We’ve had a very busy summer, working on all sorts of features that are helping our clients and partners run a more profitable & predictable business. All of these new features will be available through ExchangeDefender as well as Wrkoo shortly.
This post is unfortunately not about one of those features. During the implementation of full automation for service subscriptions, terminations, and billing we found several partners that were committing outright financial fraud against us. This has caused us to revise our billing process and policies so that we can continue to provide a service that is both affordable and profitable for everyone.
In 2019, we’ve spent an average of ~62 hours per month dealing with delinquent accounts.
Delinquent accounts are those that do not pay their bills by the 5th of the month. By our policy every account that does not pay their invoice in full on the 1st has a ticket generated and assigned to the Billing Contact for the company. We then follow up with an email and a phone call to the billing contact. We understand that business can be difficult and unpredictable (credit cards get compromised, it’s hard to track expirations with all the vendors, some clients pay slow, etc) and we go out of our way to make sure the business is aware of an unpaid invoice. Invoices that are not paid by the 5th (after we’ve contacted the billing contact every possible way) are charged a late fee. If the invoice is still not paid we continue to make the best effort, and if it’s still not paid after the 15th the service is disconnected.
Delinquent Account Handling
If you were seriously late paying an invoice more than twice in 2020, your account will be flagged as delinquent. If any of the future invoices are unpaid by the 5th, you will be asked to provide a secondary funding source:
If neither funding source can be charged by EOD on the 3rd (after tickets have been opened and emails sent), the services will be suspended.We are hoping that this automation helps our partners and clients avoid service interruptions and late fees.
Due to popular demand, we’ve added some new Distribution Group features to our Exchange/M365 Service Manager. The features are all about external (mail enabled) contacts that have a huge presence in the SMB/consulting organizations:
External Contacts or Mail Enabled Contacts are great when you need to give a person an email address on your domain without giving them their own mailbox. This is a very popular feature in SMB/consulting community when it comes to contractors and third parties that already have their own email infrastructure but for compliance (or vanity) purposes they need an email on your domain.
External Contacts allow you to assign an email address on your domain (email@example.com) and automatically forward all their mail to their existing email address (firstname.lastname@example.org).
Not only does this feature help save money on licensing costs, it also eliminates the need for the person to setup another account and check mail at a new place.
The upgrade we’re announcing today has to do with External or Mail Enabled contacts as a part of a Distribution Group (Exchange term for “mailing list”): You can now add external email addresses to any internal/external distribution group from the Service Manager at https://support.ownwebnow.com. Now when you try to create or modify a distribution group, your “Add a new member” screen will show your defined external contacts as well!
This is one of the most demanded features in Service Manager, and we hope it serves your business well!
But her (external) emails!
Unfortunately for some, the Internet standards still apply and most service providers are rapidly removing features that have anything to do with external mail forwarding. This is mainly due to rise of SMTP authentication/authorization protocols like SPF, DomanKeys (DKIM) that do not work with the way mail enabled external contacts are implemented in Microsoft Exchange and other email servers. When the mail is being forwarded to the external contact, the From line remains intact so that the recipient can identify the person sending the email (for example, email@example.com). But when the message is forwarded to the external contact, the receiving server will look at the from line and see that the message is from a domain hosted on Gmail but sent from the ExchangeDefender address space (that is obviously not a part of Google Gmail SPF/DKIM record) and depending on configuration might consider that message to be a forgery/spoof/SPAM.
This isn’t an ExchangeDefender issue, or a Microsoft issue, or a Gmail issue, it’s a part of the protocol specification. And while everyone else is making this feature go away (because it can affect server reputation), we’re working on rewriting/improving it. We are currently working on a feature that will rewrite the From line, so when Exchange forwards an email “From: Vlad Mazek <firstname.lastname@example.org>” to an external contact, the recipient will get an email that shows this on the from line: “From: Vlad Mazek <email@example.com>” that will help bypass SPF/DKIM checks on the receiving side.
It’s been a year since we launched the ExchangeDefender Automatic Enrollment feature and it recently got a major upgrade to function with our new cloud infrastructure. This is our favorite way to enroll ExchangeDefender users for two reasons: it’s the simplest and the most seamless way to onboard new users.
