de-DEen-GB
 
rss

Granikos Technology Blog

The PowerShell script Set-UserPictures now supports uploading resized user pictures to Exchange On-Premises and Exchange Online.

Read more about the new functionality here: https://www.granikos.eu/en/justcantgetenough/PostId/307/add-resized-user-photos-automatically

Download the updated script here:

Enjoy!

 

 

Weiterlesen »

SharePointProblem:

When you try to connect to SharePoint Online using PowerShell you receive an Access Denied error as follows:

PS C:\> Connect-SPOService -Url https://tenant-admin.sharepoint.com -credential $credential
 
Connect-SPOService : Cannot contact web site
'https://tenant-admin.sharepoint.com/' or the web site does not support
SharePoint Online credentials. The response status code is 'Unauthorized'. The
response headers are 'X-SharePointHealthScore=0,
SPRequestGuid=310ce59d-002b-3000-ef1a-70e5fe7eaf72,
request-id=310ce59d-002b-3000-ef1a-70e5fe7eaf72, X-MSDAVEXT_Error=917656; Acces
s+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the
+web+site+and+select+the+option+to+login+automatically.,

Solution

Connecto to the SPO Service without the previously entered credentials ($credential) and enable the LegacyAuthProtocolsEnabled attribute.

Set-SPOTenant -LegacyAuthProtocolsEnabled $True

 

Enjoy SharePoint Online.

 

 

Weiterlesen »

Problem

After configuring Access Services you cannot deploy Access custom web apps from Access 2013 - an error with a Correlation ID occurs.

Screenshot Custom web app error

 

Reason

As if it´s not inconvenient enough to configure the SharePoint Access Services Requirements (e.g. AppStore with DNS), the SQL Server Configuration can be the cause, too. In the SharePoint Site Content overview you can see the faulty deployed App and in it`s details the following error:

The database server is temporarily unavailable.
Details: The sp_configure value 'contained database authentication' must be set to 1 in order to alter a contained database. You may need to use RECONFIGURE to set the value_in_use. ALTER DATABASE statement failed.

Screenshot Custom web app error details

 

Solution

You need to enable the SQL Server 2012 Feature Contained Database Authentication if you receive this error. You can do this in the Management Studio via this T-SQL statement:

SP_CONFIGURE 'contained database authentication', 1;
GO
RECONFIGURE;
GO

 

Enjoy SharePoint!

 

Weiterlesen »
Last updated: 2017-02-08


NoSpamProxy Azure Edition is the cloud based email security gateway of the successful NoSpamProxy family of products by Net at Work. The Azure edition of NoSpamProxy can easiliy be deployed using the Microsoft Azure Marketplace.

NoSpamProxy Azure easily connects an Office 365 tenant and offers an easy way to provide centralized email encryption and decryption with PGP and/or S/MIME for mailboxes hosted in Exchange Online. Additionally, NoSpamProxy Azure provides compliant anti-spam handling, an anti-malware component, and a large file portal.

The edition currently available in Microsoft Azure installs a NoSpamProxy single-server deployment. A single-server deployment combines the NoSpamProxy intranet role and the gateway role on a single server.

The NoSpamProxy Azure Edition is provided as BYOL (Bring Your Own License) deployment. In addition to the recurring fees for the Microsoft Azure VM you are required to buy a NoSpamProxy license. If you already own a NoSpamProxy Version 11 license, the license can be used for the NoSpamProxy Azure Edition as well.

Content

DeploymentOptions
Notes
Deployment
Links

 

Deployment Options

Due to the nature of a cloud service NoSpamProxy Azure can be operated in different scenarios in Microsoft Azure. By default the system is configured as a workgroup system without any Active Directory domain membership. The different operational scenarios for NoSpamProxy Azure depend on the existence of a Site-2-Site VPN between your Azure deployment and your on-premises IT infrastructure.

  • Without Site-2-Site VPN to Microsoft Azure
     
    • An on-premises email server (e.g. Exchange Server or SmarterMail) utilizes NoSpamProxy Azure as an external relay for outgoing messages. Incoming messages are received by NoSpamProxy Azure and are forwarded to the on-premises email server via the internet.
       
    • Email addresses of internal recipients are maintained manually using plain text file. The file itself is imported automatically by NoSpamProxy Azure
      This is a viable option, if there aren't too many email addresses to maintain.
       
    • Good option for Office 365 customers running a cloud only deployment without any on-premises Active Directory users and mailboxes. The required import file can be created by exporting Office 365 recipients and email addresses.
       
    • RDP access to the Azure VM and NoSpamProxy Azure must be limited to an external IP address of the company network.
       
  • With Site-2-Site VPN to Microsoft Azure
     
    • AN on-premises email server (e.g. Exchange Server or SmarterMail) utilizes NoSpamProxy Azure as an internal Relay for outgoing messages. Incoming messages are received by NoSpamProxy Azure and forwarded to the on-premises email servers using the Site-2-Site VPN.
       
