SefaUtil Gui v2.1

SefaUtil Gui v2.1 is a new minor version is published of the SefaUtil GUI script. It contains some small improvements to fix some issues some users experienced. Issues fixed in this release are:

  • searching for delegates doesn’t work correctly
  • time before forwarding to a team could not be configured

If you find new issues please let me know.

Download SefaUtil GUI v2.1

Congratulations 2013 Microsoft MVP!


Today I received the MVP (Most Valuable Professional) award for the 5th time from Microsoft. This award is valid for one year and each year you have to earn it again.
The award is given by Microsoft to people for their work in the community. What the exact things are they will look at is still a black-box.

You can become a MVP in several categories from Excel to Exchange. In this last categorie I received the MVP award. Besides me several other people received the MVP award among them The UC Architects Steve Goodman, Paul Cunningham and Justin Morris.

If you would like to know more about the MVP program have a look at the site below:


Exchange 2010 SP3 available soon

It looks like we can expect Exchange 2010 SP3 very soon. There are a lot of rumors on going on Twitter and Facebook the Microsoft Downloads already contains the Exchange 2010 SP3 UM Language Pack.

A question by Exchange fan Hakim Taoussi that it has been announced but not available:




Was answered by Bharat Suneja from the MsExchange team with the following tweet:



So for those who have been waiting till they can migrate to Exchange 2013 from Exchange 2010 you should be able soon. If it is wise to do it, well read the several blog posts from Exchange guys and then rethink your decission again.

Exchange 2013 and Lync 2013 Preview versions available

Microsoft has released a whole set of Wave 15 last monday which are available for everyone interested in the new versions. The version which is released is the so called Preview version, also known as Beta. So this are not the final versions of the products yet and it is not recommend to install them in a production environment.

Below you will find some links to both the downloads and documentation for both Exchange 2013 and Lync 2013:

Exchange 2013 download:

Exchange 2013 documents:

Lync 2013 download:

Lync 2013 documentats:

The UC Architects

 A few weeks ago it started with the following tweet of Steve Goodman:

In a very short period several Exchange and Lync bloggers informed Steve that they would like to attend and this resulted in The UCArchitects. A podcast which only contains unified communications related subjects. The mail and IM traffic which was exchanged between the contributors was from a high volume and new ideas were found.

After several days the site was already online although hidden for the large public. As it looks like Metro will be the new style we decided to use this both for the website and landing page. This resulted in the following landing page:

On the 18th of June the website was launched together with the first episode of the podcast: In the Beginning … . In this episode the following things where discussed:

  • Exchange 2010 SP2 UR3 – Added features and bugs fixed. Installation complexities
  • Importance of a development/lab environment for testing and demos
  • Who’s going to MEC (Microsoft Exchange Conference)? Not Steve!
  • TechEd 2012 vs. MEC
  • Exchange “15″
  • Public folders
  • Simultaneous product releases
  • Running multiple versions of Office products, upgrading client apps
  • End of Edge Transport? Alternative approaches to messaging hygiene
  • Desired features of the next version of Exchange
  • Centralized (roaming) signatures
  • Archiving
  • The coming week and points of interest

Last week the second podcast was published: Corruption, Poison, and Ethiopia. In the second episode the following things where discussed:

  • News Roundup (Yammer, Surface, MVPs)
  • Lync: July2012 CU6
  • Lync: Wildcard Support
  • Lync: Push Notifications on IOS Update
  • Exchange: Mailbox Corruption
  • Exchange: Poison Mailboxes
  • Exchange Tip: Get-MailboxReport
  • Tip: TechEd North America 2012 / Europe 2012 content available
  • MEC 2012
  • Upcoming Event: UC User Group London (July, 26th)
  • Lync Tip: How to make phone numbers and IM address in signatures clickable
  • Upcoming Event: Network Group Netherlands (TBA, around end of October)
  • Turkish Community Group, msHowto
  • Roundup

If you would like to listen to the Podcasts you can  do this by using one of the following methods:

Besides the Podcasts and the website you can find us back here:


Kerberos authentication fails sporadically

Earlier this year a blog on the Exchange Team site was poste by Ross Smith IV. In this blog he encouraged to use Kerberos as authentication method for Outlook clients.

