Posts Tagged ‘365’

It is possible to disable certain autodiscover steps by creating DWORD entries in the HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\AutoDiscover registry key.

Note. <version> can be 16.0 for Outlook 2016, 15.0 for Outlook 2013 and 14.0 for Outlook 2010.

The following DWORD entries can be created:

  • ExcludeHttpRedirect
  • ExcludeHttpsAutoDiscoverDomain
  • ExcludeHttpsRootDomain
  • ExcludeScpLookup
  • ExcludeSrvRecord
  • ExcludeLastKnownGoodURL (Outlook 2010 version 14.0.7140.5001 and later)
  • ExcludeExplicitO365Endpoint (Outlook 2016 version 16.0.6741.2017 and later)

Set any of the above DWORD entries to 1 to skip that check.

Per here https://support.microsoft.com/nl-nl/help/2212902/unexpected-autodiscover-behavior-when-you-have-registry-settings-under
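To see which of these steps are currently being skipped for the logged-on user, the key can be audited. This is an added example, not part of the original post or the Microsoft article; the function name Get-AutoDiscoverExclusion is hypothetical, and the versions and value names are the ones listed above.

```powershell
# Added example: report which Outlook AutoDiscover exclusion values exist
# for the current user, with their registry type and data.
$versions   = '14.0', '15.0', '16.0'          # Outlook 2010, 2013, 2016
$valueNames = 'ExcludeHttpRedirect', 'ExcludeHttpsAutoDiscoverDomain',
              'ExcludeHttpsRootDomain', 'ExcludeScpLookup', 'ExcludeSrvRecord',
              'ExcludeLastKnownGoodURL', 'ExcludeExplicitO365Endpoint'

function Get-AutoDiscoverExclusion {
    param([string[]]$Version = $versions, [string[]]$Name = $valueNames)
    foreach ($v in $Version) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\AutoDiscover"
        if (-not (Test-Path -Path $key)) { continue }    # no key for this version
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props) { continue }               # key exists but holds no values
        $regKey = Get-Item -Path $key
        foreach ($n in $Name) {
            $prop = $props.PSObject.Properties[$n]
            if ($null -eq $prop) { continue }            # value absent: step runs normally
            [pscustomobject]@{
                Version = $v
                Name    = $n
                Kind    = $regKey.GetValueKind($n)       # the post expects DWord
                Value   = $prop.Value
                Skipped = ($prop.Value -eq 1)
            }
        }
    }
}

Get-AutoDiscoverExclusion | Format-Table -AutoSize
```

An empty result means none of the listed entries exist under any of the three version keys.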

 


An email from this sender could not be delivered to your mailbox as it has failed DKIM verification. To comply with government security standards the ATO cannot accept emails that fail DKIM integrity checks because the email cannot be verified as genuine.

Currently there is an issue causing emails from organisations using Office 365 to fail DKIM verification.

Office 365 has implemented its own DKIM features and customers must ensure that outbound DKIM is correctly configured for their domain (DNS) and namespace (Office 365 Administration).

 

Resolution

How to enable DKIM on 365

You will need to enable DKIM outbound DNS Verification on either 365 

selector1._domainkey.domain.com
selector2._domainkey.domain.com

These need to point to 

selector1-domain-com._domainkey.onmicrosoftalias.onmicrosoft.com
selector2-domain-com._domainkey.onmicrosoftalias.onmicrosoft.com

Your onmicrosoftalias is the domain GUID and can be retrieved from the MX record for your domain

You then need to enable DKIM signing for the domain.

Via PowerShell:

New-DkimSigningConfig -DomainName domain.com -Enabled $true

Or through GUI : 

 

If you send out via another provider, e.g. a spam filter, you will need to check how to enable this on the spam filter.
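Before enabling signing it helps to confirm that both selector records exist and point at the right target. The following is an added example, not part of the original post: the function names, the domain contoso.example, the alias contosoalias and the sample DNS answers are all constructed placeholders, and the target format is the one given above.

```powershell
# Added example: build the two DKIM selector records described above and
# compare them with the CNAME targets observed in DNS.
function Get-ExpectedDkimCname {
    param(
        [Parameter(Mandatory)][string]$Domain,        # e.g. domain.com
        [Parameter(Mandatory)][string]$TenantAlias    # the "onmicrosoftalias" part
    )
    $d      = $Domain.ToLower()
    $dashed = $d -replace '\.', '-'                   # domain.com -> domain-com
    foreach ($selector in 'selector1', 'selector2') {
        [pscustomobject]@{
            Name   = "${selector}._domainkey.$d"
            Target = "${selector}-${dashed}._domainkey.${TenantAlias}.onmicrosoft.com"
        }
    }
}

function Test-DkimCname {
    param(
        [Parameter(Mandatory)][object[]]$Expected,
        [Parameter(Mandatory)][hashtable]$Observed    # record name -> CNAME target seen
    )
    foreach ($e in $Expected) {
        $found = $Observed[$e.Name]
        if (-not $found) { $status = 'Missing' }
        elseif ($found.TrimEnd('.') -ieq $e.Target) { $status = 'OK' }   # ignore trailing dot
        else { $status = 'Mismatch' }
        [pscustomobject]@{ Name = $e.Name; Expected = $e.Target; Found = $found; Status = $status }
    }
}

# Constructed sample answers. On a live system, fill the table from
# (Resolve-DnsName -Name <record name> -Type CNAME).NameHost instead.
$observed = @{
    'selector1._domainkey.contoso.example' =
        'selector1-contoso-example._domainkey.contosoalias.onmicrosoft.com.'
    # selector2 is deliberately absent to show the 'Missing' result
}

$expected = Get-ExpectedDkimCname -Domain 'contoso.example' -TenantAlias 'contosoalias'
Test-DkimCname -Expected $expected -Observed $observed | Format-Table -AutoSize
```

With the sample data, selector1 reports OK and selector2 reports Missing.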


When trying to add your email account to Outlook 2016 you get the following error

an encrypted connection to your mail server is not available

365 is obviously encrypted, which means there must be something wrong with Autodiscover

1. Check Autodiscover

Should be a CNAME to autodiscover.outlook.com. (put a full stop on the end)

2. Make sure you have finished setting up the domain in 365 or it won’t listen for the domain

Test Autodiscover via : https://testconnectivity.microsoft.com/

Try logging in to PowerShell on your 365 tenant and disabling OAuth2 (2FA):

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

When trying to create an IMAP Mailbox Sync via Office 365, I was getting the following Failed error next to the Sync Status

TLS negotiation failed with status AlgorithmMismatch

The IMAP server I was syncing from was using SSL on port 993, however the SSL cert was self-signed rather than from a proper cert authority

In the end I had to enable syncing through 143 unencrypted, or you can purchase a signed SSL cert for the migration


In Office 365, when trying to use Release selected message and allow Sender in the Exchange Administration portal, it shows the following error

“You don’t have permission to open this page. If you’re a new user or were recently assigned credentials, please wait 15 minutes and try again”

It does allow you to just release messages. The issue is the user needs to be a member of the Hygiene Management and Organization Management roles in 365 (under Permissions and Admin Roles)



Get Distinguished Name:

Get-Mailbox [Username] | fl Name,DistinguishedName

Groups:

Get-Group -ResultSize Unlimited -Filter 'Members -eq "[User Distinguished Name]"'

Distribution Groups:

Get-DistributionGroup -ResultSize Unlimited -Filter 'Members -eq "[User Distinguished Name]"'


What you need to do to enable Mailguard Filtering and Officemailguard 365

Log in to the 365 portal

Inbound Filter by IP

This forces all internal mail to only be accepted by 365 from Mailguard IPs. Spammers start caching DNS records, so even though you changed MX records they use old ones!

  • Exchange Administration 
  • Mailflow
  • Connectors

From Partner Organization
To Office 365
How do you want to identify the partner organization? Domain
Specify one or more sender domains: *
Reject email messages if they aren’t sent from within this IP address range ( IP Range from Mailguard )

203.21.125.32/32
69.16.202.203/32
174.36.235.195/32
69.16.202.216/32
50.23.246.238/32
50.23.252.166/32
108.168.255.216/32
108.168.255.217/32
203.21.125.33/32

Outbound Filter forcing SMTP relay

Make sure all Office 365 IPs http://pastebin.com/6UZZcWPQ are in trusted networks

  • Exchange Administration 
  • Mailflow
  • Connectors

Only when I have a transport rule set up that redirects messages to this connector – Tick
Route email through these smart hosts : filter.riskca-1.mailguard.com.au
Always use Transport Layer Security (TLS) to secure the connection (recommended)

  • Exchange Administration 
  • Mailflow
  • Rules

Name : Relay Outbound through MailGuard
*Apply this rule if… – The Sender is Located … Inside the organization
*Do the following… : Use the following connector Name of Connector Above

SMTP SPF

Add this include to the TXT record for the outgoing domains

include:customer.mailguard.com


I used AzCopy to copy some PSTs up to the Azure blob to copy them to 365

All users apart from one imported OK

One user came back with “Completed With Errors View details”

 
Status Failed – Import in progress
 
After checking with 365 , this was due to the user having a soft deleted mailbox
 
Log in to MSOnline via PowerShell and run
 
Remove-MsolUser -UserPrincipalName <account id> -RemoveFromRecycleBin
 
 

You can forward these emails to junk@office365.microsoft.com or use the Outlook plugin to report them, and hopefully Microsoft should block these in future: https://www.microsoft.com/en-us/download/details.aspx?id=18275

 

Microsoft have actually now got a new filtering service for 365, however it’s paid for and per user. You could maybe try: https://products.office.com/en-us/exchange/online-email-threat-protection

It’s not uncommon nowadays to have another third-party appliance such as a Barracuda or a hosted service such as Postfix to filter items before they get to 365. It seems once a spammer figures out how to exploit 365, all domains get the same spam. 2 layers of protection is safer!

 

1) Make sure your own SPF Records are in check : http://www.spfwizard.net/

2) Get your DKIM records in check : http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx

3) Get your DMARC Records in check : http://blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx
