blog.icewolf.ch

Let's talk about IT!
posts - 1950, comments - 295, trackbacks - 0


Saturday, January 22, 2022

M365 Import List from Excel File

Hi All,

Did you know that you can create a Microsoft List in M365 from an Excel file?

I have created this example Excel file


From the Office 365 portal in the browser I open Lists


Here I create a "New List"


I select "From Excel"


The Excel file has to be on your OneDrive


If the table is not yet properly formatted you need to fix that


With a click on "Open" above, the Excel file is loaded in Excel Online. Select the data and choose "Format as Table", then close Excel Online.



Now you are able to fix some column names and check the type of each column


Give the list a name and save it


And here you go: a List imported from Excel


With "New" you can add new entries


You will find your Lists under "My Lists"



Regards
Andres Bohren


posted @ Saturday, January 22, 2022 8:34 PM | Filed Under [ Microsoft365 ]

Friday, January 21, 2022

DANE - DNS-based Authentication of Named Entities

Hi All,

You might have stumbled over the Microsoft announcement of DNSSEC/DANE for Exchange Online.
In this blog post I would like to explain in detail how it works.


Microsoft 365 roadmap


What is DANE?

DANE is the abbreviation for "DNS-based Authentication of Named Entities".

DANE is defined in RFC 6698
The DNS-Based Authentication of Named Entities (DANE)
Transport Layer Security (TLS) Protocol: TLSA
https://datatracker.ietf.org/doc/html/rfc6698

It requires a TLSA DNS record. The RFC above has this statement about the name:
TLSA Record ("TLSA" does not stand for anything; it is just the name of the RRtype)

Maybe that's true. I would consider it a TLS Anchor.

It is a kind of HTTP Public Key Pinning (HPKP) for SMTP, with one important difference: the pin lives in DNS and is protected by DNSSEC, instead of being delivered by the server itself on first contact.
Interesting note: HPKP is already deprecated and no longer supported by any browser.

How does DANE work?

In short, these are the steps that are performed:
  • MX lookup
  • DANE lookup (TLSA record for the MX hostname, published under _25._tcp.<hostname>)
  • Connect to the mail server, issue STARTTLS and get the TLS certificate
  • Check whether the certificate (or its public key) matches the hash in the TLSA record

Both DNS answers must be DNSSEC-validated. An unsigned TLSA record adds no protection: an attacker who can spoof the DNS answer can spoof the pin along with it.


MX Lookup

As a mail server or Exchange admin you will be familiar with MX lookups. There are many ways to do it.

With the Windows command prompt

nslookup -type=mx hostpoint.ch


With PowerShell cmdlets

Resolve-DnsName -Name hostpoint.ch -Type MX



Via DNS over HTTPS

$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$MX = $json.Answer.data
$MX



DNSSEC

But wait, didn't you say that the DNS zone has to be secured with DNSSEC?
Yes, that's true. But how can I check that?

DNSSEC Analyzer



Another interesting method is to use DNS over HTTPS with PowerShell.
The DNS zone hostpoint.ch is protected with DNSSEC, while the DNS zone icewolf.ch is not.

$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$json

As you can see there are some flags in the REST response. AD = true is what we are looking for: it means the resolver (here dns.google) validated the DNSSEC chain for this answer. Keep in mind that with DNS over HTTPS you are trusting the resolver's validation, so the flag is only as good as the resolver you ask.
  • TC: TrunCation (truncated due to length greater than that permitted on the transmission channel)
  • RD: Recursion Desired
  • RA: Recursion Available
  • AD: Authentic Data
  • CD: Checking Disabled

My DNS zone icewolf.ch is hosted on Azure DNS. An interesting side note is that Azure DNS does not support DNSSEC at the time of writing.


TLSA DNS Record

The TLSA DNS record looks like this
_<Port>._tcp.<Servername> IN TLSA <Certificate usage> <Selector> <Matching type> <Certificate association data>

For SMTP the port is 25 and the name is the MX hostname, e.g. _25._tcp.mx.hostpoint.ch.


Certificate Usage (0 - 3)

0 PKIX-TA: The hash belongs to a certificate authority that is allowed to issue certificates for this host. The client must also trust this CA through its own trust store (trusted root CA or trusted subordinate CA).
1 PKIX-EE: The hash belongs to the server certificate. It also has to chain up to a CA that the client trusts.
2 DANE-TA: The hash belongs to a certificate authority that is allowed to issue certificates for this host. The client must trust this CA even if it is not in its list of trusted root or subordinate CAs.
3 DANE-EE: The hash belongs to the server certificate and the client shall trust it without looking at the certificate chain. Per RFC 7672 the client also skips the hostname and expiry checks for this usage, so the TLSA record alone binds the key to the server.

For SMTP only usages 2 and 3 matter: RFC 7672 (SMTP security via opportunistic DANE TLS) declares usages 0 and 1 unusable, because an SMTP client has no agreed-upon set of trusted CAs for opportunistic TLS.

Selector (0 or 1)

0 Cert: the full DER-encoded certificate
1 SPKI: only the DER-encoded SubjectPublicKeyInfo (public key plus its algorithm). A pin on the key survives a certificate renewal that keeps the same key pair.

Matching Type (0-2)

0 Full: no hash; the association data is the complete selected data (certificate or SPKI) in hex
1 SHA-256 hash of the selected data
2 SHA-512 hash of the selected data

A common choice for SMTP is "3 1 1": DANE-EE, SPKI, SHA-256. That is also what the hashing commands further down compute.

Let's check with the Windows command prompt - it does not know this resource record type

nslookup -type=tlsa _25._tcp.mx.hostpoint.ch


Let's check with the PowerShell cmdlets - same here, the resource record type is not known

Resolve-DnsName -Name _25._tcp.mx.hostpoint.ch -Type TLSA


Let's try with DNS over HTTPS - here it works

$TLSAQuery = "_25._tcp.mx.hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$TLSAQuery&type=TLSA"
$TLSA = $json.Answer.data
$TLSA



If you're working on Linux, this is your command:

Install the BIND utilities
sudo yum install bind-utils

DNS query (add +dnssec to also see the RRSIG that proves the record is signed)
dig _25._tcp.mx.hostpoint.ch IN TLSA +short


Most DNS providers out there currently do not support creating TLSA DNS records.

Even in the control panel of Hostpoint (remember, it does support DNSSEC and has published its own TLSA record) it's not possible to publish a TLSA record.

The same applies to Azure DNS.


Normally you can check any DNS record with MXToolbox.com - not for TLSA records. At least not for the moment. I guess that will change soon.


But there are alternatives like this one

DANE SMTP Validator



or this one


Mail Server Certificate

It's now time to get the mail server certificate. A while ago I created a PowerShell script for getting the SMTP certificate.

.\Get-SMTPCertificate.ps1 -ServerName $Mailserver -Port 25 -SendingDomain icewolf.ch -CertificateFilePath C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer


Create the Hash

To be honest, I was struggling with that part. None of my efforts to create a SHA-256 hash of the certificate / certificate public key matched the hash in the TLSA record.

It's not as simple as hashing the certificate file: with selector 1 the hash is computed over the DER-encoded SubjectPublicKeyInfo (the public key plus its algorithm identifier), not over the .cer file, and with selector 0 it is computed over the DER-encoded certificate, so a PEM/Base64 file has to be decoded first.

# The GetSpkiFingerprint method returns the SPKI Fingerprint suitable for use in pinning.
#  (See RFC 7469.)  An SPKI Fingerprint is defined as the output of a known cryptographic hash
#  algorithm whose input is the DER-encoded ASN.1 representation of  the Subject Public Key Info
# (SPKI) of an X.509 certificate.  The first argument specifies the hash algorithm and may be
# "sha256", "sha384", "sha512", "sha1", "md2", "md5", "haval", "ripemd128",
# "ripemd160","ripemd256", or "ripemd320".   
# The second argument specifies the encoding, and may be "base64", "hex",


But you can use Certutil with the *.cer File

certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer


Or create a PowerShell Script around certutil

###############################################################################
# Hash with PowerShell and Certutil
###############################################################################
# certutil -dump prints the SPKI pin as "pin-sha256-hex: <hex>". Take the value after
# the colon so leading whitespace or column alignment does not break the split.
$dump = certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
$line = ($dump | Select-String -Pattern "pin-sha256-hex").Line
$SpkiFingerprint = ($line -split ':\s*', 2)[1].Trim()
$SpkiFingerprint



Or use openssl

openssl x509 -in hostpoint.cer -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
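
The four steps listed under "How does DANE work?" and the hash calculation above, put together in one script so that a broken setup can be pinned down to the step that fails. This is an added example, not code from the original post or from Microsoft: the function names, the EHLO name dane-check.example and the output format are my own. It assumes PowerShell 7 (ExportSubjectPublicKeyInfo needs .NET Core 3 or later), outbound TCP/25 and HTTPS to dns.google, and that the resolver's AD bit is accepted as proof of DNSSEC validation; the domain hostpoint.ch is the one used throughout the post. For usage 2 the chain is built locally, which can pull in intermediates via AIA, so a strict client would instead restrict itself to the certificates presented in the handshake.

```powershell
function Get-DohRecords([string]$Name, [string]$Type) {
    # Google's JSON DoH API: AD=true means the resolver validated the DNSSEC chain for this answer
    $code = @{ MX = 15; TLSA = 52 }[$Type]
    $json = Invoke-RestMethod -Uri "https://dns.google/resolve?name=$Name&type=$Type"
    $data = @($json.Answer | Where-Object { $_.type -eq $code } | ForEach-Object { $_.data })
    [pscustomobject]@{ AD = [bool]$json.AD; Data = $data }
}

function Get-SmtpStartTlsCertificate([string]$Server, [int]$Port = 25) {
    $tcp    = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $net    = $tcp.GetStream()
    $reader = [System.IO.StreamReader]::new($net)
    $writer = [System.IO.StreamWriter]::new($net)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # SMTP replies can span lines: "250-..." continues, "250 ..." is the last line
    $reply = { do { $l = $reader.ReadLine() } while ($l -and $l.Length -ge 4 -and $l[3] -eq '-'); $l }
    $null = & $reply                                               # 220 greeting
    $writer.WriteLine('EHLO dane-check.example'); $null = & $reply  # placeholder EHLO name
    $writer.WriteLine('STARTTLS'); $r = & $reply
    if (-not $r.StartsWith('220')) { throw "$Server refused STARTTLS: $r" }
    # Accept whatever certificate is presented: with DANE the TLSA record decides trust, not the PKIX chain
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($net, $false, $cb)
    $ssl.AuthenticateAsClient($Server)
    $raw = $ssl.RemoteCertificate.GetRawCertData()
    $ssl.Dispose(); $tcp.Dispose()
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
}

function Get-SpkiBytes($Cert) {
    # DER SubjectPublicKeyInfo: the input for selector 1 (RSA and ECDSA cover today's mail servers)
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert) }
    if (-not $key) { throw "Unsupported key algorithm $($Cert.PublicKey.Oid.FriendlyName)" }
    $key.ExportSubjectPublicKeyInfo()
}

function Test-TlsaMatch([string]$Record, $Cert) {
    # Presentation format: "<usage> <selector> <matching type> <association data>"
    $null, $selector, $mtype, $data = $Record.Trim() -split '\s+', 4
    $data    = ($data -replace '\s', '').ToLower()             # dig and DoH may split long hex with spaces
    $subject = if ([int]$selector -eq 0) { $Cert.RawData } else { Get-SpkiBytes $Cert }
    $actual  = switch ([int]$mtype) {
        0 { $subject }                                                                 # exact match, no hash
        1 { [System.Security.Cryptography.SHA256]::Create().ComputeHash($subject) }
        2 { [System.Security.Cryptography.SHA512]::Create().ComputeHash($subject) }
        default { throw "Unknown matching type $mtype" }
    }
    (-join ($actual | ForEach-Object { $_.ToString('x2') })) -eq $data
}

function Invoke-DaneCheck([string]$Domain) {
    $mx = Get-DohRecords -Name $Domain -Type MX
    if (-not $mx.AD) { Write-Warning "$Domain : MX answer is not DNSSEC-validated; a DANE client falls back to opportunistic TLS" }
    foreach ($entry in $mx.Data) {
        $mxHost = (($entry -split '\s+')[1]).TrimEnd('.')          # "10 mx.hostpoint.ch." -> mx.hostpoint.ch
        $tlsa = Get-DohRecords -Name "_25._tcp.$mxHost" -Type TLSA
        if (-not $tlsa.Data) { "$mxHost : no TLSA record"; continue }
        if (-not $tlsa.AD)   { "$mxHost : TLSA present but not DNSSEC-validated, must be ignored (RFC 7672)"; continue }
        $leaf = Get-SmtpStartTlsCertificate -Server $mxHost
        foreach ($rr in $tlsa.Data) {
            $usage = [int](($rr -split '\s+')[0])
            $ok = switch ($usage) {
                3 { Test-TlsaMatch $rr $leaf }                          # DANE-EE: the leaf itself
                2 {                                                     # DANE-TA: any issuer in the chain
                    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
                    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
                    $null = $chain.Build($leaf)
                    [bool]($chain.ChainElements | Select-Object -Skip 1 | Where-Object { Test-TlsaMatch $rr $_.Certificate })
                }
                default { $false }                                      # PKIX-TA/PKIX-EE are unusable for SMTP (RFC 7672)
            }
            "$mxHost : TLSA '$rr' -> $(if ($ok) { 'MATCH' } else { 'NO MATCH' }) (subject $($leaf.Subject))"
        }
    }
}

Invoke-DaneCheck -Domain 'hostpoint.ch'
```

The order of the checks mirrors what a DANE-aware sender does: a missing TLSA record means "no DANE, opportunistic TLS only", a TLSA record without AD is treated as absent, and only a validated record is compared against the live certificate. Running the same script against a domain whose TLSA record was not updated after a certificate rollover shows NO MATCH, which is the failure mode mentioned in the summary below.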



Summary
The requirements for DANE are pretty high, with DNSSEC and a TLSA record.
Administrators need to understand how to create these DNS records and how to roll them over when a certificate expires or the key changes; a stale TLSA record makes DANE-aware senders refuse delivery.
Anyway, I am excited to see that Exchange Online will support DANE soon.
So prepare yourself to be able to troubleshoot if something isn't set up correctly.

Regards
Andres Bohren


posted @ Friday, January 21, 2022 11:38 AM | Filed Under [ Exchange ]

Azure Active Directory Connect 2.0.91.0 released

Hi all,

Microsoft has released a new version of Azure Active Directory Connect (AAD Connect). AAD Connect Health Component is now FIPS compliant.












In the Microsoft 365 Admin Center you will see also the new Version https://admin.microsoft.com/Adminportal/Home#/dirsyncmanagement



Regards
Andres Bohren


posted @ Friday, January 21, 2022 10:07 AM | Filed Under [ Microsoft365 Azure ]

Thursday, January 20, 2022

How does Brand Indicators for Message Identification (BIMI) work?

Hi all,

Recently I stumbled over a new term called "BIMI"

What is BIMI?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that
enables the use of brand-controlled logos within supporting email clients. BIMI leverages the work an organization
has put into deploying DMARC protection, by bringing brand logos to the customer's inbox. For the brand's logo to
be displayed, the email must pass DMARC authentication checks, ensuring that the organization's domain has not
been impersonated.


The promise of BIMI is, that the Inbox shows your brand logo.



It's still an IETF draft; work started back in 2019 and a new version was published in October 2021


How does it work and what are the requirements? Here's the overview; below I will go into more detail
  • The domain is protected with SPF/DKIM/DMARC
  • DMARC must be enforced: quarantine or reject for the domain (p=) and subdomains (sp=)
  • The SVG file should be square, but also fit nicely in a circle (see screenshot above)
  • The SVG file must meet the SVG Tiny Portable/Secure (SVG P/S) profile, a stricter subset of SVG Tiny 1.2 (baseProfile="tiny-ps": no scripts, no external references)
  • The SVG file must be smaller than 32 kB
  • The SVG file must be published on the Internet over HTTPS
  • A BIMI DNS record (TXT record) must be published
  • If your logo is protected by trademark, you can buy a Verified Mark Certificate (VMC)
  • The VMC is a certificate whose location is published in the BIMI DNS record

SPF / DKIM / DMARC


Sender Policy Framework (SPF)
Resolve-DnsName -name icewolf.ch -Type TXT -Server 8.8.8.8

icewolf.ch TXT v=spf1 ip4:95.143.60.16/29 include:spf.protection.outlook.com -all



DomainKeys Identified Mail (DKIM)

For Exchange Online / M365 the DNS records look like this
Resolve-DnsName -name selector1._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
Resolve-DnsName -name selector2._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8

selector1._domainkey.icewolf.ch CNAME selector1-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
selector2._domainkey.icewolf.ch CNAME selector2-icewolf-ch._domainkey.icewolfch.onmicrosoft.com

To check the DKIM Config in Exchange Online
Get-DkimSigningConfig



Domain-based Message Authentication, Reporting and Conformance (DMARC)
Important here: the domain and subdomain policies (p= / sp=) must be enforced, meaning the value must be quarantine or reject. If sp= is absent, the subdomain policy defaults to the value of p=.

Resolve-DnsName -name _dmarc.icewolf.ch -Type TXT -Server 8.8.8.8

_dmarc.icewolf.ch TXT v=DMARC1; p=reject; sp=reject rua=mailto:skmtvc6p@ag.eu.dmarcadvisor.com, mailto:dmarc_agg@vali.email; ruf=mailto:skmtvc6p@fr.eu.dmarcadvisor.com;



SVG File

I had to create a Scalable Vector Graphics (SVG) file. I use paint.net and it does not support *.svg files by default.
So I created a *.jpg file with 64x64 pixels


Then I used an online converter

JPG to SVG converter

https://convertio.co/de/jpg-svg/



The downloaded SVG file then has to be converted to the SVG Tiny Portable/Secure profile (baseProfile="tiny-ps", based on SVG Tiny 1.2). I used the tool below



The *.svg file can be viewed in the browser


BIMI DNS Record

A BIMI record has three attributes:

 

v=bimi1 – the record declaration indicating that this is a BIMI record

l=URL – the hosting location of the SVG image.

a=URL – the hosting location of the VMC/Assertion record

Each attribute is separated by a semicolon (;) and the final record will look similar to this:

 

default._bimi.example.com in txt

"v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;"


Resolve-DnsName -name default._bimi.icewolf.ch -Type TXT -Server 8.8.8.8


My DNS record looks like this. As you can see there is no VMC certificate (a= is empty).
default._bimi.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg; a=;


MX Toolbox also supports a BIMI query
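
A pre-flight check for the requirements listed above (DMARC enforced for domain and subdomains, a well-formed BIMI record, and a logo that meets the size and SVG Tiny P/S rules), as an added example that is not part of the original post or of any BIMI tool. The function names are mine; it assumes PowerShell 7, the DnsClient module for Resolve-DnsName and outbound HTTPS. The domain icewolf.ch and the selector default are the ones used in the post. The DMARC parser takes only the first token of a policy value so that a missing ";" after sp=reject, as in the record shown earlier, still yields the intended policy.

```powershell
function ConvertFrom-TagValue([string]$Record) {
    # DMARC and BIMI records share the "tag=value; tag=value" syntax
    $tags = [ordered]@{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1].ToLower()] = $Matches[2] }
    }
    return $tags
}

function Test-DmarcEnforced([string]$Record) {
    $t = ConvertFrom-TagValue $Record
    if ($t['v'] -ne 'DMARC1') { return [pscustomobject]@{ Ok = $false; Reason = 'no DMARC record' } }
    # First whitespace-delimited token only: tolerates a missing ';' after the value
    $p   = ("$($t['p'])" -split '\s+')[0]
    $sp  = if ($t.Contains('sp'))  { ("$($t['sp'])" -split '\s+')[0] } else { $p }     # sp defaults to p
    $pct = if ($t.Contains('pct')) { [int](("$($t['pct'])" -split '\s+')[0]) } else { 100 }
    # BIMI wants full enforcement: quarantine or reject for domain and subdomains, pct=100
    $ok  = ($p -in 'quarantine', 'reject') -and ($sp -in 'quarantine', 'reject') -and ($pct -eq 100)
    [pscustomobject]@{ Ok = $ok; p = $p; sp = $sp; pct = $pct }
}

function Test-BimiRecord([string]$Record) {
    $t = ConvertFrom-TagValue $Record
    $logo = "$($t['l'])"
    [pscustomobject]@{
        Ok   = ($t['v'] -eq 'BIMI1') -and ($logo -match '^https://')   # logo must be served over HTTPS
        Logo = $logo
        Vmc  = "$($t['a'])"                                           # empty when no VMC is published
    }
}

function Test-BimiSvg([byte[]]$Bytes) {
    $text = [System.Text.Encoding]::UTF8.GetString($Bytes)
    [pscustomobject]@{
        SizeOk   = $Bytes.Length -le 32KB                                  # 32 kB maximum
        TinyPs   = ($text -match 'baseProfile\s*=\s*"tiny-ps"') -and ($text -match '\bversion\s*=\s*"1\.2"')
        HasTitle = $text -match '<title>'                                  # SVG P/S requires a <title>
        NoActive = -not ($text -match '<script|<image|xlink:href|\bon[a-z]+\s*=')  # no script, external refs, event handlers
    }
}

function Invoke-BimiPreflight([string]$Domain, [string]$Selector = 'default') {
    # SilentlyContinue: a missing record is reported by the Test-* functions, not as a DNS error
    $dmarcTxt = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1).Strings -join ''
    $bimiTxt  = (Resolve-DnsName -Name "$Selector._bimi.$Domain" -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=BIMI1*' } | Select-Object -First 1).Strings -join ''
    $dmarc = Test-DmarcEnforced $dmarcTxt
    $bimi  = Test-BimiRecord $bimiTxt
    $svg   = $null
    if ($bimi.Ok) {
        # RawContentStream gives the raw bytes regardless of how PowerShell classifies the content type
        $resp = Invoke-WebRequest -Uri $bimi.Logo -ErrorAction Stop
        $svg  = Test-BimiSvg $resp.RawContentStream.ToArray()
        $svg | Add-Member -NotePropertyName ContentType -NotePropertyValue $resp.Headers['Content-Type']
    }
    [pscustomobject]@{ Domain = $Domain; Dmarc = $dmarc; Bimi = $bimi; Logo = $svg }
}

Invoke-BimiPreflight -Domain 'icewolf.ch' | ConvertTo-Json -Depth 3
```

For a subdomain, call it with the subdomain name: the receiver looks for default._bimi.<subdomain> first, which is what the subdomain test further down relies on. The VMC itself is not validated here; the Vmc field only shows whether an a= location is published at all.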


Testing

My setup looks like this. I send via a relay connector on my Exchange 2016 to Exchange Online. There the mail is signed with DKIM. All records (SPF, DKIM, DMARC, BIMI) will be valid from there.


I've disabled the Internet connector and added the * address space to the "Outbound to Office 365" send connector.


In some articles I've found they talk about a BIMI mail header. In my tests with Fastmail I didn't have to use that

BIMI-Selector: v=BIMI; s=default;

So, now sending the mail with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <postmaster@icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
BIMI-Selector: v=BIMI; s=default;
From: Postmaster <postmaster@icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI

Just a little test
.
Quit




In the inbox, the logo is not visible


but when I open the mail, the logo appears


ARC-Authentication-Results: i=2; mx6.messagingengine.com;     x-csa=none;     x-me-sender=none;     x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com     policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com;     bimi=pass header.d=icewolf.ch header.selector=default;     arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass)     smtp.remote-ip=40.107.20.99;     x-arc-spf=pass (sender ip is   95.143.60.18)     smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch     x-arc-instance=1 x-arc-domain=microsoft.com     (Trusted from aar.1.microsoft.com);     dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch     header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256     header.s=selector1 x-bits=2048;     dmarc=pass policy.published-domain-policy=reject     policy.published-subdomain-policy=reject     policy.applied-disposition=none policy.evaluated-disposition=none     (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p     header.from=icewolf.ch;     iprev=pass smtp.remote-ip=40.107.20.99     (mail-db8eur05on2099.outbound.protection.outlook.com);     spf=pass smtp.mailfrom=postmaster@icewolf.ch     smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com X-ME-Authentication-Results: mx6.messagingengine.com;     x-aligned-from=pass (Address match);     x-return-mx=pass header.domain=icewolf.ch policy.is_org=yes       (MX Records found: icewolf-ch.mail.protection.outlook.com);     x-return-mx=pass smtp.domain=icewolf.ch policy.is_org=yes       (MX Records found: icewolf-ch.mail.protection.outlook.com);     x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384       smtp.bits=256/256;     x-vs=clean score=50 state=0 Authentication-Results: mx6.messagingengine.com;     x-csa=none;     x-me-sender=none;     x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com       policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com Authentication-Results: mx6.messagingengine.com;     bimi=pass 
header.d=icewolf.ch header.selector=default Authentication-Results: mx6.messagingengine.com;     arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass)       smtp.remote-ip=40.107.20.99;     x-arc-spf=pass (sender ip is   95.143.60.18)       smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch       x-arc-instance=1 x-arc-domain=microsoft.com       (Trusted from aar.1.microsoft.com) Authentication-Results: mx6.messagingengine.com;     dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch       header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256       header.s=selector1 x-bits=2048;     dmarc=pass policy.published-domain-policy=reject       policy.published-subdomain-policy=reject       policy.applied-disposition=none policy.evaluated-disposition=none       (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p       header.from=icewolf.ch;     iprev=pass smtp.remote-ip=40.107.20.99       (mail-db8eur05on2099.outbound.protection.outlook.com);     spf=pass smtp.mailfrom=postmaster@icewolf.ch       smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com BIMI-Indicator: 77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Im     5vIj8+DQo8c3ZnIHZlcnNpb249IjEuMiIgd2lkdGg9IjY0LjAwMDAwMHB0IiBoZWlnaHQ9     IjY0LjAwMDAwMHB0IiB2aWV3Qm94PSIwIDAgNjQuMDAwMDAwIDY0LjAwMDAwMCIgcHJlc2     VydmVBc3BlY3RSYXRpbz0ieE1pZFlNaWQgbWVldCIgYmFzZVByb2ZpbGU9InRpbnktcHMi     IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+DQogIDx0aXRsZT5JY2V3b2     xmPC90aXRsZT4NCiAgPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsNjQuMDAw     MDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSIjMDAwMDAwIiBzdHJva2     U9Im5vbmUiPg0KICAgIDxwYXRoIGQ9Ik0zNDMgNjI4IGMtMTAgLTQgLTM5IC03IC02NSAt     NyAtMjcgLTEgLTQ4IC0zIC00OCAtNiAwIC00IDcgLTIwIDE2IC0zNiAxMSAtMjEgMTkgLT     I4IDI3IC0yMSA3IDUgMjEgNiAzMiAyIDE5IC03IDE5IC04IDIgLTE1IC0xMCAtNCAtMzEg     LTUgLTQ4IC0xIC0yMiA0IC0yOSAyIC0yNyAtNyAzIC02IDE1IC0xNCAyOSAtMTYgMTMgLT     
EgMjcgLTcgMzAgLTEyIDMgLTYgMTYgLTYgMzIgMCAyNyAxMSA1NyA2IDU3IC05IDAgLTgg     LTczIC03MCAtODMgLTcwIC0yIDAgLTEwIDE0IC0xNyAzMCAtMTYgMzkgLTEyMCAxMzUgLT     E1NiAxNDQgLTM2IDkgLTUzIC0xNSAtMjEgLTI5IDcyIC0zMiAxMDEgLTcxIDEyMyAtMTYz     IDEyIC01MiAxMiAtNTMgLTkgLTQ2IC0xMiA0IC00NyA3IC03NyA3IC04NiAwIC0xODMgLT     YwIC0xMjIgLTc1IDEwIC0zIDI5IDMgNDEgMTMgMTUgMTIgMzkgMTkgNjYgMTkgNDQgMCAx     MTkgLTI1IDExMSAtMzggLTIgLTQgNCAtNDggMTMgLTk5IDE1IC03NiAxNSAtOTMgNCAtOT     cgLTcgLTMgLTEzIC0yIC0xMyAyIDAgNCAtOSA4IC0yMCA5IC0xMSAxIC0yMCAtMyAtMjAg     LTggMCAtNiAtOSAtNyAtMjAgLTQgLTI0IDggLTI4IC0yMCAtNCAtMjkgOCAtMyAxMiAtMT     AgOSAtMTYgLTQgLTYgMSAtNyAxMSAtMyAxMyA1IDE1IDMgOSAtOCAtNyAtMTIgLTYgLTEy     IDcgLTEgMTMgMTAgMTcgMTAgMjEgMCA0IC0xMCAxMCAtOCAyMSA2IDEyIDE1IDE2IDE2ID     E2IDUgMSAtOCA4IC0yIDE2IDE0IDEyIDIzIDIxIDI3IDU3IDI3IDU0IDAgODYgLTIxIDgz     IC01NSAtMiAtMTMgMSAtMjIgNSAtMTkgNSAzIDkgMSA5IC00IDAgLTUgMTAgLTggMjMgLT     cgMjggMyAyNiAzNyAtNCA3OSAtMjEgMjggLTIxIDI5IC0zIDY5IDI3IDU5IDcwIDEwNCAx     MjUgMTMzIDMxIDE1IDQ4IDMwIDQ3IDQxIDAgMTAgMyA0NCA2IDc2IGw3IDU3IC0zOCAtMj     UgYy03NCAtNDggLTg1IC01OCAtMTAwIC04OSAtOCAtMTcgLTIzIC00NyAtMzQgLTY2IC0x     MCAtMTkgLTE5IC00NiAtMTkgLTU5IDAgLTIyIC0zNSAtOTEgLTQ3IC05MSAtMTAgMCA3ID     g2IDI4IDE0MCAxMSAyOSAxOSA2NSAxOCA3OSAtMiAxNCA3IDQ1IDE5IDY3IDMwIDU4IDQ2     IDEyOCAzNCAxNDkgLTcgMTMgLTQgMjMgOSAzNiAxMSAxMSAxOSAyMyAxOSAyNyAwIDEwIC     0xNjIgMTAgLTE4NyAweiBtMjYgLTkyIGMtMiAtMiAtMjAgLTYgLTM5IC0xMCAtMjUgLTQg     LTMxIC0zIC0yMCA0IDE0IDkgNjkgMTUgNTkgNnoiIC8+DQogIDwvZz4NCjwvc3ZnPg== BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg


With Gmail and Yahoo it didn't work without a VMC-verified BIMI image: those providers only show the logo when a VMC is published.



Verified Mark Certificates (VMC)


Before we can issue a VMC, your logo must be registered with the appropriate trademark office for your region. It can be a lengthy process, so we recommend getting started as soon as possible. Learn more about trademarking your logo.

You can buy Verified Mark Certificates (VMC) from Entrust or Digicert




Trademark
In Switzerland you can protect a Brand at "Eidgenössisches Institut für Geistiges Eigentum (IGE)"


You can check the Database in Switzerland or EU with the following Links


BIMI Radar

If you are interested in the adoption rate of DMARC and BIMI, check out the BIMI Radar



BIMI Subdomains

I've also tested with a subdomain. Please note that I used another SVG here (blue color)

Resolve-DnsName -name default._bimi.subdomain.icewolf.ch -Type TXT -Server 8.8.8.8

default._bimi.subdomain.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg; a=;


Send a mail again with Telnet

Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <demo@subdomain.icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
From: Demo <demo@subdomain.icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI

Just a little test
.
Quit



As you can see, the mail now uses the blue SVG file


ARC-Authentication-Results: i=2; mx2.messagingengine.com;     x-csa=none;     x-me-sender=none;     x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com     policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com;     bimi=pass header.d=subdomain.icewolf.ch header.selector=default;     arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass)     smtp.remote-ip=40.107.22.135;     dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch     header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256     header.s=selector1 x-bits=2048;     dmarc=pass policy.published-domain-policy=reject     policy.published-subdomain-policy=reject     policy.applied-disposition=none policy.evaluated-disposition=none     (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp     header.from=subdomain.icewolf.ch;     iprev=pass smtp.remote-ip=40.107.22.135     (mail-am6eur05on2135.outbound.protection.outlook.com);     spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch     smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com X-ME-Authentication-Results: mx2.messagingengine.com;     x-aligned-from=pass (Address match);     x-return-mx=pass header.domain=subdomain.icewolf.ch       policy.org_domain=icewolf.ch policy.is_org=no       (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com);     x-return-mx=pass smtp.domain=subdomain.icewolf.ch       policy.org_domain=icewolf.ch policy.is_org=no       (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com);     x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384       smtp.bits=256/256;     x-vs=clean score=0 state=0 Authentication-Results: mx2.messagingengine.com;     x-csa=none;     x-me-sender=none;     x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com       policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com Authentication-Results: mx2.messagingengine.com;     bimi=pass header.d=subdomain.icewolf.ch 
header.selector=default Authentication-Results: mx2.messagingengine.com;     arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass)       smtp.remote-ip=40.107.22.135 Authentication-Results: mx2.messagingengine.com;     dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch       header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256       header.s=selector1 x-bits=2048;     dmarc=pass policy.published-domain-policy=reject       policy.published-subdomain-policy=reject       policy.applied-disposition=none policy.evaluated-disposition=none       (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp       header.from=subdomain.icewolf.ch;     iprev=pass smtp.remote-ip=40.107.22.135       (mail-am6eur05on2135.outbound.protection.outlook.com);     spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch       smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com BIMI-Indicator: 77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Im     5vIj8+DQo8c3ZnIHZlcnNpb249IjEuMiIgd2lkdGg9Ijg1LjAwMDAwMHB0IiBoZWlnaHQ9     Ijg1LjAwMDAwMHB0IiB2aWV3Qm94PSIwIDAgODUuMDAwMDAwIDg1LjAwMDAwMCIgcHJlc2     VydmVBc3BlY3RSYXRpbz0ieE1pZFlNaWQgbWVldCIgYmFzZVByb2ZpbGU9InRpbnktcHMi     IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+DQogIDx0aXRsZT5pY2V3b2     xmPC90aXRsZT4NCiAgPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsODUuMDAw     MDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSIjMDAwMGZmIiBzdHJva2     U9Im5vbmUiPg0KICAgIDxwYXRoIGQ9Ik00NTUgODMwIGMtMTYgLTQgLTUzIC04IC04MiAt     OSAtMjggMCAtNTUgLTYgLTU4IC0xMSAtNCAtNiAyIC0yNSAxMiAtNDMgMTUgLTI1IDI2IC     0zMiA1MSAtMzIgMTcgLTEgMzQgLTQgMzggLTggNCAtNCAtMTggLTcgLTQ5IC03IC02MSAw     IC03NSAtMTQgLTI5IC0zMCAxNSAtNiAzNSAtMTQgNDQgLTIwIDkgLTUgMzkgLTcgNjcgLT     MgNjQgNyA2OCAtMTAgMTQgLTUzIC01OSAtNDcgLTU5IC00NyAtODcgLTEgLTI4IDQ5IC0x     MzEgMTQ5IC0xNzcgMTczIC0zNiAxOCAtNzMgMTUgLTc3IC03IC0yIC0xMCA5IC0yMSAzMC     AtMzAgNjAgLTI1IDExNCAtOTAgMTM3IC0xNjQgMzMgLTEwNSAzNCAtMTAyIC01NiAtOTcg     
LTg3IDUgLTE0NCAtNyAtMTk0IC00MSAtNzIgLTQ4IC0xNyAtNjkgODQgLTMyIDQyIDE1ID     U2IDE2IDEwMSA2IDY4IC0xNSA5NiAtMzUgOTYgLTY5IDAgLTE1IDcgLTY2IDE2IC0xMTUg     MTkgLTEwNCAxNiAtMTIyIC0yMSAtMTA1IC0xOSA5IC0yOCA5IC0zNyAwIC03IC03IC0yMi     AtMTIgLTM1IC0xMiAtMzAgMCAtMjkgLTE5IDMgLTUzIDE3IC0xOSAzMyAtMjcgNDUgLTI0     IDExIDMgMjIgMSAyNSAtNSA0IC01IDEzIC0zIDIzIDYgMTAgOSAyMCAxNCAyMyAxMSAyIC     0zIDE3IDggMzEgMjUgMjIgMjQgMzUgMzAgNjggMzAgNjggMCAxMDkgLTMwIDEwOSAtODEg     MCAtMjAgMzkgLTM1IDY1IC0yNSAyMiA4IDE5IDM2IC0xMCA5MCAtMTQgMjYgLTI1IDU1IC     0yNSA2NSAwIDkgMTkgNDYgNDMgODIgMzIgNDggNjIgNzcgMTE3IDExNSA4MyA1NiA4NyA2     MyA4OSAxNzcgbDEgNjggLTMxIC0xOCBjLTg3IC01MiAtMTI1IC04OSAtMTY2IC0xNjggLT     IzIC00NCAtNDUgLTk2IC00OSAtMTE1IC00IC0xOSAtMTggLTU3IC0zMiAtODUgLTM4IC03     NCAtMzkgLTM0IC0zIDkzIDE3IDU5IDMzIDEyNyAzNyAxNTIgNCAyNSAyMSA3NyAzNyAxMT     UgMjIgNTEgMzEgODggMzMgMTM4IDEgNDggNyA3NCAxOSA4NyA5IDEwIDE0IDI0IDEwIDI5     IC03IDEzIC0yMDMgMTMgLTI1MCAxeiIgLz4NCiAgPC9nPg0KPC9zdmc+ BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg

Summary

Make sure your domain is DMARC-protected (quarantine or reject).
If your logo/brand is not yet registered as a trademark, that's the next thing you will have to do.
Registering a trademark and obtaining a VMC certificate will take some time and also costs a lot of money.
So make sure you're prepared for that.
Now you know what it takes to implement BIMI, and you have to form your own opinion on whether the time and money are worth the effort.

Regards
Andres Bohren


posted @ Thursday, January 20, 2022 3:29 PM | Filed Under [ Exchange ]

Wednesday, January 19, 2022

Jabra Direct Update (January 2022)

Hi there,

Jabra has released the January 2022 version of their Jabra Direct software (version 5.11.01302)









Regards
Andres Bohren


posted @ Wednesday, January 19, 2022 9:50 PM | Filed Under [ UM/Mobile ]

Thursday, January 13, 2022

Azure Information Protection Unified Labeling (AIP UL) 2.13.49

Hi everybody

I've just seen that a new version of the Microsoft Azure Information Protection (AIP UL) client was released.

Apart from a few updates, fixes and enhancements, the new client only supports the x64 platform.

Azure Information Protection unified labeling client - Version release history and support policy

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history


Microsoft Azure Information Protection

https://www.microsoft.com/en-us/download/details.aspx?id=53018









Regards
Andres Bohren


posted @ Thursday, January 13, 2022 2:35 PM | Filed Under [ Microsoft365 Azure ]

Wednesday, January 12, 2022

Exchange Security Updates January 2022

Hi Everybody,

Instead of the delayed December Exchange cumulative updates, we've got security updates for Exchange 2013/2016/2019

Released: January 2022 Exchange Server Security Updates

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2022-exchange-server-security-updates/ba-p/3050699


In this blog post I'm covering the Exchange 2016 CU22 security update.

 

Security Update For Exchange Server 2016 CU22 (KB5008631)

https://www.microsoft.com/en-us/download/details.aspx?id=103855


Please make sure you run the *.msp from an elevated CMD; otherwise the update can fail half-way and leave Exchange services stopped.










Regards
Andres Bohren


posted @ Wednesday, January 12, 2022 12:11 AM | Filed Under [ Exchange ]

Thursday, January 6, 2022

Understand and Remove PASSWD_NOTREQD Flag from userAccountControl

Hello all,

I've already blogged about how to read the Active Directory attribute "userAccountControl"

How to read the value of AD Attribute userAccountControl

Today I came across some users that had the flag "PASSWD_NOTREQD" (password not required) set. With this bit set, the directory accepts an empty password for the account and the domain password policy is not enforced when its password is set, which is why the flag deserves a regular audit.
For a regular user you just add 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD) = 544


With the following Exchange cmdlet you can show the attribute "userAccountControl"; it also translates the value.

Get-User -Identity f.fischer | fl userAccountControl


You can also get the same with the Active Directory Module

Get-ADUser -Identity f.fischer -Properties userAccountControl | fl


To show all accounts, which have the Flag "PasswordNotRequired" use the following command.

Get-ADUser -Filter {PasswordNotRequired -eq $true} | ft name, UserPrincipalName


To remove the flag "PasswordNotRequired" use this PowerShell command

Set-ADUser -Identity f.fischer -PasswordNotRequired $false
Get-ADUser -Identity f.fischer -Properties userAccountControl | fl


Now it's back to 512 (NORMAL_ACCOUNT). Note that clearing the flag does not change the stored password: if the account currently has an empty password, it keeps it until you reset the password.


Get-User -Identity f.fischer | fl userAccountControl
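
An added example (not from the original post) that turns the single-user commands above into an audit: it decodes userAccountControl into flag names, finds enabled users that carry PASSWD_NOTREQD with a server-side bitwise LDAP filter, and clears the flag. The function names are mine; it assumes the ActiveDirectory module and rights to read and modify the accounts. The flag values are the documented userAccountControl bits. Run it with -WhatIf first.

```powershell
$UacFlags = [ordered]@{
    SCRIPT = 0x1; ACCOUNTDISABLE = 0x2; HOMEDIR_REQUIRED = 0x8; LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20; PASSWD_CANT_CHANGE = 0x40; ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
    TEMP_DUPLICATE_ACCOUNT = 0x100; NORMAL_ACCOUNT = 0x200; INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000; SERVER_TRUST_ACCOUNT = 0x2000; DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000; SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000; USE_DES_KEY_ONLY = 0x200000; DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000; TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; PARTIAL_SECRETS_ACCOUNT = 0x4000000
}

function ConvertFrom-UserAccountControl([int]$Value) {
    # Names every bit that is set: 544 -> PASSWD_NOTREQD, NORMAL_ACCOUNT
    @($UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 })
}

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule: bit 32 set and bit 2 (disabled) clear.
# Unlike -Filter {PasswordNotRequired -eq $true} this evaluates on the DC and skips disabled accounts.
$ldap = '(&(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$hits = Get-ADUser -LDAPFilter $ldap -Properties userAccountControl, pwdLastSet, whenCreated

# pwdLastSet = 0 means no password was ever set; together with PASSWD_NOTREQD that usually means it is empty
$hits | Select-Object SamAccountName, whenCreated,
    @{ n = 'Flags';       e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ', ' } },
    @{ n = 'PwdNeverSet'; e = { $_.pwdLastSet -eq 0 } } |
    Format-Table -AutoSize

function Repair-PasswordNotRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'clear PASSWD_NOTREQD')) {
            # Clearing the bit does not touch the stored password; an empty one stays empty until reset
            Set-ADUser -Identity $User -PasswordNotRequired $false
        }
    }
}

$hits | Repair-PasswordNotRequired -WhatIf      # drop -WhatIf to apply
```

Computer accounts are deliberately left out (Get-ADUser only returns users); pre-staged computer objects legitimately carry this bit until the machine joins, so audit them separately with Get-ADComputer and the same LDAP filter.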


More Information:
Understanding and Remediating "PASSWD_NOTREQD"

Best Regards
Andres Bohren


posted @ Thursday, January 6, 2022 9:53 PM | Filed Under [ Windows ]

Exchange Y2K22 Bug in Malware Engine

Hello everyone,

On 1 January I saw on Twitter the link to the blog of MVP Jaap Wesselius. It described that mails get stuck in the transport queue on on-premises Exchange servers and that, as a workaround, malware scanning should be disabled.

THE FIP-FS SCAN PROCESS FAILED INITIALISATION. MAIL IS QUEUED ON EXCHANGE SERVERS.

CD $ExScripts
.\Disable-AntiMalwareScanning.ps1
Restart-Service MSExchangeTransport


When I then visited the Exchange Team blog, there was no information yet. Only later was the following article published

Email Stuck in Exchange On-premises Transport Queues

And then there was a notice in the M365 Admin Center after all


In my case the MX record points to Office 365 and I have hardly any mail traffic from my Exchange 2016 to Office 365. But on the Exchange server there was this error message


The PowerShell script that resets the scan engine can be downloaded here



Afterwards everything was fine again for me




Kind regards
Andres Bohren


posted @ Thursday, January 6, 2022 9:06 PM |

Tuesday, January 4, 2022

Year in review and blog statistics 2021

Hello everyone,

The beginning of the year is always a good time to look back at the old year. In 2020 I wrote 278 blog articles, about 23 per month on average, more than ever before.



In total I had over 130,000 page views. That is roughly 500 per day and over 10,000 per month.



The top 10 blog articles of 2021


Last year I rode about 1320 km on the bike and spent just under 69 hours in the saddle. That is almost 200 km more than the year before and roughly average again.
I also did a two-day bike tour (about 142 km) with a friend from Buchs (SG) to Stein am Rhein (SH), with an overnight stay in Rorschach.


Further bike trips

  • Freiburg
  • Biel
  • Solothurn
  • Murten
Diving, another hobby, I was able to enjoy for two weeks in September in Mexico this year.
Mexico - Playa del Carmen and Cozumel


Professionally I worked with Office 365 and Azure. I was able to contribute my knowledge and skills in the messaging and communication (Exchange / Skype for Business / Teams) online environment at several enterprise customers, carry out migrations, and wrote a number of PowerShell scripts for that again.


I also published my first PowerShell module in the PowerShell Gallery

https://www.powershellgallery.com/packages/Icewolf.EXO.SpamAnalyze


This year I again took a few Microsoft exams

  • MS-500 Microsoft 365 Security Administration
  • AZ-500 Microsoft Azure Security Technologies

With that I earned the following titles

  • Microsoft 365 Certified: Security Administrator Associate
  • Microsoft Certified: Azure Security Engineer Associate

I wish you continued fun reading the blog. Please also follow me on Twitter https://twitter.com/andresbohren


Kind regards

Andres Bohren



posted @ Tuesday, January 4, 2022 7:22 PM | Filed Under [ Web ]
