Overview / popularization about Exchange Server.
This document is a short introduction to mail reputation, Exchange setup and my main useful PowerShell scripts.
I. INDEX
I. INDEX
II. THIS DOCUMENT
III. UNDERSTANDING MAIL REPUTATION
1. Name of your mail infrastructure over internet, STARTTLS, and SMTP banner
2. Records at your domain provider
3. Securing against potential spam
4. Blacklisting and health check
5. Banned over internet
IV. INSTALL EXCHANGE SERVER (2010)
1. Edge Role
V. INSTALL EXCHANGE SERVER (2016)
1. Edge Role
VI. MANAGE SERVER
1. Licensing
2. Configure Virtual Directory
3. Enable Outlook Anywhere
4. Renew self-signed certificate
5. Check the message queue
6. Test health of your server
7. Test mail "in"
8. Change SMTP banner
9. Disable/enable antispam / antimalware scanning
10. Send / Receive connector
VII. MANAGE MAILBOX
1. List mailbox / distribution group
2. Give access right
3. Mailbox details
VIII. EXPORT/IMPORT MAILBOX
1. Give import/export access right
2. Export one mailbox
3. Export all mailboxes
4. Check the tasks running
5. Flush mailbox import/export requests
6. Import all mailboxes into Exchange
IX. MAILFLOW TROUBLESHOOTING
1. Mails won't go outside
2. Mails go outside but are not received
3. Delist your domain
II. THIS DOCUMENT
This document explains the main useful PowerShell commands to manage Exchange Server. It is not a tutorial on how to manage your Exchange infrastructure day to day.
Because the reputation of your mail infrastructure over the internet is really important, this document also explains briefly what a "good mail reputation" is and how to set up an Exchange infrastructure (2010, 2016 (2013)) correctly.
Each command must be run from the Exchange Management Shell (run as Administrator), except the Telnet session, which is run from a command prompt (cmd.exe).
These commands are available from Exchange Server 2010 SP2 to Exchange Server 2016.
Most of them can also be done through the Exchange management interface: the MMC console (2010) or the web-based Exchange Admin Center (2013-2016).
All green commands should not be modified.
All red commands should be adapted to your infrastructure (server, domain, etc.).
All purple commands should be adapted to your context (user, name, date, etc.).
III. UNDERSTANDING MAIL REPUTATION
Mail reputation: you can find a lot of literature about this subject, with much more detail than this document, but you have to respect at least all of the following points:
1. Name of your mail infrastructure over internet, STARTTLS, and SMTP banner
Your mail server must be reachable over the internet, so it must present a name that does not refer to your local (Active Directory) domain name in its reply to EHLO.
The SMTP banner is the greeting the server sends when you open a Telnet session to an Exchange Server.
I will not explain what the SMTP banner, EHLO and the Telnet protocol are; please check the literature and chapters VI.7 and VI.8.
When you set up your Exchange Server (using the wizard), the receive connector is set automatically with the local FQDN (exch2k.contoso.local for example).
Your mail infrastructure should not announce this name over the internet, so you have to change it.
For example, if the local name of your server is exch2k.contoso.local, it must reply to EHLO (over the internet) with mailhost.contoso.com.
The "reply to EHLO" name is the FQDN configured on the Send/Receive connectors.
Warning!
If you change the FQDN on the Receive Connector, the server stops announcing "250 STARTTLS": STARTTLS is only advertised when a certificate enabled for SMTP matches the connector's FQDN, and the self-signed certificate created at install time only matches the local name. STARTTLS is not mandatory for mail to flow, but if you can keep it, do it: without it, mail between your server and the rest of the internet travels in clear text.
So to keep the STARTTLS announcement you have two options:
1) After your mail infrastructure is fully set up, buy a TLS certificate for the public name (mailhost.contoso.com) from a public certificate authority (Verisign, for example) and add it to your Exchange infrastructure (the certificate cmdlets are in chapter VI.4).
2) Leave all your Send/Receive connectors as they are and set up an Edge Transport server (workgroup member) in the DMZ. Name this server "mailhost" and add the DNS suffix contoso.com, so that its FQDN is mailhost.contoso.com, before installing the Edge role and creating the Edge Subscription (see chapters IV.1 and V.1).
If you proceed like this, the Send/Receive connectors on the Edge Server (front-end mail server) will be correctly named from scratch.
2. Records at your domain provider
The records in your domain provider's DNS interface must be correctly set.
You have to set MX, A (host), SPF and DMARC records.
The MX and A records must point to your public IP address and must match your reply to EHLO:
mx.contoso.com -> 197.x.x.x
mailhost.contoso.com -> 197.x.x.x
The reverse record (PTR) of the public IP address should also return the EHLO name: many receiving servers compare the two and score a mismatch as spam.
MxToolbox can help you to generate the SPF and DMARC records:
https://mxtoolbox.com/SPFRecordGenerator.aspx
https://mxtoolbox.com/DMARCRecordGenerator.aspx
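The checks above can be scripted. The following is an added example, not code from the original document: it queries a public resolver for the MX, A, PTR, SPF and DMARC records of a domain and reports every mismatch with the EHLO name. The domain contoso.com, the host mailhost.contoso.com and the resolver 8.8.8.8 are assumptions; replace them with your own domain and a public resolver you trust. Query a public resolver on purpose: your internal DNS may hold different (split-brain) answers from what the internet sees.

```powershell
# Added example (not from the original document): verify the public DNS records
# that chapter III.2 requires. Domain, EHLO name and resolver are assumptions.
function Test-MailDnsRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$EhloName,
        [string]$Resolver = '8.8.8.8'
    )
    $dns = @{ Server = $Resolver; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. MX records: each must point at a hostname that has an A record
    $mx = @(Resolve-DnsName -Name $Domain -Type MX @dns | Where-Object { $_.Type -eq 'MX' })
    if (-not $mx) { $findings.Add("No MX record for $Domain") }
    foreach ($m in $mx) {
        $a = @(Resolve-DnsName -Name $m.NameExchange -Type A @dns | Where-Object { $_.Type -eq 'A' })
        if (-not $a) { $findings.Add("MX host $($m.NameExchange) has no A record") }
    }

    # 2. The EHLO name must resolve, and its IP should have a PTR pointing back to it
    $ehloA = @(Resolve-DnsName -Name $EhloName -Type A @dns | Where-Object { $_.Type -eq 'A' })
    if (-not $ehloA) {
        $findings.Add("EHLO name $EhloName has no A record")
    } else {
        foreach ($ip in $ehloA.IPAddress) {
            $ptr = @(Resolve-DnsName -Name $ip -Type PTR @dns | Where-Object { $_.Type -eq 'PTR' })
            if (-not ($ptr.NameHost -contains $EhloName)) {
                $findings.Add("PTR for $ip does not return $EhloName (got: $($ptr.NameHost -join ','))")
            }
        }
        # The EHLO host should also be one of the MX targets
        if ($mx -and -not ($mx.NameExchange -contains $EhloName)) {
            $findings.Add("EHLO name $EhloName is not listed as an MX target")
        }
    }

    # 3. SPF: exactly one TXT record starting with v=spf1, ending with a fail qualifier
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT @dns | Where-Object { $_.Type -eq 'TXT' })
    $spf = @($txt | Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
    if ($spf.Count -ne 1) {
        $findings.Add("Expected exactly one SPF record, found $($spf.Count)")
    } elseif (($spf[0].Strings -join '') -notmatch '[-~]all$') {
        $findings.Add('SPF record does not end with -all or ~all')
    }

    # 4. DMARC: TXT at _dmarc.<domain> starting with v=DMARC1
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT @dns |
               Where-Object { $_.Type -eq 'TXT' -and ($_.Strings -join '') -like 'v=DMARC1*' })
    if (-not $dmarc) { $findings.Add("No DMARC record at _dmarc.$Domain") }

    [pscustomobject]@{
        Domain   = $Domain
        MxHosts  = $mx.NameExchange
        Spf      = if ($spf) { $spf[0].Strings -join '' }
        Dmarc    = if ($dmarc) { $dmarc[0].Strings -join '' }
        Findings = $findings
        Ok       = ($findings.Count -eq 0)
    }
}

Test-MailDnsRecords -Domain 'contoso.com' -EhloName 'mailhost.contoso.com' | Format-List
```

An empty Findings list means the records agree with each other; anything listed is what a receiving server will see as a reason to distrust you.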
3. Securing against potential spam
To protect your infrastructure you have three solutions:
- Install the anti-spam agents provided with Exchange (free), but you do not have many options to configure them
- Install a dedicated product attached to your Exchange (e.g. Symantec Brightmail)
- Use a SaaS solution (e.g. AltoSpam); in that case you have to configure a specific send connector for this SaaS solution (relay to the SaaS host, with or without authentication). If the SaaS solution also filters your inbound mail, restrict the internet-facing receive connector to its IP ranges, otherwise senders can bypass the filter by connecting to your server directly.
4. Blacklisting and health check
If you respect all of this you will not be blacklisted by the anti-spam entities, but it cannot prevent a compromised computer or user account inside your infrastructure from sending spam through it.
In any case you can easily check the health of your infrastructure by using MxToolbox and their blacklist check.
MxToolbox offers many other useful tools, such as an SMTP test, etc.
5. Banned over internet
There is really one main thing to respect: your mail server must not be an OPEN RELAY, otherwise it gets banned.
In short, an open relay is a mail server that accepts and forwards mail for recipients outside its own domains without authentication (anyone can use your server to send spam).
So if you need a connector that accepts mail without authentication for specific applications inside your organization (e.g. VMware vSphere), make sure that this connector is restricted to the IP addresses of those applications and that no anonymous connector reachable from the internet is allowed to relay outside (see chapter VI.10).
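The points of chapters III.1 and III.5 can be verified from outside with a raw SMTP session, the same way the Telnet test of chapter VI.7 does it by hand. The following is an added example, not code from the original document: it connects to a server, records the banner and the name in the EHLO reply, checks whether 250-STARTTLS is advertised, and then attempts a relay from a foreign sender to a foreign recipient. The server name, the probe hostname and the two example addresses are assumptions; use your own server, and for the relay test a recipient domain that is not one of your accepted domains. Run it only against infrastructure you are responsible for.

```powershell
# Added example (not from the original document): talk SMTP to a server the way
# a remote MTA would and report banner, EHLO name, STARTTLS and relay behaviour.
# Hostnames and addresses are assumptions.
function Test-SmtpRelayPosture {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'probe.example.net',
        [string]$From = 'probe@example.net',          # sender outside your domains
        [string]$ExternalRcpt = 'someone@example.org', # recipient outside your domains
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # One SMTP reply: "250-..." lines continue, a "250 ..." line (space) ends it
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line }
        while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        $lines
    }
    function Send-Cmd([string]$cmd) { $writer.WriteLine($cmd); Read-Reply }

    try {
        $banner = Read-Reply
        $ehlo   = Send-Cmd "EHLO $HeloName"
        $null   = Send-Cmd "MAIL FROM:<$From>"
        $rcpt   = Send-Cmd "RCPT TO:<$ExternalRcpt>"
        $null   = Send-Cmd 'QUIT'
    } finally {
        $client.Close()
    }

    # First EHLO line is "250-name ..." or "250 name ...": that name is the reply to EHLO
    $ehloName = if ($ehlo[0] -match '^250[ -](\S+)') { $Matches[1] }
    [pscustomobject]@{
        Banner         = $banner -join ' '
        EhloName       = $ehloName
        StartTls       = [bool]($ehlo -match '^250[ -]STARTTLS')
        # an internal AD suffix in the banner or EHLO name is what chapter III.1 warns about
        LeaksLocalName = [bool](($ehloName -match '\.local$') -or (($banner -join ' ') -match '\.local'))
        RelayReply     = $rcpt -join ' '
        # 250 to an outside recipient from an outside sender, unauthenticated: open relay
        OpenRelay      = [bool]($rcpt[0] -match '^250')
    }
}

Test-SmtpRelayPosture -Server 'mailhost.contoso.com' | Format-List
```

A correctly configured Exchange answers the RCPT with a 550 ("Unable to relay"); a 250 means the server will forward anything to anyone, and the blacklisting of chapter III.4 follows quickly.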
IV. INSTALL EXCHANGE SERVER (2010)
Install .NET Framework 3.5
Import-Module ServerManager
Add-WindowsFeature NET-Framework,NET-HTTP-Activation,Web-Server,Web-ISAPI-Ext,Web-Basic-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-Dyn-Compression,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-ADDS,RSAT-Clustering,RSAT-Web-Server,RPC-Over-HTTP-proxy
Set-Service NetTcpPortSharing -StartupType Automatic
Reboot the server
ServerManagerCmd -i RSAT-ADDS
Close the window
In PowerShell go to the Exchange 2010 installation folder, then:
.\Setup /PrepareSchema
.\Setup /PrepareAD /OrganizationName:mydomain
.\Setup /PrepareDomain
1. Edge Role
The Edge Transport role must be installed on a separate server, a workgroup member (not domain-joined) placed in the DMZ. The Edge server never talks to Active Directory: it keeps its own copy of the recipient and connector data in AD LDS, fed by EdgeSync. The firewall between DMZ and LAN therefore only needs to allow the mail flow and the EdgeSync channel:
- SMTP (TCP 25) from the internet to the Edge server and from the Edge server to the internet
- SMTP (TCP 25) in both directions between the Edge server and the internal Hub Transport (2010) / Mailbox (2016) servers
- EdgeSync (TCP 50636, LDAPS to AD LDS) from the internal transport servers to the Edge server
- DNS (UDP/TCP 53) from the Edge server to the resolver it uses
Do not open the Active Directory ports (LDAP, Kerberos, RPC) to the DMZ; HTTPS, POP and IMAP are client protocols and are not needed on an Edge server.
On the DNS server:
Add a host (A) record for the Edge server
On the Edge server:
- In the IPv4 settings go to Advanced, then the DNS tab, add the internal DNS server and the DNS suffix of your domain (test.local in this example; chapter III.1 recommends the public suffix instead, so that the Edge FQDN matches the reply to EHLO)
- In the computer name settings, set the primary DNS suffix the same way
- Launch the Edge installation wizard
- Install the AD LDS role
- Run the AD LDS wizard (administration tool)
- Test the health of your Edge server (see chapter VI.6)
Generate the Edge subscription XML file from the Exchange Management Shell on the Edge server:
New-EdgeSubscription -FileName C:\edgesubscription.xml
Answer yes to all prompts
Copy the XML file to the Exchange Server
On the Exchange Server:
Open the Exchange Management Console, go to Hub Transport, in the right-hand "Actions" pane click "New Edge Subscription" and follow the wizard.
Set the "Credential Manager" service to start automatically and wait 5 minutes (replication)
Start-EdgeSynchronization -Server "fqdn.exchangeserver"
You should see two "Success" results (one for the configuration sync, one for the recipient sync).
V. INSTALL EXCHANGE SERVER (2016)
Install .NET Framework 4.5
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Install the .NET Framework 4.6.2 update
Install the Win8.1 KB3146717-x64 hotfix
Install the UCMA 4.0 runtime
1. Edge Role
Repeat the DMZ and firewall configuration (see chapter IV.1)
Repeat the DNS configuration (see chapter IV.1)
Once it is done:
Install-WindowsFeature ADLDS
Install the .NET Framework 4.6.2 update
Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
Install the cumulative update for Windows Server 2016
Install the Media Foundation feature
Install the UCMA 4.0 runtime
Run the Exchange setup for the Edge Transport role
Test the health of your Edge server (see chapter VI.6)
Generate the Edge subscription XML file from the Exchange Management Shell on the Edge server:
New-EdgeSubscription -FileName C:\edgesubscription.xml
Answer yes to all prompts
Copy the XML file to the Exchange Server
On the Exchange Server, in the Exchange Management Shell:
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path C:\edgesubscription.xml -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
The red values must be adapted: the file path and, if your forest has more than one site, the Active Directory site name.
Check that port 50636 is open from the LAN to the Edge server
Check in your Exchange Admin Center:
> Servers: the Edge server should appear
> Mail flow: check the Send and Receive connectors
Receive connector
No new receive connector is required.
Do not change the send connector configuration.
"--" is part of the configuration of the "EdgeSync - Inbound to AD Site" connector, so do not change it:
The -- value in the address space represents all authoritative and internal relay accepted domains for the Exchange organization.
The -- value in the list of smart hosts represents all Mailbox servers in the subscribed Active Directory site.
Configure internal SMTP servers in the transport configuration
Use the InternalSMTPServers parameter of the Set-TransportConfig cmdlet to specify the list of internal SMTP server IP addresses or IP address ranges to be ignored by the Sender ID and Connection Filtering agents on the Edge Transport server. Keep this list limited to your own SMTP servers: anything listed here bypasses connection filtering (IP block lists) on the Edge.
Run the command below on the Mailbox server (the values are examples and replace the whole list; use @{Add="..."} to append to an existing list):
Set-TransportConfig -InternalSMTPServers 10.0.0.10,10.0.0.0/24
Start EdgeSync
Once all of the above is completed, run the command below:
Start-EdgeSynchronization -Server MailboxServerFQDN -TargetServer EdgeServerFQDN -ForceFullSync
Restart the transport service
Reboot the Edge server
VI. MANAGE SERVER
1. Licensing
Count the users consuming a Standard or Enterprise CAL (adapt the license name to your version, e.g. "exchange server 2010 standard cal"; Get-ExchangeServerAccessLicense lists the valid names):
Get-ExchangeServerAccessLicenseUser -LicenseName "exchange server 2016 standard cal" | Measure-Object | Select Count
Get-ExchangeServerAccessLicenseUser -LicenseName "exchange server 2016 enterprise cal" | Measure-Object | Select Count
2. Configure Virtual Directory
Modifying the virtual directories changes the name your Exchange server announces (example: mailhost.domain.com) for:
- HTTP and HTTPS requests (OWA, ECP, OAB, ActiveSync, EWS, MAPI)
- Autodiscover requests
(The name given in SMTP/Telnet sessions is the connector FQDN of chapter VI.10, not a virtual directory.)
All PowerShell commands listed below can also be done in the Exchange MMC under "Server Configuration".
Take into consideration that your Exchange certificate must cover these announced names. So after a fresh install of Exchange and a fresh configuration of the virtual directories you have to renew your self-signed certificate (chapter VI.4) and disable the old one; the new one is published automatically. Both the internal and the external URL are set to the same public name here, which means the public name must also resolve on your internal DNS (split DNS) and the certificate must be trusted by internal clients.
$Server = "ServerName"
$HTTPS_FQDN = "mail.domain.com"
Get-OwaVirtualDirectory -Server $Server | Set-OwaVirtualDirectory -InternalUrl "https://$($HTTPS_FQDN)/owa" -ExternalUrl "https://$($HTTPS_FQDN)/owa"
Get-EcpVirtualDirectory -Server $Server | Set-EcpVirtualDirectory -InternalUrl "https://$($HTTPS_FQDN)/ecp" -ExternalUrl "https://$($HTTPS_FQDN)/ecp"
Get-OabVirtualDirectory -Server $Server | Set-OabVirtualDirectory -InternalUrl "https://$($HTTPS_FQDN)/oab" -ExternalUrl "https://$($HTTPS_FQDN)/oab"
Get-ActiveSyncVirtualDirectory -Server $Server | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$($HTTPS_FQDN)/Microsoft-Server-ActiveSync" -ExternalUrl "https://$($HTTPS_FQDN)/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "https://$($HTTPS_FQDN)/EWS/Exchange.asmx" -ExternalUrl "https://$($HTTPS_FQDN)/EWS/Exchange.asmx"
Get-MapiVirtualDirectory -Server $Server | Set-MapiVirtualDirectory -InternalUrl "https://$($HTTPS_FQDN)/mapi" -ExternalUrl "https://$($HTTPS_FQDN)/mapi"
(The MAPI virtual directory only exists on Exchange 2013 SP1 and later; skip that line on 2010.)
3. Enable Outlook Anywhere
Enable-OutlookAnywhere -Server $Server -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $HTTPS_FQDN -IISAuthenticationMethods NTLM,Basic
Basic authentication sends the user's password inside the TLS tunnel, so it is only acceptable because -SSLOffloading $False keeps TLS terminated on Exchange; prefer -ClientAuthenticationMethod NTLM or Negotiate where your clients support it. On Exchange 2013/2016 Outlook Anywhere is already enabled and Enable-OutlookAnywhere no longer exists: use Set-OutlookAnywhere with the same parameters.
4. Renew self-signed certificate
Get the list of all certificates and copy the thumbprint of the certificate concerned:
Get-ExchangeCertificate | FL Thumbprint, IsSelfSigned, NotBefore, NotAfter, Services, CertificateDomains
Create a new certificate (a renewal of the old one, with the same subject and domains):
Get-ExchangeCertificate -Thumbprint "ThumbprintNumber" | New-ExchangeCertificate
Enable IIS and SMTP on the new certificate:
Enable-ExchangeCertificate -Thumbprint "ThumbprintNumber" -Services IIS,SMTP
Remove the old certificate:
Remove-ExchangeCertificate -Thumbprint "ThumbprintNumber"
A self-signed certificate is only a stop-gap: clients and remote SMTP servers do not trust it. For the public names use a certificate from a public CA (New-ExchangeCertificate -GenerateRequest produces the request to send to the CA).
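After the virtual directory change of chapter VI.2 and the certificate renewal above, the thing to verify is that every hostname clients are sent to is covered by the certificate that IIS actually serves. The following is an added example, not code from the original document; it runs in the Exchange Management Shell, and the server name EXCH2016 is an assumption. Get-MapiVirtualDirectory only exists on 2013 SP1 and later, and Get-ClientAccessServer is the 2010-2016 name of the cmdlet (Get-ClientAccessService on 2016).

```powershell
# Added example (not from the original document): check that every URL hostname
# announced by this server is covered by the certificate enabled for IIS.
function Test-NameCoveredByCert {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        # a wildcard entry covers exactly one label, not sub-subdomains
        if ($d.StartsWith('*.') -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

function Test-ExchangeUrlCertificateMatch {
    param([Parameter(Mandatory)][string]$Server)

    # Hostnames announced by the virtual directories of chapter VI.2
    $dirs = @(
        Get-OwaVirtualDirectory -Server $Server
        Get-EcpVirtualDirectory -Server $Server
        Get-OabVirtualDirectory -Server $Server
        Get-ActiveSyncVirtualDirectory -Server $Server
        Get-WebServicesVirtualDirectory -Server $Server
        Get-MapiVirtualDirectory -Server $Server      # 2013 SP1+ only; remove on 2010
    )
    $names = @(foreach ($d in $dirs) {
        foreach ($u in @($d.InternalUrl, $d.ExternalUrl)) { if ($u) { $u.Host } }
    })
    # Outlook Anywhere (chapter VI.3) and Autodiscover announce names too
    $oa = Get-OutlookAnywhere -Server $Server
    $names += @("$($oa.InternalHostname)", "$($oa.ExternalHostname)")
    $ad = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    if ($ad) { $names += $ad.Host }
    $names = @($names | Where-Object { $_ } | Sort-Object -Unique)

    # The certificate IIS actually serves on this server
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate enabled for IIS on $Server" }
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })

    foreach ($n in $names) {
        [pscustomobject]@{
            Hostname     = $n
            Covered      = Test-NameCoveredByCert -Name $n -CertDomains $domains
            Thumbprint   = $cert.Thumbprint
            SelfSigned   = $cert.IsSelfSigned
            DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

Test-ExchangeUrlCertificateMatch -Server 'EXCH2016' | Format-Table -AutoSize
```

A row with Covered = False is a hostname for which Outlook, ActiveSync or the browser will raise a certificate warning (or silently refuse to connect); SelfSigned = True for a public name means remote SMTP servers and external clients cannot validate it either.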
5. Check the message queue
Get-Queue -Identity Submission | Select Identity,Status,MessageCount
(Get-Queue without -Identity lists every queue; messages in the Unreachable queue have no route at all.)
6. Test health of your server
Get-ServerComponentState -Identity $Server (2013/2016 only: every component should be Active)
Get-TransportAgent
Get-ReceiveConnector
Get-ReceiveConnector | FL
Test-ServiceHealth
Test-ServiceHealth | FT Role,RequiredServicesRunning -AutoSize
Test-SmtpConnectivity -Identity $Server
7. Test mail "in"
Install the Telnet client on a computer/server and run these commands from a command prompt as administrator.
With Telnet you can easily identify which receive connector replies: the banner and the EHLO name come from the connector whose RemoteIPRanges matched your source IP.
It is very useful when you set up further receive connectors dedicated to specific IP addresses.
telnet serverIP 25
HELO name.domain.com
MAIL FROM:user@domain.com
RCPT TO:user@domain.com
DATA
Subject: MAIL TEST!
(in Telnet an empty line is necessary between the headers and the body)
THIS IS A MAIL TEST FROM TELNET
.
QUIT
Use EHLO instead of HELO if you want to see the server's extensions, in particular whether 250-STARTTLS is announced (chapter III.1).
8. Change SMTP banner
By default the SMTP banner is $Null (Exchange then announces its FQDN and "Microsoft ESMTP MAIL Service"); you may want to change it, for example to stop announcing the product version:
Set-ReceiveConnector "From the Internet" -Banner "220 Contoso Corporation"
9. Disable/enable antispam / antimalware scanning
These two scripts turn the built-in Malware agent (Exchange 2013/2016) off and on:
& $env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1
& $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1
The anti-spam agents of chapter III.3 are installed with & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1 and switched per agent with Enable-TransportAgent / Disable-TransportAgent.
10. Send / Receive connector
You do not have to change anything on the existing receive connectors unless you need to change the reply to EHLO (the connector FQDN).
Be aware that if you change the FQDN on the default receive connector you have to uncheck "Exchange Server authentication" in the Security tab: the servers of the organization authenticate to each other against the server's own FQDN.
By doing this you also lose the "250 STARTTLS" announcement unless a certificate matching the new FQDN is enabled for SMTP (see chapter III.1).
The send connector must be set according to your mail flow (relay through a smart host, or direct MX delivery).
Whatever you choose for the send connector, the receive connectors decide who can relay: relay permission (ms-Exch-SMTP-Accept-Any-Recipient for anonymous senders) belongs only on a connector restricted to known internal IP addresses, never on the connector that listens for the internet (chapter III.5).
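The vSphere case of chapter III.5 is the usual reason to create an unauthenticated connector, and the usual way servers turn into open relays. The following is an added example, not code from the original document: it shows the mistake (the relay right granted on the internet-facing connector) next to the corrected form (a dedicated connector scoped to the application hosts), and an audit function that lists which connectors currently let anonymous senders relay. The server name, the connector name and the IP addresses are assumptions. Run it from the Exchange Management Shell.

```powershell
# Added example (not from the original document): application relay connector,
# weak and corrected forms, plus an audit of anonymous relay grants.
# Server name, connector name and IPs are assumptions.
$Server     = 'EXCH2016'
$AppHosts   = '10.0.5.10', '10.0.5.11'    # the only hosts allowed to relay
$RelayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$Anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'

# WEAK (left commented out on purpose): granting the relay right on the
# internet-facing connector. Its RemoteIPRanges is 0.0.0.0-255.255.255.255,
# so the whole internet could relay through you:
#   Get-ReceiveConnector "$Server\Default Frontend $Server" |
#       Add-ADPermission -User $Anonymous -ExtendedRights $RelayRight

# CORRECTED: a dedicated connector that only the application hosts reach.
# Exchange routes a session to the connector whose RemoteIPRanges matches
# the client most specifically, so these two hosts land here and everyone
# else stays on the default connector, which cannot relay.
# On Exchange 2010 drop -TransportRole (there is no front-end transport).
New-ReceiveConnector -Name "Application Relay $Server" -Server $Server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $AppHosts -AuthMechanism None -PermissionGroups AnonymousUsers
Get-ReceiveConnector "$Server\Application Relay $Server" |
    Add-ADPermission -User $Anonymous -ExtendedRights $RelayRight

# AUDIT: every connector where anonymous senders hold the relay right, and
# whether its remote range is wide open.
function Get-AnonymousRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $grant = Get-ADPermission -Identity $rc.Identity | Where-Object {
            -not $_.Deny -and
            "$($_.User)" -like '*ANONYMOUS LOGON*' -and
            "$($_.ExtendedRights)" -match 'ms-Exch-SMTP-Accept-Any-Recipient'
        }
        if ($grant) {
            $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
            [pscustomobject]@{
                Connector      = "$($rc.Identity)"
                RemoteIPRanges = $ranges -join ', '
                # a relay-enabled connector reachable from every address is an open relay
                OpenRelay      = [bool]($ranges | Where-Object { $_ -eq '0.0.0.0-255.255.255.255' })
            }
        }
    }
}

Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

The audit should list only the application connector, with its two addresses; any row with OpenRelay = True is exactly the condition chapter III.5 says gets a server banned, and the Telnet test of chapter VI.7 from an outside address will confirm it.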
VII. MANAGE MAILBOX
1. List mailbox / distribution group
Get-Mailbox
Get-DistributionGroup
2. Give access right
Grant "Send As" on a mailbox (or group) to a user or group; -Identity is the mailbox you grant on, -User is the trustee:
Add-ADPermission -Identity "mailbox or group" -User "user" -ExtendedRights "Send As"
(Full Access to a mailbox is granted with Add-MailboxPermission -Identity "mailbox" -User "user" -AccessRights FullAccess.)
Enable a mailbox for existing users of a specific OU (who do not have a mailbox yet):
Get-User -OrganizationalUnit DOMAIN.COM/O.U -RecipientTypeDetails User | Enable-Mailbox
3. Mailbox details
All yellow fields can be replaced or removed depending on what you want to check:
Get-Mailbox -OrganizationalUnit "OU=Name of OU,DC=domain,DC=extension" -ResultSize Unlimited | Get-MailboxStatistics | FT DisplayName,TotalItemSize,ItemCount,TotalDeletedItemSize,DeletedItemCount,Database
This shows total items, deleted items and the database.
Example for OU = contoso with domain = contoso.domain.local:
Get-Mailbox -OrganizationalUnit "OU=contoso,DC=contoso,DC=domain,DC=local" -ResultSize Unlimited | Get-MailboxStatistics | FT DisplayName,TotalItemSize,ItemCount,TotalDeletedItemSize,DeletedItemCount,Database
Example with a CSV export (use Select-Object instead of FT here: Format-Table output cannot be exported):
Get-Mailbox -OrganizationalUnit "OU=contoso,DC=contoso,DC=domain,DC=local" -ResultSize Unlimited | Get-MailboxStatistics | Select-Object DisplayName,TotalItemSize,ItemCount,TotalDeletedItemSize,DeletedItemCount,Database | Export-Csv -Path C:\mailbox.csv -NoTypeInformation
VIII. EXPORT/IMPORT MAILBOX
1. Give import/export access right
Before running import/export tasks you have to assign the role to your Exchange management user; nobody, not even the members of Organization Management, holds it by default:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User DOMAIN\User
When it is done, close PowerShell and restart it before running new commands.
This role lets its holder copy the content of any mailbox into a PST, so assign it to a dedicated account and remove the assignment (Remove-ManagementRoleAssignment) when the job is finished.
2. Export one mailbox:
It is mandatory to export the PST to a shared folder (it can be on the same server). In the file path you have to give the full UNC path (not the short link provided by the sharing wizard), and the share and NTFS permissions must grant Read/Write to the "Exchange Trusted Subsystem" group, since the Exchange server, not your account, writes the file:
New-MailboxExportRequest -Mailbox "Administrator" -FilePath "\\IPorSERVERNAME\FOLDER\FOLDER\Administrator.pst"
3. Export all mailboxes:
This command exports all mailboxes, naming each PST after the mailbox alias; it exports all items (contacts, calendar, inbox, junk mail, etc.):
foreach ($i in (Get-Mailbox)) { New-MailboxExportRequest -Mailbox $i -FilePath "\\IPorSERVERNAME\FOLDER\FOLDER\$($i.Alias).pst" }
You can add a date range:
The date format is US month/day/year
-lt: less than
-gt: greater than
foreach ($i in (Get-Mailbox)) { New-MailboxExportRequest -Mailbox $i -ContentFilter {(Received -lt '01/22/2017') -and (Received -gt '01/01/2017')} -FilePath "\\IPorSERVERNAME\FOLDER\FOLDER\$($i.Alias).pst" }
4. Check the tasks running:
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
Get-MailboxImportRequest | Get-MailboxImportRequestStatistics
5. Flush mailbox import/export requests
Once your import/export requests are done, do not forget to remove them: requests are named, and if you want to rerun an export with the same name you have to flush the export history first.
Get-MailboxExportRequest | Remove-MailboxExportRequest
Get-MailboxImportRequest | Remove-MailboxImportRequest
6. Import all mailboxes into Exchange
Each PST is imported into the mailbox whose alias matches the file name, under a BACKUP folder:
Dir \\IPorSERVERNAME\FOLDER\FOLDER\*.pst | % { New-MailboxImportRequest -Name BACKUP -BatchName Recovered -Mailbox $_.BaseName -FilePath $_.FullName -TargetRootFolder BACKUP }
You can import only one kind of item, as shown below:
You can replace #Calendar# by #Contacts# etc. (see the IncludeFolders parameter documentation)
Dir \\IPorSERVERNAME\FOLDER\FOLDER\*.pst | % { New-MailboxImportRequest -Name BACKUP -BatchName Recovered -Mailbox $_.BaseName -IncludeFolders "#Calendar#" -FilePath $_.FullName -TargetRootFolder BACKUP }
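Steps 3 to 5 of this chapter are one procedure: submit the requests, wait, check, clean up. The following is an added example, not code from the original document, that runs them as one function for the mailboxes of an OU, with the optional date window, and leaves failed requests in place for inspection. The OU, the share path and the dates are assumptions; the share must grant Read/Write to "Exchange Trusted Subsystem" as explained in step 2. The date range is a half-open window (From inclusive, To exclusive), which is what you want when splitting an archive into consecutive months.

```powershell
# Added example (not from the original document): export every mailbox of an OU
# to PST, wait for completion, report, then remove the completed requests.
# OU, share path and dates are assumptions.
function Export-OuMailboxesToPst {
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,   # e.g. 'contoso.domain.local/contoso'
        [Parameter(Mandatory)][string]$SharePath,            # e.g. '\\FILESRV\PstExport'
        [datetime]$From,
        [datetime]$To,
        [int]$PollSeconds = 30
    )
    $batch = 'Export-' + (Get-Date -Format 'yyyyMMdd-HHmm')
    $mailboxes = Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited

    foreach ($m in $mailboxes) {
        $params = @{
            Mailbox   = $m.Identity
            FilePath  = Join-Path $SharePath "$($m.Alias).pst"
            BatchName = $batch
            Name      = $batch     # unique per mailbox, so reuse across mailboxes is fine
        }
        # Optional date window as an OPATH string; the dates are written US-style
        # (month/day/year) because that is what ContentFilter expects
        $parts = @()
        if ($PSBoundParameters.ContainsKey('From')) { $parts += "(Received -ge '$($From.ToString('MM/dd/yyyy'))')" }
        if ($PSBoundParameters.ContainsKey('To'))   { $parts += "(Received -lt '$($To.ToString('MM/dd/yyyy'))')" }
        if ($parts) { $params.ContentFilter = $parts -join ' -and ' }

        New-MailboxExportRequest @params | Out-Null
    }

    # Wait until nothing in this batch is queued or in progress
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = @(Get-MailboxExportRequest -BatchName $batch |
                     Where-Object { @('Queued', 'InProgress') -contains "$($_.Status)" })
    } while ($pending.Count -gt 0)

    # Report, then clear only the completed requests; failed ones stay for inspection
    $report = Get-MailboxExportRequest -BatchName $batch | Get-MailboxExportRequestStatistics |
              Select-Object SourceAlias, Status, PercentComplete, FilePath, FailureType
    Get-MailboxExportRequest -BatchName $batch -Status Completed |
        Remove-MailboxExportRequest -Confirm:$false
    $report
}

Export-OuMailboxesToPst -OrganizationalUnit 'contoso.domain.local/contoso' `
    -SharePath '\\FILESRV\PstExport' -From '2017-01-01' -To '2017-01-22' | Format-Table -AutoSize
```

Remember that the resulting PST files contain the full mailbox content in clear: treat the share like the mailbox database itself, and remove the files and the role assignment of step 1 once the job is done.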
IX. MAILFLOW TROUBLESHOOTING
1. Mails won't go outside
Use the Queue Viewer in the Exchange MMC or the Exchange Toolbox.
This tool explains why your mails stay inside your infrastructure by showing the error code (the last SMTP reply or DNS error for each queue); there is a lot of literature about these codes.
Check whether your Exchange transport services are started (Microsoft Exchange Transport, and on 2013/2016 Microsoft Exchange Frontend Transport).
Restart the service.
Restarting Microsoft Exchange Active Directory Topology restarts all Exchange services.
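The same diagnosis can be done from the shell, which is handy when the Toolbox is not installed or when you want to keep a record. The following is an added example, not code from the original document: it lists every non-empty queue with its last error, the first messages in it, and the state of the transport services, so a DNS or smart-host failure can be told apart from a stopped service. Run it from the Exchange Management Shell on the transport server; it assumes nothing beyond the standard cmdlets.

```powershell
# Added example (not from the original document): the Queue Viewer diagnosis from
# the shell. Lists non-empty queues, their last error and the messages in them.
function Get-StuckMailDiagnosis {
    param([int]$MessagesPerQueue = 5)
    # Includes the Submission and Unreachable queues: the latter holds mail with no route at all
    $queues = Get-Queue | Where-Object { $_.MessageCount -gt 0 }
    foreach ($q in $queues) {
        $msgs = Get-Message -Queue $q.Identity -ResultSize $MessagesPerQueue |
                Select-Object FromAddress, Size, Status, LastError,
                              @{ n = 'To'; e = { "$($_.Recipients)" } }
        [pscustomobject]@{
            Queue        = "$($q.Identity)"
            NextHop      = $q.NextHopDomain
            Status       = "$($q.Status)"
            MessageCount = $q.MessageCount
            LastError    = $q.LastError     # the SMTP reply or DNS error the Queue Viewer shows
            Messages     = $msgs
        }
    }
}

# Transport services: if these are not Running, the queues never drain
# (the Frontend Transport service only exists on 2013/2016, hence SilentlyContinue)
function Get-TransportServiceState {
    Get-Service MSExchangeTransport, MSExchangeFrontEndTransport, MSExchangeADTopology `
        -ErrorAction SilentlyContinue | Select-Object Name, Status
}

Get-TransportServiceState | Format-Table -AutoSize
Get-StuckMailDiagnosis | Format-List

# Once the cause is fixed, force a retry instead of waiting for the retry interval:
Get-Queue | Where-Object { "$($_.Status)" -eq 'Retry' } | ForEach-Object { Retry-Queue -Identity $_.Identity }
```

A LastError that starts with 4xx means the next hop is refusing you temporarily (often greylisting or a blacklist, see section 2 below); 5xx means a permanent refusal and the message will be bounced; an error mentioning DNS or "unreachable" points at your send connector or the resolver of chapter IV.1.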
2. Mails go outside but are not received
Check for a potential blacklisting of your domain or IP (MxToolbox and the Queue Viewer).
Check the error reply in the non-delivery report: it always explains why the mail was refused.
If necessary, check with the recipient company / their local IT.
3. Delist your domain
Most anti-spam entities offer a way (a delisting request) to remove your domain or IP from their list.
Most of the time you just have to tell them that you are a company with an Exchange server, antivirus, antispam solution, etc.
Also check your records at the domain provider with MxToolbox (DMARC, SPF, etc.) and fix them if necessary. Fix the cause first (a compromised account or an open relay, chapters III.4 and III.5), otherwise you will be listed again shortly after delisting.