Exchange Server

Setting up DKIM for Exchange Server for DMARC

Setting up DKIM for Exchange Server

Out of the box, Exchange Server does not support DKIM signing, and it doesn’t look like Microsoft has any intention of adding this feature any time soon. So for now the best way to implement DKIM signing is via a third-party plugin.

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email security standard designed to make sure messages weren’t altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers can then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the hash made with the private key is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.
Source: https://postmarkapp.com/guides/DKIM

If you want to know more about how DKIM works, Postmark provides a pretty detailed explanation.

Installing Exchange DKIM Signer

Exchange DKIM Signer is an open source, easy to install DKIM Signing Agent for Microsoft Exchange Server. It includes support for Exchange Server 2007 through to 2016.

Online Install

1. Download the latest GUI package: https://github.com/Pro/dkim-exchange/releases/latest (Configuration.DkimSigner.zip)

2. Extract it somewhere on your Server (e.g. Desktop)

3. Start Configuration.DkimSigner.exe

4. Select Install

5. Once the installer has completed, click Close

Configuration

1. Now configure the DKIM Signer with the installed GUI. Navigate to and launch the configuration executable (located under "C:\Program Files\Exchange DkimSigner\Configuration.DkimSigner.exe").

2. Click Configure and move the priority of the DkimSigner Agent up to at least 3, if not 1 (this is to prevent other agents from potentially interfering with the headers after they have been signed), and then click Close.

3. Navigate to the DKIM Settings tab and change the Header & Body Canonicalization options to Relaxed. Click Save configuration to save your changes. See DKIM Canonicalization – or – why Microsoft breaks your mail for reasons why choosing Relaxed over Simple may be the better option.

4. Now switch to the Domain Settings Tab. Fill in your Domain name and Selector and click Generate new key. DKIM Signer will then generate new public and private DKIM signing keys based on your chosen domain and selector.

A save window will open prompting you to save the newly generated key in "C:\Program Files\Exchange DkimSigner\keys". Click Save.

You can save the generated keys to an alternative location if you wish. However, DKIM Signer recommends storing them in the default location.

IMPORTANT: Make sure the user you’re signed into your Exchange server as has permission to access whichever path you choose to store your keys in. Otherwise you’ll encounter access denied errors such as "Couldn't load private key for domain mydomain.net: Access to the path 'C:\Program Files\Exchange DkimSigner\keys\mydomain.net.pem' is denied.", and DKIM signing of outgoing mail will fail.

5. Now you need to publish the DKIM TXT record for your domain (mydomain.net) with your DNS provider. Make a note of your Suggested DNS Name and click Copy to clipboard to copy the Suggested DNS Record.

Now head to your DNS provider to create your TXT record.

6. Select TXT record as the type of record to create and for the TXT record Name, enter your Suggested DNS Name (key1_2017._domainkey).

*Most DNS providers automatically add your domain name to the end of the TXT record ‘Name’ entry, so there should be no need to enter the whole record e.g. key1_2017._domainkey.mydomain.net.

For the TXT record content, paste your copied key and save.

Wait a few minutes for the record to propagate (Most DNS providers are pretty quick these days) then head back to the DKIM Signer Domain Settings tab and click Check. DKIM Signer will query your DNS record and if all’s well your record should now be verified as correct. Click Save to save your domain settings.

7. Switch to the Information tab and restart the Exchange Transport Service by clicking on Restart.

DKIM Signer is now configured to sign emails originating from your domain.
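Before clicking Check in DKIM Signer you can look at what a verifying mail server will actually see. The script below is an added example, not part of the original post and not code from the DKIM Signer project: it resolves the selector record, joins the split TXT strings the way a verifier does, parses the tag list, and reports the RSA key size by walking the DER SubjectPublicKeyInfo in the p= tag. It assumes Windows PowerShell 5.1 or later with the DnsClient module (Resolve-DnsName), and uses the article's placeholder domain and selector (mydomain.net, key1_2017); the public resolver address is an assumption you can change.

```powershell
# Added example (not from the original post or the DKIM Signer project).
# Fetches and sanity-checks a DKIM selector record. Assumes Windows PowerShell
# 5.1+ with Resolve-DnsName available. Domain and selector default to the
# placeholders used in the article; the resolver is an assumed public one.
param(
    [string]$Domain   = 'mydomain.net',
    [string]$Selector = 'key1_2017',
    [string]$Resolver = '1.1.1.1'   # querying a public resolver bypasses a stale local cache
)

function Read-DerLength {
    # Decodes a DER length at $Pos; returns the length and the offset of the content bytes.
    param([byte[]]$Bytes, [int]$Pos)
    $first = [int]$Bytes[$Pos]
    if ($first -lt 0x80) { return [pscustomobject]@{ Length = $first; Content = $Pos + 1 } }
    $n = $first -band 0x7F
    $len = 0
    for ($i = 1; $i -le $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$Pos + $i] }
    return [pscustomobject]@{ Length = $len; Content = $Pos + 1 + $n }
}

function Get-RsaModulusBits {
    # SPKI = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }
    param([byte[]]$Der)
    if ($Der[0] -ne 0x30) { throw 'p= does not start with a DER SEQUENCE' }
    $outer = Read-DerLength $Der 1
    $pos = $outer.Content
    if ($Der[$pos] -ne 0x30) { throw 'missing AlgorithmIdentifier' }
    $alg = Read-DerLength $Der ($pos + 1)
    $pos = $alg.Content + $alg.Length          # skip the AlgorithmIdentifier entirely
    if ($Der[$pos] -ne 0x03) { throw 'missing BIT STRING' }
    $bits = Read-DerLength $Der ($pos + 1)
    $pos = $bits.Content + 1                   # +1 skips the unused-bits octet
    if ($Der[$pos] -ne 0x30) { throw 'missing RSAPublicKey SEQUENCE' }
    $rsa = Read-DerLength $Der ($pos + 1)
    $pos = $rsa.Content
    if ($Der[$pos] -ne 0x02) { throw 'missing modulus INTEGER' }
    $mod = Read-DerLength $Der ($pos + 1)
    $len = $mod.Length
    if ($Der[$mod.Content] -eq 0x00) { $len-- }  # leading 0x00 keeps the INTEGER positive
    return $len * 8
}

$name = "$Selector._domainkey.$Domain"
$answers = Resolve-DnsName -Name $name -Type TXT -Server $Resolver -ErrorAction Stop |
    Where-Object { $_.Type -eq 'TXT' }
if (-not $answers) { throw "No TXT record found at $name" }

# Long keys are published as several quoted strings; verifiers concatenate them.
$record = ($answers | ForEach-Object { $_.Strings -join '' }) -join ''

# Parse the "tag=value; tag=value" list (tags are case-sensitive).
$tags = @{}
foreach ($part in ($record -split ';')) {
    if ($part.Trim() -eq '') { continue }
    $kv = $part -split '=', 2
    $value = ''
    if ($kv.Count -gt 1) { $value = $kv[1].Trim() }
    $tags[$kv[0].Trim()] = $value
}

if ($tags.ContainsKey('v') -and $tags['v'] -ne 'DKIM1') { throw "Unexpected v= tag: $($tags['v'])" }
if ($tags.ContainsKey('k') -and $tags['k'] -ne 'rsa')   { throw "Unexpected k= tag: $($tags['k'])" }
if (-not $tags['p']) { throw 'p= tag is missing or empty (an empty p= means the key is revoked)' }

$der  = [Convert]::FromBase64String(($tags['p'] -replace '\s', ''))
$size = Get-RsaModulusBits $der
Write-Output ("{0}: v={1} k={2} RSA {3} bits" -f $name, $tags['v'], $tags['k'], $size)
if ($size -lt 1024) { Write-Warning 'Keys shorter than 1024 bits are rejected by many verifiers (RFC 8301).' }
```

If the record has not propagated yet the query throws, which is the same condition DKIM Signer's Check button reports. A successful run that shows a key size of 1024 or 2048 bits means the public half of the key you saved under "C:\Program Files\Exchange DkimSigner\keys" is what the world will use to verify your signatures.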

Testing

1. Open your web browser of choice and navigate to http://dkimvalidator.com/. Make a note of the randomly generated email address. DO NOT CLOSE THE BROWSER/TAB, you’ll need to return to this page shortly.

2. Log into an Exchange mailbox associated with the domain you’ve just setup and send an email to this random address.

3. Allow a few minutes for your email to arrive at dkimvalidator.com, then return to your browser and click on View Results.

If you see results = pass, congratulations, your setup is complete and you can now send email verified using DKIM signing.

Note: This is a copy of the post from: https://colinwilson.uk/2017/07/19/setting-up-dkim-for-exchange-server/

I particularly did not want to lose it as it is great.

Outlook 365 Keeps Prompting for Password After August 2017


In August 2017 Microsoft released another version of Outlook for Office 365 for PC that caused a major problem for people connecting to Exchange 2016 servers. This problem is all to do with the Autodiscover setup that Outlook uses. Microsoft appear to have set Outlook to use their Office 365 servers as an initial point of setup configuration regardless of how you have configured Autodiscover.

The bottom line is that Outlook keeps trying to authenticate against Office 365 and not your own server. While this is a known issue, as of January 2018 it has not been fixed in the next version of Outlook.

The Fix

There are two fixes, and either one should work. We suggest Fix 1.

Fix 1

The first fix involves setting a registry entry on the computer experiencing the issue. Create a text file and copy/paste the text below into it.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001

Then save it, rename it to ExcludeExplicitO365Endpoint.reg and run it (this will import the applicable registry key). ONLY DO THIS if you are using an Exchange on-premises account, and not an Office 365 or hosted Exchange account.

Ref: https://www.stephenwagner.com/2018/01/14/cannot-create-exchange-2016-account-office-2016-due-repeated-password-prompts/#comment-284518

Fix 2

The solution I’ve found to work, and the only one to stop this annoying popup of “enter your password”, is to downgrade to a lower version of Office update. Here is a script I wrote, in case you need to push this to several computers.

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user updatetoversion=16.0.8326.2107

This will take your Office 2016 to update 8326.2107, where this issue doesn’t happen. Nothing will show up on the screen, but give it about 10 minutes and restart the computer. Check Control Panel / Add-Remove Programs and make sure Office is on the new (or actually old…) version.

Here is a link to some helpful information in running this update: https://support.microsoft.com/en-us/help/2770432/how-to-revert-to-an-earlier-version-of-office-2013-or-office-2016-clic

Outlook Slow and Unresponsive with MAPI over HTTP to Exchange 2016

Outlook Slow and Unresponsive with MAPI over HTTP to Exchange 2016 Server

In our case the versions in question were found to be:

Outlook 2013 connecting to Exchange 2016 with MAPI over HTTP enabled.

Reported Problems

The user reported that Outlook was slow to open email, and unresponsive when searching in Outlook.

Ctrl + right-click on the Outlook connection icon (bottom right) showed the connection was made with HTTP.

Screenshot: Outlook Connection Status showing MAPI over HTTP

The Problem

It is reported that MAPI over HTTP, which is the newer connection method of later Exchange servers and potentially better and more reliable for connecting devices, has reliability problems in some instances with earlier versions of Outlook.

Our testing shows that later Outlook versions and the Mac versions of Outlook have no trouble at all.

The Solution

In Exchange 2016 it is possible to disable MAPI over HTTP for a user's mailbox. The issue with this is that the user may have other, more recent devices such as phones and tablets that are enjoying the advantages of MAPI over HTTP. So rather than turning off MAPI over HTTP for all of their devices at the Exchange server end, it is preferable to disable the connection on that user's computer only.

This can be easily done using regedit.

Disabling MAPI over HTTP with Regedit

  1. Log on to the proxy client where you installed the agent.

    Use the credentials for the Windows account that you defined in the agent properties.

  2. In Windows on the client computer, click Start, and then type regedit in the Search programs and files box.
  3. Press Enter. 

    The Registry Editor appears.

  4. Expand HKEY_CURRENT_USER > Software > Microsoft > Exchange.
  5. Right-click Exchange, and then click New > DWORD.

    A new DWORD entry appears in the right pane.

  6. Right-click the new DWORD entry, and then click Rename.
  7. Type MapiHttpDisabled.
  8. Right-click the MapiHttpDisabled entry, and then click Modify.

    The Edit DWORD Value dialog box appears.

  9. In the Value box, type 00000001, and then click OK.
  10. Close the Registry Editor.
  11. Verify that the protocol has been changed to RPC over HTTP. 
    1. Restart Microsoft Outlook.
    2. Press Ctrl and right-click the Microsoft Outlook icon in the notification area at the far right of the task bar.
    3. Click Connection Status.

      The Microsoft Exchange Connection Status dialog box appears.

    4. Verify that the value in the Protocol column is RPC/HTTP.
    5. If the value is HTTP, delete the Microsoft Outlook profile, and then recreate it.

Disable MAPI over HTTP using .reg file.

1. Download this file: MAPIoverhttp_disable.zip

2. Unzip the file

3. Double-click the MAPIoverhttp_disable.reg file and it will add the above change for you.

Disabling MAPI over HTTP using Command Prompt.

1. Click Start RUN

2. Type CMD then hit ENTER.

3. Type or paste: REG.exe Add HKCU\Software\Microsoft\Exchange /V MapiHttpDisabled /T REG_DWORD /D 0x1 /F
(Note that the above is one line that may wrap)

Disabling MAPI over HTTP using PowerShell

We can retrieve the current configuration using the first two commands, whilst the third one disables MAPI/HTTP and the final command enables MAPI/HTTP:
Get-Item HKCU:\Software\Microsoft\Exchange
Get-ItemProperty -Path HKCU:\Software\Microsoft\Exchange -Name MapiHttpDisabled | Select-Object MapiHttpDisabled | Format-Table -AutoSize
New-ItemProperty -Path HKCU:\Software\Microsoft\Exchange -Name MapiHttpDisabled -PropertyType DWORD -Value 0x1 -Force
New-ItemProperty -Path HKCU:\Software\Microsoft\Exchange -Name MapiHttpDisabled -PropertyType DWORD -Value 0x0 -Force

(Note that the above are all one line that may wrap)
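The regedit, .reg, reg.exe and PowerShell methods above all set the same per-user value. The script below is an added example, not from the original post: it wraps that change in two functions so you can read the current state, disable or re-enable MAPI over HTTP, or remove the value altogether (the default, which lets Outlook use MAPI over HTTP again), and it handles the case where the Exchange key does not exist yet, which makes a bare New-ItemProperty fail. It assumes Windows PowerShell 5.1 or later and that it is run as the affected user, because the value lives under HKEY_CURRENT_USER and must be set in that user's own hive.

```powershell
# Added example (not from the original post). Toggles MAPI over HTTP for the
# current user's Outlook via the MapiHttpDisabled DWORD described above.
# Assumes Windows PowerShell 5.1+ run as the user whose Outlook is affected.
$MapiKey = 'HKCU:\Software\Microsoft\Exchange'

function Get-MapiHttpState {
    # Returns 'Disabled', 'Enabled' or 'NotSet' based on the registry value.
    $prop = Get-ItemProperty -Path $MapiKey -Name MapiHttpDisabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }   # key or value absent: Outlook default (MAPI/HTTP allowed)
    if ($prop.MapiHttpDisabled -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-MapiHttpState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'NotSet')]
        [string]$State
    )
    if (-not (Test-Path $MapiKey)) {
        # New-ItemProperty / Set-ItemProperty fail on a missing key, so create it first.
        New-Item -Path $MapiKey -Force | Out-Null
    }
    switch ($State) {
        'Disabled' { Set-ItemProperty -Path $MapiKey -Name MapiHttpDisabled -Value 1 -Type DWord }
        'Enabled'  { Set-ItemProperty -Path $MapiKey -Name MapiHttpDisabled -Value 0 -Type DWord }
        'NotSet'   { Remove-ItemProperty -Path $MapiKey -Name MapiHttpDisabled -ErrorAction SilentlyContinue }
    }
    # Outlook reads the value when it builds its connection, so a restart is needed.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; restart it (or repair the profile) for the change to apply.'
    }
    return Get-MapiHttpState
}

Write-Output "Before: $(Get-MapiHttpState)"
Write-Output "After:  $(Set-MapiHttpState -State Disabled)"
```

After running it, confirm with Ctrl + right-click on the Outlook icon and Connection Status, as in step 11 of the regedit procedure: the Protocol column should read RPC/HTTP once Outlook has been restarted. To go back, call Set-MapiHttpState -State NotSet (or Enabled), which matches the reg.exe command in the section below.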


Testing When MAPI/HTTP Disabled

For reference, Outlook 2010 connection information is shown. Note that MAPI/HTTP is being used:

Outlook 2010 Connecting Using MAPI/HTTP

After disabling MAPI/HTTP using one of the above methods, reg.exe or PowerShell, we can then look to see how Outlook is connecting. Note that you may have to wait for Outlook to perform an Autodiscover request and automatically update itself, or alternatively run a profile repair to force a full Autodiscover. Deleting the Outlook profile would also force the change, but that is not recommended in production unless it is the last resort. Deleting Outlook profiles causes OAB downloads, OST downloads, possibly adding PST files back into the profile, and may also impact mobile devices.

In the below screenshot we can see that the client is now kicking it old skool. The protocol type has changed, and there is now a proxy server specified. This was taken after restarting Outlook.

Outlook 2010 With MAPI/HTTP Disabled


Enabling Via Command Prompt

To allow MAPI/HTTP again, remove the MapiHttpDisabled DWORD, or set it to a value of 0 as shown below:

REG.exe Add HKCU\Software\Microsoft\Exchange /V MapiHttpDisabled /T  REG_DWORD /D 0x0 /F

(Note that the above is one line that may wrap)