Exchange 2007 Service Pack 2 Update Rollup 3 Released

Microsoft has released Exchange 2007 Service Pack 2 Update Rollup 3 today and it can be downloaded from:

Here are some of the product improvements and critical bug fixes that are addressed in this release:

978517 This fix reduces the possibility of a deadlock in unsubscribe during destruction of LOGON object.
979219 A three way deadlock no longer occurs between EcUpdate, EcLockId, EcDoRestrict when 972269 was applied.
978469 Fixed case where some users were unable to logon to mailboxes after online mailbox move.
978521 BkBry Search Folder no longer breaks after moving Mailbox back to its original Exchange Server.
976460 After updating a meeting with ActiveSync, a the next update sent by Outlook became duplicated.
978832 An Outlook Event is now sent when PF items are read after one is marked unread.
979055 Settings on ‘Resource Settings’ page are now properly saved using OWA.
978137 No longer will the subject line in Remote Wipe Confirmation Email get Html Encoded twice.
976108 An Edge Server can now properly use Hosts File for name resolution. Email delivery was failing with Error “451 4.4.0 DNS Query Failed” for emails from Edge to Hub Transport Server.
977179 Situation fixed where System State Backups were failing on Passive Nodes of CCR-Clusters with Error 0x800423F0.
978528 A Store crash does not happen in EXCDO processing since exmime now frees the right address.
979520 Store should now not Crash When Appointment Timezone is 32 Characters or longer.
977923 This fix is to avoid a crash in Item to Mime conversion when converting outbound VCalendar if server is using UmAlQuraCalendar in Regional Settings.
978200 Meeting Request forwarded across 2007 org now has correct “from” data.
977531 Last appointment does not go missing in recurring meeting request if recurrence pattern uses end-by date.
978253 When running Test-OwaConnectivity after running the Test-SystemHealth in the same powershell window, it will not inadvertently result in a Certificate error, even with the TrustAllCertificates:$true.
979170 Scheduled Scan is no longer broken in SP2 ExBPA.
974161 We backed out this RU1 change in this KB since Entourage couldn’t send meeting requests with attachments after applying Update Rollup 2. Once we have this fixed in a less impactful way, we will include it in a future rollup

Prevent Spam Mail From Your Own Domain in Exchange 2007

One of the biggest bug-bears with spam is the spam that comes from (or supposedly comes from) or even This is known as spoofed mail and is a common technique that spammers use to try to get mail past Anti-Spam software.

From the Anti-Spam logs on my own server in the last 24-hours, I have received 1,974 emails (out of 17,432 in total) where the sender domain matched the recipient domain. This is about 11.3% of all mail that hit my server, so it is a relatively large problem. Factor that up to a year’s worth of mail and you get 720,510 a year.

To prevent this from happening, you simply need to remove a specific permission that allows anonymous senders to use your internal domain names in the Mail From section of an email. If anyone tries to do this (anonymous users only) they will receive a “550 5.7.1 Client does not have permissions to send as this sender” message.

The syntax to remove the permission should be entered as follows in the Exchange Management Console:

Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

(You need to change the “My Internet Receive Connector” part in the above syntax)

Having run this command successfully, test using Telnet to your mail server from an external computer and see what happens if you try to send mail as one of your internal domain names. You should receive the 550 5.7.1 Message.

N.B. To put the permission back (in case you need to), please run the following:
Get-ReceiveConnector “My Internet Receive Connector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Add-ADPermission

If you have internal photocopiers and other hardware that needs to relay via your Exchange 2007 server and you cannot configure them with a username / password, then removing the above permissions will prevent you from relaying and will cause you problems.

Activesync Working But Only For Some Users On Exchange 2007 / 2010

There are some issues with Activesync for both Exchange 2007 and Exchange 2010 users whereby some users can connect their Mobile Devices (Windows Mobile Phones / iPhones / Motorola Droid etc) quite happily and Activesync pushes mail to the devices, but other users cannot connect and cannot sync anything at all.

There appear to be plenty of potential solutions for this problem around if you search the web, but the solution to the majority of these problems can be solved quite simply.

If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.

Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.

This particular problem seems to only affect migrated users and not users that were setup on the server post migration.

You may also find that if you use an account that has Admin privileges, and you Check the ‘Include Inheritable Permissions From This Object’s Parent’ check box, that it works for a while, and then stops working again about an hour or so later.

The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.

Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.

The built in groups that are affected with Windows 2008 are:
Account Operators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Schema Admins
Server Operators

The built in users that are affected with Windows 2008 are:

Many thanks to Glen Knight aka Demazter for the section about AdminSDHolder.

The following blog shows a way to get around the issue if you want to maintain Activesync with an Administrator Account (use at your own risk):

Exchange 2010 Rollup 2 Released

Exchange 2010 Rollup 2 has now been released and is available from:

Issues that the update rollup fixes:

Update Rollup 2 for Exchange Server 2010 fixes the issues that are described in the following Microsoft Knowledge Base (KB) articles:

977633 Certain third-party IMAP4 clients cannot connect to Exchange Server 2003 mailboxes through an Exchange Server 2010 CAS server

979431 The POP3 service crashes when a user connects to a mailbox through the POP3 protocol and the user is migrated from an Exchange Server 2003 server to an Exchange Server 2010 server

979480 Users cannot receive new messages if they access mailboxes that are moved to another Exchange Server 2010 RU1 server by using IMAP4 clients

979563 Exchange Server 2010 Push Notifications does not work

979566 A 0x85010014 error is generated when linked mailbox users try to synchronize their mailboxes with mobile devices in a CAS-CAS proxying scenario in Exchange Server 2010

980261 This fix introduces the supports for Exchange Server 2010 page patching when a “-1022” disk I/O error is generated

980262 Event ID 2156 is logged on a computer that is running Exchange Server 2010
Back to the top

I will be applying the update this weekend and hope that it fixes my POP3 issue : )