Be alerted of upcoming full executive mailboxes

It is a good idea to keep mailbox size limits on your on-premises Exchange Servers for a few reasons:

- Preventing "mail storms" from running your databases storage out of disk space.
- Being able to control the maximum desired size of the mailbox databases.
- No mailbox limit means that nothing is get deleted and the Exchange becomes a document storage.

However, there are always those important management users that you don't want to allow them to run out of mailbox space.
A full mailbox in those cases may mean that a very important Email will not be received and your job will be on the line (and no one will care that the executive assistant disregarded all of those mailbox storage space warning messages even weeks before the mailbox clogged up).

So what can be done ?
Create a script to notify you of those mailboxes that are about to run out of space !The script that can be run daily will give you the option to either enlarge the mailbox or notify the user to archive or delete unneeded Emails.
Do not wait for the last moment as changing a mailbox size can take up to 2 hours go into effect:
Mailbox Size Limits Are Not Enforced in a Reasonable Period of Time


Here are the steps to make your notification script:

1. Set specific per-mailbox quota for executive mailboxes.
First, set up a mailbox quota for each user, letting go of the default database quota settings.
Keep those setting alive... but configure specific mailbox limit for each one of those mailboxes because you know that when the time comes you will need to change it anyway.

2. Set a way to distinguish between executive and none executive user mailboxes.
In order for the script to notify you about executive users only, you should set up a way to distinguish between executive and non-executive mailboxes.
One way (that I use in the script) is to gather all executive mailboxes into specific database / databases.
Another way is to assign a specific value in AD for executive users which you could query to gather all the executive mailboxes from all the Exchange databases.

for example:
$VIPList = get-mailboxdatabase *vip* | get-mailbox -ResultSize unlimited
Gets all mailboxes located on databases who's name contains the word VIP
Note ! My script uses this method so make sure to modify the script if needed !!! 

$VIPList = get-mailbox -ResultSize unlimited | where {$_.CustomAttribute10 -like "Executive"}
Gets all mailboxes with the value "Executive" in CustomAttribute10.

Of course you can use any desired attribute and any desired value to distinguish the executive mailboxes.

3. Select who will be notified
You may be the one who makes the decisions what actions to take when the reports arrive, or you may want your Help Desk to handle this task, so you need to decide who's Email the script will use (you can always assign multiple Email addresses).

4. Which SMTP server to use in order to route the mail
Nothing special here. You need an SMTP server (hub transport or other) to sent the notification Email.

Download the script here

The script assumes the executive databases are named with VIP in the database name.
You MUST change to your own search convention as stated above.
Also change the following parameters:

$SMTPServer = "192.168.1.2"
$ReportExceedingPrecentage = "94"
$ReportSender = "ExchangeServer@Mydomain.com"
$ReportRecipients = "HelpDesk@Mydomain.com","Me@Mydomain.com"

$SavedReportFilePath = "C:\LargeVIPMailboxes-$date.html"

Keep the $date.html at the end so the file will be saved with the date of creation.

This is how the report should look.
Just make sure to schedule the script for a daily run.
For assistance with creating a batch file for scheduling see my article

Load Powershell Addins in your scripts

Using the Exchange 2010 Anti-Spam feature to block specific IP addresses

The Exchange anti-spam features allow for a verity of options for protecting the Exchange environment.
Those features can be implemented for the Edge transport server or even on the Hub transport servers.

My article will focus on installing the Anti-Spam features on the Hub transport servers and on a script I wrote to automate adding / removing / viewing the IP addresses that are configured to be blocked by the IP Block List.

The reason I found for this is that in a large environment you may find that many servers are configured to be allowed connection and even relay using the Exchange Hub Transport SMTP service.
At times you may find that one of those servers go bad and starts sending a lot of Emails and even flood your Exchange server due to a software bug, or even if you would like to block a connection coming from the Internet (in case your Exchange server is getting its Emails directly).

If you got a single Hub Transport server you could easily do this configuration manually, however if you are using multiple hub transport servers and would like to configure the block list using a single commend the script may be helpful.

Lets begin...

Installing the Anti-Spam functionality
To start using those options you need to install them on the Transport/Edge Exchange server.
The installation is done using the built in .\install-AntispamAgents.ps1 script located on every Exchange server at  %system drive%/Program Files\Microsoft\Exchange Server\V14\Scripts folder

After installation the transport service needs to be restarted with the command
Restart-Service MSExchangeTransport or by using the services console.

For more information on installing this component see
Enable Anti-Spam Functionality on a Hub Transport Server

By default all of the Anti-Spam features are enabled at the Organization level in the management console, however they are not configured.

I chose to disable the features I did not want to run.

The Next step will be to install the Anti-Spam feature on every Hub Transport server you want.

It should be noted that every Hub Transport server can be configured differently altogether so you should decide if to install the feature and where.

The provided script makes an assumption that all Hub Transport servers in the organization will use the same IP blocking settings, so you may need to modify the script for your own environment.

