Released: Update Rollup 2 for Exchange Server 2007 SP1

Exchange Server 2007 SP1 Update Rollup 2 has been released.

Description of the roll-up can be found in KB 948016. Besides all the fixes from Update Rollup 1 (for SP1), this rollup includes fixes for the following issues:

• - 940462 The public folder store may take several minutes to mount on an Exchange 2007 server
• - 944153 Exchange Server 2007 does not have Transport Neutral Encapsulation Format (TNEF) capabilities for POP and IMAP protocols
• - 945917 You receive an error message when you try to access the Outlook Web Access global address list in an Exchange Server 2007 environment
• - 947346 Exchange Server 2007 mailbox users cannot retrieve the free/busy information for Exchange Server 2003 mailbox users in a large Exchange Server organization that has more than 100 administrative groups
• - 947360 Error message occurs, and users cannot access the free/busy information after you use the Import-Mailbox cmdlet to import data to a mailbox in Exchange Server 2007 Service Pack 1
• - 947391 The contents of .pst files are not imported into Exchange Server 2007 mailboxes when you use the Import-Mailbox cmdlet
• - 947451 A recipient sees unexpected text in the top of an e-mail message that you send in Exchange Server 2007
• - 947458 The Edgetransport.exe process may crash on an Edge server that is running Exchange Server 2007 Service Pack 1
• - 947551 The Edgetransport.exe process may crash intermittently on an Exchange Server 2007 Service Pack 1 Edge server
• - 947577 If you try to connect a mobile device to a mailbox server through a server that is running Exchange Server 2007, the mobile device may be unable to connect
• - 947646 Event ID 12011 is logged every time that the MSExchangeTransport service starts after you install Exchange Server 2007 Service Pack 1 on a computer that is running the German version of Windows Server 2003
• - 948047 An event ID 1080 message is logged in the System log every three seconds after you run the Set-ExchangeServer command to set the static domain controllers on an Exchange 2007 cluster node
• - 948297 The OOF template may be delivered as an attachment in an Exchange 2007 environment when you use the "Reply with Template" option in Microsoft Outlook
• - 948332 Failover takes a long time to finish in an Exchange Server 2007 cluster continuous replication environment
• - 948374 The EdgeTransport.exe process crashes intermittently, and event ID 1033 is logged in Exchange Server 2007
• - 948666 When you try to migrate a mailbox from Exchange Server 2003 to Exchange Server 2007, the Exchange Management Shell may stop responding
• - 948830 The MSExchangeSyncAppPool application pool crashes on a server that hosts an Exchange Server 2007 Client Access Server role
• - 948831 A user may be unable to synchronize with an Exchange Server mailbox from a mobile device when a Client Access server has been upgraded to Exchange Server 2007 Service Pack 1
• - 948844 An exception occurs, and event IDs 4999 and 5000 are logged when you modify the Outlook Web Access user interface
• - 949186 When you try to run the Restore-mailbox cmdlet on a server that is running Exchange Server 2007, you receive an error message
• - 949193 The address rewrite agent does not rewrite the address for Out of Office (OOF) messages in Exchange Server 2007
• - 949463 An exception error is generated after you run a Set-AttachmentfilterListConfig command together with the ExceptionConnectors option on an Exchange 2007 SP1-based server
• - 949541 You cannot log on to Outlook Web Access Light, and an error message occurs in Exchange Server 2007
• - 949703 Error message in Outlook when you click the signature icon of a signed e-mail message that an Exchange Server 2007-based Edge server receives: "The digital signature is invalid"
• - 949726 After you install Exchange Server 2007 Service Pack 1, the Set-ExcecutionPolicy task causes an error message, and event ID 103 is logged
• - 949772 If you run the "isinteg -dump" command against a dismounted store on a server that is running Exchange Server 2007, the Store.exe process stops unexpectedly
• - 950123 Error message after you apply Update Rollup 1 for Exchange Server 2007 Service Pack 1 in a Japanese environment: "Public Folder Management Console is not an allowed Snap-in"

HOW TO: Remove Public Folders

This is a fairly common question - you're trying to remove the Public Folder store on an Exchange 2007 server and get an error that some Public Folder replicas still exist. You're certain you've removed all Public Folder replicas from that server. What next?

