Friday, July 20, 2007

Exchange 2007 Anti-Spam

As part of this Exchange roll out, I've experimented with the built-in anti-spam features of Exchange 2007. I expected it to be horrible and it wasn't as bad as I feared.

The good:
  • Simple, easy to understand interfaces
  • Easy setup

The bad:

  • No manual sender whitelist
  • Not much control over whether the mail gets dropped or redirected
  • You have to have an Edge server to get the best benefits.

That's right - to get the best benefits of the built-in anti-spam, you have to sacrifice a whole server license of Exchange 2007 to get half the functionality of ORF or any of a half dozen open source RBL filters. I am shocked that it sucks that badly. I really don't get it...

Tuesday, July 17, 2007

I found the Exchange 2007 error

I finally opened a business critical support issue with Microsoft and found the problem. The KB that I got pointed to was both right and wrong. http://support.microsoft.com/kb/936907

The description of the issue was 100% accurate.

If you copy and paste the LDAP query string exactly as shown, your install will fail because there is a typo in the KB.

That was a first for me. The string shown for the All Users query has an extra space in the last portion of the string. The correct string is:

(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)((homeMDB=*)(msExchHomeServerName=*))) ))

Thursday, July 12, 2007

Exchange 2007 Setup

The Exchange 2007 setup is an annoying process. I've done a couple now and they all seem to generate the strangest errors. I'm getting a couple of fun ones:

When running setup.com /PrepareAD:

Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation ......................... FAILED
Active Directory operation failed on sabeydata.Sabeyco.com. The object 'CN=All Contacts,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com' already exists.


I got pointed to one possible lead http://support.microsoft.com/kb/936907 that looked promising but didn't pan out.

The system log has an error similar to this from http://support.microsoft.com/kb/555854/en-us

The following error may appear in the event log:
Event Type: Error
Event Source: MSExchange ADAccess
Event Category: Devices
Event ID: 2152

Description: The following information is part of the event: ExSetupUI.exe; 4912; 1753; Error 6d9 from HrGetServersForRole

This error may occur due to a network adapter binding error and/or disabled File and Print Sharing on the network adapter.

That still didn't get me anywhere...

Wednesday, July 11, 2007

ISA 2006 SSL publishing

I'm not a big fan of Internet Security and Acceleration (ISA) server but many of my clients can get it for free. The documentation is pretty bad, though. Here's the latest irritation I found.

Publishing an SSL-protected site through ISA is more complicated than the MS TechNet articles show. The how-tos and TechNet articles are slanted towards an enterprise-wide certificate authority instead of third-party SSL certificates. At the size of the Centro target market, I don't expect many organizations would have their own PKI infrastructures. The changes to the setup that should be noted are:

  • After installing the third-party web certificate on the web server, open the IIS management console
      o Right click the SSL protected website and select Properties
  • On the Directory Security tab, press the Server Certificate button to start the certificate wizard
      o Select “Export the certificate to a PFX file” and select a password and file location
  • At the ISA server, select Start >> Run and enter MMC to start a new MMC console
  • Select File >> Add and Remove snap ins
  • Add the Certificates snap in
  • Select Computer account in the next screen.
  • Once the MMC console is open, right click the Personal node and select Import
  • Browse to the location of the PFX file and open it
      o Enter the password and click through the remaining dialog boxes to import the certificate.

If you just open the PFX file, the certificate will get automatically placed in Current User >> Personal and the only location that ISA will accept the certificate and private key is Computer >> Personal – a point that is not mentioned in the ISA documentation. The import wizard available from opening the PFX file will not give you that option.
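A quick way to check which store the import actually landed in, as an added example that is not part of the original post. It assumes PowerShell is available on the ISA server; the thumbprint value is a placeholder to replace with the one shown on the certificate's Details tab.

```powershell
# Added example: report whether a certificate sits in Computer >> Personal
# (LocalMachine\My) with its private key, or only in Current User >> Personal.
# The default thumbprint below is a placeholder, not a real value.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

# Thumbprints copied from the certificate dialog carry spaces and sometimes
# an invisible leading character; keep only the hex digits.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

function Find-PersonalCert {
    param([string]$Location)   # 'LocalMachine' or 'CurrentUser'
    Get-ChildItem "Cert:\$Location\My" |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
}

$machine = Find-PersonalCert -Location 'LocalMachine'
$user    = Find-PersonalCert -Location 'CurrentUser'

if ($machine -and $machine.HasPrivateKey) {
    "OK: found in Computer >> Personal with a private key (expires $($machine.NotAfter))"
}
elseif ($machine) {
    "PROBLEM: found in Computer >> Personal, but no private key is attached"
}
elseif ($user) {
    "PROBLEM: found only in Current User >> Personal; import it again from the Certificates snap-in opened for the Computer account"
}
else {
    "NOT FOUND in either Personal store"
}
```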

I guess this is a more secure way to access an SSL protected website but it seems very complicated.

Tuesday, July 10, 2007

Why the $#%# is Vista so slow?

I have a brand new IBM T60p with 2 gigs of RAM and Vista absolutely sucks! I don't get it. I've been through the system and disabled as much of the junk as I can, I've removed all sorts of applications, and followed Daniel Petri's http://www.perti.co.il/ recommendations and it still drags. Between turn on and fully ready to go (Outlook open) is almost 10 minutes.

I have a ton of devices that don't work correctly, too.

I don't remember these kinds of problems with the Windows 2000 roll out. I'm starting to agree with Joel's philosophy about MS http://www.joelonsoftware.com/articles/APIWar.html

Monday, July 09, 2007

Getting used to Exchange 2007

I've had to roll out an Exchange 2007 upgrade at one of my clients and it did not go well. I can't believe how much Microsoft changed the interface around. I can't find anything! Exchange 2007 is no longer tightly integrated with Active Directory Users and Computers so you don't get "Exchange Tasks" options or any way to assign a mailbox to a new user inside AD. The paradigm has shifted to "adjust Active Directory inside Exchange Manager".

The documentation is less than ideal as well. I strongly recommend waiting until SP1 to do serious deployments.