When ExchangeDefender detects a new email, it will put it in the enrollment process which consists of the following:
– Creating an ExchangeDefender account and supporting service accounts
– Applying existing policy defaults for the organization
– Creating LiveArchive account and routing policy
– Updating administrative and licensing systems
– Generating a welcome email
On the service provider side, there is a full and searchable log of all account enrollments so everyone is kept in the loop in real-time.
As for the user experience, everything is branded and automatically taken care of. When they send an email to any external email, their address will be provisioned within 1 hour and they’ll get the following email inviting them to get started. Even if they ignore it, the ExchangeDefender auto attendant will automatically apply all the domain/organization specific policies for them automatically. And of course, if something on your network is sending email by mistake you can just block it and you won’t be billed for it.
There is a lot of work and testing currently being done on several Microsoft integrations (Azure Directory sync, Outlook/OWA addin) but more on that during our August webinar. We are also doing some very interesting integrations on the Enterprise side, and some of those features may appeal to our MSP partners (although some may be cost / infrastructure prohibitive). For example, we have a client who required accounts to be approved before they could be auto-created (even though they were synced through our Azure integration) and we were able to enable them to do that. If you’ve got feature ideas we’d love to hear them, but there is a lot we can also build with our partners.
At ExchangeDefender we get an over-sized serving of “weird email problems” on a daily basis, and keeping the client up and running and email flowing securely is our first priority. Trouble is, some of the issues our clients face can’t be easily replicated because they often involve a complex setup or a device that we do not have control over, naturally leaving the paying client in a position to make us prove that we aren’t causing the problem. And the customer is always right.
Today we are announcing a new service, included with ExchangeDefender Pro, that will help improve monitoring, problem detection, recovery, and diagnostics for email problems that fall in the weird category. By simulating real-world email traffic we can match up our timestamps, headers, diagnostics logs, and identify problems and their cause in real-time. Our email diagnostics service can be scheduled with preset intervals, message specifications, test parameters and more to help detect a problem with the mailbox or mail routing in general.
What kind of tests can we run? Here are a few of the top used cases:
– Email sometimes experiences a delay
– None of the emails with attachments sync with the mobile device
– Messages aren’t consistently signed with DKIM
– Messages to/from different sources cause a delay
– Messages “arrive all at once” or “never at all from 9PM to 11PM”
In the two months that we’ve been testing this new service, we have yet to find a problem that can either not be identified by this tool or that we cannot fix very quickly. This system can detect issues within the ExchangeDefender cloud, as well as any other email infrastructure out there (Office/Microsoft 365, Gmail, etc). This feature is a part of a much larger set of security enhancements we’ve been developing/testing, and would welcome any feedback and suggestions.
If you have found an issue that is causing a problem for the client, please let us know by opening a ticket. From there we can simulate the sort of traffic that is not reaching their mailbox correctly and give you tons of samples that will help identify exactly where the issue likely is.
To get started, open a ticket with “Email Diagnostics Request” and the type of problem you’re trying to solve and we’ll get right on it. This service is a part of a more elaborate mail testing package we are currently building to assure all our clients are properly setup, properly locked down, and ensure any issues are detected and addressed before they impact productivity.
Today we received word from Microsoft explaining that they are currently investigating the technical issues involving the sudden crashing of their Outlook email app. (For the record, no – it’s not us.) Their twitter confirmed later in the day with the following alert:
“We’re investigating whether a recently deployed update could be the source of this issue,” explains Microsoft… “As a workaround, users can utilize Outlook on the web or their mobile clients.”
This comes after thousands of Office 365 users reported that the email app immediately shuts down upon opening. This has come after the recent upgrade to Exchange 2016.
As for ExchangeDefender, we have not received any support requests as of yet, but we wanted to give you a heads up in the event that you experience difficulty using the app.
Our tip: Use OWA with your web browser, you should be able to login with no issue. If you are still experiencing delays, please submit a ticket via our support portal, so that we can troubleshoot your issue further.
Our Official NOC announcement is available here!
We’ve been running Exchange migrations to/from Microsoft 365 and Gmail since 2015 and as of this month all our users are on our latest tech (Microsoft 365 / Office 365). With all the new modern tools and Microsoft cloud tech you’ll automatically get backend updates from here on out and hopefully the words “email migration” will never come up for you.