Here's a little procedure documented in How to Delete Multiple Public Folders from Your Organization that takes care of this.

Remove all Public Folder replicas from the server using the following command:

Get-PublicFolder -Server "SERVER NAME" "\" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server "SERVER NAME" -Recurse -ErrorAction:SilentlyContinue

Next, remove all System Folders using the following command:

Get-PublicFolder -Server "SERVER NAME" "\Non_Ipm_Subtree" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server "SERVER NAME" -Recurse -ErrorAction:SilentlyContinue

To verify all Public Folders have been deleted:

Get-PublicFolderStatistics -Server "SERVER NAME" | fl

At times the replica clean-up may take a little while. If you still see replicas after running this command, run it again in 10-15 minutes.

Note: This procedure should be performed only if you're removing the last (or only) Public Folder Store from an Exchange Organization. If there are other servers in the Organization that also host Public Folders, using this procedure removes the folders from the Public Folder hierarchy.

Removing Public Folder replicas using MoveAllReplicas.ps1

If Public Folders are hosted on more than one server, use the MoveAllReplicas.ps1 script to remove replicas from a server, as illustrated in KB 927464: How to remove Exchange 2007 from a computer.

The MoveAllReplicas.ps1 script resides in the Scripts folder in the path where Exchange Server 2007 is installed. It's an easy-to-use script that takes 2 parameters— the source and target server names. The source server is the server you're trying to remove the Public Folder replicas from. The target server can be any other server in the Organization that hosts Public Folders— presumably a server that's in the same location to avoid replicating PFs over WAN links.

MoveAllReplicas.ps1 -Server "SOURCE SERVER NAME" –NewServer "TARGET SERVER NAME"

Once this is done, it may take some time for Public Folders to replicate to the target server, and for these to be removed from the source server. To verify there are no replicas on the source server, you can use the Get-PublicFolderStatistics command.

Moving on to the Exchange team

"Vista Gets Compromised" couldn't be the best blog post to kick off a Microsoft career with— and yet, that happened to be my last post before I joined Microsoft. (To be fair, it wasn't Vista's fault.. read the comments in that post..)

Sorry for the radio silence over the past weeks— it is rather unusual.

I landed at the Exchange product group about three weeks ago. I am excited to be part of an excellent product team, and cannot seem to contain my excitement about what's going on with the next version of Exchange. What's more, I'll still be working from the Bay Area.

The night before NEO, Scott Hanselman did a great job of explaining his reasons for joining Microsoft and how he feels about it. Russ and I nodded in agreement.

What about Exchangepedia?
What started as "Bharat Suneja's Blog" close to 4 years ago morphed into Exchangepedia. I will continue to blog here, and will have even more information to share - at least about the versions of Exchange we continue to use and deploy today (2007/2003), and other issues not directly related to Exchange.

Over the years, the Exchange team folks have been great about sharing information that has found its way to this blog and newsgroup responses. If anything, I see myself being even more involved with the Exchange community in this new role.

Not an MVP any more!
One of the things that happens when MVPs join Microsoft - they can't remain MVPs any more. Being an Exchange MVP has meant a lot to me over the past years, and given the mystery about my start dates, I was lucky to get awarded for 2008-2009 as well. Yes, the pleasure of still being an MVP as a Microsoftie was very short-lived indeed, but a pleasure nonetheless.

What about Zenprise?
Zenprise is an amazing and exciting product and I'm proud to have been a part of it. We went from no product to Zenprise 3.3 in a little over 2.5 years that I was there. Along the way, we built some great troubleshooting and monitoring functionality for Exchange and BlackBerry, and won a lot of awards for it (including Best of TechEd for 2 consecutive years). Zenprise has an excellent team, and the products keep getting better with every rapid-fire release. It was one of InfoWorld's Top 15 Startups to Watch in 2007, and recently got named a Gartner Cool Vendor. Needless to say, it is and will continue to be an exciting company to watch.