    • Automated import of internal email recipients from a LDAP source (e.g. Active Directory)
      This option simplifies recipient maintenance, as recipients are automatically imported by NoSpamProxy Azure.
       
    • Perfect option for Office 365 customers maintaining user accounts on-premises and running Azure AD Connect or maybe even having a full Office 365 hybrid setup with centralized mail flow.
       
    • RDP access to the Azure VM and NoSpamProxy Azure restricted to internal company network(s).

Currently a direct connection to Azure AD is not supported, but it is planned for a future release.
 

Notes

  • The Azure Service for NoSpamProxy Azure System requires a Reverse-DNS configuration, as any other public facing SMTP service. External SMTP servers must be able to perform a Reverse-DNS check successfully. A link on how to configure Reverse-DNS in Azure is listed in the Links section.
     
  • The system name of the NoSpamProxy Azure VM should not follow internal IT naming conventions, as the name is publically resolvable. Otherwise you are going to expose your internal naming conventions.

Depending on the size of the Azure VM different throughputs can be reached in regards to emails per minute.

Tests have shown the following results for Standard A Virtual Machines:

VM Size CPU Cores Memory Emails/minute
Standard A1 1 1,75 100
Standard A2 2 3,5 200
Standard A3 4 7 300
Standard A4 8 14 300

 

Deployment

The following steps describe a simple deployment of NoSpamProxy Azure.

NoSpamProxy Azure Edition in Microsoft Azure Marketplace

Go to Azure Marketplace and search for NoSpamProxy, select the NoSpamProxy Azure Edition.

Click Create to configure the NoSpamProxy Azure system.

NoSpamProxy Azure System  - Basics

Configure the required parameters as needed

  • Name
    System name which is added to Azure DNS and externally resolvable.
  • VM disk type
    When selecting SSD as VM disk type, you must choose an Azure VM supporting SSD in a following step.
  • User name, Password
    User name of the local administrator account
    As the Azure VM is accessible via RDP from the internet by default, you should use a non-trivial user name and password.
  • Subscription
    Azure subscription to add the Azure resources to.
  • Resource group
    Resource group for the new Azure resources. The example creates a new resource group.
  • Location
    Azure region for the new resource group.

NoSpamProxy Azure System  - Choose Size

Select an appropriate virtual machine type. NoSpamProxy Azure doesn't have extraordinary system requirements for processor and memory. SQL Server 2014 Express is downloaded and installed as part of the standard setup of NoSpamProxy. Even SQL Server 2014 Express can be run on a standard VM..

NoSpamProxy Azure System - Settings

All other settings remain unchanged for this simple deployment. You can adjust the settings, if required for your individual deployment. Especially if you want to utilize exisiting resources.

  • Storage Account
    Storage for Azure VM VHD files
  • Virtual Network
    Azure virtual network for the new Azure VM
  • Subnet
    Azure virtual network subnet
  • Public IP Address
    External IP address
  • Network Security Group
    Network firewall configuration

NoSpamProxy Azure System - Summary

Verify the technical summary and click OK to add the configured system to your shopping cart.

NoSpamProxy Azure System - Purchase

Verify the selected Azure service offering and the configured virtual machine. Click Purchase to buy the selected subscription. The deployment is a so called BYOL Deployment and requires a valid NoSpamProxy trial license or an existing full license. After the NoSpamProxy setup as been completed in the virtual machine you will be redirected to a web page to request a trial license.

Connect to the newly deployed virtual machine using Remote Desktop. After first log on NoSpamProxy setup will start automatically as part of an scheduled task. The scheduled task will execute the following steps:

  • Configure the preinstalled SQL Server Express Edition
  • Download and setup of the most current release of NoSpamProxy
  • Redirect to the NoSpamProxy Azure web page to request a trial license
  • Removal of the scheduled task

NoSpamProxy Azure System - Setup

Do not close or interrupt the Windows PowerShell window.

After the setup has finished the public web page of NoSpamProxy Azure Edition will be opened in Internet Explorer. After initial setup of the operating system Internet Explorer runs in secure mode. Therefore, a security warning is displayed. Just add the web page to the list of exclusions and request your personal NoSpamProxy trial license.

The program setup adds new security groups and adds the logged on account to these security groups. It is required to log off and log on again to reflect the new group memberships. This is mandatory to sucessfully manage NoSpamProxy.

After log on start the NoSpamProxy Configuration MMC to import the license.

The NoSpamProxy Configuration MMC displays the NoSpamProxy version.

NoSpamProxy Azure System - Configuration MMC

After initial import of the license you can start configuring NoSpamProxy to suit your needs.

 

Links

 

 

Weiterlesen »
On September 14, 2016
1071 Views
This is a translated blog post of the original post in German, which can be read here.

Different technologies are used to verify the validity of email senders. Each technolgy by itself represents only one component of an holistic solution. It is currently recommended to implemtent all three technologies.

The technologies are:

  • SPF - Sender Policy Framework
    The SPF resource record of a DNS zone defines which servers (host names or IP addresses) are allowed to send emails on behalf of the domain. Each sender domain must have it's own SPF resource record.
     