Next we will take a look at how to configure the feature manually using the management console.
Navigate to the Server Configuration section, select a Hub Transport server where you installed the features and you will see the Anti-Spam tab.




















When we select Properties we are able to add or remove a specific IP address, Subnet or range of IP addresses.

You can also see that it is possible to define if the blocking will never expire or set this blocking to expire at a specific date and time.

I would not recommend using complete network subnets or IP address ranges unless you are sure that there is no scenario there there will need to unblock a specific address from the range or subnet.

You can add an IP address manually to check how this feature work, for example by adding your workstation IP address and then using Telnet command to perform an SMTP Email transaction with the server.



The result above will be seen by the sending party.
In case this is a real mail server with mailboxes, the sender will get this message as an NDR.

However since the SMTP session will be disconnected right after the "Mail From" section, this messaging transaction will not be logged or found in the Exchange tracking logs. The server owner should be informed that you configured the IP to be blocked since if the server is using an application to send Emails and those will fail to be routed the only way to discover why will be by using Telnet from the sending server to the HT server and seeing this error message.

Now that we know what is expected to happen lets continue to the automation section.
Copy the following script into a new text file using notepad and save as IPBlockListScript.ps1

#####

Add-PSSnapin microsoft.exchange.management.powershell.e2010 -ErrorAction silentlycontinue

$selection = $null
Do
{
cls
write-host Exchange 2010 Transport IP Blocker Manager script be Liran Zamir -ForegroundColor yellow
write-host " "
write-host "Please Select action:"
write-host ""
write-host "1. Add IP to be blocked on the Exchange transport servers"
write-host "2. Remote IP from the Exchange transport servers block list"
write-host "3. Display blocklist from a random transport server"
write-host "X. To quit"
write-host ""
$selection = read-host "Type selection"

if ($selection -eq 1) {
cls
$AddIPblock = Read-Host “Type and IP address to block SMTP connections to Exchange servers”
[ref]$a = $null
if (![system.net.IPAddress]::tryparse($AddIPblock,$a)) { write-host "" ; write-host " !!! The IP address is invalid. !!!" -ForegroundColor white -BackgroundColor red ; read-host " "}
else {

$servers = Get-TransportServer | select name
foreach ($x in $servers) { Add-IPBlockListEntry -IPRange $AddIPblock -server $x.name -ExpirationTime '12/31/9999 11:59:59 PM' }
write-host ""
read-host "IP address was added to the block list"
}
}

if ($selection -eq 2) {
cls
$RemoveIP  = read-host “Type the IP address to remove from the block list”
if (![system.net.IPAddress]::tryparse($RemoveIP,$a)) { write-host "" ; write-host " !!! The IP address is invalid. !!!" -ForegroundColor white -BackgroundColor red ; read-host " "}
else {
$removefromservers = Get-TransportServer | select name,IPIdentity
$r = Get-IPBlockListEntry -server (Get-TransportServer)[0].name | select IPrange
$found = $null
0..($r.count-1) | foreach { $r[$_].iprange ; if ($r[$_].iprange -like $RemoveIP) { $found = "Yes"  } }
if ($found -eq $null) { write-host "" ; write-host " !!! The IP address you typed was not found !!! " -ForegroundColor white -BackgroundColor red ; read-host " " } 
else {
foreach ($s in $removefromservers ) { remove-IPBlockListEntry -identity ((Get-IPBlockListEntry -Server $s.name | where {$_.iprange -eq $RemoveIP  }).identity) -server $s.name -confirm:$false }
write-host ""
read-host "IP address was removed to the block list"
}
}
}

if ($selection -eq 3) {
cls
write-host " "
write-host "List of blocked IP addresses on the transport server "
write-host " "
Get-IPBlockListEntry -server (Get-TransportServer)[0].name | select IPrange
write-host " "
read-host "click Enter to return to menu"
}

} While ( $selection -ne "x")

write-host " "
#####

You will be able to run this script on the Exchange server or on your own workstation as long as you have the Exchange 2010 Powershell management installed.

When you run the script you will be presented with a simple menu

The first option will allow you to specify an IP address (only, no ranges or subnets) to be blocked.
The script then will verify that the IP address type is in a proper IP address format, and then enumerate the hub transport servers and add the IP address to each of those servers with an open-ended expiration date.

The second option will allow you to remove an IP address from the list of blocked addresses.
Here again the IP address you typed will be validated also for correct IP address syntax as well as verify of the first first enumerated Hub Transport server that the typed IP address is indeed set to be blocked.
If all goes well, the IP address will be removed from the blocked IP list on all the HT servers.

The third option allows you to view the list of blocked IP addresses from the first enumerated Hub Transport server.

Please note the script will not work well for removing the last blocked IP address (so you may choose to first add a false IP such as 1.1.1.1 to the list - this will also allow you to verify the Add IP functionality).

The script also does not handle IP subnets or ranges.