PWN to OWN Contest: Vista gets compromised

Update on the PWN to OWN contest at the CanSecWest conference. After the MacBook Air got compromised in 2 minutes, Shane Macaulay claimed victory over the Fujitsu laptop running Windows Vista. Yes, Windows Vista was compromised at the tail end of Day 2, at 7:30 p.m., thanks to a vulnerability in Adobe Flash.

More in PWN to OWN: Final Day (and another winner!) on TippingPoint.

The list of conference sponsors includes both Adobe and Microsoft.

Mac, meet PC: PC, the Mac's already hacked!

The Event: CanSecWest's PWN 2 OWN contest, Vancouver, Canada
The Contenders: Mac OS X Leopard, Microsoft's Windows Vista, and Linux.
The Challenge: Compromise the OS
The Prize: $10,000 + laptop
The Winner: Charlie Miller

Apparently, the OS that's safer by design is the first to get compromised, after the rules were relaxed a little bit. 2 minutes is all it took, according to a report in InfoWorld (yes, still one of my favorite tech news sources). Excerpt:

Contest rules state that Miller could only take advantage of software that was pre-installed on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple's Safari browser.

And:

Shane Macaulay, who was Dai Zovi's co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.

But it was all in vain.

More in Gone in 2 minutes: Mac gets hacked first in contest on InfoWorld.com.

This comes little over a week after Apple released what is labeled a massive patch, a monster patch, a mega-update, or a mega-monster security update by the media (Yes, that makes me feel like Jon Stewart now). The patch contains 90 fixes according to these reports.

Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in Apple's QuickTime to take home the prize.

Gloat not, Windows Vista and Linux. You are expected to be hacked by today— and when that happens, it will be further proof that vulnerabilities exist in all systems. That's the nature of software. When it comes to millions of lines of code, "bug-free" and "vulnerability-free" software is a myth. What really matters is how easily these can be exploited, how quickly the vendor responds and releases patches to fix vulnerabilities.

As far as Windows Vista is concerned, it has an enviable track record so far.

Errata: Edge Subscription and Synchronization white paper

The white paper on Edge Subscription and Synchronization has the following error:

Under Recipient Information:

Distribution groups are not replicated to ADAM.

Distribution Groups are in fact replicated to ADAM using EdgeSync. In Exchange Server 2007 SP1, Distribution Group membership (the member attribute) is also replicated.

On Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS).

Note that new Distribution Groups created in Exchange Server 2007 are set to receive mail only from authenticated senders by default— preventing them from receiving internet mail. Any Exchange recipients set to receive mail only from authenticated senders are not replicated by EdgeSync.

Related Posts:
- Configuring firewalls and name resolution for Edge Transport servers
- New Distribution Groups do not receive internet email by default

India not looking to ban BlackBerry, keen to resolve issue

India's Dept of Telecom (DoT) says it has asked Indian wireless carriers to specify a timeframe by which they will resolve all security concerns. India is not looking to shutdown BlackBerry services, but it is keen to resolve the issue.

There has been a lot of speculation about the DoT having given a 15-day notice to carriers and RIM to allow snooping or face a shutdown. The Economic Times says "all players offering BlackBerry in India said that that the government had not issued any such directives."

Excerpt:

DoT is looking at various possibilities, including asking RIM to create a mirror image of all emails and data sent on these devices in India and store the information for at least six months to address the concerns of security agencies.

DoT is also looking at other options such as asking RIM to migrate all data traffic originating from Indian mobile networks to servers in India.

More in "DoT calls up BlackBerry providers".

"Save XP" Campaign: InfoWorld responds, and the facts about downgrade rights

Note to readers: I haven't had to keep a post on hold for as long as I"ve kept this one, contemplating whether I should post it or not. After much thought, I've decided to post this, because it is important to know the facts about downgrade rights, and to clarify my position on this debate.

InfoWorld responded to my previous post (read InfoWorld's campaign to "Save Windows XP").

In a blog post titled Exchangepedia Blog Author calls "Save XP Campaign" Childish!, InfoWorld columnist J. Peter Bruzzese writes:

However, in the overall scheme of things will it budge the folks at Redmond to reconsider its plans? Not if Bharat Suneja, an MVP for Exchange and tech guru who publishes the popular Exchangepedia Blog site has anything to say about it. He has done his own research on the matter and his opinion should be heard!

