Microsoft and Research in Motion announce full BES support for Exchange 2010

Microsoft and Research in Motion have just announced full BlackBerry Enterprise Server (BES) support for Exchange 2010 - the earliest customers have been able to deploy BlackBerry smartphones with a new Exchange release— ever.

You'll need the just-released Update Rollup 1 for Exchange 2010, Exchange Server MAPI Client v6.5.8147, and BlackBerry Enterprise Server 5.01 Maintenance Release 1 (MR1).

More from Paul Bowden in BlackBerry Enterprise Server fully supported on Exchange 2010 on the Exchange team blog.

cc:Betty: A cool web app you may want to block

If you haven't looked at Palo Alto-based cc:Betty yet, perhaps you should. cc:Betty promises to keep everyone on the same page. Still in beta, it's a useful web app that helps users organize their email communication, collects email content, catalogs attachments and files, and also maintains your contacts.

It's also amazingly simple to use. Besides adding content on the cc:Betty web site, users can simply add betty@ccbetty.com as an additional recipient (To/Cc/Bcc) to email they send, and it shows up in their cc:Betty account - email content, attachments, et al. With the click of a button, users can publish the discussion to their Facebook feed.


Figure 1:With the click of a button, cc:Betty posts your discussion to your Facebook profile

And therein lies the threat to your data!

Although it's an impressive tool for personal use (the usual caveats about personal information and privacy apply), organizations and IT departments must consider the consequences carefully. Many small businesses and organizations operating in unregulated industries or locales may not consider themselves to be at risk and actually welcome such services.

If your organization isn't one of them, consider that simply adding another recipient to all email messages results in data leakage. How's this any different from adding any other recipient to an email? Unlike other recipients, the sole purpose of cc:Betty is to facilitate further sharing of email content outside an organization. Email can contain sensitive information— including high business impact (HBI) data or personally identifiable information (PII). Transmitting and storing such information outside the organization, with no control over the content or its security, could expose your organization to multiple risks.

Content scanning and privacy
It's important to consider what services such as cc:Betty do with your information. cc:Betty's privacy policy is not very different from Gmail's privacy policy— email content is scanned to display relevant ads. Some would argue that similar content scanning is also performed by antispam and antivirus software and services, and that this isn't something to be concerned about.

Regardless of whether you find content scanning by an automated process acceptable or not, the bigger threat is data leakage.

If usage of cc:Betty and other such services is in violation of your organization's policies, your users must be informed. If your organization's policies don't address such services and usage, perhaps it's time to consider a policy review. You may also want to consider blocking outbound mail to domains offering such services.You can easily block outbound mail to a domain using transport rules or a Send Connector. Exchange 2010's Information Rights Management (IRM) features can also help you prevent data leakage.

What can cc:Betty do to help organizations?
How can cc:Betty help organizations protect themselves from unauthorized use of its service? As a web-based service its success lies in widespread adoption of its app. More users, more user content accumulated, more sticky the service proves to be, and more pageviews it racks up. As such, there's no incentive to actually stop users from joining or posting information. In fact, it may directly impact its success.

However, cc:Betty and other such services may gain a lot of goodwill and more acceptance if they work with organizations to help prevent data leakage. One way of doing this may be to block email from organizations that register with it. When a user signs up for an account using your organization's email address, he/she gets a polite message about your company not allowing use of the service. Email sent from your domain can also be bounced back with a polite NDR.

Some organizations may choose to allow their users to use the service, but with appropriate policy guidelines and controls in place. [Update: According to cc:Betty, an enterprise version of the service is in the works.]

Does your organization allow the use of cc:Betty.com or similar services?

Bulk mailbox creation: Import passwords from a file

Automating bulk mailbox creation required fairly advanced scripting skills in Exchange 2003/2000. Thanks to the Exchange Management Shell (aka "the shell") in Exchange 2010 and 2007, this task is greatly simplified. It doesn't require any advanced scripting skills and it can be accomplished by relative newcomers to Exchange Server with very little knowledge of the shell.

Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell shows you how to create bulk mailboxes using user data imported from a CSV file. A related post— Bulk mailbox creation revisited: Adding Active Directory attributes shows you how additional Active Directory attributes not included in the New-Mailbox/Set-Mailbox cmdlets can be populated.

When creating mailboxes using the New-Mailbox cmdlet, Exchange Shell requires the password to be of type System.Security.SecureString, derived from the SecureString class in the dot net framework. In the example in Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell, we use the same password for all accounts. We also prompt the admin to enter that password using the Read-Host cmdlet, as shown below:

$Password=Read-Host "Enter Password" -AsSecureString

When the admin running the command or script enters the password, powershell masks the password by displaying a * for each character entered.

One frequently asked question when discussing bulk mailbox creation is: how do I import passwords from a text file? Of course, saving passwords in a text file isn't very secure, but there may be cases where you need to do this temporarily— particularly when you want to create mailboxes/user accounts in bulk and don't want to assign the same password to all accounts. When doing so, it's recommend to set the account to change password on next logon. There may also be other scenarios where you need to import passwords from a text file, so I'll leave the security aspect of this up to you.

The first step to importing passwords from the text file is to add it as an additional column or field in the file. For example:

Alias,Name,UPN,Password
User_One,User One,userone@yourUPNsuffix.com,P@ssw0rd1
User_Two,User Two,usertwo@yourUPNsuffix.com,P@ssw0rd2
User_Three,User Three,userthree@yourUPNsuffix.com,P@ssw0rd3

If you try to use the same command as shown in the previous post, and simply add the parameter -password and the value $_.password in the code block, it'll fail.

Import-CSV CreateRecipients.csv | foreach {new-mailbox -alias $_.alias -name $_.name -userPrincipalName $_.UPN -database "Mailbox Database" -org Users -Password $_.password}
Cannot process argument transformation on parameter 'Password'. Cannot convert the "P@ssw0rd1" value of type "System.String" to type "System.Security.SecureString".
+ CategoryInfo : InvalidData: (:) [New-Mailbox], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,New-Mailbox

Converting a string to a SecureString
To use the password field imported from the CSV file, you must first convert it to a SecureString. You can convert a string to a SecureString using the ConvertTo-SecureString cmdlet. When using the ConvertTo-SecureString cmdlet, you must specify that the source string is provided as cleartext by using the AsPlainText switch (not to be confused with the plaintext message format). The cmdlet also requires that you specify the Force switch to confirm you really want to do this— yes, you've just provided your consent to convert a plaintext string to a SecureString!

The modified command looks something like this:

Import-CSV CreateRecipients.csv | foreach {New-Mailbox -Alias $_.alias -Name $_.name -UserPrincipalName $_.UPN -Database "Mailbox Database" -Org Users -Password (ConvertTo-SecureString $_.password -AsPlainText -Force)}

To enforce a password change on next logon, add the ResetPasswordOnNextLogon parameter to the command:

Import-CSV CreateRecipients.csv | foreach {New-Mailbox -Alias $_.alias -Name $_.name -UserPrincipalName $_.UPN -Database "Mailbox Database" -Org Users -Password (ConvertTo-SecureString $_.password -AsPlainText -Force) -ResetPasswordOnNextLogon $true}

Exchange Server 2010 Released

Microsoft announced the release of Exchange Server 2010 today at Microsoft TechEd 2009 in Berlin. The release marks the first version of Exchange Server designed for the cloud, and provides customers the option of deploying it on-premises— the way Exchange Server has always been deployed, or use it as a service hosted by Microsoft, or a combination of the two.

Exchange Server CVP Rajesh Jha posts on the Exchange team blog:

This has been an incredible engineering endeavor that no one else in the industry comes close to delivering. Today, we've successfully scaled Exchange 2010 to more than 15 million Outlook Live accounts around the world and, moving forward, to millions more with Exchange Online. Our promise to deliver a seamless Exchange experience on premises with the server, in the cloud as a service or a combination of the two truly gives customers choice and peace of mind.

More in Exchange Server 2010 is now available worldwide! on the Exchange team blog.