Another important note; If you configured a receive connector to specifically allow relay for the IP address or range of IP addresses that includes the IP address you want to block, the block feature will not work until you remove the IP address / subnet / range from the allowed to relay list on the receive connector.

Hope you enjoyed this post... you are welcome to let me know.

Auditing mailbox actions for security and accountability

I was facing with a challenge. A company VIP with a few secretaries, and a few mobile devices was facing a serious issue. Calendar items were changing by themselves. Updates were sent to attendees but something changed the meeting date / time on the owner mailbox.
I was asked to find out what is the root cause.

In order to do that, there are two tools:

1. The Microsoft Exchange Troubleshooting Assistant (Extra.exe) which will allow you to gather the information, but you will have to open a case with MS in order to get the results.
   The process requires to start the tool on the mailbox server of the effected user and target the user mailbox to perform a trace up until the issue occurs
   .
2. Enable Mailbox Audit on the Exchange Server (2010)
   
   This will be the path we will investigate
   
   Enabling mailbox auditing is something that you can do by yourself. The audit can be used for security reasons (see who is abusing his/her assigned permissions to do something that they are not supposed to do), this includes Admins as well as Delegates, but also you can configure to audit the mailbox owner actions which can help with troubleshooting.
   
   The Audit is enabled per user mailbox and is saved as a part of the mailbox.
   The audit log needs to be enabled, the amount of days to save the audit can be specified (90 days by default), and most importantly, you must configure what to audit.
   
   In my case, the default owner audit setting did not include all types of operations so it was difficult at first to track the problem. (which was discovered by the trace due to the lack of information). However, after enabling additional audit items on the mailbox owner, it enabled tracking all actions and associating specific calendar actions with a specific ActiveSync mobile device.
   This eventually was found to be the cause of the above problem.
   
   So... Lets start this thing:
   
   First, log on with a user with administrative rights to the Exchange server to enable auditing for the user mailbox you would like to investigate.
   
   Now, Enable auditing on the mailbox with the command:
   
   Set-Mailbox UserName -AuditEnabled $true
   
   This command will enable auditing for Admin actions as will as Delegate actions, but not for mailbox owner actions.
   
   If you run the command Get-Mailbox UserName | select *audit*
   you will see exactly what is audited and what is not:
   
   AuditEnabled     : True
   AuditLogAgeLimit : 90.00:00:00
   AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
   AuditDelegate    : {Update, SoftDelete, HardDelete, FolderBind, SendAs, Create}
   AuditOwner       : {}
   
   You may notice that by default the mailbox owner is not edited.
   
   If you will run the command: Set-Mailbox Username -auditowner $true
   you will see that the AuditOwner setting changes to:
   
   AuditOwner       : {Update}
   
   This is nice, but may not be enough to get all the information you want.
   
   Lets enable auditing for all options for both Admin, Delegate and owner:
   
   Set-Mailbox UserName -AuditEnabled $true -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create -AuditDelegate Update,SoftDelete,HardDelete,FolderBind,SendAs,Create
   -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create
   
   Of course this will consume more space, however you only need to enable this when you need to investigate an issue or on a regular basis for specific users.
   
   Now, allow some time for the information to be collected.
   
   When you want to investigate, you will need to view or export the information in order to filter them more easily.
   
   The command that is used to retrieve the data is:
   Search-MailboxAuditLog UserName -ShowDetails
   
   This will give you tons of lines if information on every every action performed on every item.
   You can either use powershell to filter the output sent to the screen, or you can more easily send everything (filter or unfiltered) to a CSV file later to be opened in Excel or your favorite spreadsheet.
   
   
   Search-MailboxAuditLog UserName -LogonTypes Admin,Delegate,Owner -ShowDetails | export-csv c:\UserName.csv -Encoding utf8
   
   Please note that you can specify all type of logon types (as shown in the command above) or just specific logon type such as Delegate if you only want to get data about actions performed by the delegates.
   The command -Encoding utf8 will allow exporting of characters that can be identified for non-English (in my case Hebrew) in the item subject.
   
   You can additionally filter based of available properties, for example, add the following pipe between the Search section and the Export section in order to filter audit items in the calendar folder only | where {$_.FolderPathName -like "\calendar"} | 
   If English is NOT your default folder language you will need to modify the folder name based on your folder language.
   
   In the CSV file you will get all the detailed information on the actions performed.
   The information also include the client type, such as Outlook and even ActiveSync.
   The ClientInfoString provides the full Device information so you will be able to tell which device performed the action (this is very helpful in case that a few devices are user to sync with the same mailbox).
   
   Another option to view and filter audit logs for a specific mailbox is using the Exchange Control Panel (ECP) on your exchange server. For example user https://yourserver/ecp
   
   
   
   However, based on available options, it doesn't seem you can view owner actions using this interface.
   
   I hope this article will provide you with valuable information for troubleshooting.
   If you like this article you are welcome to drop me a line at: liranzamir@gmail.com