Thanks for the kind words Peter - much appreciated.

To put it on record, I am not for or against Microsoft extending the deadline for Windows XP OEM and retail sales. I called Peter the saner voice (of InfoWorld) - he gets the gist of what I wanted to convey in the post:

The point Bharat is trying to make: Windows XP is an operating system that has lived past its prime, and Microsoft isn't about to pull the plug on it any time soon. (Users can move to Vista on their own timeline).

In my post, I pointed out Microsoft's Product Lifecycle Policy for Windows XP, including the facts that Windows XP mainstream support won't end till April 2009, extended support will be available till April 2014, and Volume License customers can use their downgrade rights if Windows XP licenses are no longer available from retail or OEM channels. (As it turns out, downgrade rights are not restricted to Volume License customers.)

In fact, Microsoft will soon release a new service pack— Service Pack 3, for Windows XP. You can download Release Candidate 2 of the service pack here.

InfoWorld Editor Galen Gruman comments
InfoWorld Editor Galen Gruman left a comment on the post here. What she has to say (relevant portions highlighted and bolded for emphasis):

For the record, as the InfoWorld editor who's responsible for the "Save XP" story and related content, there's one big error in this well-reasoned post: XP will not be generally available after June 30 if you are *adding* computers or people. We never said this was an issue of support. It is true that if you have a site license to Vista, you have downgrade rights to XP. But most small businesses and no individual buyers have these rights. They cannot get XP after June 30. And unless they bought new of two specific types of Vista -- the full, not OEM, versions of Vista Business and Vista Ultimate -- they do not have downgrade rights. GIven that practically everyone who buys a computer has just an OEM copy of Windows, they do not in fact have downgrade rights to XP and cannot add new XP licenses to their mix of XP systems. This forces them to have a mix of XP and Vista, whether or not they are ready for Vista. It was this concern that we heard repeatedly in the last year and led to this story. And why we advocated that XP be available for sale indefinitely -- meaning not forever but until the market as a whole is much more ready to move.

Thanks for commenting Galen. Having read your follow-up article "The "Save XP" manifesto: Time to get past the distractions", I agree with some of the arguments presented (and greatly disagree with others), and the underlying reasons for the "Save XP" campaign. However, your basic premise that setting a date for end of availability of OEM and retail licenses for Windows XP is like Microsoft giving users an eviction notice is simply not true!

I understand that the main issue Galen has is not about existing Windows XP users or computers, but about availability of Windows XP for new computers or users. Carrying the analogy further, that's more like Microsoft saying we aren't accepting new lease applications for this old, run-down apartment that is scheduled to be torn down. You can, however, lease a unit in this brand new complex we built across the street.... It is far from an eviction notice for existing tenants.

The facts about downgrade rights
As far as the downgrade rights Galen referred to (highlighted) in the above comment and in her follow-up article are concerned— she deserves the benefit of the doubt. There's clearly some misunderstanding on her part, and it probably isn't her fault. (Update: Based on our email exchange, I know she has tried to get a definitive answer to this.) Navigating Microsoft's web of licensing options and agreements can be be challenging, even for MVPs. However, to be fair to Microsoft, I was able to get the answer by searching the web, and a single follow-up call to Microsoft Pre-Sales and Licensing. The response was clear and unambiguous.

Downgrade rights are not limited to large enterprises. This Microsoft Volume Licensing Brief [download] (dated January 2007) titled Microsoft Select License, Open License, Original Equipment Manufacturer (OEM) License, and Full Packaged Product (FPP) License Downgrade Rights says:

Can I downgrade my OEM version of Windows Vista Business to Windows XP Professional?
Yes. OEM downgrade rights for desktop PC operating systems apply to Windows Vista Business and Windows Vista Ultimate as stated in the License Terms. Please note, OEM downgrade versions of Windows Vista Business and Windows Vista Ultimate are limited to Windows XP Professional (including Windows XP Tablet PC Edition and Windows XP x64 Edition). End users can use the following media for their downgrade: Volume Licensing media (provided the end user has a Volume Licensing agreement), retail (FPP), or system builder hologram CD (provided the software is acquired in accordance with the Microsoft OEM System Builder License). Use of the downgraded operating system is governed by the Windows Vista Business License Terms, and the end user cannot use both the downgrade operating system and Windows Vista Business. There are no downgrade rights granted for Windows Vista Home Basic or Windows Vista Home Premium.