We realize that there are some clients that would prefer to move their mail elsewhere so before we retire all our legacy infrastructure, we are making one final offer. We can manage your migration, either by just providing the pst export of data or managing the entire process end to end.
The cost for the PST export is $39/mailbox if you’d like us to handle it for you (or you can do it for free yourself), and the cost for the full migration service is $59/mailbox.
PST Export ($39/mailbox) includes exporting your data to a standard PST file and making it available on a secure web site.
Full migration ($59/mailbox) includes the export as well as the following:
– Mail proxied through ExchangeDefender delivering to current mailbox as well as the mailbox at the new location, allowing you to stay in business even while we do the mail moves.
– DNS management including configuration of the new SPF, DKIM/DMARC, and MX records.
– Current mail (pst) upload to the new mailbox
– Disconnection/removal of the existing email infrastructure
– Warranty and support for the whole process.
We recommend going with the full migration including a year of ExchangeDefender service. This option allows us to make sure the configuration is accurate on both clouds, that data is moved correctly and securely, that MX/SPF/DKIM/DMARC are operational and do not cause issues down the road, as well as LiveArchive to assure that should anything go wrong you can still send/receive email.
P.S. If you have basic IT skills, or if you work with an IT/MSP/VAR/tech provider, you can do this on your own. Simply make the following changes to your hosts file and you will be able to connect Microsoft Outlook and export mail to a pst file on your own. Our legacy systems will be permanently retired on August 1st, 2020.
If you are interested in this offering, please download the application and submit it to us via ticket at https://support.ownwebnow.com
or call us at 877-546-0316 x720
We wanted to offer a major update on the migration, specifically covering the major issues we have addressed for some clients during the cleanup phase.
Distribution groups, forwarding
We have received reports from several organizations regarding issues covering distribution groups, group members, forwarding account directions (forward vs. store & forward). If any objects failed to import due to configuration/contents/policy/etc it is in the retry queue and will be published shortly.
Add / Delete Mailbox
We have addressed a bug in the add/remove process that was prohibiting certain organizations to add/remove accounts. Originally, as noted on anythingdown.com NOC, we blocked this function entirely because users were looking at an empty list and creating mailboxes (that would cause a collision when the new mailbox was migrated from the source). This problem is fixed, if you encounter an issue please open a ticket with a screenshot and as much info as you can provide.
Add / Delete Organization/Domain
At this moment it is not possible to add/remove organizations, or those that were in the system recently. In order to finalize the migration, the routing policies are locked down (meaning if you deleted a domain, ExchangeDefender will still treat them as local). We look forward to wrapping this up shortly.
Password / Login issues
This is by far the biggest ticket group category, we are still processing double digit requests for credentials, credential resets, and credential tests. Similar to the next group:
We are still spending a lot of time going through the basic Outlook configuration steps. For an overwhelming majority, this transition has been transparent. Those that did not and had to take a manual configuration route, the process has been described at anythingdown.com 1) Make sure you have an autodiscover record 2) Make sure it propagates, then run the autodiscoverregistryhacks.zip 3) If you don’t control your DNS, make adjustments to your local systems hosts file 4) Setup Outlook with autodiscover, the UPN must be used as your login address if you’ve changed it from your primary SMTP address.
Missing & Syncing Emails
Every mailbox that has been reconnected has either had all it’s mail delivered directly, delivered in a Catchall account – firstname.lastname@example.org. Some users are confusing items they see in their Inbox in LiveArchive but not in their Outlook/OWA (but after extensive searching we keep on finding missing messages in folders, Deleted Items, etc). If something is missing and absolutely critical in LiveArchive just click on the message and click Forward to your email address and the message will be forwarded to your Outlook/OWA.
Store & Forward
Several users were also unfortunately caught up in a custom policy that did not get migrated to the new Exchange. These are more legacy configs we did for some users in AUDC, things like renaming the OU or primary domains. For some of those accounts, the store and forward rule because a forwarding only rule, skipping the Inbox and going straight to the person that it’s being copied to. We have fixed this issue and it should not be happening again.
