Exchange

Exchange 2013 (low on log volume space) Alert: The Reason and How To Override

If you are monitoring Exchange 2013 Servers, you may receive this alert from your Mailbox Servers:

Database ‘DATABASE’ is low on log volume space. ‘DATABASE’ is low on log volume space. Current=xx GB, Threshold=195.31 GB

You can check the status also by issuing this command in the Exchange Management Shell:

Get-ExchangeServer | Get-Serverhealth -HealthSet Diskspace | ? AlertValue -ne Healthy | ft -autosize

The reason is that Exchange expects at least 200 GB (or 195.31 GB) of free disk space on the disk hosting the database log files, which might not be the case for your deployment, probably because you don’t need that much space.

The solution is simple (it works for Exchange 2013 with SP1 (CU4) or later):

1- Open PowerShell on your Mailbox Server(s).

2- Run this command (replace 10240 with your desired free disk space threshold in MB):

New-ItemProperty "HKLM:\Software\Microsoft\ExchangeServer\v15\ActiveMonitoring\Parameters\" -Name "SpaceMonitorLowSpaceThresholdInMB" -Value 10240 -PropertyType "DWord"
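Added example, not part of the original post: New-ItemProperty fails if the value already exists or the Parameters key is missing, so a repeatable version of step 2 creates the key when needed, overwrites the value, and reads it back. The function name Set-LogSpaceThreshold and the MinimumMB floor are assumptions made for illustration.

```powershell
# Added example. Set-LogSpaceThreshold and -MinimumMB are hypothetical names.
function Set-LogSpaceThreshold {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][int]$ThresholdMB,
        [int]$MinimumMB = 1024   # assumed floor so the alert is never silenced outright
    )
    $key  = 'HKLM:\Software\Microsoft\ExchangeServer\v15\ActiveMonitoring\Parameters'
    $name = 'SpaceMonitorLowSpaceThresholdInMB'

    if ($ThresholdMB -lt $MinimumMB) {
        throw "Refusing threshold of $ThresholdMB MB: below the floor of $MinimumMB MB."
    }

    # Create the Parameters key if it does not exist yet
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # -Force overwrites an existing value instead of raising "property already exists"
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set to $ThresholdMB MB")) {
        New-ItemProperty -Path $key -Name $name -Value $ThresholdMB `
                         -PropertyType DWord -Force | Out-Null
    }

    # Read the value back so the caller sees what is actually configured
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name
}

# Preview the change first, then apply it
Set-LogSpaceThreshold -ThresholdMB 10240 -WhatIf
Set-LogSpaceThreshold -ThresholdMB 10240
```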

Change the Location of Outlook OST File

How to move Outlook.ost and Outlook0.ost to another location?

– Click Tools –> E-mail Accounts –> Next –> select your Exchange account

– Click Change –> More Settings –> select the Advanced tab.

– Uncheck “Use Cached Exchange Mode” –> then click OK –> answer the prompt that told you your settings would take effect the next time you start Outlook –> click Next –> then Finish.

– Close Outlook

– Open the Mail applet in Control Panel –> Click E-mail Accounts –> again select your Exchange account –> click Change –> More Settings –> Advanced.

– Click “Offline Folder File Settings” –> “Disable Offline Use” –> OK –> OK –> Next.

– Reclick More Settings –> Advanced –> “Offline Folder File Settings”.

– Enter a new OST path, then click OK.

– Recheck “Use Cached Exchange Mode” –> click OK –> Next –> Finish.

When I restarted Outlook, I received a brief popup stating that Outlook was preparing for first time use.
When it finished opening, I was back in cached Exchange mode and my OST was in the new location.

Credits: Brian Tillman

How to Isolate Forefront Protection For Exchange While Troubleshooting Emails Related Issues

While troubleshooting email-related issues, such as Exchange services not starting or a delay in message processing, you will likely want to isolate the issue to perform your root cause analysis.

One thing you may consider is to temporarily disable the integration between the Exchange services and Forefront Protection for Exchange 2010 (FPE 2010) or the older Forefront Security for Exchange (FSE).

A specific utility called Fscutility.exe, available in the FPE installation directory (as well as FSE), lets you do this easily, as shown below:

1- Open the command prompt (cmd.exe)

2- Move to the Forefront Protection for Exchange installation directory, for example:

CD "C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server"

3- To check the current integration status, run this command:

Fscutility /status

4- To Disable the Integration:

Fscutility /disable

5- To Re-Enable the integration:

Fscutility /enable

Note:

I found that this utility's parameters are case sensitive, so Fscutility /disable is correct, but Fscutility /Disable will not work.

Ticket#7: Exchange 2007 Stop Receiving Emails From Time to Time

Issue:

Exchange 2007 periodically stops receiving external emails.

Analysis:

When you try to telnet the HUB server IP on port 25 you receive this error:

4.3.1 Insufficient system resources

On an SMTP server in front of the HUB server (one that should deliver emails to the HUB server), the warning below is logged in the Application event log:

Message delivery to the host ‘HUB_SERVER_IP’ failed while delivering to the remote domain ‘DOMAIN.TLD’ for the following reason: An SMTP protocol error occurred.
The SMTP verb which caused the error is ‘MAIL’.  The response from the remote server is ‘452 4.3.1 Insufficient system resources

Now go to the HUB server, open the Event Viewer, and filter the Application log by:

Source: MSExchangeTransport

Category: ResourceManager

You will find warnings or errors like the one shown below:

[Image: Exchange Back Pressure]

Cause:

This is due to the Back Pressure feature of Exchange 2007/2010, which periodically checks certain resources on the HUB server(s) to see whether they are within their limits. In my case above, there’s an issue with the free disk space on partition C:\.

Solution:

Solve the issue mentioned in the event viewer.

Note: While it’s possible to disable Back Pressure, it’s not recommended at all.

The best way to go is to investigate why it’s happening and solve the root cause.
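Added example, not part of the original ticket: the two manual checks from the analysis (the telnet test on port 25 and the Event Viewer filter) as PowerShell functions. The function names, the probe.example EHLO name and the 7-day window are assumptions; Get-EventLog with -Source and -After needs Windows PowerShell 2.0 or later.

```powershell
# Added example. All function names below are hypothetical.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply can span several lines ("250-..."); the final line has a space after the code
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }          # server closed the connection
        $lines += $line
    } while ($line -notmatch '^\d{3}( |$)')
    $lines -join "`n"
}

function Test-SmtpBackPressure {
    param([Parameter(Mandatory = $true)][string]$Server, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $hit   = $null
        $reply = Read-SmtpReply $reader          # greeting banner
        foreach ($verb in 'EHLO probe.example', 'MAIL FROM:<>', 'QUIT') {
            if ($reply -match '\b4\.3\.1\b') { $hit = $reply; break }
            $writer.WriteLine($verb)
            $reply = Read-SmtpReply $reader
        }
        New-Object PSObject -Property @{
            Server = $Server; BackPressure = [bool]$hit; Reply = $hit
        }
    }
    finally { $client.Close() }
}

function Get-BackPressureEvent {
    param([int]$Days = 7)
    # Same filter as in Event Viewer: Source MSExchangeTransport, Category ResourceManager
    Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.Category -eq 'ResourceManager' } |
        Select-Object TimeGenerated, EntryType, EventID, Message
}
```

Run Test-SmtpBackPressure from the upstream SMTP host against the HUB server, then Get-BackPressureEvent on the HUB server itself to see which resource the warning names.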

What Is SMTP Session Tarpitting?

SMTP Session Tarpitting for Windows 2003 and Exchange

A common strategy for increasing the cost of would-be mail abuse uses a technique called tarpitting. Mail servers that tarpit wait a specified period of time before issuing SMTP responses to the client, thus increasing the time investment needed to successfully send a large amount of mail or a constant stream of (usually invalid) SMTP commands. To minimize the impact on the performance of well-meaning senders, servers can tarpit responses only for SMTP errors and allow authenticated clients to bypass the tarpit time.

Tarpitting is a useful countermeasure for:

  • Dictionary harvest attacks (where an attacker is trying to compile a list of valid e-mail addresses from your organization)
  • User account attacks (where an attacker repeatedly attempts to authenticate via username/password guessing)
  • Spam scripts that send more invalid than valid e-mail recipients.

Most of these abuses depend on quick SMTP server responses to complete in an acceptable timeframe. SMTP servers that tarpit slow down the amount of work they can do in a given amount of time, thereby making the abuse less enticing or lucrative.

Until recently, there wasn’t a way to enable tarpitting behavior for Windows/Exchange. Now, you can.

Simply install the KB:842851 package and KB:885881 package. The only requirement is that you’re running Windows Server 2003 with Internet Information Services 6.0. If you’re running Microsoft Exchange, the package automatically integrates with it.

Then, create/set the following registry key:

HKLM\System\CurrentControlSet\Services\SmtpSvc\Parameters\TarpitTime (DWORD)

The key value is the number of seconds you wish the server to tarpit error responses. You must stop/start the SMTP service for the change to take place.

When used with Microsoft Exchange Server 2003 features like recipient lookup, tarpitting increases the cost of invalid lookups that makes it harder to abuse the feature to launch a dictionary harvest attack.

Update#1

SMTP Tarpitting In Exchange 2007…

SMTP Tarpitting is enabled by default in Exchange 2007. This is really good news as admins who configure recipient filtering are automatically protected against directory harvest attacks. This was not the case in Exchange 2003, as a registry edit was necessary to enable the feature. Check this KB article for information regarding how to enable tarpitting on an Exchange 2003 server.

SMTP Tarpitting is the feature by which a delay is introduced to the rejection response. When a recipient is rejected with a 5.x.x response, a delay of a few seconds is introduced before the response is initiated. This makes it difficult for spammers to find legitimate email addresses in a domain by using directory harvesting attacks.

Exchange 2007 has a default tarpit interval of 5 seconds, which can be increased up to a maximum of 10 minutes. Much thought should be put in while changing the tarpit interval, as it will affect legitimate emails as well (the ones that are not spam, like misspelt addresses). The default interval is good in most cases. Tarpit interval is set on the receive connector and is in the format hh:mm:ss.

In order to find the tarpit interval, run the following command:

Get-ReceiveConnector connectorname | select tarpitinterval

To increase the tarpit interval to 10 seconds, run Set-ReceiveConnector connectorname -TarpitInterval 00:00:10

Run Set-ReceiveConnector connectorname -TarpitInterval 00:00:00 to disable tarpitting (not recommended).
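Added example, not taken from the quoted sources: an audit that lists every receive connector whose tarpit interval is disabled or below the 5-second default mentioned above, plus a reader for the Exchange 2003 TarpitTime registry value. The function names and the -Baseline parameter are assumptions; the first function must run in the Exchange Management Shell.

```powershell
# Added example. Get-TarpitAudit, Get-LegacyTarpitTime and -Baseline are hypothetical names.
function Get-TarpitAudit {
    param([TimeSpan]$Baseline = '00:00:05')   # default interval stated in the text

    Get-ReceiveConnector | ForEach-Object {
        # Parse via string so the comparison works whatever type the shell returns
        $interval = [TimeSpan]::Parse($_.TarpitInterval.ToString())

        if     ($interval -eq [TimeSpan]::Zero) { $state = 'Disabled' }
        elseif ($interval -lt $Baseline)        { $state = 'BelowBaseline' }
        else                                    { $state = 'OK' }

        New-Object PSObject -Property @{
            Connector      = $_.Identity.ToString()
            Bindings       = ($_.Bindings -join ', ')
            TarpitInterval = $interval
            State          = $state
        }
    } | Sort-Object State, Connector
}

# Exchange 2003 / IIS 6.0 SMTP service: the delay is the TarpitTime DWORD, in seconds
function Get-LegacyTarpitTime {
    $key   = 'HKLM:\System\CurrentControlSet\Services\SmtpSvc\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).TarpitTime
    if ($null -eq $value) { 'TarpitTime not set' } else { "$value seconds" }
}

# Show only the connectors that need attention
Get-TarpitAudit | Where-Object { $_.State -ne 'OK' } |
    Format-Table Connector, Bindings, TarpitInterval, State -AutoSize
```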

Sources: The Microsoft Exchange Team Blog, How Exchange Works