Exchange 2016 CU6 and inaccessible OWA.

Many users found Outlook Web Access inaccessible after installing CU6. This can also affect users who reissue the “Microsoft Exchange Server Auth Certificate” (if they are running the CU6 version).
This applies to the situation where the user gets “Something went wrong” with error ID 500, and on the server side a warning like this appears in the event log:
—————————————————–
Log Name: Application
Source: ASP.NET 4.0.30319.0
Date: 3/24/2018 12:46:43 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: mail16.domain.com
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/24/2018 12:46:43 PM
Event time (UTC): 3/24/2018 8:46:43 AM

You should find the following phrase in the log entry: Encryption certificate is absent
—————————————————–
This is Microsoft, guys; you will never understand what's going wrong when you read the log error.

As a workaround you can change your time zone to match UTC. From my event you can see that the time is 12:46 PM; just change the time zone to UTC. In my case the time changed from 12 PM to 8 AM and the issue with OWA disappeared. I suppose that you can roll back your time zone (in my example with GMT +4 timeshift to UTC is 6 hours).

So thanks to Microsoft that they are pushing us out to use O365:)

Update: After 6 hours I changed time zone back and did IISRESET, everything is working so far.

Relay Postfix emails to MS Exchange. SpamAssassin, Postfix, Exchange Step-by-Step. Part 2.

In the previous article we installed SpamAssassin and paired it with Postfix.
It’s time to relay all filtered external emails to our Exchange.

From now on your Postfix should relay all emails filtered by SpamAssassin to Microsoft Exchange. You can stop here, or you can set Postfix as the smart host in the Exchange send connector; the relay for Exchange is already configured above.

About Open Source Antispam: SpamAssassin, Postfix, Exchange Step-by-Step. Part 1.

Here is a quick start guide for SpamAssassin working together with the Postfix MTA in front and MS Exchange as the back end.
We’ll also configure a statistics analyzer for SpamAssassin and pair Postfix with Microsoft Exchange in the next parts.
This guide has been tested by a non-Linux user by copy-pasting this config.
I’ve added a description for each command and config file to make the article clearer. All comments start with the ‘#’ symbol.

In my lab the smtp1.digitalbears.net server will be used as the SpamAssassin and Postfix server, and cas-n01.digitalbears.net will act as the MS Exchange back end. CentOS 7 x64 is installed with a minimal installation on smtp1.

Paste the following content:

Execute from the smtp1 terminal:

Paste the following content:

Execute from the smtp1 terminal:

Paste the following content:

From the smtp1 terminal:

Now our SA is configured and running.

Let's configure our Postfix; we should redirect all emails coming to Postfix to SA.
Execute from the smtp1 terminal:

Paste the following content:

Execute from the smtp1 terminal:

From now on you should be able to connect with telnet to our Postfix and SpamAssassin server on port 25 and check whether our antispam checks work or not.
Run from any server except smtp1:

smtp1 is our antispam server. The email is queued for delivery; let's check the root@smtp1 mailbox.

Execute from the smtp1 terminal:

I’ve set required_hits to 3 and added my network to the trusted networks for testing purposes. As you can see, the message subject is now [SPAM]; we also get a positive point from the trusted IP list (-1, more negative is better). The final score for the email is 4.5, which is greater than 3, therefore the message is marked as spam.

SA Log File /usr/local/spamassassin/spamd.log
Postfix Log File /var/log/messages

In the next Part We’ll pair Postfix with MS Exchange.

Used Articles:
https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html
https://wiki.apache.org/spamassassin/ImproveAccuracy

Exchange. Change TimeZone via Powershell.

Due to many requests about time zone settings in Exchange, I decided to share an additional solution.
As you may know from the previous post, DST is cancelled for the AZT time zone.

Exchange doesn’t use your computer's time setting for mailboxes, and therefore when you switch DST off on your server, OWA will ignore this and the time will be shifted by one hour for web clients.
To avoid the problem with OWA and your web calendar you should use the following command:

This will get all mailboxes with the AZT time zone and change it to Arabian Standard Time.
You should change it back when Exchange updates its time zone database.

Microsoft will distribute the DST patch approximately with the regular “Second Tuesday Update” in May.

Exchange Load Balancing clients using Linux+PCS+Corosync+Apache.

In Exchange 2016 we cannot split roles between servers; all roles, including CAS and Mailbox, are installed together.
That is fine if you have only one server, because you don't need to load-balance client traffic.

But if you have a clustered mailbox and you want to exclude a single point of failure on the client access side, you cannot use Windows NLB (because using NLB on a host with the failover cluster role installed is unsupported).
Therefore in a clustered environment you need to find a solution for the CAS servers. Of course you can buy a hardware or software load balancer, which will make your deployment easy.
The other way is open source, and here we will talk about clustered Apache.
This article can be split into two parts. The first describes how to install a Linux cluster based on Pacemaker, pcs and corosync; you can skip this part if you decide to use only one Apache for load balancing.
The second is about Apache configuration.

Here is my lab:

            mail.digitalbears.net
            172.17.14.35 (my VIP address)
                      |
          -------------------------
          |                       |
nlb01.digitalbears.net   nlb02.digitalbears.net
172.17.14.33             172.17.14.34
          |                       |
          -------------------------
                      |
          -------------------------
          |                       |
cas-n01.digitalbears.net cas-n02.digitalbears.net
172.17.14.24             172.17.14.25

nlb01 and nlb02 have CentOS 7 installed. You can find the ISO on their website.
I just installed my CentOS servers and only assigned IP addresses.

Let's configure:

Give names to your servers
[root@localhost ~]# echo "nlb01.digitalbears.net" > /etc/hostname
[root@localhost ~]# hostname nlb01.digitalbears.net
Do the same for the second host. After you reconnect your SSH session you will see that the hostname has been changed.

Adding firewall exceptions

Same for nlb02

Installing the cluster

Same for nlb02

Creating the cluster
Do it on all nodes

Run only once

Run only once, from any node

Now check your cluster; you should expect that the virtual_ip resource is started

Now let's move to the second part and install the Apache server and modules for RPC (Outlook Anywhere).

Paste the following

Creating the cluster resource; this should be done once from any cluster member

Configure that the IP must be placed together with the Apache resource

Now we need to configure the order: first our VIP, then Apache

Let's bind our two Apache servers to the clustered IP (change the IP address to your IP)

Now I’ve checked and found that the module file wasn't copied into the Apache modules directory, so I copy it manually. Do it on both servers

We need to extract the .pfx certificate into a format Linux supports (one file will contain the public part of the certificate and the second only the private key).
Install the certificate tool

Then you need to place your certificate on the server. You can use the WinSCP app to transfer the certificate; in my example I will copy my certificate into the root home folder “/root”.

Now let's copy these files into the Apache folder; do it on both servers
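
The extraction step described above, as an added example that is not the original article's commands: it splits a .pfx with openssl, keeps the private key owner-readable only, and checks that the certificate and key belong together before Apache is pointed at them. The PFX_PASS variable and the server.crt / server.key names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: split a .pfx into the two PEM files Apache needs.
# Assumptions: openssl is installed, the PFX password is passed in the
# PFX_PASS environment variable, and the output names are placeholders.

# split_pfx <file.pfx> <out_dir>: writes <out_dir>/server.crt and server.key
split_pfx() {
    local pfx="$1" out="$2"
    mkdir -p "$out" || return 1
    # umask 077 makes the key file owner-only from the moment it is created.
    # -passin env: keeps the password out of the process list and history.
    ( umask 077
      openssl pkcs12 -in "$pfx" -nocerts -nodes \
          -passin env:PFX_PASS -out "$out/server.key" ) 2>/dev/null || return 1
    chmod 600 "$out/server.key"
    # -clcerts -nokeys: only the server certificate, no private key.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys \
        -passin env:PFX_PASS -out "$out/server.crt" 2>/dev/null || return 1
    chmod 644 "$out/server.crt"
}

# cert_matches_key <crt> <key>: succeeds only if both hold the same public key
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Direct use: PFX_PASS='...' ./split_pfx.sh mail.pfx ./tls
if [ "$#" -eq 2 ]; then
    if split_pfx "$1" "$2" && cert_matches_key "$2/server.crt" "$2/server.key"
    then echo "OK: certificate and key match"
    else echo "FAILED: extraction error or key mismatch" >&2; exit 1
    fi
fi
```

The key is written unencrypted (-nodes) so Apache can start unattended, which is why the file mode matters; delete the .pfx from the server once both files are in place.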

Let's create the configuration for our Exchange; do this on all cluster nodes as well

Paste the following config, replacing cas-n0*.digitalbears.net with your Exchange server names.
With this configuration the Apache balancer will point one client to the first Exchange server and a second client to the second Exchange server.

You can check the load balancer by accessing your CAS
https://mail.digitalbears.net/owa/healthcheck.htm
The answer should be
200 OK
CAS-N01.digitalbears.net

If you open this page from another computer it should point you to the second node
200 OK
CAS-N02.digitalbears.net
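
The manual check above can be scripted so that both back ends are confirmed from one machine. This is an added example, not part of the original article; it assumes the health page body is "200 OK" followed by the server name (separated by a newline or a `<br/>` tag) and that each cookie-less curl request is treated by the balancer as a new client.

```shell
#!/usr/bin/env bash
# Added example: confirm that every Exchange back end answers via the VIP.

# backend_from_healthcheck <body>: prints the lower-cased server name, or
# fails when the body does not start with "200 OK".
backend_from_healthcheck() {
    local body first name
    body=$(printf '%s\n' "$1" | awk '{gsub(/<br *\/?>/, "\n"); print}' | tr -d '\r')
    first=$(printf '%s\n' "$body" | sed -n '1p')
    name=$(printf '%s\n' "$body" | sed -n '2p' | tr -d ' \t' | tr 'A-Z' 'a-z')
    [ "$first" = "200 OK" ] && [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# missing_backends "<expected>" "<seen>": prints expected names that never
# answered; succeeds only when none are missing.
missing_backends() {
    local missing="" b
    for b in $1; do
        printf '%s\n' $2 | grep -qixF "$b" || missing="$missing $b"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# poll_vip <url> <count>: fetches the health page <count> times over new
# connections (TLS certificate validation stays on) and lists names seen.
poll_vip() {
    local i=0 body
    while [ "$i" -lt "$2" ]; do
        body=$(curl -sS --max-time 5 "$1") && backend_from_healthcheck "$body"
        i=$((i + 1))
    done | sort -u
}

# Direct use: ./check_lb.sh https://mail.digitalbears.net/owa/healthcheck.htm
if [ "$#" -eq 1 ]; then
    seen=$(poll_vip "$1" 10)
    missing_backends "cas-n01.digitalbears.net cas-n02.digitalbears.net" "$seen" \
        || { echo "back end(s) above not reached through the balancer" >&2; exit 1; }
fi
```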

Here are some commands which will help you do simple tasks with your cluster:

If a resource failed and doesn’t start, you can try to clean it up
[root@nlb01 ~]# pcs resource cleanup webserver
The cluster starts automatically on boot, but here is a command which will start the cluster manually
[root@nlb01 ~]# pcs cluster start --all
You can track the log files by running
[root@nlb01 ~]# tail -f /var/log/httpd/access_log
Or the errors
[root@nlb01 ~]# tail -f /var/log/httpd/error_log

I removed my cluster and started from scratch following this article, and was able to deploy the cluster.
The cluster has been tested in a production environment (running 3 days) with the following clients: MacBooks with Outlook, Windows 7 and 8 with MS Outlook 2010 and 2013, Windows Phones, iPhones, Androids.

PS. Be informed: after 2 weeks some clients on Mac OS reported that the client loses connectivity with the server and only reopening the mail application helps. If you have this kind of problem you can troubleshoot it yourself, or you can download an open source load balancer as well from http://www.zenloadbalancer.com/