We have gotten several complaints about autodiscover. Microsoft has removed manual configurations in 2013 and no modern version of Microsoft Exchange supports a manual server setup. However, this is something that could be easily rectified even with minimal technical skills by modifying the local hosts file if you don’t have the credentials to do it properly by modifying the DNS. Absolutely everything in the new infrastructure relies on the autodiscover record!
iPhone / Android Setup
For the most part, we are just confirming that all mobile devices should work fine with owa.xd.email as the server name, ditto for EWS integrated applications, we have not received more than an inquiry for the server name. For Android, things get sketchier when you consider all the different vendors, apps, and configurations. Again, so long as autodiscover is present and configured properly and your device is using a modern client, it should just work. When it doesn’t, recreating it takes a few minutes.
Non delivery receipts and errors are always of high interest to our NOC team as we continue to go through cleanup and audit all the tickets and users.
These are the issues we are currently working on, in 3 shifts, and sorting them all out as fast as possible. I know that for many of our clients this transition has been messy, but you are on such a better and more secure platform that won’t require you go through this process again. While modern platforms are more secure, their recovery from a disaster or issue (as some of you unfortunately went through) is extensive and at times unpredictably slow – so you have this much of a commitment for us, we will make sure LiveArchive is able to step in on a whole new level when things like this happen.
Important links to remember
ExchangeDefender Exchange Setup
Autodiscover Registry Hacks
ExchangeDefender Service Documentation (Knowledgebase)
This guide is intended for IT solution providers, CIO, and technical staff that is in charge of setting up and managing email. While Exchange is a very complex and robust environment, our control panel is designed to help personnel of all technical skill levels manage email. In Figure 1 above you can see our Service Manager, the user friendly way to manage every aspect of email in your Exchange organization.
This site is accessible at https://support.ownwebnow.com and your MSP/CIO has access to manage the Service Manager on demand. For the purposes of this guide, we only reference this site because it is where management begins: the rest of the guide is to help every user configure their Microsoft Outlook, or mobile Android / iOS devices.
Important Server Names
Microsoft Outlook, iOS and Android devices connect to the Microsoft Exchange infrastructure through several web services. If your IT provider has configured your Autodiscover DNS properly, you will never need to know about these sites, but it is important to know where the resources are in the event that you need to configure something more complex to work with Exchange. Figure 2.
Each Exchange organization managed by ExchangeDefender has their own branded set of OWA, EWS, and Autodiscover records. While we recommend you use the branded one for your organization, the default ones will work the same way and they all point to the same network resources.
Outlook Web App
Outlook Web App (formerly known as Outlook Web Access) is the web version of Outlook that works in your browser. While not as powerful or as flexible as Outlook, unless you are a power user, it will do the job. You can point your cell phone, tablet, laptop, or workstation to the URL above and it will give you access to the most popular Outlook features over the web.
Exchange Web Services (EWS) is the web service endpoint for advanced configurations. If you need to integrate a service or a device with Exchange Web Services, this is the URL to use. As of Exchange 2013, there is no support MAPI.
Exchange Autodiscover service makes it easy to deploy Outlook without providing manual configuration parameters – all you need is your email address and your password. Since 2013, Autodiscover has become the only way to configure Outlook/Exchange and manual configuration is no longer possible. If you do not have Autodiscover record in your DNS you need to create it and point it as a CNAME to autodiscover.xd.email (if this is not possible for some reason, see Appendix A)
ExchangeDefender Admin Control Panel
Managing ExchangeDefender security, including the included Exchange antispam, antiphishing, and business continuity services, is done through our admin control panel. Most organizations are managed through the domain login (domain.com) or user login (email@example.com). Please see https://www.exchangedefender.com/docs for more information on how to manage this powerful service.
ExchangeDefender Next Generation LiveArchive (NGE)
ExchangeDefender LiveArchive is a business continuity (email resilience) platform independent of Microsoft Exchange that is running in parallel with your email infrastructure. When Microsoft Exchange experiences a technical problem, you can still send and receive email from any device using the same email and password that you use for Outlook and OWA. Please see https://www.exchangedefender.com/docs for more information.
For the purposes of this guide, we are assuming that your IT personnel has already created all the required DNS records (MX, SPF, DKIM, and most importantly, Autodiscover) and that you know your login credentials (you can test them by going to https://owa.xd.email/owa/)
Step 1: Download and run Outlook Registry Tools
Open your web browser and go to the following site: https://www.exchangedefender.com/media/autodiscoverregistryhacks.zip
Step 2: Open the Outlook Registry Tools
Click on autodiscoverregistryhacks.zip to open the archive (Figure 3):
Find the version of Outlook you have (registryhacks2016 will work for both Outlook 2016 and 2019) and drag it to the desktop.