Translation: If you buy a computer and it ships with Windows Vista Business or Ultimate preinstalled by the manufacturer, also known as an OEM license, you can downgrade to Windows XP Professional. You do not need a Volume License of any kind to do that - end users, small businesses with or without an Open License, and larger businesses - again, with or without a Select or Enterprise License, can downgrade to Windows XP Professional, and use it for as long as they wish.

Microsoft confirms
A quick call to Microsoft Sales/Licensing confirmed that. You are welcome to do so yourself, by calling 800.426.9400. Select option 5, then option 3. In a follow-up call, Microsoft also explicitly and unambiguosly stated that users can use the OEM media (CD) or the one that came with a prior purchase of a FPP (retail) version to downgrade. Organizations with a volume license can also use their volume license media to downgrade. "The media is not important here, the license is", added the Microsoft rep.

If you're having trouble finding your Windows XP CD or need to order a replacement copy, you can do so by calling 800.360.7561 if you bought the retail (FPP) version. The cost is $23, or $29 with taxes and shipping. Volume License customers can order CDs by calling Volume License Fulfillment at 800.248.0655. When asked how long the replacement CDs will be available, and whether these will still be available after Windows XP is no longer sold, the rep responded: "They will be available for quite a while. No plans for discontinuing that yet."

Though well-intentioned, some of the arguments presented by Galen are not as valid. Once again, I am neither for or against Microsoft continuing to sell Windows XP, nor profess that users move to Vista whether they're ready or not. However, the implication that Microsoft is forcing users to move to Windows Vista, and terms like eviction notice used in such articles, do not present the issues in the right perspective.

Given the facts about Microsoft's product lifecycle, support policies and downgrade rights, is Microsoft's stance wrong here? Or does InfoWorld's Save XP campaign amount to unfairly criticizing Microsoft, as InfoWorld's own columnist J. Peter Bruzzese states in "Save XP? Why bother?"?

PS: Tom Sullivan's response, and comment about MVPs

I was equally annoyed and amused by InfoWorld Editor Tom Sullivan's response in "On the necessity of InfoWorld's 'Save XP' campaign". Tom says:

As Peter Bruzzese points out, the author of Exchangeapedia, Bharat Suneja, suggests that the campaign won't inspire Microsoft to change its plans and keep Windows XP alive beyond June 30.

Suneja, it's worth explaining, is a Microsoft MVP. A rare breed, indeed, these disciples are devout enough that, while attending an MVP Summit back in 2001, a pair of them even got married in Redmond, Wash. and read vows from their Pocket PCs.

That said, Bruzzese writes that Suneja "has done his own research on the matter and his opinion should be heard." I agree, and particularly when he explains that mainstream support will end on April 14th, 2009, and extended support will be available for five years from that date, till April 8th, 2014, both points IT shops should research. Suneja writes, in his post, "Windows XP doesn't seem like a product that's being retired prematurely."

That, obviously, is a matter of some debate. Contrarians can easily point to the reality that Vista sales are not exactly going like gangbusters.

Tom, All I can say is, I wish you had read my original post before commenting. Perhaps that's just one of those good old journalistic niceties that we simply don't have time for any more. :)

If you did read my original post, please accept my apologies.

MVPs are also some of Microsoft's sharpest critics. An excerpt from the article in Computerworld:

Paul DeGroot, an analyst at Directions on Microsoft, a research firm in Kirkland, Wash., agreed that MVPs are both "in Microsoft's camp" and its "best critics" at the same time.

"They criticize from a position of deep knowledge about the products and how customers use them," DeGroot said. "So when they say something, they know what they're talking about, and they're not inclined to take cheap shots. They'd rather fix things than lay blame."

MVP or not, my opinion and criticism of InfoWorld in this matter wouldn't have changed. It is sad to note that what is otherwise a well-regarded tech journal is increasingly sounding like the MAD magazine of tech journalism on this topic.