In a lot of Exchange environments you will see that it is implemented. When you are using a CAS Array you will need to create an alternate service account (ASA) for this. This can be done by using the  RollAlternateserviceAccountPassword.ps1 script. Keep in mind that when using the CreateScheduledTask parameter the scheduled task will run as the account who created the scheduled task.

After registering the correct SPN’s on the ASA account Kerberos will work in most cases. In some scenario’s a typo is made which results in incorrect SPN’s being registered. When this is the case you can solve it by using setspn or AdsiEdit.

But what if Kerberos sometimes works and sometimes not, or does only work for specific users?  If it doesn’t work a user will not be able to access his/her mailbox.

The easiest way to figure out if Kerberos is to change the Outlook profile.

On the security tab of the account you will need to change the value of Logon network security to NTLM. If the user can access his/her mailbox after this you know that Kerberos is causing the issue.

Besides this an event will be logged in the system event log. Because a small set of logging is enabled on the Windows Servers you won’t see the Kerberos issue on that side. To enabled the logging you will need to make a change in the registry:

  • start regedit
  • browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • create a Dword called LogLevel
  • change the value of the Dword to 0x1

Logging is directly enabled after creating the registry key and after a refresh you will see several Kerberos errors in the log.

Another option is to create a network trace using Wireshark or Netmon. In both cases you will see the following message in the trace:

0xD – KDC_ERR_BADOPTION: KDC cannot accommodate requested option

When you will search the internet for this error you will see you are not the only one. But let’s start from the begin instead of going to directly to the solution.

One of the first things you will need to do is run SetSPN -L “ASA account”  to verify that all correct SPN’s are registered. The SPN’s should be unique. Despite I have seen environments where the domain controllers also contain two SPN’s named ExchangeAB followed by the netbios and fqdn. To verify if the SPN’s are unique you can use SetSPN -Q “SPN VALUE” , for example SetSPN -Q ExchangeAB/*.

As displayed in the screenshot above you will see ExchangeAB will be found four times. Two times on the Exchange Server and two times on the DC.

As fas as we can see at this moment everything looks OK. Time to continue troubleshooting. But with which step can you continue when you have the error above? Klist.exe or Kerbtray.exe will not help a lot because in most cases renewing the tickets won’t solve the issue.

After some research together with a customer we found the root cause of the issue.

Microsoft did change the UDP packet size starting from Windows 2003. In Windows XP the UDP packet size was set to 2000, starting from 2003 it has been set to 1465. I think you know what will happen when Kerberos will send a package. Kerberos will use UDP by default . This will result in incompleted packages which will arrive at servers containing Windows 2003 or above as OS.

But why does the issue only happens for some users? This depends on the Kerberos ticket size. The size of a Kerberos ticket is determind by:

  • length of the password
  • membership of groups
  • do the groups contain other nested groups

To solve this issue you will need to make a registry change:

  • start regedit
  • browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
  • create a Dword called MaxPacketSize
  • change the value of the Dword to 1

By making this change all Kerberos packages which are bigger then 1K will be send by using Kerberos over TCP.

Restart the computer and change the Outlook profile to Negotiate Authentication. Verify if you can access the mailbox. Using klist.exe or kerbtray.exe verify of the tickets will be created correctly. Both tools are part of the resource kit for Windows 2003. In Windows 7 and 2008 klist is a part of the OS.

In this screenshot two Kerberos tickets are listed which are being used by Exchange. If all authentication is performed by using Kerberos you will see the following Kerberos tickets:

  • exchangeMDB
  • exchangeRFR
  • exchangeAB
  • http

When you will look in the event log of the client you won’t find any Kerberos messages.

Microsoft has published a complete document about troubleshooting Kerberos authentication issues. You can find the document here.

Review Trend Micro Scanmail 10

In this article we will have a look at Trend Micro Scanmail (SMEX) 10. This is the latest version of Trend Micro’s antivirus/antispam solution for Microsoft Exchange Server.

The product can be used with Exchange 2003, 2007 and the most current version of 2010. Let’s start with having a look at the new features of SMEX 10.

