Sender -> Forward Server -> Reciepient

Exchange 2010 uses a Resent-From header that is added to the message while it is being forwarded externally by the forward server ( this address is the email account used to forward the email )  so emails to the Reciepient server, are checked for SPF check using the Resent-From address and IPs. Which Pass!

With 2016 or Office 365 this Resent-From header is not there and the external contact server does the SPF check using the original sender’s domain and forward server IP address and it hard fails spf.

Workaround: Message Header ReWrite

Use Mimecast to Rewrite the Envelop from Address to the Resent-From Address instead

Configuring Address Alteration Definitions and Policies (mimecast.com)

SRS Should be doing this as well

Sender Rewriting Scheme (SRS) in Office 365 – Office 365 | Microsoft Docs

• No Comments

You can send emails via Mimecast instead of 365 , so you don’t need a licensed 365 user.

Login and enable SMTP Email submissions for that user

Use the users Cloud password and email address for Auth

$creds = get-credential

Send-MailMessage -From [email protected] -To [email protected] -Subject "Test Email" -Body "Test SMTP Service from Powershell on Port 587" -SmtpServer au-smtp-outbound-1.mimecast.com -Credential $creds -UseSsl -Port 587

If you see

Send-MailMessage : Unable to read data from the transport connection: net_io_connectionclosed

You need to create an Authentication profile with 2fa disabled , and apply it to that user via Application Settings

“Send-MailMessage : A call to SSPI failed, see inner exception”

Trying to send email comes back with this error , you need to change TLS1.2

‘ServicePointManager.SecurityProtocol’ is not recognized as the name

Trying to use

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

# Enable TLS 1.2 as Security Protocol
[Net.ServicePointManager]::SecurityProtocol = `
    [Net.SecurityProtocolType]::Tls12 ;

• No Comments

Sending an email to the address stated on your Teams channel, does not come through

You check with SMTP server and it says delivered correctly

Reading a few articles online showed this was an SPF issue , however you can’t prove this , and 365 Support at the moment is very bad so its better trying a few other things. So if teams\sharepoint doesn’t like you using a smarthost , then you can use a Mail Connector in 365 , so separate the domains for teams to use the MX directly per below 

This solved the issue

• No Comments

Use below XML File

Make sure the ODT cache is copied to local PC before installing , does not seem to work on UNC patchs

Use Elevated Token

<Configuration ID="b34f7df2-db1f-476b-ac0d-a9b0142ec695">
  <Add OfficeClientEdition="32" Channel="Current" SourcePath="C:\Program Files\BatchPatch\deployment\ODT" AllowCdnFallback="TRUE">
    <Product ID="O365ProPlusRetail">
      <Language ID="MatchOS" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
      <ExcludeApp ID="Bing" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="0" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
  <Property Name="DeviceBasedLicensing" Value="0" />
<Property Name="ForceAppShutdown" Value="TRUE" />
<Property Name="PinIconsToTaskbar" Value="TRUE" />

  <Updates Enabled="TRUE" />
  <RemoveMSI>
    <IgnoreProduct ID="InfoPath" />
    <IgnoreProduct ID="InfoPathR" />
    <IgnoreProduct ID="PrjPro" />
    <IgnoreProduct ID="PrjStd" />
    <IgnoreProduct ID="SharePointDesigner" />
    <IgnoreProduct ID="VisPro" />
    <IgnoreProduct ID="VisStd" />
  </RemoveMSI>
  <AppSettings>
    <Setup Name="Company" Value="Yarra Capital" />
  </AppSettings>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

• No Comments

When trying to edit settings of an Office 365 group you see the follow error

“You cannot manage the General settings for this group in admin on behalf of mode. Please edit them as a client administrator.”

It means you can’t use delegated access . you will need to login to 365 as a Global admin to change

• No Comments

Receiving an email into 365 in a hybrid setup shows the following error

Make sure if you are in Hybrid you add the External IP of your onprem Exchange server during migration to the SPF Record , as this is used by the connector 

• No Comments

Had an issue with a backup chain that was syncing files to/from the azure repo, one of which is 6TB.
This large file caused a bunch of errors due to insufficient space in the system %temp% directory (c:\windows\temp\)

The solution is to set a custom temp directory (with sufficient space) on the backup server where the extents are connected (in this case, the backup proxy).

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\
Name: CustomTempDirPath
Type: REG_SZ
Value: should be system Variable for %Temp% by default. 