Standby Continuous Replication (SCR): Replay and Truncation Lag

Standby Continuous Replication (SCR) is a new High Availability feature in Exchange Server 2007 SP1. It uses Continuous Replication (also used by LCR and CCR) to replicate Storage Groups from a clustered or non-clustered mailbox server, known as a SCR source, to a clustered or non-clustered mailbox server, known as a SCR target.

SCR is managed using the Exchange shell - no management features exist in the EMC to configure or manage it.

Unlike LCR and CCR, which are designed to have a single copy of a Storage Group (consisting of an Exchange Store EDB + transaction logs & system files), SCR is designed to have many-to-one and one-to-many "replication relationships". (A SCR relationship or partnership - not formally defined terms, but simply used to explain the concept here - is SCR replication of a particular Storage Group from a SCR source server to a particular SCR target server).

A Storage Group from one SCR source can be replicated to multiple SCR target servers, and Storage Groups from one or more SCR source mailbox servers can be replicated to a single SCR target mailbox server.

By default, the Replication Service delays replaying 50 transaction logs to the SCR replica Database. Additionally, you can configure the following parameters to control how SCR replicas behave:
ReplayLagTime: specifies how long the Replication Service waits before replaying replicated transaction logs to the replica Database (EDB) on the target. Default:1 day
TruncationLagTime sets a lag time for truncating log files on that replica. Provided the other requirements are met for log file truncation on the SCR replica, log files are not truncated till ReplayLagTime + TruncationLagTime has elapsed. Default:0.

Why do I need the delay?

Replay lag gives you the protection of having a copy of your database from back in time. This back-in-time copy can be used to recover from logical corruption, pilot errors etc.

Additionally, if there is no delay, in the case of a lossy failover of the SCR source to a LCR or CCR replica, the (new source) Database will be behind its SCR target(s), requiring reseeding. Not something one would want to do for large Databases over WAN links (or even locally within the same datacenter). Delaying the last 50 transaction logs from being replayed to the SCR target avoids the need to reseed.

However, a large number of transaction logs not replayed to the Database means increased storage requirements for the SCR target, and also an increase in the time it takes to activate it in case of failure of the SCR source. Before it can be brought online, all the logs will need to be replayed.

To avoid this, you can set the ReplayLagTime to 0 (from the default of 1 day). Note, the replay will still lag behind by 50 transaction logs - a hard-coded limit enforced by SCR that cannot be changed. The TruncationLagTime can be set higher, so logs are replayed but not truncated. You can then take VSS snapshots of the target for the point-in-time copies.

Once setup using the Enable-StorageGroupCopy command, the ReplayLagTime and TruncationLagTime cannot be changed without disabling and re-enabling that SCR relationship for the Storage Group.

How can I see ReplayLagTime and TruncationLagTime? The following command shows the SCR targets a Storage Group is being replicated to:

Get-StorageGroup "SG Name" | fl

However, neither the above command, nor Get-StorageGroupCopyStatus show the lag times.

The parameters are returned as an array when you use the former (Get-StorageGroup) - only the name of the SCR target is displayed in the StandbyMachine property.

To see the lag times:

$sg = Get-StorageGroup "MyServer\MyStorageGroupName"
$sg.StandbyMachines

Here's what it looks like:


Figure 1: Displaying the Replay and Truncation lag time

Can I change ReplayLagTime and TruncationLagTime without reseeding the Database? You need to disable replication and re-enable it to add or modify the lag times. :

Disable-StorageGroupCopy "Storage Group Name" -StandbyMachine "SCR Target Server"

When disabling SCR, you get prompted to delete all files in the replica folder on the SCR target. Skip that. Reseeding is not required if you do not delete the files:

WARNING: Storage group "DFMAILMAN.e12labs.com\dfmailman-sg1" has standby continuous replication (SCR) disabled. Manually delete all SCR target files from "C:\Exchange Server\Mailbox\First Storage Group" and "C:\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb" on server "mirror".

