Some thoughts about applications sending SMTP messages to Exchange

Most organizations have applications that need to send mail, either to internal recipients or to have a SMTP server to relay there mail destined for external recipients.

Common configuration is that they figure out the server IP address where the application runs on and then enter the IP on the allow relay list on Exchange 2003 virtual server, if then run Exchange 2007 they often are a little bit puzzled until someone shows them MSExchangeteam 'Allowing application servers to relay off Exchange Server 2007'.

Why do I think this is bad?
First, most applications don't need the relay permission, admins often think so but the truth is that they don't need it.
Servers are not static, IP changes, name changes both on the application side and the Exchange side. If the server get infected with something bad, it is not just the application running on the server that are allowed to relay but everything running on the server since its the IP that are allowed to relay.
Remember this: IP restrictions are not authentication.
Have seen applications that are hardcoded to connect to a specific IP or names meaning that either IP or name can be changed on the Exchange server.
Resolution is of course to have applications easy to reconfigure with destination SMTP server’s name.

Another problem is when there is some kind of anti spam software running on Exchange. This will often make the applications mail end up being classified as spam and make Exchange admins trying to configure the anti spam software to white list some mail. Sometimes this cant be done and sometimes it can making admin workload bigger than before.
Resolution here is to educate developers in SMTP. They often doa good job of building applications but are very often bad at SMTP. They find a free SMTP engine on Internet and they stick it in there applications and in the end they manage to send a SMTP mail but it is often bad formatted in various way making the anti spam software react and classify it as spam.
Resolution here is of course knowledge about SMTP.

Back to the relaying part of sending mail. One very good solution here is to have the submitting application to authenticate SMTP session. By sending authenticated SMTP mail to Exchange, it will get the permission to relay, it will most likely bypass antispam software depending of software of course. It will also make the application easier to move to another server without reconfigure Exchange. Another thing with authentication and SMTP is that if I authenticate as ‘application 1’ I am only allowed to use ‘application 1’ email address, I cannot use another SMTP sender address..

My recommendations to developers, building applications sending SMTP mail.
* Use a good SMTP engine that do work. Have encountered one that didn’t like the tarpit time you can configure in Exchange 2003 and are default activated on Exchange 2007. This engine simply could not work with tarpit.
* Use authentication when submitting mail. NTLM is of course better than Basic, but if using basic authentication, use it over TLS.
* Ability to easy change SMTP configurations such as server name, sender and receiver SMTP address, TCP port etc.
* Have redundant SMTP server configuration. The SMTP server that you’re using may not be up and running. If mail are critical, consider having some queue functionality in the application that can try to resend mail. One queue functionality would be to use the local windows SMTP service, but this will only work if application run on Windows boxes and the local SMTP service is working.
* Use only valid sender and destination SMTP addresses. If there is NDRs, they should go back to an existing mailbox that someone can monitor and act upon.

There are of course recommendations to Administrators as well.
* Clearly communicate to developers what the rules are for submitting SMTP mail to Exchange. No hardcoded configuration, no anonymous submission etc.
* Add a good name for your SMTP servers, such as ‘smtp.ADdomainname’ for developers to use instead of giving them the real servername or IP. With a standardized name across all applications you can make them use another server when there is need. If you internal Active Directory name is company.local your smtp server name would be SMTP.company.local
* Set up internal MX records for the AD name space. Same advantage as above.
* If you have multiple HUB server, Load balance TCP port 587 across those servers and make applications use SMTP submission port 587 (this is the client receive connector that are default created on Exchange 2007)  instead of the default 25. Don’t load balance port 25 since it will break functionality in Exchange such as authentication.
* Be very careful of what mail you let through to internet, maybe you should block applications to send to Internet on connectors to maintain your good name on Internet. Companies have ended up on various blacklists because developers have built bad SMTP mail or have a buggy application that spray mail across Internet.

There are probably many more options/alternative/thoughts around this, but these are just some that regularly pops up.

Exchange Server 2003 support shift

For you that still use Exchange 2003, Heads up!!

Exchange 2003 is now moved from Mainstream to Extended support on April 14, 2009.
http://support.microsoft.com/lifecycle/Default.aspx?p1=1773

What does this mean? Exchange 2003 is still supported for another 5 years.
Difference between Mainstream and Extended support can be found here http://support.microsoft.com/gp/lifepolicy

• Non-security hotfix support
• No-charge incident support
• Warranty claims
• Design changes and feature requests

As you can see there is not that much difference, but this is clear signal from Microsoft that Exchange 2003 life is coming to an end. This might be good time to start planning the upgrade to Exchange 2007 or Exchange 2010.

One way of still having full support is to purchase Extended Hotfix support.

Important to say is that you still have support when running Exchange 2003 as long as you pay for your incidents.

Exchange monitoring tools

Ever wanted to know what users doing to your Exchange server? If you're a serious admin you should want to know.
Most common is to use performance monitor to monitor all kinds of statistics and how much pressure there is on your Exchange server. You can for sure see how many users and how much load they generate on your server, this is all good but you cannot see what individual users are doing to your server which is really nice in case you need to troubleshoot for example performance issues.
Luckily there exists tools out there that monitoring MAPI clients in real time (well almost anyway) and the best thing is that they are free of charge.

Microsoft has one tool called "Microsoft Exchange Server User Monitor" or ExMon for short.
It has been around for a couple of years. It can monitor Exchange 2000 and Exchange 2003 and in the latest version even Exchange 2007.
Read more about the tool on Technet http://technet.microsoft.com/en-us/library/bb508855.aspx and the download link is http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9a49c22e-e0c7-4b7c-acef-729d48af7bc9

Unfortunate there seems to be something wrong with the download and you will not get the latest version that works with Exchange 2007, but I can only guess that this little glitch will be corrected shortly.

Recently I came across an almost identical tool "ExInsight for Microsoft Exchange".

You can read more about it and download it from http://www.bitrunes.com/

Both tools has there advanteges so there is no number one, they simply have different featue sets.

Exchange Server Remote Connectivity Analyzer

Have you ever needed to do some testing of your Exchange server from Internet?
Well here is a site that can do some pretty valuable tests of your server.

Exchange Server Remote Connectivity Analyzer https://www.testexchangeconnectivity.com/

Be carefull with the account and password that you submit, they should only be test account and should be deleted afterwards for best security.

Grant permission to change permission on mailboxes

To change mailbox permission on an Exchange 2003 mailboxes you must have the Exchange Full Administrator right. In many organizations there is just a few people that have this right, but the need to change mailbox permission is quite big, often the need is to give Full mailbox access to a user on a mailbox that is unmonitored.

And there we have a conflict, do we trust helpdesk or a novice Exchange administrator to have the Full Exchange Administrator permission? probably not. So what can be done?

Luckily there is a way to grant the permission to change permission on mailboxes without being the big Exchange administrator, sort of.

Use Exchange Management Console, drill down to a mailbox database, right click and click properties and select the security tab, add the helpdesk group and select Allow only Change Permission and Administer Information Store.
Change Permission will inherit down to mailboxes. The helpdesk group must also have Active Directory permission to manage user account. This is done with normal AD delegation.
Unfortunately helpdesk group must also have Administer Information Store permission to get what we want. With this right they can also dismount and mount that database.

Two links that help you understand things better.
http://support.microsoft.com/kb/329236
http://technet.microsoft.com/en-us/library/bb124053.aspx

This is not the ideal solution, but if there is a need for setting mailbox permission without being Full Exchange Administrator, this solution can help.

Exchange 2003 and 2007 security patch

Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) http://www.microsoft.com/technet/security/bulletin/MS08-039.mspx and http://support.microsoft.com/kb/953747

Exchange 2003 statistics with Logparser

Often when I try to get some information about customers current Exchange 2003 system they don’t have a clue how much mail going through the system, other question that is unanswered is size of mail, when is mail delivered. Gathering this type of information is important since it can generate numbers to use as input when sizing your upcoming Exchange 2007 servers.

