In order to test Office 365 SMTP relay you will have to create a user with an Exchange Online license. After the mailbox is activated for this user you can test it for relay with the following PowerShell.
First connect to the Microsoft Online service with the user that you'll be using for relaying.
$msolcred = Get-Credential
Next, edit the following PowerShell with the user's e-mail address and the recipient's too.
This test is known as Client SMTP submission. You can also use a different method for multiple devices, where you configure them all to point to a single server (IIS) in a method known as IIS relay with Office 365. However, all methods that involve Office 365 only for relay require a user with an Exchange Online license assigned to it.
The use of this command is not recommended for security reasons, in particular because it does not support the modern protocols. Use it at your own risk, and make sure the user assigned to this service has no privileges and is not an Office 365 feature admin or power user.
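The relay test described above, as an added example rather than the post's own script; the sender and recipient addresses are placeholders, and it assumes the licensed user has SMTP AUTH enabled on its mailbox.

```powershell
# Added example (not the original post's script): test Office 365 Client SMTP
# submission (smtp.office365.com, port 587, STARTTLS) with a licensed mailbox.
# Assumed placeholder values: the sender and recipient addresses.
$From = 'relay-user@domain.com'      # the user holding the Exchange Online licence
$To   = 'recipient@example.com'      # any recipient

# Force TLS 1.2 for this session; Windows PowerShell 5.1 may otherwise offer
# TLS 1.0, which Office 365 rejects.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Credential of the relay user only; never an admin account, as the post notes.
$msolcred = Get-Credential -Message 'Enter the relay user credentials'

$mail = @{
    From       = $From
    To         = $To
    Subject    = 'Office 365 SMTP relay test'
    Body       = "Relay test sent at $(Get-Date -Format o) from $env:COMPUTERNAME"
    SmtpServer = 'smtp.office365.com'
    Port       = 587
    UseSsl     = $true            # STARTTLS on 587
    Credential = $msolcred
}

function Test-O365Relay {
    try {
        Send-MailMessage @mail -ErrorAction Stop
        return "Message accepted by smtp.office365.com for $To"
    } catch {
        # Typical failures: 5.7.57 client not authenticated (bad credential, basic
        # auth blocked, or SMTP AUTH disabled on the mailbox); 5.7.1 relay denied.
        return "Relay test failed: $($_.Exception.Message)"
    }
}

Test-O365Relay
```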
After the recent vulnerabilities that hit Exchange Servers on-premises I found some time to install Kali Linux and try to check what kind of information I would get from the patched servers.
I downloaded the payloads and tried to run them against a couple of clients whose servers I had patched; luckily no authentication was made.
– Using Nikto scanner
By using the Nikto command from Kali Linux I could see what information Exchange exposes.
The command line is nikto -h mail.domain.com, and the result of the scan exposes the server's name, local IP address, OWA version, and the ASP.NET platform and version.
Since I have my Exchange Server published via HAProxy 1.8 on pfSense, I had to tweak HAProxy to strengthen the ciphers, make sure that HSTS is in place and drop the headers that expose the server's sensitive information.
The result is pretty good, as it has also affected the server's score on ssllabs.com.
Prior to the tweaking my OWA scan result on SSL Labs would get an A.
– Pfsense’s HAProxy Settings before
Before upgrading pfSense to the latest version HAProxy was on 1.6 and the SSL/TLS settings were also different, as they were set up through the Advanced SSL options on the frontend. However, this is no longer supported and you'll have to remove that and set it up in the "Global Advanced pass thru" box on the General settings page.
In the result below, I have almost everything protected well except for the OWA version, which can be a bit problematic. In the next article I am going to try to mitigate this so the server is protected in the expected manner.
– The Result
Now the server is showing a totally different result and the Nikto scan is not revealing anything anymore.
The reason I got a B on security headers is that the Content-Security-Policy header breaks the ECP and OWA login pages. Permissions-Policy is a new feature and I couldn't find anything about it for HAProxy.
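To verify the effect of the HAProxy tweaks without a Kali box, here is an added check (not from the original post) that requests the OWA URL once and reports which platform-revealing headers are still present and whether HSTS and the other common security headers were added. The hostname is an assumption; replace it with your published OWA FQDN.

```powershell
# Added example, not from the original post: inspect the response headers of an
# OWA endpoint behind HAProxy. The URL is a placeholder.
function Test-OwaHeaders {
    param([string]$Url = 'https://mail.domain.com/owa/')

    # Headers Nikto reported and that the proxy should strip
    $leaky    = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-OWA-Version'
    # Headers the proxy is expected to add (HSTS is the one the post insists on)
    $expected = 'Strict-Transport-Security', 'X-Content-Type-Options', 'X-Frame-Options'

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $req = [Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # OWA answers the first hit with a 302 to the logon page
    try {
        $resp = $req.GetResponse()
    } catch [Net.WebException] {
        # 3xx/4xx responses still carry headers; a dropped connection does not
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }

    $result = [ordered]@{ Status = [int]$resp.StatusCode }
    foreach ($h in $leaky) {
        $v = $resp.Headers[$h]
        $result[$h] = if ($v) { "EXPOSED: $v" } else { 'stripped' }
    }
    foreach ($h in $expected) {
        $v = $resp.Headers[$h]
        $result[$h] = if ($v) { $v } else { 'MISSING' }
    }
    $resp.Close()
    [pscustomobject]$result
}

Test-OwaHeaders | Format-List
```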
After the disastrous exploit that was found in Microsoft Exchange Servers, lots of corporations immediately started patching their servers with the latest Cumulative Update and security patches. The question is: would those patches be enough if the server has already been hacked or already has a backdoor installed?
What are those 0-day exploits?
The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, which according to Microsoft were used by an alleged "state-sponsored Chinese group".
Let’s get into details of those exploits one by one:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
How to proceed?
Microsoft released a couple of tools that diagnose your servers, check whether you have already been infected with a backdoor or any of this nasty malware, remove or clean the infected files, and ask you for a restart if it's required.
MSERT (Microsoft Safety Scanner) detects web shells. Download here.
Health Checker (scans your server for any vulnerabilities and checks whether you have the updated server CU and installed patches). Download here.
Exchange WebShell Detection (a simple and fast PowerShell script that checks whether your IIS or Exchange directory has been exploited). Download here.
Microsoft very recently created a mitigation tool for Exchange on-premises that applies a URL rewrite mitigation on the affected servers and recovers the files that were changed. You can download the tools from this GitHub link.
Until this moment Microsoft Windows doesn't support DNS over HTTPS. The feature will most likely be implemented in future builds, but nobody knows when. However, you can still take a peek at the feature, which is in preview.
Benefit of using DoH on an OS level
The benefit of using DoH at the operating system level is more certainty that your DNS queries leave your computer without being read by any other party, even if that party is your ISP.
A simple nslookup query captured with Wireshark on your computer would show you how serious this topic is. After installing Wireshark you'll be able to see that all of your DNS queries are in clear text and can be read by anyone on the path to the destination website/server.
Demonstration of DNS lookup without DoH
After installing Wireshark, I fire up PowerShell or CMD and nslookup google.com, and it shows what I just queried for.
So how do you make sure that your DNS queries don't leave your computer in clear text? And since Windows is not DoH ready yet, what can you do?
In my case, I am already using encrypted DNS at the firewall level, as I have pfSense acting as a router and it already supports DoH, but I'm still not quite satisfied :).
DNSCrypt as a solution
Since DoH was introduced I have been looking for a solution that works on Microsoft Windows, and luckily someone already created this great project called Simple DNSCrypt, which not only encrypts DNS queries on your OS but also runs as a service.
Installing DNSCrypt creates a Windows service that starts automatically when your OS boots and you log in to Windows.
The service is called DNSCrypt Client Proxy.
DNSCrypt has a simple interface: you can pick the DNS server to forward queries to, and it demonstrably works.
Right after installing this tiny app, launch it as an administrator and configure it as in the screenshot below. You can choose whether or not to install the service.
Right after you enable it (by clicking on your network card box) it will start protecting your DNS queries. Let's go ahead with a little demo.
I am going to start Wireshark after enabling DNSCrypt and do a Google DNS lookup. As you can see below in Wireshark, it's not returning any DNS queries.
When you install Simple DNSCrypt it changes your preferred DNS server to localhost, so that all queries pass through the app using DNS over HTTPS, which doesn't allow even Wireshark to see them as DNS.
So that makes it pretty secure, and not even your firewall will see it.
If you have any questions please don't hesitate to ask me.
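Rather than trusting the Wireshark screenshot alone, the following added check (not part of the original post) confirms from PowerShell that the proxy is really in the resolution path: the service is running, something listens on loopback port 53, no connected adapter still points at an external resolver, and a lookup succeeds. It assumes the service display name contains "DNSCrypt" and that the proxy listens on 127.0.0.1, which is where the app points the NIC.

```powershell
# Added example, not part of the original post: verify the Simple DNSCrypt setup.
# Assumptions: service display name contains "DNSCrypt"; proxy listens on 127.0.0.1:53.
function Test-DnsCryptSetup {
    $findings = [ordered]@{}

    # 1. Is the proxy service installed and running?
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*DNSCrypt*' } | Select-Object -First 1
    $findings.Service = if ($svc) { "$($svc.DisplayName): $($svc.Status)" } else { 'NOT FOUND' }

    # 2. Is something listening on UDP 53 on the loopback address?
    $listener = Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in '127.0.0.1', '0.0.0.0' }
    $findings.LocalListener = if ($listener) { 'yes' } else { 'NO' }

    # 3. Do all connected adapters point only at localhost? Any other address means
    #    queries can still leave the host in clear text (the Wireshark case above).
    $external = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -and ($_.ServerAddresses -notcontains '127.0.0.1') } |
        Where-Object { (Get-NetAdapter -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue).Status -eq 'Up' }
    $findings.AdaptersBypassingProxy = if ($external) { $external.InterfaceAlias -join ', ' } else { 'none' }

    # 4. End to end: resolve a name through whatever the OS is configured to use
    try {
        $answer = Resolve-DnsName -Name google.com -Type A -ErrorAction Stop | Select-Object -First 1
        $findings.Resolution = "google.com -> $($answer.IPAddress)"
    } catch {
        $findings.Resolution = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]$findings
}

Test-DnsCryptSetup | Format-List
```

A non-empty AdaptersBypassingProxy value is the finding to act on: that adapter still sends plain-text DNS regardless of what the app shows.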
Official DNScrypt website https://simplednscrypt.org/
Support the project founder https://github.com/bitbeans/SimpleDnsCrypt
In my last post about the Skype for Business / Office 365 Skype for Business Online/Teams migration, I discussed the steps to create a hybrid environment between Skype for Business on-premises and Office 365 and went through the troubleshooting of each issue I ran into. In this article I am going to discuss the migration of users from on-premises to the cloud through the UI and PowerShell.
This article assumes that you are planning to migrate users from a Skype for Business Server 2015 Front End and that you already have a hybrid configuration in place. If so, you need to fulfil the following prerequisites:
To check the currently installed PowerShell version, run the following cmdlet
After you download and install PowerShell 5.1 you might need to restart the server, after which PowerShell will show that it is updated to the required version.
After installing the Skype Online Connector module, we will be able to connect right after launching PowerShell.
To do so, type:
Connecting to Office 365 (Teams Online or Skype for Business Online)
The process of connecting to Office 365 Online PowerShell sounds easy, but with MFA enforced in your environment you'll get a nightmare mix of errors when you try.
I have come across a lot of errors trying to force the use of PowerShell with MFA user authentication, but eventually came to realize that Microsoft still does not support MFA for some cmdlets, like Move-CsUser for instance.
So in short, to connect you'll need a global or Teams admin user with MFA disabled.
To create a new Skype Online session enter:
– Make sure you start the regular PowerShell as admin and not the Skype for Business Management Shell.
If you run these commands from the SfB Management Shell you'll get an error.
So first, we will import the Skype Online Connector module
Then get the OverridePowerShellUri using the command:
Next, we will connect and authenticate to our tenant using the following cmdlet
When your on-premises user is enabled for dial-in you will probably get the following error if you try to migrate them to Skype for Business Online or Teams.
Move-Csuser :: HostedMigration fault: Error=(511), Description=(The user could not be moved because he or she is enabled for dial-in conferencing on-premises, but has not been an assigned an Audio Conferencing license in Office 365. Users must be licensed before they can be moved to Teams or Skype for Business Online.)
If you are sure do want to use migrate this user without an Audio Conferencing license, specify the
“BypassAudioConferencingCheck” switch. ) At line: 1 char: 1
The solution is either to provide an Audio Conferencing license or, as the error itself says, to use the -BypassAudioConferencingCheck switch to ignore that check.
When trying to import the session, I got the following error
the runspace state is not valid for this operation for PowerShell Online.
Solution: to overcome this problem you'll need to use the OverridePowerShellUri parameter of New-CsOnlineSession in order to connect to Skype Online PowerShell.
To get your tenant's PowerShell URI use the cmdlet Get-CsOnlinePowerShellEndpoint.
What you need to use is the AbsoluteUri property.
When you import the SkypeOnlineConnector module and then run the New-CsOnlineSession cmdlet from the Skype for Business Management Shell you'll get the following error after authenticating.
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.
Solution: run the cmdlets from Windows PowerShell as admin, not from the Skype for Business Management Shell.
Get-CsOnlinePowerShellAccessInformation : Unable to get response from https://admin4a.online.lync.com/OcsPowershellOAuth. At C:\Program Files\Common Files\Skype for Business Online\Modules\SkypeOnlineConnector\SkypeOnlineConnectorStartup.psm1:160 char:20 + … pAuthInfo = Get-CsOnlinePowerShellAccessInformation -PowerShellEndpoi … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-CsOnlinePowerShellAccessInformation], Exception + FullyQualifiedErrorId : System.Exception,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellAccessInformationCmdlet
Move-CsUser [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”): y move-csuser : The underlying connection was closed: An unexpected error occurred on a send. At line:1 char:1 + move-csuser -identity email@example.com -target D2-POOL01.clou … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (CN=user …domain,DC=net:OCSADUser) [Move-CsUser], WebException + FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet
1- Make sure you have the proper PowerShell version.
2- Make sure you enable TLS 1.2 as the default; for a quick solution use this PowerShell script
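The connection procedure from the prerequisites section and the fixes for the three Move-CsUser errors above (runspace state, audio conferencing license, underlying connection closed) collected into one script. This is an added example rather than the post's own script; the tenant domain, the user being moved and the hosted migration URL are placeholders, and the registry keys are the .NET Framework strong-crypto settings that make TLS 1.2 the default persistently.

```powershell
# Added example, not the post's own script. Placeholders: tenant domain, user to
# move, hosted migration URL (take the adminXX host from your AbsoluteUri).
$TenantDomain       = 'contoso.onmicrosoft.com'
$UserToMove         = 'user@domain.com'
$HostedMigrationUrl = 'https://adminXX.online.lync.com/HostedMigration/hostedmigrationService.svc'

# 1. Prerequisite: Windows PowerShell 5.1, run as admin from a regular PowerShell
#    window, not the Skype for Business Management Shell.
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    throw "PowerShell 5.1 required, found $($PSVersionTable.PSVersion)"
}

# 2. Make TLS 1.2 the default (fix for "The underlying connection was closed").
#    The session setting takes effect now; the registry values persist it for .NET.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name 'SchUseStrongCrypto'       -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
    }
}

# 3. Load both modules: the online connector for the session, the on-premises
#    module for Move-CsUser (normally loaded by the SfB Management Shell).
Import-Module SkypeOnlineConnector
Import-Module SkypeForBusiness

# 4. Tenant-specific endpoint and session (fix for "runspace state is not valid").
#    The admin account must have MFA disabled, as explained above.
$uri     = (Get-CsOnlinePowerShellEndpoint -TargetDomain $TenantDomain).AbsoluteUri
$cred    = Get-Credential -Message 'Global or Teams admin (MFA disabled)'
$session = New-CsOnlineSession -Credential $cred -OverridePowerShellUri $uri
Import-PSSession $session -AllowClobber | Out-Null

# 5. Move the user; -BypassAudioConferencingCheck skips the dial-in license check (error 511)
Move-CsUser -Identity $UserToMove -Target 'sipfed.online.lync.com' -Credential $cred `
    -HostedMigrationOverrideUrl $HostedMigrationUrl -BypassAudioConferencingCheck -Confirm:$false

# Confirm the move: HostingProvider should now be sipfed.online.lync.com
Get-CsUser -Identity $UserToMove | Select-Object SipAddress, HostingProvider, RegistrarPool
```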
Having to change a production virtual machine while it hosts multiple websites can be a nightmare, especially when you have no space left and the websites are on the edge of failing.
I got a complaint from one of the webmasters that her password was not working, so I went and changed it from Plesk; however, it didn't actually work.
When I connected to the server I realized that there was no space left on it.
The server edition is Ubuntu 18.04.
On my Hyper-V host I checked whether I could resize the VM while it was on, but unfortunately I couldn't, since the machine had checkpoints. After switching off the machine and removing the checkpoints I was able to resize the disk to 700GB and start it again.
In this article I will take you through the process of resizing the Linux machine, starting from Hyper-V all the way until your Plesk server is able to use this disk space.
Resize Linux / Ubuntu on Hyper-V
To resize an Ubuntu/Linux server on Hyper-V:
Edit the machine in Hyper-V. If the Edit button is greyed out then you'll need to switch off the VM to be able to expand the disk.
Expand the disk (in my case I expanded it to 712GB, since the current disk was already 100% full).
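The Hyper-V side of the procedure (checkpoints block the resize, so they must go first, then the VHDX is grown and the VM started) as an added PowerShell example for the host, not the post's own steps. The VM name is a placeholder and the VM is assumed to have a single VHDX.

```powershell
# Added example, not from the original post: grow a VM's first disk from the
# Hyper-V host. Assumptions: VM name placeholder, one VHDX per VM, 712GB target.
function Resize-VmDisk {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [uint64]$SizeBytes = 712GB
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Resize is refused while checkpoints reference the disk (the greyed-out Edit
    # button in the GUI). The VM must be off to remove them and to resize.
    if ($vm.State -ne 'Off') {
        Stop-VM -Name $VMName            # graceful shutdown via integration services
    }
    $checkpoints = Get-VMSnapshot -VMName $VMName
    if ($checkpoints) {
        Write-Host "Removing $(@($checkpoints).Count) checkpoint(s) so the disk can be edited"
        $checkpoints | Remove-VMSnapshot -IncludeAllChildSnapshots
        # Wait for the differencing disks to merge before touching the VHDX
        while ((Get-VM -Name $VMName).Status -ne 'Operating normally') { Start-Sleep -Seconds 5 }
    }

    $disk   = Get-VMHardDiskDrive -VMName $VMName | Select-Object -First 1
    $before = (Get-VHD -Path $disk.Path).Size
    if ($before -ge $SizeBytes) { throw "Disk is already $([math]::Round($before / 1GB)) GB; refusing to shrink" }
    Resize-VHD -Path $disk.Path -SizeBytes $SizeBytes
    Start-VM -Name $VMName

    [pscustomobject]@{
        VM       = $VMName
        Disk     = $disk.Path
        BeforeGB = [math]::Round($before / 1GB)
        AfterGB  = [math]::Round((Get-VHD -Path $disk.Path).Size / 1GB)
    }
}

# Usage (placeholder VM name): Resize-VmDisk -VMName 'plesk-web01'
```

Once the VM is back up, the guest still has to rescan the SCSI disk and grow the partition and filesystem, which the next section covers.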
Scan Physical Disk Space
After the expansion on Hyper-V succeeds, I switch on the VM and then need to rescan the already connected disk. First identify which disk you want to rescan (in my case it is sda3).
In my example, I see a symlink named 2:0:0:0, so we rescan this SCSI disk.
Note: this article assumes you have Symantec Brightmail Gateway.
When you try to send an email to a particular Exchange distribution group, Group@domain.com, the result is either that the users don't exist, or you might get the following error if you test with the Microsoft online test connectivity tool.
The server returned status code 554 – Transaction failed. The server response was: 5.7.1 Delivery not authorized
Other related errors:
‘554 5.7.1: You are not allowed to connect’
Because the group has been cached in the Symantec gateway with its old members, the result can be an error that the users don't exist or that delivery is not authorized.
To solve this problem, go to Brightmail Gateway Administration > Directory Integration, click on your AD directory > Advanced and click Clear Cache.
This clears the cached group and picks up the most recently updated group and its members.
7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool
10. On Exchange: Create new SettingOverride for Skype for Business
11. Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods
7- On Exchange Server: Enable OWA VD Instant Messaging
Part of enabling IM integration between Exchange and SfB is enabling it on the OWA virtual directory. The cmdlet below does the job for you on all your Exchange servers.
From Exchange, launch the Exchange Management Shell and run the following cmdlet
The AuthMetadataUrl is going to be your local Skype for Business pool URL. This URL should work from your Exchange server without any certificate error, meaning that the certificate assigned to your Skype for Business pool should already be trusted by the Exchange servers.
If your previous configuration is correct then you should see the "The Configuration has Succeeded" message.
10- On Exchange: Create new SettingOverride for Skype for Business.
To configure the same settings on all Exchange 2016 and Exchange 2019 servers in the Active Directory forest, don’t use the Server parameter.
The thumbprint you use here determines whether IM will work or not, as this is what secures the communication between Exchange and Skype. If you use the wrong certificate your integration will fail and users won't be able to log in to IM through OWA.
11- Generate a new Certificate for Exchange IM
In order for IM in OWA to work, the certificate you generate must have its common name set to mail.domain.com to match the configuration.
Using the DigiCert tool on the Exchange server I will generate the CSR for the new certificate.
Click on Create CSR.
Choose the SSL certificate type and make sure you choose mail.domain.com as the CN.
In the SANs, type all of the involved servers (Skype for Business Front Ends and Mailbox servers, as FQDNs and as hostnames, as in the screenshot below), and click Generate.
Go to your CA Server’s CertSRV URL and copy the CSR code there to generate the new certificate.
Import the new certificate on the current server, then export it in PFX format and import it on all the Exchange servers you're planning to use.
After importing the certificate I will verify that I can see the private key.
Click on Details and copy the thumbprint, or from MMC right-click the certificate > Properties, give it a friendly name, e.g. IM, and then from the Exchange Management Shell you can copy the thumbprint directly.
This should generate event ID 112 on the Exchange servers involved in the deployment.
12. Assign the newly imported certificate to IIS Exchange Back End site
Once the certificate is in the server store, you will be able to find it easily in IIS and bind it to the Exchange Back End site.
This is the most crucial step to get IM to work in OWA. Don't worry about breaking Exchange sites or PowerShell: if you have added the Exchange servers' hostnames and FQDNs to this certificate then you should be good.
Now launch IIS.
Click on Exchange Back End.
Click on the port 444 binding and edit it.
Select the newly generated certificate that has mail.domain.com as the CN. (This certificate must also have all Exchange servers' hostnames and FQDNs set as SANs.)
Make sure you change the back end certificate to the new one on all the involved Exchange servers.
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
Log out of OWA and back in, and check whether you are able to sign in to IM. It should normally sign you in automatically, but in case of an error you will see it.
In case of an error you should see the following.
If it works then you should see your presence.
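Steps 7 to 13 above as one Exchange Management Shell script, added here as an example and not the post's own cmdlets. It assumes placeholder values for the SfB pool FQDN and the OWA mailbox policy name, that the certificate from step 11 was given the friendly name "IM", and that it is run on each Exchange server for the per-server parts (IIS binding and app pool recycle).

```powershell
# Added example, not the post's own cmdlets. Placeholders: SfB pool FQDN, OWA policy
# name; the IM certificate is located by the friendly name "IM" from step 11.
$SfbPool   = 'sfbpool01.domain.com'
$OwaPolicy = 'Default'

# 7. Enable IM on every OWA virtual directory (no -Server, so all servers are covered)
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType OCS

# 8. Enable IM in the OWA mailbox policy
Set-OwaMailboxPolicy -Identity $OwaPolicy -InstantMessagingEnabled $true -InstantMessagingType OCS

# 9. Partner application for the Skype pool. The metadata URL must be reachable
#    without a certificate error, so probe it first (throws on a trust failure).
$metadata = "https://$SfbPool/metadata/json/1"
Invoke-WebRequest -Uri $metadata -UseBasicParsing | Out-Null
& "$env:ExchangeInstallPath\Scripts\Configure-EnterprisePartnerApplication.ps1" `
    -AuthMetadataUrl $metadata -ApplicationType Lync

# 11. Locate the IM certificate and confirm the private key is present
$cert = Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq 'IM' -and $_.HasPrivateKey }
if (-not $cert) { throw "No certificate with friendly name 'IM' and a private key was found" }

# 10. Setting override. A wrong thumbprint here is the usual reason IM fails to sign in.
New-SettingOverride -Name 'OWA IM Override' -Component OwaServer -Section IMSettings `
    -Parameters @("IMServerName=$SfbPool", "IMCertificateThumbprint=$($cert.Thumbprint)") `
    -Reason 'Enable OWA IM integration with Skype for Business'
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh | Out-Null

# 12. Bind the same certificate to the Exchange Back End site on port 444 (per server)
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Exchange Back End' -Protocol https -Port 444
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 13. Recycle the OWA app pool so the override and binding are picked up (per server)
Restart-WebAppPool -Name 'MSExchangeOWAAppPool'

# Check: the override should list the pool and the thumbprint you just assigned
Get-SettingOverride -Identity 'OWA IM Override' | Select-Object Name, Parameters
```

Steps 12 and 13 must be repeated on every Exchange server in the deployment, as the post stresses; the override itself is forest-wide.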
15. Troubleshooting Methods
If you follow the above steps correctly then it should work, especially when the right certificate is applied to the Exchange Back End site in IIS. However, if you face an error then take the following steps to troubleshoot it.
Set the event log level for Instant Messaging on Exchange from Low to High:
Set-EventLogLevel -Identity "sbg-mx01\MSExchange OWA\InstantMessage" -Level High