Exchange 2007 / 2010 Inbound Mail-flow Suddenly Stops – Quick Fix

What is Backpressure?
Backpressure is a new ‘feature’ in Exchange 2007 / 2010 where Exchange actually monitors resources such as Free Disk Space on the disk where the Exchange Message Queue / Message Queue Transaction Logs live and the Memory that the Edgetransport.exe process is using and memory in general used by other processes.

How do I know if my server is suffering from Backpressure?
If one or more items being monitored hits pre-defined limit, then Exchange will stop inbound mail-flow, so usually the first thing that you notice is that all of a sudden, you are not receiving emails from the rest of the world. You will be able to continue to send emails, you just won’t receive and new emails.

Look in your event logs and if Backpressure is being applied, you will see Event ID’s 15006 or 15007 in the logs:

Event log entry for critically low available disk space
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Resource Manager
Event ID: 15006
Description: The Microsoft Exchange Transport service is rejecting messages because available disk space is below the configured threshold. Administrative action may be required to free disk space for the service to continue operations.

Event log entry for critically low available memory
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Resource Manager
Event ID: 15007
Description: The Microsoft Exchange Transport service is rejecting message submissions because the service continues to consume more memory than the configured threshold. This may require that this service be restarted to continue normal operation.

How do I get mail-flow restored quickly?
For a quick fix, modify the edgetransport.exe.config file (notepad works happily for this) found in c:\program files\microsoft\exchange server\bin (Exchange 2007) or c:\program files\microsoft\exchange server\v14\bin (Exchange 2010)

Search for and change the “EnableResourceMonitoring” from “True” to “False”, save and close the file, then restart the Microsoft Exchange Transport Service.

Okay – so mail-flow has been restored – what to do next?

Once your inbound mail-flow has returned (assuming disk space is an issue, which has been the case every time I have seen Backpressure applied), then tidy up your drives and if you are not backing up your Exchange Server (which will purge the Exchange Log files), then make sure you do!

Once you have tidied up your drives and freed up some disk space, set the “EnableResourceMonitoring” back to “True” in the edgetransport.exe.config file and then restart the Microsoft Exchange Transport service again.

Further reading:
Exchange 2007 – Microsoft Backpressure Article:
http://technet.microsoft.com/en-us/library/bb201658(EXCHG.80).aspx

Exchange 2010 – Microsoft Backpressure Article:
http://technet.microsoft.com/en-us/library/bb201658.aspx

Backing Up Exchange 2010 with Windows Backup:

Backup Exchange 2010 Information Store using Windows Backup

Exchange 2007 / 2010 Queues Filling Up With Postmaster Mail to Invalid Domains

If you have an Exchange 2007 / 2010 Server and you notice that your queues are filling up with mail for domains that do not seem to be going anywhere and no-one internally has emailed those domains, you need to check to see who it is that is sending these emails.

Open up the Exchange Management Console, then click on the Toolbox, Open the Queue Viewer and then double-click onto a queue that is for a domain that you don’t recognise.

If you see as the Sender, then your server is sending out Non-Delivery Reports back to emails that are received at your server for recipients that don’t exist.

To check your server configuration, please open the Exchange Management Shell and type in the following:

get-recipientfilterconfig | ft RecipientValidationEnabled

You will most likely see the result showing as False, meaning that your server is not filtering Recipients on your server.

The problem with this is that if your server accepts all messages, then tries to deliver them, realises that some are destined for email addresses that don’t exist, your server becomes responsible for sending back a Non-Delivery Report. Now suppose that the email is spam and that the spammer has made-up the sender address. Your server will then be sending a Non-Delivery Report back to either an invalid email address, a valid email address for which the recipient had not sent the email in the first place, or worst of all, a honeypot email address (one that has never been advertised but has been hidden for spammers to find) designed to trap spam mail. If an NDR email arrives at a honeypot address, YOUR mail server will end up getting blacklisted on such sites as Backscatterer.org, causing you problems sending mail to some domains.

How to fix this problem?

Well, if you have an Edge Transport server, simply run the following command in the Exchange Management Shell:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

This simple command will tell your Exchange server to check the Recipient email address for any inbound email and if the address does not exist on the Exchange Server, it will immediately reject the message, resulting in the sending server becoming responsible for sending a Non-Delivery Report.