  • DKIM - Domain Keys Identified Mail
    DKIM pursues the same objective as SPF. With DKIM parts of an email message are enrypted using a provivate key. The public key is published as a DNS resource record. In the most cases the key pair ist generated by the mail servers, as these encrpyt the message anyway.
     
  • DMARC - Domain-based Message Authentication, Reporting & Conformance
    DMARC is placed on top of SPF and DKIM. DMARC executes a so called alignment for SPF and DKIM. An alignment defines a policy that describes how strict a receiving server (MTA) should validate and assess the sender address with SPF and DKIM. Stefan Cink of Net at Work has published a detailed post (DE) on this.

 

The following figure illustrates the protocol relations.

DMARC, SPC and DKIM relations

The use of SPF, DKIM and DMARC are no substitute for email message encryption itself or transport encryption. These technologies are used to identify and asses valid senders and to protect against spam messages.

Keep in mind that SPF, DKIM and DMARC are offerings for other emails servers. As a sending party you do not control if and how SPF, DKIM and DMARC are evaluated by the receiving server. But if evaluated, the configuration must be correct to avoid messages being rejected by receiving email servers.

The following sections focus on the DNS configuration for SPF, DKIM and DMARC. This post is not intended to rate the technologies, but to desribe the implementation.

 

SPF

Each domain being used for sending emails requires a SPF resource record (RR) in its DNS zone. A SPF record is always of the type TXT and does not use any host name (or resource record name, if you will). A SPF RR is always valid for the entire DNS zone.

Example

mcsmemail.de.          3600     IN      TXT     "v=spf1 mx a:mail.mcsmemail.de ?all"

The following screenshot illustrates adding a new SPF TXT record in a common DNS management interface (DE) of an internet provider. The host name textbox remains empty.

Anlegen eines SPF TXT DNS Eintrages

Example explained:

v=spf1
SPF Version

mx
MX server records defined within the DNS zone are valid senders

a:mail.mcsmemail.de
The additional DNS host name defined as a A resource record is a valid sender as well

?all
Neutral validation of non listed servers that send emails for this domain

SPF records can be created by using one of the various online resources.

 

DKIM

DKIM resource records are configured as TXT resource records as well. In contract to a SPF record a host name is mandatory. In this case its called selector.

A DKIM TXT record is always created as a record in the sub domain _domainkey.

Example

nsp._domainkey.mcsmemail.eu. 3600 IN     TXT     "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChZM8yjegaKfd0ssKyezTW/7xbDSNc0uPd50xa5/ecerv1v3mHKM+T7mClzRmIEx+Ji6AisVeo2uvjTYPemHFMBlQpuS/4zc2QxWHqp62FSQ7lASBOzDfUrIwayPVqwSPD6NrnfVSWoUNrFGGSVeU5uLASecBzTfxPukqTHgYKhQIDAQAB"

The following screenshot illustrates adding a new DKIM TXT record in a common DNS management interface (DE) of an internet provider. The host name textbox contains the selector nsp followed by the sub domain _domainkey.

Anlegen eines DKIM TXT DNS Eintrages

Example explained:

v=DKIM1
DKIM version

k=rsa
Public key encryption method

p=MIGfMA....
The DKIM public key

 

DMARC

DMARC is configured as a TXT resource record as well. The DMARC resource record uses the fixed host name _dmarc.

Example

_dmarc.mcsmemail.de.     3600    IN      TXT     "v=DMARC1\; p=none\; rua=mailto:DMARCRUA@mcsmemail.de\; ruf=mailto:DMARCRUF@mcsmemail.de\; fo=1\; adkim=s\; aspf=s\; rf=afrf\"

The following screenshot illustrates adding a new DMARC TXT record in a common DNS management interface (DE) of an internet provider. The host name textbox contains always the value _dmarc.

Anlegen eines DMARC TXT DNS Eintrages

Example explained:

v=DMARC1
DMARC version

p=none
No DMARC policy defined (You should always start with None, before switching to Quarantine or Reject)

rua=mailto:DMARCRUA@mcscmemail.de
Email address for status reports

ruf=mailto:DMARCRUF@mcscmemail.de
Email address for error reports

fo=1
Error report type

adkim=s
DKIM alignment, s = strict

aspf=s
SPF alignment, s = strict

rf=afrf
Error report message format, afrf = Abuse Report Format nach RFC 5965

The DMARC policy (p) should be raised step-by-step. The results for each policy type are:

  • none - No action, affected messages are part of the daily message report
  • quarantine - Affected messages are marked as spam
  • reject - An affected message is rejected on the SMTP layer

Recommended reading on this topic: Google Support Post.

DMARC DNS zone entries can easily be checked by using the Net at Works PowerShell tool. The PowerShell script an only be used with NoSpamProxy11+. But there are some online tools available as well.

Links

 


You need assistance with your Exchange Server setup? You have questions about your Exchange Server infrastructure and going hybrid with Office 365?

Contact us at office365@granikos.eu or visit our website http://www.granikos.eu.

Weiterlesen »