New features

Just like Exchange 2010 Trend Micro has also introduced the Role Based access. Using this method of assigning permissions it will let you create templates and assign those templates to users.

Another nice addition to the product is the ability to use AD objects in the policies you configure. This will give you the ability to create policy for a specific AD group. For example, you have got a group of developers in your company. These developers must have the ability to receive specific file types which are blocked by the default policy. In this scenario you can exclude the developers group from the default policy and apply the custom created policy.

SMEX 10 contains two types of reputation services:

  • Web reputation (WRS), which will check all url’s in a message
  • E-mail reputation (ERS), which checks the IP-address of the sending mail server

Especially the last option can decrease the amount of spam/viruses messages which will have to be processed by the policy or arriving at the end users mailbox.

The Web Reputation Services (WRS)  feature included in SMEX will check every e-mail for malicious URL’s. By enabling WRS you will add an extra detection layer on top of the Anti-spam/Anti-virus technology which is already used by the product. WRS can detect “0-Day” attack, as well as recently new type of spam and phishing attack like “Here you are “ spam and spear phishing.

If you are having a Trend Micro SmartScan server deployed you can configure SMEX 10 to use it. The advantage of using the smartScan method compared to the conventional scanning method is that the footprint on the server is smaller. This is caused by the fact that the pattern files are a lot smaller. Another advantage is better detection.  Cloud side (Trend file reputation service) always deploys latest anti-malware knowledge which is ahead of conventional anti-malware pattern. 

In the picture below you see how the process works:

As last major change, besides the optimization of the product, is integration of Data Leakage Prevention (DLP) Policies. Using these default DLP policies you can prevent data being leaked via e-mail from your company to the outside world.
The installation of SMEX 10 is pretty easy. But before starting the installation add the CGI component to the IIS server. Once this is done the setup can be launched. One of the first steps in the setup will ask you which Exchange version you have deployed. If deploying it on an Exchange 2007 or 2010 Server you must specify if you are installing it on an Edge or on a Hub Transport/Mailbox Server.Depending on the roles installed on your server a set of scan methods are available. For example on a mailbox server a mail store scan can be performed. While on a Hub Transport server scanning can be done during transport.

In the next step you will need to add one or multiple servers. This can either be done by adding a server manually or via the browse option. In this last scenario make sure you enable the Computer Browser service which might be disabled by default depending on your OS.

Next step is to provide the credentials of an account which is a member of the Organization Management Exchange security group. If you are planning to use the End User Quarantine option this account also needs to have domain admin permissions.

By default the installation will be performed on the C drive of the server. Scanmail will need to install a web application for management purposes. By default an additional website will be created in IIS for this purpose. Another option is to place it in the default website. My recommendation is to install it in a separate site. The reason for this is that Exchange uses the default website by default for all Exchange Web Services.

Optionally you can select the option to enable SSL. When enabling this option a self-signed certificate will be installed for the website.

The next step will verify if all prerequisites have been met. If this is not the case you will be warned and you will need to solve these issues before you can continue.

Because Scanmail will retrieve its updates from the internet you may need to provide a proxy server. If this is not the case leave the option unselected. After providing the activation key you get the option to participate in the World Virus Tracking Program. This program will gather real time data for the Virus Map of Trend Micro.

As already mentioned Scanmail will have the option to place spam messages in a specific folder. Scanmail will give you to options:

  • Integrate with Outlook Junk Mail
  • Integrate with EUQ which is a separate folder created by Scanmail

Personally I prefer the Outlook Junk Mail as this will provide users with one location where they can find they’re quarantined messages.

If you are having multiple Trend Micro solutions you might have implemented Trend Micro Control Manager. This program will give you the ability to manage all Trend Micro products via one interface.

Because of the Active Directory integration the setup will give you the option to select an Active Directory group which has access permissions to the Access Console.

Before starting the installation you will get a short summary. If you are satisfied with the settings then continue and start the installation.


One thing you should keep in mind is that the setup will install a SQL Express 2005 instance on your Exchange server. If you don’t want this prepare the database on an external SQL server and specify this SQL server during the setup.

After the installation has been completed make sure you install the latest service pack and patches available.