Now, let's enable SCR with the replay and truncation lag times:

Enable-StorageGroupCopy "Storage Group Name" -StandbyMachine "SCR Target Server" -ReplayLagTime 1.00:00:00 -TruncationLagTime 2.00:00:00

Once replication is enabled again, make sure to test replication status using:

Get-StorageGroupCopyStatus "SG Name" -StandbyMachine "SCR Target Server"

India wants access to BlackBerry encryption algorithms to fight terrorism

India's half a million BlackBerry users may have to live with the prospect of the Indian government having easy access to their wireless communication.

India says it needs access to RIM's encryption algorithms, used to encrypt email sent and received by BlackBerry smartphones, to fight terrorism. The Indian government is delaying a license to offer BlackBerry services to wireless carrier Tata Teleservices, and may cancel the licenses already issued to other Indian wireless carriers— Vodafone Essar, Bharti Telecom and Reliance Communications, if RIM doesn't comply by March 31st. The Information Technology Act of 2000 provides the government of India the right to intercept electronic communications for security reasons.

It's no secret that terrorists are increasingly using the internet and email to communicate. Bringing BlackBerry handhelds under the scope of lawful interception shouldn't come as a big surprise, but it does pose interesting questions for RIM.

The Department of Telecom's intent and its notice to carriers is anything but abrupt. The DoT had requested access some time last year. The March 31st deadline is an extension to the earlier deadline of December 31st. DoT officials are meeting with carrier execs and RIM officials to resolve the issue.

More in "BlackBerry under security scrutiny in India" on washingtonpost.com.

What makes the whole episode more interesting are reports that the Indian government wants significantly weaker encryption keys to be used across the board. If true, this could make security of online banking and e-commerce transactions questionable, and may even pose threats to India's growing outsourcing sector. ISP Association of India President Rajesh Chharia says "Routine check-ups are fine with us since the issue is one of national security. All ISPs must, and will, cooperate. What is of concern, though, is the fact that we have been asked to reduce the encryption from 128-bit to 40-bit, which is ridiculous.” (More in "BlackBerry security issue makes e-com insecure").

As similar incidents involving India's bureaucracy have proven in the past, better sense does eventually prevail in India (Read previous post: "Update: India blocks access to blogs"), but not before giving massive doses of anxiety attacks to those concerned.

Routing outbound mail using a particular IP address

A question that frequently and inevitably pops up when discussing Exchange transport is that of being able to route outbound mail using a particular IP address. The Exchange Server 2003/2000 transport architecture was confusing for many newcomers— the difference between an SMTP Virtual Server and an SMTP Connector being the main cause of this confusion. This is further exacerbated by the fact that SMTP Connectors use SMTP Virtual Servers as bridgeheads.


Figure 1: In Exchange Server 2003/2000, the IP address binding in SMTP Virtual Server properties is only for inbound connections

I've often quoted Scott Landry's post on the team blog— SMTP Virtual Server Myths Exposed. Myth #4 in Scott's post:

Myth 4: Virtual Server IP Address Will Be Used For Outgoing Connections

The last source of misunderstanding is the socket which will be used to open an SMTP connection. This may seem confusing and somewhat contradictory of my first point, but SMTP simply tells the Windows network stack to provide SMTP with a socket. It does not provide a source IP address to use, and as such, you will notice that the source IP address assigned by Windows will be based on the Windows routing table, not taking into consideration the IP of the SMTP VSI that is delivering the message. A common observation of this is that on a cluster server we are using the physical machine IP as our source IP, not any of the virtual IP addresses.

Exchange Server 2007, with its shiny new transport stack (freshly divorced from IIS' SMTP service), makes this quite clear. Receive Connectors, somewhat comparable to the SMTP Virtual Server in previous versions, are for receiving inbound mail. Send Connectors are for sending outbound mail.

When creating or modifying a Send Connector using the shell, you can specify the SourceIPAddress parameter to configure it to use a particular IP address for outbound mail. The IP address can be any IP address bound to a NIC on the Edge Transport server that is configured as a source server on the Send Connector. To modify an existing Send Connector, using the following command:

Set-SendConnector "ToInternet" -SourceIPAddress 1.2.3.4

However, as noted in the documentation, this only works on Edge Transport servers. Hub Transport servers ignore the SourceIPAddress parameter.