• No Comments

We change a rule so clients from the LAN would access items on the DMZ via the public IP instead of Private ( using DMZ ) 

DMZ <-> LAN to WAN <-> DMZ

1 ) Per this guide , make sure the Virtual IP rule has Any for extintf

https://kb.fortinet.com/kb/documentLink.do?externalID=FD33976

2) You will need to make sure there are rules from LAN -> DMZ that reference the VIP as a source for NAT  —-  ( ANY -> ANY ) on LAN -> DMZ won’t work

• No Comments

# KeySecure API endpoint and POST params
$keysecures = @(“%KeysecureIPorDNS%”)

#Import Credentials from Credential XML, this is protected by file level application for security Format <Credentials><Credential><Name\User\Password>keysecure</Name\User\Password></Credential></Credentials>
$credxml = Select-Xml -Path  “\\sydfileserver\shared\Security\Project 2020 – Huon\CLI\Credentials.xml” -XPath ‘/Credentials/Credential’ | Select-Object -ExpandProperty Node

#import credentials from XML into values to be used
$kscreds = $credxml | Where-Object {$_.Name -eq “keysecure”}
$pscpcreds = $credxml | Where-Object {$_.Name -eq “pscp”}

#change ks creds for Json
$kscreds = @{ username = $kscreds.User; password = $kscreds.Password; }

#look through all KeySecures and do
foreach ($keysecure in $keysecures) {
    #Output current Keysecure
    $keysecure

    # Make API request to get bearer token valid for 300 Seconds
    $bearer_token = Invoke-WebRequest https://$keysecure/api/v1/auth/tokens -Method Post -Body $kscreds -UseBasicParsing | ConvertFrom-Json
    $bearer_token = $bearer_token.jwt
    #Build Header with Bearer Token for Future Requests
    $headers = @{Authorization = “Bearer $bearer_token”}

    #Create Backup
    $params = @{ tiedToHSM = “false”; scope = “”; backupKey =””; }
    $response = Invoke-RestMethod -Uri https://$keysecure/api/v1/backups -Method Post -Headers $headers  -Body $params -UseBasicParsing

    #Output Backup ID for Fault Finding
    $response.id
    $response = $response.id
    #While look to check Backup status then download and delete backup once completed


    #12 tries 5 Seconds each
    $maxRetries = 12; $retryCount = 0; $completed = $false

    #Check for Loop to complete
    while (-not $completed) {

    #Get Backup Status
    $bkstaus = Invoke-RestMethod -Uri https://$keysecure/api/v1/backupStatus -Method get -Headers $headers -UseBasicParsing;
    #Output Backup Status for Fault Finding
    $bkstaus.status


        if ($bkstaus.status -eq “Completed”){

            $completed = $true

            #download File
            Invoke-RestMethod -Uri https://$keysecure/api/v1/backups/$response/download -Method get -Headers $headers -OutFile “C:\Temp\$keysecure$response.bak”
       
            #move to SCP NFS 



            #check File Exists
            IF (Test-Path C:\Temp\$keysecure$response.bak) {
                #Check not 0KB
                If ((Get-Item C:\Temp\$keysecure$response.bak).length -gt 0kb) {
                     #delete File from KeySecure
                     Invoke-RestMethod -Uri https://$keysecure/api/v1/backups/$response -Method delete -Headers $headers  -Body $params -UseBasicParsing
                     $body += $keysecure+’ backed up using ‘ + $response + ” id<br>”

                }  else { $body += “Error” + $keysecure+$response +  ” File 0kb<br>” }
            }  else { $body += “Error” + $keysecure+$response +  ” Backup file does not exist<br>” }



        }
        else {

             if ($retryCount -ge $maxRetries) {
             #output error for retries waiting for backup to complete
             $body += “Error” + $keysecure+$response+ ‘Max retries exceeded wating for backup<br>’
            } else {
            #wait 5 seconds and try again
                Start-Sleep -Seconds ‘5’
                $retryCount++

            }
        }


    }

}


#email out

$EmailFrom = %FROMEMAIL%”;
$EmailTo = ” %TOEMAIL%  “;
#Note: Use comma separated list if more than one CC email address below:
$EmailCopies = ” %TOEMAIL% “; 
if($Body -like ‘*Error*’) {$Subject= ‘Keysecure Backup Error’} Else { $Subject = ‘Keysecure Backup Success’} ;
$Body = $body;
$mailMessage = New-Object Net.Mail.MailMessage($EmailFrom, $EmailTo, $Subject, $Body);
foreach ($addr in $EmailCopies.split(‘,’)) {
$mailMessage.CC.Add($addr );
}
$mailMessage.IsBodyHtml = $true;
$SMTPServer = “%SMTP%”;
# Make Windows negotiate higher TLS version:
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer);
$SMTPClient.EnableSsl = $true;
$SMTPClient.Send($mailMessage);

• No Comments

Per Previous post  , I had to reserve engineer a method for accessing documents in Google drive via API from WordPress , I put the access to Offline so it wouldn’t need refreshing , however after a week it suddenly stopped working with 

invalid_grant

I put the API in testing mode which means 

Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.

Changing this to “In production” looks like a lot of trouble 

However reading through the guides a Service account would fix this task

Create a service account and create a key for that service account

JSON key file should look like below

{
"type": "service_account",
"project_id": "xxxxxxxx",
"private_key_id": "xxxxxxxxx",
"private_key": "END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "xxxxxxxxxxx",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxxxxxxxx.iam.gserviceaccount.com"
}

Save this json as something like service.json

Share the folders in Google Drive with your service account [email protected] with the right permissions 

Remove the need for token.json

$client->setAuthConfig(__DIR__.’/service.json’);

• No Comments