Now SMEX has been installed let’s have a look at the configuration part. By default only the following antispam/antivirus components are enabled:

  • Security Risk Scan, which scans messages for viruses and spyware both on transport and store level;
  • Web reputation, which scans all messages for malicious URL’s;
  • Content Scanning, which is part of the Spam prevention option and scans messages for undesirable content. For example sensitive info and unprofessional info;

Because each environment is unique it might be necessary to adjust the default configuration settings. For example, you might want to scan all messages for all spyware/grayware. By default SMEX only scans for spyware and adware.

But how does the web reputation service work? Every url is checked against a database which contains a rate for the url. The Web Reputation rating is based on a number of factors including domain profiling, malware behavior related to the site, site content scanning, site categorization and correlation with phishing and spam intelligence among other things. To configure which ratings should be blocked you will need to configure the security level. SMEX does contain three security levels:

  • High, blocks a greater number of Web threats, each url with a rating of 80 or lower. Change of false positives increases.
  • Medium, blocks most Web threats and limits the amount of false positives. Each url with a rating of 65 or lower
  • Low, blocks fewer Web threats and decreases the amount of false positives. Each url with a rating of 50 or lower

In the diagram below you can see a diagram of the complete process:

When a message arrives the following steps are performed:

  • A message arrives at the Edge or Hub Transport server which contains SMEX 10;
  • SMEX detects a url in the message and sends it to the WRS Cloud service;
  • WRS checks the url and returns the rating to SMEX 10;
  • If the rating is passes the threshold the message will be either delivered using a modified subject or placed in quarantine;

Additionally you might want to enable some extra components. For example block all attachments which have program/scripting extensions such as bat, cmd and wsh or just block specific file types.

A second option which you might want to enable is the content filtering component. This component contains some predefined policies. These policies can be split up in:

  • Specific word categories: such as profanity, hoaxes and chainmail;
  • DLP, default DLP policies for specific countries/continents;

As already explained every environment requires different policies. For example you might receive a lot of spam which is not detected by other filters. In this case create a custom policy which filters specifically those words.

The second component I would highly recommend is the E-mail Reputation Service (ERS) which is part of the Spam Prevention part of SMEX. ERS works just like a black list is an IP address found then the connection is dropped. The advantage of ERS compared to blacklists is that you can configure them using a web portal provided by Trend Micro. For example, if you don’t want to block messages from a specific country even if they are listed make the configuration change in the ERS web portal.

As you can see in the screenshot above you can also add specific ISP’s and ip addresses to the approved list. Besides approving it’s also possible to block a country, ISP or ip address using this website.

One important note about the ERS is that there must be no other MTA between the sending server and Exchange. This will cause ERS not be able to work correctly because it only checks the last MTA’s ip address.

Once you are satisfied with the configuration you can replicate the configuration to other servers. This option is very useful if you are having multiple SMEX instances but want to keep the configuration the same on all of them.

By selecting the Server Management option you will get an overview of all SMEX instances:

Select the server(s) to which you would like to replicate and press the replicate button. The next step is to select which configuration settings will need to be replicated. By default all settings will be replicated. In this case you would like to replicate only a subset select only those features which you would like to replicate.

Reporting and logging

In addition to the real time monitoring of the traffic SMEX has the option to generate reports. These reports can either be created manually or automatically via a schedule.

In the screenshot below you can see an example of which content you can add to a report. A scheduled report can be created daily, weekly or monthly. As you can see you can add a lot of content to the report. Using these reports you might see some trends for example one specific user is receiving a lot of spam. Or you just want to know how much traffic passes the SMEX solution.

Compared to a manual report a scheduled report also has the option to send the report to one or multiple e-mail addresses. Which might be very useful if you do not want to login to the admin console daily.

But how does a report looks like? Well in the screenshot below a small part of the report being generated. In this example you can see the Spam Prevention statistics. It starts with a summary which gives you a quick overview. Because you might want to distribute this report to the management it might be nice to also include the graph. The graph will display the percentage of spam messages compare to the complete amount of messages.

Below the graph an overview of the top 5 spam senders will be displayed. Due to privacy I haven’t included them in the screenshot above.

