Some mail server networking best practices

I was reminded this week about the importance of some good best practices when handling the networking portion of a mail server. While a server or Exchange administrator will do a great job handling all of the best practices of configuring the software itself, it is not uncommon for the networking portion to be overlooked. Here is a summary of a couple of networking or firewall-related best practices…

  • Your mail server should be NAT’ed to an IP address different from the one used by your general internet traffic. This ensures that malicious activity taking place on your general internet traffic, an infected PC, or even a guest system does not impact your ability to send email. If a guest laptop on your wireless network has a virus and is sending out spam, it might result in your IP address being blacklisted, and that will cascade onto your mail server. With a public IP address dedicated to your mail server, you can be assured that if you’re blacklisted, it is because of traffic through your mail server, and not from another source.
  • Block outbound port 25 from everything except your mail server. In general, the only device that should be sending mail outside of your network is your mail server. If another device needs to send email, such as your MFP, it should relay off your mail server and not send out directly.
  • If you are using some form of hosted inbound spam or mail filtering, such as MXLogic or Reflexion, you should source IP filter your inbound port 25 traffic, or better yet, consider using an alternate port. If you don’t lock this down, it permits people to bypass your hosted mail filtering and send spam directly to your mail server.
  • Ensure that your firewall has application-aware protection in place for SMTP traffic. However, if you have an older Cisco PIX firewall and an Exchange mail server, consider turning FIXUP off for SMTP, since there is a long history of documented problems.
  • Be on the lookout for a mail administrator who assigns a public IP address on their mail server directly, thereby bypassing the firewall or other edge protection. If they really want to dual home the mail server, have them place it on a DMZ instead.
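
The port 25 rules above can be checked against what the firewall actually permits. The following is an added example, not part of the original post: it audits a constructed flow export for permitted SMTP that breaks either rule. The addresses, the hosted filter's range and the `src,dst,dport,action` layout are all assumptions made for the sketch.

```python
import csv
import io
import ipaddress

# All addresses are constructed placeholders (RFC 1918 / RFC 5737 ranges).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")
FILTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hosted filter's delivery range

# Constructed firewall flow export: src,dst,dport,action
SAMPLE_FLOWS = """\
10.0.0.25,203.0.113.10,25,permit
10.0.5.77,203.0.113.10,25,permit
10.0.5.78,203.0.113.10,25,deny
198.51.100.14,10.0.0.25,25,permit
203.0.113.200,10.0.0.25,25,permit
10.0.5.77,203.0.113.10,443,permit
"""

def audit_smtp_flows(text):
    """Return (src, dst, reason) for every permitted port-25 flow that breaks policy."""
    findings = []
    for src, dst, dport, action in csv.reader(io.StringIO(text)):
        if dport != "25" or action != "permit":
            continue  # denied flows and non-SMTP traffic are out of scope
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        outbound = s in INTERNAL_NET and d not in INTERNAL_NET
        inbound = s not in INTERNAL_NET and d in INTERNAL_NET
        if outbound and s != MAIL_SERVER:
            findings.append((src, dst, "outbound SMTP from a host other than the mail server"))
        elif inbound and not any(s in net for net in FILTER_NETS):
            findings.append((src, dst, "inbound SMTP not sourced from the hosted filter"))
    return findings

if __name__ == "__main__":
    for finding in audit_smtp_flows(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

Any finding means a firewall rule is looser than the policy in the list above.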

Enjoy

 

Disabled Mailbox is not showing in Disconnected Mailbox Area

In Exchange, when you delete an Active Directory user account, it does not delete their mailbox automatically. Instead it considers the mailbox to be in a “disconnected” state. The mailbox exists but it is no longer associated with an Active Directory user account. There are several reasons why you might want to keep the mailbox around and perhaps eventually reconnect it. Today I was working on a very corrupt user account in AD, but the mailbox itself was fine. I simply deleted the user account from AD (after ensuring proper backups were taken), and then created a new user account. Even though the username is the same as the one I just deleted, the two accounts have different GUIDs, so they are, in fact, different users. After creating the AD user account, I went over to the Exchange Management Console and the user’s mailbox was missing from both the Mailbox list and the Disconnected list. The reason is that these are moved during a mailbox maintenance process. However, you can speed this up.

 

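Launch the Exchange PowerShell and run the following, substituting the name of the mailbox database that held the mailbox (the cmdlet prompts for this identity if it is omitted):

Clean-MailboxDatabase -Identity "<mailbox database name>"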

After that is complete, go back to the Disconnected Mailbox list and refresh the page, and you will find your mailbox.

 

Enjoy!

DHCP Server Logs

There have been several instances where I have been trying to troubleshoot DHCP issues live, or other cases when I needed to know what computer had a specific IP address in the past. A useful way to find this information is to view the DHCP server logs. The server keeps only the past 7 days of logs, but through backups, you can actually go back to any point in time.

The logs are located at C:\Windows\System32\dhcp

The logs are named dhcpsrvlog-mon, dhcpsrvlog-tues, etc… you get the idea. There is also a separate log for DHCPv6 (IPv6) addresses.

 


Also, along those lines, don’t blindly trust the DHCP lease active/inactive status as indicated in the DHCP console. Sometimes a reservation is used for a device that is set statically, so DHCP will show inactive while the address is actually in use. It might also show active even though the device isn’t properly receiving an IP address.
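
To answer the "which computer had this IP address at that time" question from the logs described above, the audit log can be replayed in order. This is an added example, not part of the original post: the sample log is constructed, and the comma-separated column layout and the event IDs 10, 11 and 12 follow the legend printed at the top of each log file. A statically set device never appears in these logs, so no result does not prove the address was free.

```python
import csv
from datetime import datetime

LEASED = {"10", "11"}  # 10 = new lease, 11 = renewal (legend in the log's own header)
RELEASED = {"12"}      # 12 = lease released by the client

# Constructed sample in the layout of a Windows DHCP audit log; hosts, MACs and
# dates are made up, and real logs carry more columns after MAC Address.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
Event ID  Meaning
10  A new IP address was leased to a client.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,03/04/13,08:15:02,Assign,192.168.1.50,LAPTOP-A.example.local,001122334455,
11,03/04/13,12:15:02,Renew,192.168.1.50,LAPTOP-A.example.local,001122334455,
10,03/04/13,12:30:00,Assign,192.168.1.51,KIOSK-1.example.local,0A0B0C0D0E0F,
12,03/04/13,17:40:10,Release,192.168.1.50,LAPTOP-A.example.local,001122334455,
10,03/04/13,18:05:44,Assign,192.168.1.50,PRINTER-2.example.local,66778899AABB,
"""

def parse_events(text):
    """Yield (timestamp, event_id, ip, host, mac) for rows after the column header."""
    in_rows = False
    for row in csv.reader(text.splitlines()):
        if not in_rows:
            # Skip the banner and legend until the column header line is seen.
            in_rows = row[:3] == ["ID", "Date", "Time"]
            continue
        if len(row) < 7:
            continue  # blank or truncated line
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        yield ts, row[0], row[4], row[5], row[6]

def holder_at(text, ip, when):
    """Return (host, mac) holding `ip` at `when`, or None if no logged lease covers it."""
    holder = None
    for ts, event_id, row_ip, host, mac in parse_events(text):
        if row_ip != ip or ts > when:
            continue
        if event_id in LEASED:
            holder = (host, mac)
        elif event_id in RELEASED:
            holder = None
    return holder

if __name__ == "__main__":
    print(holder_at(SAMPLE_LOG, "192.168.1.50", datetime(2013, 3, 4, 13, 0)))
```

A lease granted on an earlier day only shows up if that day's rows are included, so feed the function the data rows of several days, oldest first, when the time of interest is early in a log.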

Enjoy!

Cisco terminal length 0 and --More--

From time to time I just need to perform a simple dump of a configuration file from a Cisco IOS device, such as a router or switch, for backup or review purposes. However, for switch stacks or complex configurations the configuration file can be long, and when using something like PuTTY to log all the terminal/SSH actions to a file, there is no need to constantly press a key at the --More-- prompt. To avoid this, you can simply enter:
terminal length 0
at the enable (#) prompt. From there you will no longer see page breaks; the entire configuration file will simply scroll out. This also avoids the need to go back and find/replace the --More-- elements in a dump.

Enjoy!

ca.gov email servers under spam attack

 


For the past couple of days many ca.gov domains have been under attack with a huge volume of spam. The result is effectively a denial of service of the mail servers, as they are saturated with connection attempts. This has caused many emails to sporadically bounce because the sending SMTP mail servers are unable to connect to the ca.gov mail servers.

Using an inbound hosted mail filtering service such as Postini or MxLogic can help avoid this problem for your organization because they host multiple inbound SMTP servers, and have a focus on the stability and reliability of these services so you don’t have to worry about it.

W32/autorun.worm.aaeb-h Outbreak

I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply too frequently created. For the most part, if you run your network and systems with the concepts of defense in depth and principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. When used with removable media (think USB flash drives, or even MP3 players), it will modify the autorun.inf to auto-run the executable. It will also infect files with common file types such as audio (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of the following file names will indicate you might have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg
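
A quick way to check a removable drive or share for these names, as an added example that is not part of the original post: the script walks a directory tree, flags files whose names match the list above, and reports what any autorun.inf would launch. It matches on names only, so a hit is a reason to scan the media, not a verdict; the sample tree it builds consists of empty, harmless files.

```python
import os
import tempfile

# File names listed in the post as indicators of W32/autorun.worm.aaeb-h.
INDICATOR_NAMES = {"secret.exe", "sexy.exe", "pron.exe", "password.exe", "x.mpeg"}
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

def autorun_targets(path):
    """Return the programs an autorun.inf would launch (open= / shellexecute= values)."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip())
    return targets

def scan(root):
    """Walk `root` and return sorted (relative_path, reason) findings."""
    findings = []
    # os.walk lists files regardless of the hidden attribute, so copies the
    # worm has hidden from the default Explorer view are still visited.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in INDICATOR_NAMES:
                findings.append((rel, "file name matches a listed indicator"))
            elif name.lower() == "autorun.inf":
                for target in autorun_targets(full):
                    findings.append((rel, f"autorun.inf launches {target}"))
    return sorted(findings)

def build_sample(root):
    """Create a constructed sample tree of empty files to demonstrate the scan."""
    os.makedirs(os.path.join(root, "Music"))
    for rel in ("Secret.exe", os.path.join("Music", "x.mpeg"), "report.doc"):
        open(os.path.join(root, rel), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=Secret.exe\nicon=drive.ico\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan(tmp):
            print(f"{rel}: {reason}")
```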

Defense:

  • Disable autorun feature
  • Prevent the use of USB media for mission-critical servers
  • Ensure scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb

How to Remove a XenServer Slave when it No Longer Exists in the Pool

Citrix article CTX126382 describes how to remove a XenServer Slave from a pool; however, it does not completely clean up after the process is complete. While the host will be removed, any storage repositories will be left behind, such as DVD and local storage.

To clean these up perform the following:

1) Click on the disconnected storage repository on the console

2) On the general tab, right-click on the UUID and select copy

3) On the Pool master console, type: xe sr-forget uuid= (and then right-click paste which will insert the UUID of the disconnected storage repository)

Repeat this process for all disconnected storage repositories, which are typically local storage, DVD, and removable storage.

 

 

 

DHCP Best Practices

Here are several DHCP best practices as collected from various resources including Comp/TIA and Microsoft:

  • Always include the entire subnet in the scope (192.168.1.1 – 192.168.1.254, or 172.29.0.1 – 172.29.255.254)
  • Add exclusions for ranges which are using static IP addresses, and for future growth area, such as setting aside 10 addresses for printers so they stay within the same general IP address range
  • For networks where DHCP services are critical or for larger networks, consider two DHCP servers configured in an 80/20 split (however, Microsoft Server 2012 has a new provision for redundant DHCP servers)
  • Configure Active Directory credentials to enable DHCP to update the DNS server with IP address information using secure updates.
  • Use “server side conflict detection” only when needed – this is a feature which delays DHCP from handing out an address until it has first issued an ICMP ping message to check if the address might already be in use but not known by DHCP already (i.e. statically assigned within the lease range without an exclusion or active lease).
  • Typical DHCP lease time is 8 days; however, if you have a separate scope for guest or wireless clients, consider a shorter lease time such as 8 hours. Conversely, for fixed devices (printers, etc.), consider leases of 16-24 days.