Click on Start, type cmd, and then right click on the Command Prompt.
Click on Run as administrator.
Change directory to your desktop: cd C:\Users\YourUsername\Desktop\
Note: Please substitute your username for YourUsername in the path. My example is C:\Users\Vlad\Desktop\
Run the batch file you extracted and moved to your desktop in the previous step. If you do it right, this is the output you will see (Figure 4):
IMPORTANT: Reboot your PC.
Step 4: Outlook Configuration
Start Microsoft Outlook and your configuration wizard will start. This process can take a few minutes for each step to be complete, if you’re waiting more than 10 minutes something is likely not done correctly.
Figure 5: Outlook Welcome
Your system will now contact the Autodiscover web service to obtain all the Microsoft Outlook configuration credentials. If it worked, you will be prompted to accept server settings:
Next you will have to provide your password.
Microsoft Outlook will now authenticate with our servers and configure everything for you. Next you should see the notification that Account successfully added.
Click on the link on the bottom under Done and confirm that checkbox is not checked next to Set up Outlook Mobile on my phone, too. Figure:
That is all! You are set and ready to go. Microsoft Outlook will now continue to set everything up and in a few moments.
That is all, enjoy Microsoft Outlook powered by ExchangeDefender managed Exchange.
Managing Calendar Permissions
Designed for Outlook 2013/2016
Select the Calendar button in the Navigation Bar.
Select the calendar that you would like to share, right-click on the Calendar and choose Share > Calendar Permissions.
On the Permissions tab, you may add or remove users to whom you have delegated access to your calendar.
To add a new delegate, select Add… and search for the desired user by Last Name. You can search the Global Address List or your personal contacts list by selecting the appropriate dropdown menu under Address Book. Under the Permissions heading, choose the level of detail you would like to provide to the user.
To remove a delegate, select the user and choose Remove.
Choose Apply > OK.
Configuring iOS Devices (iPhone, iPad)
Configuring iOS Devices is very simple. Just start your Mail app and you will be prompted to setup a new account. Select Microsoft Exchange, second option from the top.
Next, you will be prompted for your account credentials. Your login credentials are the same as for Outlook Web Access.
Tap on Next.
Your device will now attempt to locate the Autodiscover server and obtain all the settings.
You will be prompted to verify server identity, tap on Continue.
Next, you will be prompted to provide the server and login credentials, same as in the previous screen.
Server for iOS is owa.xd.email
Tap on Next.
After a few minutes the device will autoconfigure and allow you to select which iOS applications should sync data with the Exchange server.
Android setup is very similar to iOS but most vendors use their own email app. If you choose to use the stock Android Gmail app, or other Android phone vendor email app, you will need to know your:
Server address: owa.xd.email
Username & password which are the same as the ones you use to login to https://owa.xd.email/owa/
Configuring MacOS X with ExchangeDefender Exchange
The following instructions are for MacOS Catalina, and the instructions work very similarly for all other versions of MacOS X. So long as you have your Autodiscover record configured properly, your setup process will just require your email address, password, and a few clicks along the way.
1.First, start the MacOS Mail app. If you aren’t prompted to add an account click on Mail > Add Account
2. Select Exchange from the “Choose a Mail account provider…” screen. Click Continue.
3. You will now be prompted for your name and email address. Type them in and click Continue.
4. This is where Autodiscover kicks in. Manual setup is not supported. Click on Sign In.
5. Type in your ExchangeDefender password and click on Sign In.
6. You will be prompted to accept an SSL certificate. Click on Continue.
7. You will now be prompted to add the certificate. Please type in your MacOS X password here. Click on Update Settings.
8. You will now be prompted which apps you want to have access and sync with your Exchange data. Make an appropriate selections and click Done.
Congratulations, you’re all set. Exchange will now sync with your MacOS. If you need to make changes, you can always click on Mail > Accounts and go from there.
If the process fails for any reason, make sure you have an Autodiscover record set and pointed to the right direction. Make sure you are using the right credentials, you can test them at https://owa.xd.email/owa/ and if they work there, they should work on your Mac.