In addition to the reports you may also consult the log files available. The logs are divided in a few types:

  • Security risk scan, gives an overview of messages  which did break the security risks configured;
  • Attachment blocking, gives an overview of attachments blocked;
  • Content filtering, gives an overview of messages which are tagged by the content filter;
  • Update, an overview of the update process, here you will find if an update has succeeded or failed;
  • Scan event, an overview of manual and scheduled scan tasks;
  • Backup for security risk, information about the files that the Security Risk Scan moved to the backup folder;
  • Backup for content filter, information about the files that Content Filtering moved to the backup folder;
  • Unscannable message parts, gives an overview of messages which couldn’t be scanned partitially;
  • Event tracking, gives an overview of administrative tasks performed, for example log in/outs, configuration changes made or messages released from quarantine;
  • Web reputation, gives an overview of web reputation checks performed;

In the screenshot below a part is displayed of the Content filtering log. As you can see a lot of information is displayed:

But this is not all information when scrolling to the right you will find the most interesting information:

In this piece of the logging you can see detailed information about:

  • which policy did get applied to the message;
  • which action has been taken;
  • which matching keyword(s) where found;

So as you can see a lot of information is stored in the logs which might be very useful during troubleshooting.


Here ends my article about Trend Micro’s Scanmail for Exchange 10. Trend Micro did include a lot of nice new features.  By default the antispam and antivirus settings might require you to make some modifications. For example Email Reputation is disabled by default; it might be worth to enable the option if possible. Enabling this option will prevent a lot of spam arriving in the end users mailbox but also saves a lot of processing time from Scanmail.

To fine tune your solution you might consider creating a custom content filter. By using this custom filter you can block specific messages which pass the other filters. This will result in less spam arriving at the end users mailbox. If you are finding it a little bit tricky to just delete the message use the quarantine option. This will place the message in the junk mail folder or EUQ folder from the user. If a user misses a message he or she can retrieve the message easily.

At this moment the beta for SMEX 10.2 will almost start I am very curious which new features will be added.

Issues with website

The last couple of days there where some issues with my site, the cause was a problem with the plug-in which makes my site dual-language. Today a new version of the plug-in has been released and everything should work again. If your looking for a good plug-in have a look at the site below, one disadvantage of the plug-in is that you first need to upgrade the plug-in before upgrading your WordPress.


Congratulations 2009 Microsoft MVP!

MVP logo

Today I received the e-mail below:

Congratulations! We are pleased to present you with the 2009 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Exchange Server technical communities during the past year.

I am really happy with this award, it’s a nice appreciation from Microsoft. Ofcourse I will continue with updating my site so keep an eye on it.


How to test smtp with telnet

When starting to troubleshoot smtp issues you can do this easily via telnet, below a hosrt description on how to perform the test:

First we will make connection to the mailserver on port 25.

telnet 25

You will receive the following answer when, for example, you connect to an Exchange server

220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Sun, 5 Apr 2009 21:36:57 +0200

You will need to reply with a helo followed by the domain you are sending from


Next you will need to specify the sender of the mail

mail from:

When the sender has been accepted the mailserver will respond with a 250 – OK

250 2.1.0 OK – Mail FROM

Next thing you need to specify is the recipient of the mail

rcpt to:

When the recipient address has been excepted the mailserver again will respond with a 250 OK

250 2.1.5 OK recipient

Now we have specified both the sender and recipient we can specify the mail, this will be done via the command data


When you have send the aboe command to the mailserver it will respond with the following command

354 Send data. End with CRLF.CRLF

The mailserver will tell you that you will need to end the mail with a .

First we specify the subject of the mail, when you don’t do this the subject will be empty.

subject: smtp test via telnet

After the subject command has been specified you will need to press enter 2 times, you won’t receive feedback of this. The 2 times enter is needed according to  RFC-822 and RFC-2822.

Now we have specified the subject we can specify the text we would like to be in the mail

This mail is send via telnet

As mentioned earlier we end the mail with a ., the . needs to be placed on a new line. When the mail has been accepted by the mailserver for delivery it will respond with the following command

250 2.6.0 <> Queued mail for delivery

To disconnect from the mailserver you will need to use the command quit


For further information of the RFC’s have a look at the sites below.