Activate Message tracking:
In these examples I use Exchange Message Tracking log files to run Logparser against. Other sources of information can be the SMTP protocol log files, but this is another story.
Most Exchange admins have activated Message Tracking but if you don’t, start Exchange System Manager and drill down to the Server object, right click on it and select properties. Select the checkbox “Enable message tracking”. This activation is per server basis and if you have multiple servers it’s a good idea to activate it on all servers. It can be done with System server policy or by manually doing it on all servers. When activated; log files will be created in C:\Program Files\Exchsrvr\.log\ if you have installed Exchange in the default location.

Message tracking format:
When mail is sent in an Exchange server it goes through several steps before it actually arrives at the recipient inbox. Which steps involved also depends on where the message originates from and where it’s sent to. Each event write a line in the message tracking log file and therefore every mail is logged several times with different Event-ID in the file. See Microsoft KB article 821905 for Message tracking event IDs in Exchange Server 2003. As stated in the KB article there is no single event that is logged a single time for each mail but the closest match is Event-ID 1019. Event-ID’s is important depending on what information you want to get from log files.

Logparser:
What is Logparser? It’s a very nice command line tool for parsing log files. Most log files are in some kind of text format such as CSV, W3C but it can also be eventlog and netmon trace files.
Start by download and install logparser from http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&DisplayLang=en. If you want results to be displayed as graphs you also need Office web components http://www.microsoft.com/downloads/details.aspx?FamilyID=7287252C-402E-4F72-97A5-E0FD290D4B76&displaylang=en. They only exists for office 2003 but can be used even if you run office 2007. Logparser is also available as a COM object so it can be used from scripts you write. http://msexchangeteam.com/files/12/attachments/entry445704.aspx
You don’t need to install logparser on your Exchange server, simplest is to run it from your PC as long as you have access to the log files.

Running logparser:
Start by copy those message tracking log files you want to examine from your Exchange server to a local directory on your PC. If you open a log file it will be opened with notepad which not do a great job of formatting it, my suggestion is to use wordpad if you want to open and read message tracking log files manually.
Other important factors are from which server is log files copied, you would get different result if using log files from a mailbox server or from a server acting as a hub, also consider the Event-ID used when parsing log files.

A common request is getting the number of email per day.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date as Day,Count(*) as email from *.log where Event-ID = 1019 Group By Day" -i:W3C

Output will look like
Day email
--------- -----
2008-2-29 22869
2008-3-1 8479
2008-3-2 7234
2008-3-3 24290
2008-3-4 25504
2008-3-5 25020
2008-3-6 25096
2008-3-7 23806
2008-3-8 16864
2008-3-9 12754
2008-3-10 26683
2008-3-11 47088
2008-3-12 26132
2008-3-13 28605

What happens is that each logfile in the current directory is examined for rows where ‘Event-ID = 1019’. The Date field is read and summed and then the output is grouped to get number of hits per day. In this example I have logfiles ranging from 29 Feb to 13 of Mar.

You can also output the result to jpg file
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date as Day,Count(*) as email Into chart.jpg from *.log where Event-ID = 1019 Group By Day" -i:W3C -o:Chart -Charttype:Line -Charttitle:"Number of emails per day" -View:on





or to a little more fancy 3D graph
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date as Day,Count(*) as email Into chart.jpg From *.log where Event-ID = 1019 Group By Day" -i:W3C -o:Chart -Charttype:Column3D -Charttitle:"Number of emails per day" -View:on

