Exchange 2013 LED=441 4.4.1: mail flow stuck because of a wrongly configured self-made Receive Connector

 

ERROR:

LED=441 4.4.1 Error encountered while communicating with the Primary Target IP address (Failed to connect. Winsock error code: 10060, Win32 error code 10060. Attempted failover to alternate host)

 

You see e-mail stuck in the queue and have no mail flow on Exchange 2013.

This can have the following causes:

  1. DNS settings of the NIC (server)
  2. DNS settings of Exchange itself (not the OS DNS, the ones under /ECP)
  3. A hidden old NIC, for example one that was replaced, or in a VM
  4. A self-made Receive Connector with duplicate criteria (criteria that mirror those of a built-in connector)

 

Here is how to resolve it, step by step:

  1. Check that all Exchange services set to Automatic are running (Exchange 2013 can take services down by itself if it thinks something is wrong).
  2. Restart Exchange completely, or all *TRANSPORT* services.
  3. Check your DNS settings in Exchange itself (/ECP) and on your NICs (http://www.butsch.ch/post/Exchange-2013-451-470-Temporary-Server-errors-Please-Try-Again-Later-PRX.aspx).
  4. Check whether you have hidden NICs (http://www.butsch.ch/post/W7-Show-hidden-Hardware-devices.aspx).
  5. Receive Connectors: check every additional Receive Connector for criteria it shares with a built-in Receive Connector. In the worst case, where your self-made connector has many criteria identical to a built-in one, you may have to change it from port 25 to 26. Test by removing the self-made Receive Connector and restarting Exchange. If mail flow is OK afterwards, it was the connector you made. (http://www.butsch.ch/post/Exchange-2007-2010-How-to-RELAY-ANONYMOUS-for-clients-or-Servers-(GermanEnglish).aspx) The way a connector is selected through its criteria has not changed from 2007/2012.

     

     

Look out for IP ranges that appear in two connectors and have the same settings for port, authentication etc. If Exchange does not know which Receive Connector to use, it ends up in a loop and, in 2013, may take down services if this happens many times.

 

 

Some sample Connector Criteria:

Sample of a wrong connector range: it covers the "other" Exchange server, which would have IP 192.168.200.10, so Exchange would wrongly use this connector for internal mail flow (Exchange-to-Exchange). Besides, it would open mail relay for the full VLAN segment, in these days of ransomware.
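
An added example, not from the original post: a PowerShell check for the two conditions described above, a self-made connector range that covers another Exchange server's IP, and two self-made connectors on the same port with overlapping ranges. The connector names, ports and ranges are constructed sample data (only 192.168.200.10 comes from the text), and the function names are hypothetical.

```powershell
# Constructed sample of SELF MADE connectors; live data: Get-ReceiveConnector | Select Name, Bindings, RemoteIPRanges
$connectors = @(
    [pscustomobject]@{ Name = 'Relay VLAN200';  Port = 25; Ranges = @('192.168.200.0/24') }
    [pscustomobject]@{ Name = 'Relay Scanner';  Port = 25; Ranges = @('192.168.200.40-192.168.200.45') }
    [pscustomobject]@{ Name = 'Relay Printers'; Port = 26; Ranges = @('192.168.210.15') }
)
$exchangeServerIPs = @('192.168.200.10')   # the "other" Exchange server from the text

function ConvertTo-IPNumber([string]$ip) {
    $o = [System.Net.IPAddress]::Parse($ip.Trim()).GetAddressBytes()
    [long]$o[0] * 16777216 + [long]$o[1] * 65536 + [long]$o[2] * 256 + [long]$o[3]
}

# Handles single IP, low-high and CIDR notation (IPv4 only)
function Get-RangeBounds([string]$range) {
    if ($range -match '^(.+)/(\d+)$') {
        $size = [long][math]::Pow(2, 32 - [int]$Matches[2])
        $base = ConvertTo-IPNumber $Matches[1]
        $low  = $base - ($base % $size)          # align to the network address
        return [pscustomobject]@{ Low = $low; High = $low + $size - 1 }
    }
    if ($range -match '^(.+)-(.+)$') { return [pscustomobject]@{ Low = (ConvertTo-IPNumber $Matches[1]); High = (ConvertTo-IPNumber $Matches[2]) } }
    $n = ConvertTo-IPNumber $range
    [pscustomobject]@{ Low = $n; High = $n }
}

function Test-Overlap([string]$r1, [string]$r2) {
    $a = Get-RangeBounds $r1; $b = Get-RangeBounds $r2
    $a.Low -le $b.High -and $b.Low -le $a.High
}

function Find-ConnectorConflict($connectors, $exchangeServerIPs) {
    for ($i = 0; $i -lt $connectors.Count; $i++) {
        $c = $connectors[$i]
        foreach ($r in $c.Ranges) {
            foreach ($ip in $exchangeServerIPs) {     # finding 1: range swallows an Exchange server
                if (Test-Overlap $r $ip) { '{0}: range {1} covers Exchange server {2}' -f $c.Name, $r, $ip }
            }
            for ($j = $i + 1; $j -lt $connectors.Count; $j++) {   # finding 2: same port, overlapping range
                $d = $connectors[$j]
                if ($d.Port -ne $c.Port) { continue }
                foreach ($r2 in $d.Ranges) {
                    if (Test-Overlap $r $r2) { '{0} and {1}: {2} overlaps {3} on port {4}' -f $c.Name, $d.Name, $r, $r2, $c.Port }
                }
            }
        }
    }
}
Find-ConnectorConflict $connectors $exchangeServerIPs
```

The check compares port and IP range only; the authentication settings the text also mentions still have to be compared by hand for each reported pair.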

 

 

Exchange Services:

Exchange Internal DNS

Exchange 2010/2013 POP or IMAP with Wildcard Certificate activation

You try to activate a wildcard certificate for the IMAP or POP services on Exchange 2010.

Neither the GUI nor PowerShell does this as wanted:

Enable-ExchangeCertificate -Server 'exchange2010' -Services 'IMAP, IIS, SMTP' -Thumbprint 'C22E2AE9FC07C7DA55454522B0E0ACF996C8'

 

ERROR:

This certificate with thumbprint C22E2AE9FC0646473449422B0E0ACF996C8 and subject '*.butsch.ch' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Solution:

Set the X509CertificateName parameter with Set-POPSettings and Set-IMAPSettings:

Set-POPSettings -X509CertificateName exchange2010internalname.butsch.ch

Set-IMAPSettings -X509CertificateName exchange2010internalname.butsch.ch

Restart the services:

restart-service MSExchangePOP3

restart-service MSExchangeIMAP4

Check what you changed:

Get-popsettings

Get-imapsettings

Technet Links:

 

Exchange 2010

https://technet.microsoft.com/de-de/library/bb691401(v=exchg.141).aspx

For Exchange 2013:

If you want this reachable from external (which we don't recommend!) on your 2013, don't forget to set these parameters:

Set-POPSettings -ExternalConnectionSetting {mysamplenamethirdleveldomain.butsch.ch:995:SSL}

Set-ImapSettings -ExternalConnectionSetting {mysamplenamethirdleveldomain.butsch.ch:993:SSL}

https://technet.microsoft.com/en-us/library/jj657728(v=exchg.150).aspx

Exchange 2013 Log Options:

https://technet.microsoft.com/de-de/library/aa997690(v=exchg.150).aspx

Don't forget to enable (set to Automatic) the POP3 or IMAP4 service and start it.

 

 

WIN 10 Debug Unattend Setup and malformed or Deprecated Options 1607.1

 

Changes in Windows 10 CBB Version 1607.1

Some unattend options seem to no longer work, or to have changed.

For some reason none of that information can be found at:

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/desktop/unattend/changed-answer-file-settings-for-windows-10-build-1607

We are talking about the CBB 1607 release that included the updates from November 2016.

SW_DVD5_WIN_ENT_10_1607.1_64BIT_German_MLF_X21-27039.ISO

Here is the error you see:

Open the COMMAND LINE with:

SHIFT + F10

You won't find much information here.

 

The Panther Directory


The folder c:\windows\panther\unattendGC then contains some interesting files.

setuperr.log shows why Windows 10 did not process the unattend file cleanly. This apparently changed from CBB 1607 to the 1607.1 (November cumulative) release. We could do this without problems on 1607 RTM; with the latest ISO it no longer worked.

We are talking about this ISO:

SW_DVD5_WIN_ENT_10_1607.1_64BIT_German_MLF_X21-27039.ISO

The <WindowsFeature> option apparently also no longer works in this form with 1607.1….

Similar errors have occurred before on other OS versions, in this case with SHOWMEDIACENTER. That was not the cause here, but it is still good to know.

https://support.microsoft.com/de-de/help/947303/error-message-when-you-perform-an-unattended-installation-of-windows-server-2008-windows-could-not-parse-or-process-unattend-answer-file-drive-windows-panther-unattend.xml-for-pass-oobesystem

 

 

Even now:

After removing the complete <WindowsFeature> section, the unattend file also works with the 1607.1 ISO. You will have to remove those features with DISM after OS setup, or within the WIM.

We tend not to change the WIM itself for all deployments.

 

Some ENTEO/Frontrange related DIAGNOSE

If you have errors with Enteo/Frontrange/Heat in the First Windows PE Phase

There is also a new method to do this in Windows PE itself, in case the problem lies at the very beginning. Simply adjust this value on the COMPUTER object (test client). Enteo then prompts by itself and, if nobody clicks anything, continues after 5 seconds.

If you want to build a separate DEBUG Windows PE, there is a built-in option for that:

http://www.butsch.ch/post/EnteoFrontrange-Debug-MODE-PE-5X-WIN-10-aktivieren-in-Boot.aspx

 

 

 

Deployment: Adobe Flash 24.0.0.221 downloads Links

Since the website where you register and then download the Enterprise version does not seem to respond or handle requests, here are the current Flash binaries as of 15.02.2017.

 

FILENAME OLD: Flash32_24_0_0_194.ocx

FILENAME NEW: Flash32_24_0_0_221.ocx

FILENAME OLD: Flash64_24_0_0_194.ocx

FILENAME NEW: Flash64_24_0_0_221.ocx

Version OLD: 24.0.0.194

Version NEW: 24.0.0.221

 

Download Binary:

https://fpdownload.macromedia.com/get/flashplayer/pdc/24.0.0.221/install_flash_player_ax.exe

https://fpdownload.macromedia.com/pub/flashplayer/pdc/24.0.0.221/install_flash_player_24_plugin.msi

https://fpdownload.macromedia.com/get/flashplayer/pdc/24.0.0.221/install_flash_player.exe

https://forums.adobe.com/thread/2277707

 

In today's release, we've updated Flash Player with important bug fixes and security updates.

The most recent Flash Player security bulletin can be found here: Security Bulletin (APSB17-04)

 

Extract from a sample silent deployment batch, usable for all deployment systems from SCCM to Heat/Frontrange/Enteo to Matrix 42.

 


MCAFEE ENS 10.5 detects Modernizr JS-Library as Malware

Well, some JavaScript library developers don't seem to understand that there is ransomware. They could make sure all security firms know their code and trust it.

THREAT: Suspicious Attachment!script

McAfee has detected malware with the name "Suspicious Attachment!script".

 

FILENAME: C:\Users\u3340437\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9FIW5LMY\modernizr[1].js

CLIENT: WSUB106764

TYPE: Potenziell unerwünschtes Programm

DAT: 2892.0

CATEGORY: Malware entdeckt

DESK/LAP: Workstation

OS: Windows 7

ZEIT: 02/17/17 09:46:09 UTC (Achtung UTC Coordinated Universal Time Timezone!)

 

What is Modernizr?

It's a collection of superfast tests – or "detects" as we like to call them – which run as your web page loads, then you can use the results to tailor the experience to the user.

https://modernizr.com/download#batteryapi-flash-setclasses

 

I would delete such a class from a security view. So does Mcafee Endpoint 10.5 on 20.02.2017