Want to take Exchange 2010 for a test drive? Microsoft provides multiple ways for trying Exchange 2010. You can try Exchange 2010 by downloading the 120-day trial, or the pre-configured virtual machine for use with Windows 2008 Hyper-V. You can also experience Exchange 2010 and Office Communications Server 2007 R2 free for 60-days by signing up for the Unified Communications Virtual Experience.

Exchange Server 2010 120-day Trial: Build 14.00.0639.021
Exchange 2010 Release Candidate VHD: Exchange Server 2010 VHD image: This is a pre-configured VHD image which gets you started on your Exchange 2010 evaluation quickly without having to setup everything from scratch. Requires Windows 2008 Hyper-V.

Some links to get you started on the road to Exchange 2010:

• Overview | What's New | Documentation
  
• Licensing: On-Premise Licensing for Exchange Server 2010
  
• Pricing | Licensing & Pricing FAQ | Purchasing Options
  
• Exchange 2010 Forum
  

Export and Import Content Filter Words or Phrases

In Exchange 2010 and Exchange 2007, you can add custom words or phrases as good or bad words to modify the Spam Confidence Level (SCL) assigned to messages. Messages with a good word or phrase are assigned an SCL of 0 and bypass other antispam agents that fire after the Content Filtering agent. Messages with a bad word are assigned an SCL of 9, and any configured action (delete/reject/quarantine) is taken based on the Content Filtering configuration.


Figure 1: Adding a custom word or phrase to Content Filtering configuration

To add a good or bad phrase to the custom words list using the EMC:

1. Go to Organization Configuration | Hub Transport | Anti-spam tab
   
2. Select Content Filtering and click Properties in the action pane
   
3. In Content Filtering Properties, select the Custom Words tab
   
4. Add a word or phrase in the following fields as required:
   • Messages containing these words or phrases will not be blocked:To add a good word or phrase, type it in this field
     
   • Messages containing these words or phrases will be blocked, unless the message contains a word or phrase from the list above: To add a bad word or phrase, type it in this field.
   
   

To add a word or phrase using the shell, besides the actual word or phrase, you must also specify the influence:

Add-ContentFilterPhrase "bad word" -Influence Badword

You can get a list of words or phrases added to Exchange by using the Get-ContentFilterPhrase cmdlet:

Get-ContentFilterPhrase | Select phrase,influence

Exporting and Importing Custom Words and Phrases
On the Edge Transport server, configuration information is stored in the local instance of Active Directory Application Mode (ADAM) on Windows Server 2003. In Windows Server 2008, ADAM is renamed to Active Directory Lightweight Directory Service (ADLDS). Unlike Exchange Server configuration information stored in Active Directory, which is replicated to all domain controllers in the AD forest, Edge Transport configuration information stored in ADAM/ADLDS is not replicated to other Edge Transport servers.

You can configure an Edge Transport server using a cloned configuration. See Using Edge Transport Server Cloned Configuration.

You can also export only the content filter phrases from one Edge Transport and import it to another Edge Transport server. To export the phrases, use the Get-ContentFilterPhrase cmdlet:

Get-ContentFilterPhrase | Select Phrase,Influence | Export-CSV "C:\MyFolder\CFPhrases.txt"

To import the phrases on another Edge Transport server, use the Add-ContentFilterPhrase cmdlet:

Import-Csv "C:\MyFolder\CFPhrases.txt" | foreach {Add-ContentFilterPhrase -Phrase $_.phrase -Influence $_.influence}

Exchange 2007 SP2 Released, Adds PowerShell v2 and Exchange 2010 Support

Exchange Server 2007 Service Pack 2 is now available for download. SP2 adds support for Windows Powershell v2, and allows coexistence with Exchange Server 2010.

SP2 also adds support for VSS backups of Exchange 2007 on Windows Server 2008. More in Details of Exchange 2007 SP2 in-box backup when running on Windows Server 2008 on the Exchange team blog.

There's also support for monitoring named properties. For background, see Jason Nelson's post Named Properties, X-Headers, and You. As Jason notes in Named Properties, Round 2: What lies Ahead

(In SP2) ...No x-headers are ever promoted to individual properties if a client has not already requested (and mapped) them.

Finally, head over to Service Pack 2 Preview: Get-NamedProperty for more details on how to use Get-NamedProperty.

Exchange 2007 SP2 updates the Active Directory schema. Details of schema changes, including new attributes and classes, and modifications to existing ones can be found in Active Directory Schema Changes (SP2).

Note, once you install SP2, you cannot uninstall it without uninstalling Exchange 2007 from the server.

Microsoft recommends upgrading Exchange 2007 servers in the following order:

1. Client Access Servers (CAS)
   
2. Unified Message (UM) servers
   
3. Hub Transport servers
   
4. Edge Transport servers
   
5. Mailbox servers

More details and important deployment considerations in Exchange 2007 SP2 Release Notes.

Released: Exchange 2010 Release Candidate

Microsoft has released Exchange 2010 Release Candidate— a feature-complete version of the next release of Exchange Server. It is available for download here. You will be able to upgrade from the Release Candidate to the RTM version, due later this year.

Looking back, Exchange has come a long way in its 14-year history. Microsoft's Michael Atalla notes in a blog post on the Exchange team blog:

When we shipped the first version of Exchange about fourteen years ago, IBM/Lotus dominated the space. According to a 2008 Ferris research report, Notes/Domino share has dwindled to a mere 10% in enterprises, while Exchange has grown to 65% market share across all organizations and continues to grow with more than 4.7M starting the switch to Exchange last year. In fact, Exchange is now is approaching $2B in annual revenues. If Exchange were a standalone business, it would be the 9th largest software company in the world. We expect that momentum to accelerate with Exchange 2010, the most compelling version yet.

More in Exchange Server 2010 Release Candidate Available Today!

Exchange 2010 is a 64-bit only release— Microsoft released a 32-bit version of Exchange 2007 for testing and training, during Exchange's transition to the 64-bit platform. Not surprisingly, in-place upgrades from previous Exchange Server versions are not supported. (In-place upgrades stopped being supported from Exchange 2007, and most Exchange folks do not prefer or use this method for upgrading Exchange servers.)

There is a lot to look forward to in Exchange 2010, and end-users will enjoy the many new features. I am particularly excited about the new Outlook Web App (yes, the new OWA. Note, the acronym remains the same), the productivity-boosting conversation view that'll help users better manage their email, MailTips, the new self-help features including users' ability to track messages from OWA and manage distribution groups. There's plenty to look forward to for IT pros and organizations as well, and we'll continue to look at these new features on Exchangepedia.

User Self-Service: Message Tracking from OWA

One of the things on top of my Exchange wish lists, and I'm sure on the Exchange wish lists of many Exchange folks, is allowing users to help themselves with common tasks such as managing Distribution Groups, and tracking the status of their own messages as I suggested in Message Tracking as part of OWA/Outlook (hard to believe this was posted in July 2005!).

Yes, Exchange has had Message Tracking for administrators, but this results in the waste of valuable IT resources when users call/e-mail/shoutout (depending on location and position... ) why a particular message they were supposed to receive hasn't yet made it, or why someone never received a message they sent.

Exchange 2010 allows users to track their own messages using the Exchange Control Panel (ECP). Head over to Spotlight on Exchange 2010: Delivery Reports on the Exchange team blog for more info.

I'll gladly admit the final implementation of this feature is a lot better than the way I thought it should work 4 years ago. Allowing users to perform common tasks using easy-to-use web-based self-service options, using functionality found out-of-the-box in Exchange Server, should help you reduce administration costs and resources.

What's your take on these self-service features?

Released: Exchange 2010 Beta

The word is out— the product hitherto known as E14 has hit the streets as Exchange 2010 beta! Download it here (Note: 64-bit only).

As Exchange CVP Rajesh Jha points out on the Exchange team blog (read 'Presenting Exchange 2010'), the latest and greatest version of Exchange Server is built from the ground up with Software + Services in mind, and is already being used by 5 million Outlook Live users! In case you missed it, Outlook Live is the free email service available to universities, formerly known as Exchange Labs.