Appendix A: Hacking Autodiscover
As of Microsoft Exchange 2013 and Outlook 2013, you have to use Autodiscover records to configure Outlook. Your domain administrator must create an Autodiscover record in your domain.
Host Type: CNAME
Host value: Autodiscover.xd.email
After the host is created, it can take up to 72 hours for the DNS change to propagate (most should propagate in minutes).
If you cannot modify your DNS, you can hack it by using the Windows Hosts File. This is not recommended nor supported by ExchangeDefender and will likely be blocked by your antivirus, but if you’re technically sophisticated and can troubleshoot DNS you can point the Autodiscover.yourdomain.com hostname to the IP address of Autodiscover.xd.email. This is a temporary measure only, if you cannot immediately create a DNS record in your domain, and is not supported by our team.
We have been keeping our partners and clients in the loop on the migration issues, around 340 accounts are still affected and we are doing everything in our power to get the last users back to productivity. As usual, all technical stuff is located on our NOC which has been updated regularly through the day/night since the first issue with legacy disconnections started:
In the meantime:
If you are among the affected users rest assured we are doing all we can and working around the clock to get you back into your Inbox. However, just because your Outlook won’t start up doesn’t mean you cannot send and receive email from anywhere in the world. Here are the steps to enable the LiveArchive failover:
1. Go to our admin portal at https://admin.exchangedefender.com. Login as the domain admin (just type in your domain name, if you do not have the password you can get a password reminder or open a ticket with subject “LIVE ARCHIVE UNLOCK” and we’ll reset it for you)
3. After you set the password it should take 1 minute for it to apply.
4. Instruct the user to go to https://nge.exchangedefender.com. Their username is their login, their password should let them in. If you run into an issue logging in, open a ticket “LIVEARCHIVE USER” with email, password and we will reset the credentials for you.
This is not available just for the affected ExchangeDefender mailboxes, this is available and included in your service for everything we protect – public folders, shared mailboxes, etc. If a folder or user is missing just create an address as a user in admin.exchangedefender.com, enable LiveArchive, set credentials, and you’ll be back to sending/receiving email.
We are still working on this, and we will not stop until everyone is back to normal, on the new platform that will be the end of legacy Exchange issues we’ve had to contend for so long. Please stay on top of the NOC, we are doing the best we can to keep everyone updated but priority is currently on restoring access and service. If your clients are upset, understandably, please point them to LiveArchive and get them back to work, it’s functional on mobile as well as the PC. Our current status is that we’re restoring mail flow and mail access to anyone, with public folder infrastructure to follow later today.
Access to Live Archive – https://nge.exchangedefender.com/
ExchangeDefender SPAM Reporting (Feedback Loop) is a simple way for users to report SPAM messages that get delivered to their Inbox. This is a user-level feature in ExchangeDefender that inserts a link at the bottom of each processed email and gives users one-click reporting and blacklist management. Service providers and domain administrators can customize the appearance of the link that is automatically inserted at the bottom of the message.
Feedback Loop Feature
Login as the domain administrator And click on Mail Delivery > SPAM Feedback Loop. Click on Enable Feedback Loop Feature, make any optional additions to the signature, and click Save.
Enable Feedback Loop Reporting for Users
Once the feature has been enabled for the domain, Users will get a new feature in their Settings. Click on Settings > Settings and click on the SPAM Feedback Loop to enable signatures for email addresses associated with this user.
What does it look like?
The signature you designed on the Domain admin level will appear at the bottom of every HTML/text message that arrives in your Inbox. When the users click on the link it will open a web browser and take them to their ExchangeDefender account (if they are not logged in, they will see the login screen).
Once authenticated, the user can review the message, confirm that’s something they don’t want to see again, and we’ll look into it and make sure messages similar to the one they are reporting is not delivered to the Inbox.Users also have an option of providing feedback, uploading a copy of .msg file, as well as a checkbox that will automatically place the sender domain on a blacklist.
In conclusion, we realize that not everyone lives in Outlook or a web browser all day – so we’ve designed this process to help users that are mobile, or that interact with ExchangeDefender very infrequently – reporting and getting rid of SPAM is now just a click away. It also helps us improve the performance and accuracy of our filtering.
Try it out today!