There are many different chart types available. If you run ‘logparser.exe –h –o:Chart’ you get a list of what charttype’s is available.
Line,LineMarkers, LineStacked,LineStackedMarkers, LineStacked100,LineStacked100Markers, Line3D,LineOverlapped3D, LineStacked3D,LineStacked1003D, SmoothLine,SmoothLineMarkers, SmoothLineStacked, SmoothLineStackedMarkers,SmoothLineStacked100, SmoothLineStacked100Markers, BarClustered,BarStacked, BarStacked100, Bar3D,BarClustered3D, BarStacked3D,BarStacked1003D, ColumnClustered,ColumnStacked, ColumnStacked100,Column3D, ColumnClustered3D,ColumnStacked3D, ColumnStacked1003D,Pie, PieExploded, PieStacked, Pie3D,PieExploded3D, ScatterMarkers,ScatterSmoothLine, ScatterSmoothLineMarkers, ScatterLine, ScatterLineMarkers, ScatterLineFilled, Bubble,BubbleLine, Area, AreaStacked,AreaStacked100, Area3D, AreaOverlapped3D, AreaStacked3D, AreaStacked1003D, Doughnut, DoughnutExploded,RadarLine, RadarLineMarkers,RadarLineFilled, RadarSmoothLine,RadarSmoothLineMarkers, StockHLC,StockOHLC, PolarMarkers, PolarLine,PolarLineMarkers, PolarSmoothLine,PolarSmoothLineMarkers

When examining this statistic we can see that there is low volume on 1,2,8,9 of Mars and that should not be a surprise since those days are weekends. On the 11th we can see a higher volume.

Number of emails per hour:
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Quantize(To_Timestamp(To_String(Extract_Prefix(Time,0,' ')),'h:m:s'),3600) as Hour,count(*) as email Into chart.jpg from 20080311.log where Event-ID = 1019 GROUP BY Hour ORDER BY Hour ASC" -i:W3C -o:Chart -Charttype:Line -Charttitle:"Number of emails per hour" -View:on

We can see that there is a high volume of email between 9 and 12 AM.
This logparser command reads the Time field and manipulates it to be in timestamp format in order for the Quantize parameter to work. Result from Quantize parameter is then summarized per hour and displayed in a line graph.


Or by adding all email from all log files per hour.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Quantize(To_Timestamp(To_String(Extract_Prefix(Time,0,' ')),'h:m:s'),3600) as Hour,count(*) as email Into chart.jpg from *.log where Event-ID = 1019 GROUP BY Hour ORDER BY Hour ASC" -i:W3C -o:Chart -Charttype:Line -Charttitle:"Number of emails per hour" -View:on

Other useful information is who is receiving most mail.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Top 10 Recipient-Address as Recipient,Count(*) as hits From *.log Where Event-ID = 1019 Group By Recipient Order By hits DESC" -i:W3C


Who is sending most email.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Top 10 Sender-Address as Sender,Count(*) as hits From *.log Where Event-ID = 1019 Group By Sender Order By hits DESC" -i:W3C



Which domain is receiving most email.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Top 10 Extract_SUFFIX(Recipient-Address,0,'@') as Recipient,Count(*) as Hits from *.log Where Event-ID = 1019 Group By Recipient Order By Hits DESC" -i:W3C



Avarage size on email per day.
”C:\Program Files\Log Parser 2.2\LogParser.exe" "Select Date,AVG(total-bytes) From *.log Where Event-ID = 1019 Group By Date" -i:W3C

Date AVG(ALL total-bytes)
--------- --------------------
2008-2-29 156344
2008-3-1 53003
2008-3-2 104991
2008-3-3 158491
2008-3-4 190721
2008-3-5 178313
2008-3-6 188157
2008-3-7 168273
2008-3-8 25809
2008-3-9 46874
2008-3-10 170719
2008-3-11 89262
2008-3-12 180671
2008-3-13 181731

Or just the average size of email in all log files.
"C:\Program Files\Log Parser 2.2\LogParser.exe" "Select AVG(total-bytes) From *.log Where Event-ID = 1019 " -i:W3C

AVG(ALL total-bytes)
--------------------
144804

This gives us an average message size of 141KB