I inherited GFI MailEssentials and MailSecurity recently.

I was troubleshooting a problem today where an SMTP sender was getting an NDR when emailing one of my users, but the exchange message tracking center claimed the message was delivered to the store.

Enter GFI MailEssentials, which optionally sends an NDR when it thinks something is spam. Here’s the fun catch though, it sends a 5.1.1 “email account does not exist”. In hopes of convincing the spammer the account doesn’t exist anymore? As if bulk mailers use legitimate return addresses.

It’s certainly not to inform the legitimate user their mail was rejected, as the NDR is a farce. It’s not signaling exchange to send an NDR, but rather taking these actions itself, so make sure logging is on. Fortunately there’s a template file in MailEssentials\templates called ndr.xml. Open it up in notepad, change the 5.1.1 references to 5.5.0 and put in your own custom anti-spam message instead of “this user does not exist”.

Not that this software should be sending NDRs. I’m sure I’m flooding the net with NDRs, but it looks like it’s hooking after the smtp service, not into or before. I’ll replace it with SA eventually.

Update 07/2007:
The NDR template just wasn’t working and GFI never replied the last time I sent them the requested tech support logs. I ran into an issue a couple of weeks ago where messages would go to GFI (sent to advanced queuing in Exchange System Manager) and never come back. Stopping GFI would get the messages back. I just deinstalled GFI and I’m replacing it with a traditional SpamAssassin installation.

Also known as, where is /etc/aliases in exchange and why again is point and click “easier”…

I’ve seen a ton of howto’s on how to do this, and I wouldn’t say anything about this if they weren’t all so damn round about or not to the point.

This article has you creating a contact with the external email address, then using another user account to forward mail to that contact. The mentioned exchange 2000 and not exchange 2003, and I don’t want a user account kicking around as well, I just want an internal email address to forward to an external one.

Microsoft recommends something similar in kb 281926.

But for the sake of our sanity, let’s try something simpler.
1) In ADUC with ESM, right click, new, contact
2) Enter the names, next
3) set alias to the internal name. click modify, choose smtp, type the external address. next.
4) finish.
5) right click the contact. properties.
6) Exchange Advanced tab, click “hide from exchange address lists”
7) email address tab. the external address should be bold (primary) check that you have an email alias for all the domains you want (if your ad domain is not your email domain, add another smtp address)
8) done.

Computers and servers seemed to update okay. I’m still tracking down a few boxes as I realized kerb isn’t working on them, but for the most part everything took it’s updates and everything else required the normal flip of the dst hour by hand (such as pbx’s).

OTOH, there’s this little tool we sometimes use in companies called exchange. This tool contains calendars, with appointments, which have times. These times, are affected by DST. So be it.

Fortunately for us, microsoft has PILES of documentation. DST Home base, KB 931836, 926666, 930879, 931667. They also revealed late in the already late process (many tools didn’t come out until Feb 2007) after some people had already prepared for this that it totally screws up resource mailboxes, which require another process.

Fine. The server patch and exchange patch when okay, but the calendar update tool? Take a close look at this kb article. How long does it take you to figure out the order of steps you should follow? The TOC is pretty useless and misleading.

I eventually figured out that “How to manually configure and run Msextmz.exe” is the “how to be an exchange hacker because we didn’t see this issue ever coming up”, also known as: “How to use some scripts to make tab delimited text files of all your DNs, matching up a load of timezones in a crapshoot fashion and hoping it all works out in the end.”

I instead used “How to run Msextmzcfg.exe” which is this little vb looking app that does some of the above work for you, dumping out a bunch of text files everywhere (mostly in a hostname folder, btw, use netbios names). I checked the “extract recurring meeting information” box even though it warns of the increased overhead. We have < 100 users. Be aware of the serious list of “things this shit does not do right” in this article:

“A time zone may be ambiguous”

Our tool often doesn’t do shit in PST

“There is a limit on the number of mailboxes that can be processed per server”

This can only do 65,535, obviously that’s because of a variable, but we’re parsing tens of thousands of DNs from a text file at this point, you’re already screwed.

“There may be conflicts with conference room assignments”

this shit totally screws up resource rooms, use a bunch of other utilities to fix this. i really only have one room that matters, so I just opened it up in outlook myself.

Unclear caveats:

1) you can’t install these tools on an exchange server, or even a machine that has the exchange management tools installed, which it considers and exchange server.
2) the tools tie into outlook, have outlook installed.
3) tzmove.exe which is needed, isn’t really referenced. I believe this is what actually ties into outlook and you download this separately. If when you run the batch script, which you’ve pointed to tzmove, you get an error 0x80004005, it’s because tzmove is an installer, not the real tzmove. Run the installer, cancel the program when it’s ready to do something, and then point the config file back at: “C:\Program Files\Microsoft Office\Office12\Office Outlook Time Zone Data Update Tool”.
4) the grant permissions script at the end of the file wasn’t interested in working for me. it just kept spewing out syntax until I realized it wanted an input file. check this out instead.
5) in case you didn’t notice, this doesn’t scale at all. Microsoft’s idea of scaling this small utility appears to be splitting up the work on a bunch of VMs on whatever hardware you have kicking around. VMs provided here. Note I thought this was a great laugh, and didn’t download it. Maybe you’re supposed to download it, and it isn’t just a joke.

Hopefully you’ve already lived through this, but if not, good luck. I’m still waiting for emails this morning asking what the hell I did to everyone’s calendars over the weekend.