The reviews are already pouring in:

• InfoWorld: Exchange 2010 beta shines
  
• eWeek: Microsoft Exchange 2010 Beta Looks Solid from Core to Cloud
  
• Slideshow: Microsoft Exchange Server 2010 Includes Welcome Improvements, where you can see some screenshots.

Exchange Server 2007: Logging SMTP Protocol Activity

I wrote about SMTP logging in Exchange Server 2003/2000 in what is one of the most popular posts on Exchangepedia [read previous post - "Logging SMTP protocol activity"]. Exchange Server 2007 has its own SMTP stack, and what I like to think of as smarter or more intelligent Receive Connectors (these are protocol listeners, roughly equivalent or comparable to the SMTP Virtual Server we've known from Exchange Server 2003/2000 - Bharat).

Not enabled by default
I hoped to see (SMTP) protocol logging turned on by default on these connectors, this is one aspect that hasn't changed. Yes, SMTP logging is still not enabled by default! You have to remember to enable SMTP logging on transport servers.

To enable protocol logging on Receive Connectors, use the following command:

Set-ReceiveConnector "Connector Name" -ProtocolLoggingLevel verbose

In case you're wondering if there are any choices for the logging level - there aren't. It's either verbose or none.

To enable protocol logging from the Exchange console, go to Server Configuration | Hub Transport | select the Hub Transport server you want to configure | select the Receive Connector -> properties | General tab | change Protcol logging level to Verbose, as shown in the screenshot below.


Figure 1: Enabling SMTP logging on a Receive Connector

Unlike Exchange Server 2003/2000, you have to enable logging separately for Send Connectors (equivalent of SMTP Connectors), using the following command:

Set-SendConnector "Send Connector Name" -ProtocolLoggingLevel verbose

To do this using the Exchange console, go to Organization Configuration | Hub Transport | Send Connectors tab | select the Send Connector -> properties | General tab | change Protocol logging level to verbose.

Besides the visible Receive and Send connectors, an invisible Send Connector lurks under the hood - used to transport messages within the organization, between Hub Transport servers, Edge Transport servers, and Exchange Server 2003/2000 servers. It's the Intra-Organization Send Connector. You won't see it in the console, or in the shell if you use the get-SendConnector command. To configure protocol logging for this Intra-Organization Send Connector:

Set-TransportServer "TRANSPORT SERVER NAME" -IntraOrgConnectorProtocolLoggingLevel verbose

Where do protocol logs reside?
- Unlike Exchange Server 2003/2000, which maintain separate protocol logs for each instance of a SMTP Virtual Server, all Receive Connectors share "SmtpReceive" logs. Similarly, Send Connectors share "SmtpSend" logs.
- Receive Connector logs are located in
\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive
- Send Connector logs are located in
\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend

How do you change the path of SMTP logs?

To change the path of SmtpReceive logs:

Set-TransportServer "TRANSPORT SERVER NAME" -ReceiveProtocolLogPath "C:\New SmtpReceive Log File Directory"

To change the path of SmtpSend logs:

Set-TransportServer "TRANSPORT SERVER NAME" -SendProtocolLogPath "C:\New SmtpSend Log File Directory"

If you do decide to change the path, ensure the new directories/folders exist with appropriate permissions, as outlined in "How to Configure Protocol Logging" in the product documentation. In addition to the above, you can also control the maximum log file size, the maximum directory size, and the maximum age of log files. This ensures you don't have to worry about purging the logs manually over time, or scheduling a script to do this periodically.

SMTP logs are an important troubleshooting tool - enabling SMTP logging after the fact isn't any help when troubleshooting SMTP mail flow.

Related posts and links:

• Exchange Server 2007: How many logs hath thee?
  
• Exchange Server 2007 Transport: 452 4.3.1 Insufficient system resources
  
• Logging SMTP Protocol Activity
  
• SMTP Virtual Servers: Some irksome defaults you should change