF) to score emails with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score emails (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.


Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only the filter to begin with. You may have to adjust your filter up or down for your specific environment, but this will give you an excellent starting point.
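
The same reading of the counters can be done from a PowerShell prompt once you have noted the ten values from perfmon. This is an added example, not part of the original post; the function name, the `MinMessages` guard and every sample value except the SCL 8 count of 270 are assumptions, and it needs Windows PowerShell 3.0 or later.

```powershell
# Constructed sample: cumulative "Messages with SCL n" counter values, index = SCL.
# Only the SCL 8 value (270) is from the post; the other nine are invented.
$sample = 40, 12, 9, 15, 11, 22, 18, 25, 270, 96

function Get-SclTrend {
    param(
        [long[]]$Counts,          # ten values, for SCL 0 through 9
        [int]$MinMessages = 100   # hypothetical floor: below this, no trend is reported
    )

    $total = ($Counts | Measure-Object -Sum).Sum
    # The counters reset to zero on restart, so refuse to guess from too little data.
    if ($total -lt $MinMessages) {
        throw "Only $total messages scored so far; wait for the trend to appear."
    }

    $below = 0       # messages scored lower than the SCL being examined
    $spike = $null   # first SCL whose count exceeds all lower SCLs combined
    $rows  = @()

    for ($scl = 0; $scl -lt $Counts.Length; $scl++) {
        if ($null -eq $spike -and $scl -gt 0 -and $Counts[$scl] -gt $below) {
            $spike = $scl
        }
        $rows += [pscustomobject]@{
            SCL          = $scl
            Messages     = $Counts[$scl]
            PctOfTotal   = [math]::Round(100 * $Counts[$scl] / $total, 1)
            # Share of scored mail with an SCL higher than this row's SCL
            PctAboveThis = [math]::Round(100 * ($total - $below - $Counts[$scl]) / $total, 1)
        }
        $below += $Counts[$scl]
    }

    $filterAbove = $null
    if ($null -ne $spike) { $filterAbove = $spike - 1 }

    [pscustomobject]@{ SpikeAt = $spike; FilterAbove = $filterAbove; Table = $rows }
}

$result = Get-SclTrend -Counts $sample
$result.Table | Format-Table -AutoSize
if ($null -ne $result.SpikeAt) {
    "Spike at SCL {0}: start by filtering messages with an SCL higher than {1}." -f `
        $result.SpikeAt, $result.FilterAbove
} else {
    "No single SCL outweighs the levels below it yet; keep collecting."
}
```

The `PctAboveThis` column shows how much mail each candidate level would act on, which helps when you later adjust the filter up or down.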

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server 2007. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.


Subscribe to The EXPTA {blog} by Email

Monday, April 7, 2008

Getting Exchange 2007 to work with SBC Yahoo DSL


Update: Beginning yesterday, November 14, 2008, the smtpauth.sbcglobal.net email relay servers began NDRing emails sent from AT&T customers. Again, this information was not passed on to its customers.

I've updated the instructions below to use the smtp.att.yahoo.com servers, which are now accepting authenticated connections.


First, let me say that SBC Yahoo is less than helpful with any assistance in configuring Exchange (any version) to work with their SMTP gateways. Really, I can't blame them too much, because of the potential for their systems to be hammered with large quantities of email from businesses using a "home" level of service.

In any event, here's how to configure Exchange 2007 with Edge services to send email through SBC Yahoo's email servers.



Configure the outbound Send Connector

  • Logon to the server hosting the Hub Transport role

  • Open the Exchange Management Console (EMC)

  • Expand Microsoft Exchange\Organization Configuration\Hub Transport

  • Click the Send Connectors tab

  • Double-click your outbound SMTP connector to open its properties. Mine is named "EdgeSync - expta to the Internet"

  • Click the Network tab

  • Select "Route email through the following smart hosts" and click the Add button

  • Select "Fully qualified domain name (FQDN)" and enter smtp.att.yahoo.com as the smart host. Click OK
  • Select Basic Authentication (do not check Basic Authentication over TLS)

  • Enter your SBC username (e.g., username@pacbell.net) and SBC password. Click OK


Configure the Edge server to use port 587

  • Yes, yes, I know that SBC's documentation says SSL port 469, but trust me, it's 587...

  • On the Hub Transport server, open the Exchange Management Shell (EMS)

  • Type Get-SendConnector and make note of the name of the send connector you just configured. Again, mine is "EdgeSync - expta to the Internet"

  • Type Set-SendConnector "EdgeSync - expta to the Internet" -port 587 to change the port. Obviously, change the name in quotes to the name of your Send Connector.

  • Type Start-EdgeSynchronization to force a sync with the Edge server


Force the Send Connector to Retry

  • Open EMC on the Edge server and click Toolbox

  • Double-click Queue Viewer

  • On the Queues tab, select the outbound SMTP queue and click the Retry action
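
The three sections above can also be done entirely from the Exchange Management Shell, followed by a check of what was actually set. This is an added example, not the author's script; the connector name and smart host are the ones used in the post, and the last query is an addition for reviewing which connectors authenticate to a smart host without TLS.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
$name = "EdgeSync - expta to the Internet"   # connector name from the post; use your own

# Prompt for the ISP credential rather than embedding it in a script file.
$cred = Get-Credential

# Same settings as the EMC steps: route via smart host, Basic Authentication, port 587.
Set-SendConnector -Identity $name `
    -DNSRoutingEnabled $false `
    -SmartHosts "smtp.att.yahoo.com" `
    -SmartHostAuthMechanism BasicAuth `
    -AuthenticationCredential $cred `
    -Port 587

# Push the change to the Edge server.
Start-EdgeSynchronization

# Confirm what the connector now looks like.
Get-SendConnector -Identity $name |
    Format-List Name, DNSRoutingEnabled, SmartHosts, Port, SmartHostAuthMechanism

# Review: every connector that sends a Basic Authentication credential to a smart
# host. With this mechanism the username and password are only base64-encoded, so
# they are readable on the wire unless the session is otherwise protected.
Get-SendConnector |
    Where-Object { $_.SmartHostAuthMechanism -eq "BasicAuth" } |
    Select-Object Name, SmartHosts, Port

# On the Edge server, the Queue Viewer "Retry" action corresponds to:
#   Retry-Queue -Filter { Status -eq "Retry" }
```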


Notes: TLS is not the same thing as SSL. TLS creates a secure connection between servers, while SSL creates a secure connection between a client and a server. TLS is capable of reverting back to SSL 3.0 if TLS doesn't work, but this is not an RFC requirement. At the time of this writing, Microsoft's implementation of TLS does not revert to SSL.

You should also register your external email address with SBC Yahoo's email system. This will ensure that email from your external account won't be NDR'd back to you when you send it. See http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html


Thursday, March 27, 2008

How to Change the Outgoing SMTP Port in Exchange 2007

By default, Exchange Server 2007 uses port 25 to send SMTP email using Send Connectors. On occasion you may be required to configure an Exchange Send Connector to use a different port. For example, TCP port 465 is commonly used for SMTP over SSL. The port is not exposed through the Exchange Management Console (EMC); it must be configured from the Exchange Management Shell (EMS).

To get a list of the Send Connector names configured in your organization, run:
Get-SendConnector

Here's the one-liner that configures a Send Connector to use port 465:
Set-SendConnector "Your SMTP Send Connector" -Port 465
If you're using a Microsoft Edge server, you will need to configure this from any server that is not running the Edge role. You will also need to wait for an EdgeSync operation or force it manually:
Start-EdgeSynchronization
No services need to be restarted for this change to go into effect.


Tuesday, March 11, 2008

Windows Server 2008 Upgrade Complete

In a previous post I mentioned that I was going to upgrade my network to Windows Server 2008. Well, I've completed the upgrade and it ROCKS!


I now have a single W2K8 Enterprise server running Hyper-V RC0. This server hosts two guests, one x86 domain controller and one x64 Exchange 2007 server running Forefront Security for Exchange Server. The host server is running this blog as well as Exchange 2007 Edge services. The performance is outstanding! Much better than my old x64 Windows 2003 host running VMware.

The Exchange Team posted a great article, Speeding up installation of Exchange Server 2007 SP1 Prerequisites on Windows Server 2008. It offers XML files that configure the Windows Server 2008 prerequisites for Exchange 2007 SP1. While it wasn't that difficult to install everything manually, it would have saved some time for me if I had this before my upgrade.

Last night I completed the upgrade and decommissioned the old W2K3 DC, Exchange and Edge servers.

Please let me know if you have any issues with the blog. The migration went very smoothly and I don't anticipate any problems.


Wednesday, March 5, 2008

How to Add SMTP Verb Commands to ISA Server 2006

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:

  • PIPELINING

  • DSN

  • ENHANCEDSTATUSCODES

  • STARTTLS

  • X-ANONYMOUSTLS

  • AUTH

  • X-EXPS NTLM

  • 8BITMIME

  • BINARYMIME

  • CHUNKING

  • XEXCH50

  • SIZE

All the verbs have an empty maximum length except for possibly SIZE. That should be set to the maximum message size allowed in your org in bytes (for example, 10485760 for 10MB).


Tuesday, February 26, 2008

Top Ten Reasons to Move to Exchange 2007

Here are some key features and technologies Exchange Server 2007 provides that make a good business case for its use:
  • Fault Tolerance -- Exchange 2007 offers several forms of fault tolerance, right out of the box:

    • Local Continuous Cluster (LCR) maintains a continuously updated copy of the active mailbox database on a different LUN to provide immediate failover capability if the active database becomes corrupt. The second copy is activated manually by the administrator.

    • Cluster Continuous Replication (CCR) is a local cluster model where each node maintains its own database and replication is performed using log shipping. In the event of failure of a service, the cluster services immediately fail over to the passive node and continue servicing client requests, minimizing client downtime. CCR clusters can be stretched over distance, providing geographically dispersed clusters.

    • Standby Continuous Replication (SCR) is similar to CCR, but the failover node resides in a different geographic location. It utilizes log shipping for replication and the Hub Transport servers "fill in the blanks" for messages that may not have replicated since the time the active node went offline.


  • Disaster Recovery -- Outlook 2003 and Outlook 2007, along with the fault tolerance technologies listed above, provide a quick and easy disaster recovery strategy for nearly any outage. Outlook Exchange cached mode is another key technology for making disaster recovery as seamless as possible.


  • Mailbox Server Consolidation -- As a 64-bit messaging platform, Exchange 2007 is able to accommodate much larger mailboxes and mailstore databases than ever before. This allows you to greatly consolidate the number of mailbox servers needed to support the same number of users.


  • Exchange Edge Server -- Edge Server for Exchange is a non-domain server that acts as the SMTP gateway between the Internet and SCIF's internal network. It replaces both the current SMTP gateway and Interscan servers, saving both hardware and software costs. It provides anti-spam and anti-virus services for the organization. EdgeSync is a process that synchronizes the email addresses in AD and the user Junk Mail safe lists/block lists with the Edge server to reduce spam at the network edge.


  • Better Integration with Outlook -- Suspected spam that is not blocked by the Edge server is delivered to Outlook's built-in Junk E-mail folder. Users can choose to block or allow emails from users or domains directly from Outlook without the need for third-party software.


  • Forefront Security for Exchange -- Forefront antivirus is included with the Exchange 2007 Enterprise CAL. Forefront allows you to choose up to five different antivirus engines (from a collection of nine) that all emails are scanned against. This provides more defense in depth than previously possible.


  • Corporate Managed Folders -- Managed folders allow administrators to configure common corporate folders, each with a specific retention period, that display in users' Outlook and OWA. For example, a folder named Legal may have a seven year retention policy. Any items in this folder older than 7 years will automatically be purged to maintain the company's corporate retention policy.


  • Improved Outlook Web Access -- Outlook Web Access (OWA) has been improved to provide much better performance and usability. The Private computer security setting now allows you to stay logged in for up to 24 hours. Calendaring and scheduling have been greatly improved. OWA now provides the ability to open another user's mailbox (assuming you have the appropriate rights to do so). Public Folders now open in the same OWA window. Searching for an email item takes only seconds, no matter how large the mailbox is.


  • Remote Access to Network Shares -- OWA provides the ability to "translate" UNCs to internal network shares. For example, if you click a link for //hofs01/share/CIOMeeting.ppt, OWA will fetch the document from the internal network (assuming you have rights to the document) and deliver it to you in OWA. You can also open a Windows SharePoint Services or file share by typing the address of the share to open directly in OWA.


  • WebReady Document Viewing -- WebReady Document Viewing renders common document types for you to view within OWA, even if the application is not installed on that computer. For example, if you want to view an Excel attachment from a machine that does not have Excel installed, click the "View as web page" link next to the attachment. Exchange 2007 will convert the spreadsheet to a web page for you to review.





Thursday, November 29, 2007

Installation Notes for Exchange 2007 SP1 RTM

In an earlier post I documented my installation notes for installing Exchange 2007 Service Pack 1 RC1. Now that Exchange 2007 SP1 has been released, I'm including my notes from installing the RTM version.

A recommended prerequisite is to ensure that .NET Framework 2.0 SP1 is installed. Check my previous article to determine which SP version is installed.


Upgrade the Edge Server First

  • First, you must disable Forefront for Exchange according to KB929080. When I followed this, the Microsoft Exchange Transport and FSCController services could not be stopped. I used Task Manager to end task the MSExchangeTransport and FSCController *32 processes.

  • Run the following command to disable Forefront:
"C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\fscutility" /disable

Install SP1

  • Proceed with the installation of SP1. Here were my times:

    Upgrade
  • Preparing Setup - 00:12
  • Removing Exchange Files - 01:33
  • Preparing Files - 00:01
  • Copy Exchange Files - 01:27
  • Edge Transport Server Role - 09:31
  • Management Tools - 00:30
  • Finalizing Setup - 00:15
  • Elapsed time: 13:32
  • Download and install Microsoft Forefront Security for Exchange Server with Service Pack 1. Be aware that this requires a restart at end of setup.

  • Restart the Edge Server

  • Stop all Microsoft Exchange services

  • Run the following command to enable Forefront again:

"C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\fscutility" /enable

    • Ensure that the Forefront services are set to Manual startup (FSCController, FSCMonitor, FSCStatisticsService, FDEMailPickup, and FSEIMC)

    • Start the FSCController service (all other Forefront services will start)

    • Start all Microsoft Exchange services and test mailflow

    Upgrade Mailbox/HT/CAS Server (in my case, these roles are all on the same server)

    • Proceed with the SP1 upgrade. Times were as follows:
  • Organization Preparation - 01:05
  • Preparing Setup - 01:37
  • Remove Exchange Files - 05:18
  • Preparing Files - 00:02
  • Copy Exchange Files - 05:32
  • Hub Transport Role - 11:53
  • Client Access Role - 03:27
  • Mailbox Role - 06:21
  • Management Tools - 00:46
  • Finalizing Setup - 02:05
  • Elapsed time: 38:12
    • Check that all services are started and test mailflow again
    • Restart all servers because I'm anal and test again.

    Hope your SP1 upgrade goes as smoothly as mine!




    Wednesday, October 3, 2007

    Installing Exchange 2007 SP1: Notes from the field


    NOTE: These upgrade notes are for Exchange SP1 Beta 2. Many readers have found this useful in their RTM upgrades. Also please see my latest post that discusses the installation of SP1 RTM. - Jeff

    The following are my notes for installing Exchange Server 2007 Service Pack 1 Beta 2. As with most beta software, upgrades may not go as smoothly as they will in the final product. I came across some problems and solutions, which I'll share with you and will hopefully make your upgrade smoother.

    I'm not going into a lot of detail on each of these steps, so if you want more info please post your question and I'll do my best to answer.

    My setup is a single x64 dual-core host with 4GB RAM. It functions as my Microsoft Exchange 2007 Edge server and runs VMware Workstation 6.01. It runs two VMs, one Windows Server 2003 SP2 x64 Domain Controller and one Exchange 2007 x64 Hub Transport, CAS, Mailbox server running E2K7 Update 4. The Edge server is running Microsoft Forefront Security for Exchange RTM.

    The Exchange 2007 SP1 release notes say to update your Edge, Hub Transport and CAS servers before your mailbox servers. They also say that Forefront Security for Exchange RTM is incompatible with Exchange 2007 SP1. You have to use Microsoft Forefront Security for Exchange Server with Service Pack 1 Beta 2 (FSES SP1 Beta 2). You can download it here.

    Note: I was told by Microsoft, "Exchange SP1 Beta 2 requires FSES SP1 Beta 2 (installed before you install the Exchange Service Pack 1 Beta 2)."

    So, without further ado, here are my upgrade notes:



    BEFORE BEGINNING
    • Took snapshots of DC and EX01 VMs

    • Make a backup of host/Edge server


    EDGE SERVER

    • Install Forefront SP1 Beta 2

    • Follow http://support.microsoft.com/?kbid=929080 to disable Forefront before installing Exchange 2007 SP1

    • Restart and stop all Exchange services, except ADAM

    • Install. Be patient. Configuring common transport policies took 10 minutes by itself.

    • Install completed successfully

    • Re-enabled Forefront as per KB929080, above

    • Restarted the server, checked event logs, tested email inbound/outbound successfully


    HUB TRANSPORT/CAS/MAILBOX SERVER

    • Begin installation

    • Installation failed about halfway through

    • Tried to run again, but got the error, "This installation is forbidden by system policy." Solved using the Local Security Settings tip from Tim Chad at the bottom of this page

    • Restarted installation, but got the error, "The Exchange files are not installed, but the backup settings registry key is present. Only build to build upgrade mode is available."

    • Ran Setup.com /mode:upgrade from the command line to perform an unattended upgrade setup

    • Got the following output:

    Welcome to Microsoft Exchange Server 2007 Unattended Setup

    Preparing Exchange Setup

    The following server roles will be upgraded
    Hub Transport Role
    Client Access Role
    Mailbox Role

    Performing Microsoft Exchange Server Prerequisite Check

    Hub Transport Role Checks ......................... FAILED
    Setup cannot continue with upgrade because 'C:\Program Files\Microsoft\Exchange Server\bin\ExchHelp.chm' is open. Close the file and restart setup.

    Client Access Role Checks ......................... FAILED
    Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.

    The World Wide Web (W3SVC) service is either disabled or not installed on this computer. You must exit Setup, install the required component, then restart the Setup process.

    Setup cannot continue with upgrade because 'C:\Program Files\Microsoft\Exchange Server\bin\ExchHelp.chm' is open. Close the file and restart setup.

    Mailbox Role Checks ......................... FAILED
    Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.

    The World Wide Web (W3SVC) service is either disabled or not installed on this computer. You must exit Setup, install the required component, then restart the Setup process.

    Setup cannot continue with upgrade because 'C:\Program Files\Microsoft\Exchange Server\bin\ExchHelp.chm' is open. Close the file and restart setup.

    The Exchange Server setup operation did not complete.
    Visit http://support.microsoft.com and enter the Error ID to find more
    information.

    Exchange Server setup encountered an error.

    • Set the World Wide Web Publishing Service, IIS Admin Service, and HTTP SSL service to automatic and started (they were disabled)

    • Copy file ExchHelp.chm from \setup\serverroles\common of the setup media into the \Program Files\Microsoft\Exchange Server\Bin directory

    • Re-run Setup.com /mode:upgrade

    • Success! Restart all servers. Test OWA and Outlook inbound/outbound successfully


    Good luck with your own upgrade. Now to test the new SP1 features!


    Sunday, September 9, 2007

    Don't put SharePoint Services 3.0 on an Exchange Edge Server

    Bad things happen and both products won't work. Just don't do it.