If you don’t have an Edge Transport Server – only a Hub Transport Server, you will need to install the Anti-Spam Agents by running the following comand in the Exchange Management Shell:

Exchange 2007:

Install-AntiSpamAgents.ps1

Then, run the above command also in the Exchange Management Shell:

Set-RecipientFilterConfig -RecipientValidationEnabled:$true

Exchange 2010:

Read the following article for how to install the Anti-Spam agents:

http://technet.microsoft.com/en-us/library/bb201691.aspx

then run the Set-RecipientFilterConfig command.

If you find that you have not got Recipient Filtering enabled and have to Enable it by using the command above, please pay a visit to MXToolbox, enter your Mail Server’s IP Address and see if you are Blacklisted on Backscatterer.org (or any other blacklist sites for that matter) and request de-listing if you have fixed the problem.

Windows Small Business Server 2011 Standard and Premium Add-on Released to Manufacturing

Today Microsoft announced that the next version of Small Business Server (2011) will be released to manufacturing. Early January will see the Volume Licensing versions released and from mid January, trial versions will be downloadable from the Microsoft Website.

Designed and priced for small businesses with up to 75 users, Windows Small Business Server 2011 Standard delivers enterprise-class server technology in an affordable, all-in-one solution. Windows Small Business Server 2011 Standard not only helps to protect, access, and manage your information from virtually anywhere, but also allows your business to be more productive by providing:
• A great way to manage email with the powerful new Microsoft® Exchange Server 2010 SP1. Securely access and manage your communications—e-mail, voice mail, instant messaging, and more—from virtually any platform, Web-browser, or device.
• A powerful collaboration suite with Microsoft SharePoint® Foundation Services 2010. Enable your employees to access and share your business documents with exciting features and capabilities that help you collaborate securely online—no matter where you are.
• A rich platform to run your business applications. SBS 2011 Standard allows you to take advantage of the vast library of applications compatible with Windows Server 2008R2 technologies.
• A simple installation/migration path to limit your downtime. SBS 2011 Standard has been designed to simplify the experience of upgrading or installing a new server.
If you have limited IT resources but still need to run a large number of applications, you should consider using the Windows Small Business Server 2011 Premium Add On to complement your SBS 2011 Standard deployment. Because the Premium Add-on includes SQL Server 2008 R2 for Small Businesses, it offers a dedicated, highly effective data management solution to run those applications that require a centralized database and shared information among users. Also with the Premium Add-on you have access to technologies like Hyper-V or Remote Desktop Services that Windows Server 2008 R2 Standard provides.

Increase in Hacker attempts on Windows / Exchange Servers – One Way to Slow Them Down!

In an earlier post I advised about an increase in hacking attempts that I had been seeing on Experts Exchange and also on the servers that we support for our customers.

My Earlier Post:
https://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Having recently been alerted to yet another round of sustained attacks on a couple of servers we receive daily alerts for, I started to dig a little deeper and came up with an interesting thought. A lot of the hackers seems to be passing random usernames such as 1234 / 123 / Claire etc and because these users don’t exist on any of our servers, the Account Lockout Policy does not kick in after x many invalid login attempts. As a result – they just keep on trying in vain!

So – what to do?

Well – it seems that lots of the hackers seem to be trying to use SMTP to attempt to hack a username / password, so I got thinking. On the majority of servers, the SMTP Virtual Server / Receive Connector has Anonymous Authentication / Basic Authentication / Integrated Windows Authentication enabled.

Anonymous Authentication is required if you want to receive emails from other servers around the world, so disabling that is not an option because you would not receive any email at all!

Basic Authentication is required if you want users to send mail with Usernames / Passwords but don’t want to send them securely (why would you?)

Integrated Windows Authentication is required if you want your domain users to to be able to use SMTP and supply their credentials from their Windows accounts to verify access to the server.

As the vast majority of our Server we manage have RPC over HTTPS / Outlook Anywhere configured on them – the Basic / Integrated Windows Authentication is not required in the slightest, so I disabled them both on the servers that were receiving unwanted attention.

Two days later – no more hacker attempts are being reported / logged in the Security Event Logs!

So – if you want a more secure server and don’t have users with SMTP / POP3 accounts sending via your own Exchange Server and have not already disabled Basic & Integrated Windows Authentication on your SMTP Virtual Server / Receive Connector – what are you waiting for?

One less point of attack for hackers is good news in my books.