Saturday, January 22, 2022
Hi All,
Did you know, that you can create a Microsoft List in M365 from an Excel?
I have created this Example Excel
From the Office 365 Portal in the Browser i open Lists
Here i create a "New List"
I select "From Excel"
The Excel File has to be on your OneDrive
If the Table is not yet properly formated you need to fix that
With the klick on the above "Open" the Excel File will loaded in Excel Online. You then Select the Data and "Format as Table". Then close Excel Online
Now your are able to fix some collumn Namens an check the Type
Give the List a Name and Save it
And here you go: A List imported from Excel
With "New" you can add new Entrys
You will find your Lists under "My Lists"
Regards
Andres Bohren
Friday, January 21, 2022
Hi All,
You might have stumbled over the Microsoft Anouncement of DNSSEC/DANE for Exchange Online.
In this Blog i would like to explain how it works in detail
Microsoft 365 roadmap
What is DANE?
DANE is the abbreviation for "DNS based Authentification of Named Entities".
Dane is defined in the RFC6698
Requires a TLSA DNS Record. In the RFC above there is this Statement:
TSLA Record ("TLSA" does not stand for anything; it is just the name of the RRtype)
Maybe that's true. I would consider it as a TLS Anchor.
Kind of HTTP Public Key Pinning (HPKP) Pinning for SMTP.
Interesting Note is that, HPKP is already depreciated and not supported anymore in any browser.
How does DANE work?
In short, these are the Steps that are performed
- MX Lookup
- DANE Lookup (TLSA Record for the Mailserver Hostname)
- Connect to the Mailserver and get the TLS Certificate
- Check if the Certificate matches the Hash of the TLSA Record
MX Lookup
As an Mailserver or Exchange Admin, you will be familiar with MX Lookups. There are many ways to do it.
With the Windows command prompt
nslookup -type=mx hostpoint.ch
With Powershell cmdlets
nslookup -type=mx hostpoint.ch
Resolve-DnsName -Name hostpoint.ch -Type MX
Via DNS over HTTPS
$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$MX = $json.Answer.data
$MX
DNSSEC
But wait, didn't you say that the DNS Zone has to be Secured with DNSSEC?
Yes that's true. But how can i check that?
DNSSEC Analyzer
Another interesting Method is to use DNS over HTTPS with Powershell.
The DNS Zone hostpoint.ch is protected with DNSSEC, while the DNS Zone icewolf.ch is not.
$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$json
As you can see there are some Flags in the Rest Response. AD = true is what we are looking for.
- TC: TrunCation (truncated due to length greater than that permitted on the transmission channel)
- RD: Recursion Desired
- RA: Recursion Available
- AD: Authentic Data
- CD: Checking Disabled
My DNS Zone icewolf.ch is hosted on Azure DNS. Interesting sidenote is that Azure DNS does not support DNSSEC at this time
TLSA DNS Record
The TLSA DNS Record looks like this
_<Port>._tcp.<Servername> IN TLSA <Certificate usage> <Selector> <Matching Type> <Fingerprint>
Certificate Usage (0 - 3)
| 0 |
The Hash belongs to the Certificate Authority who is allowed to issue Certificates for this Host. The Client must trust this CA (Trusted Root CA or Trusted Subordinate CA) |
| 1 |
The Hash belongs to the Servercertificate. It has to be from a CA that the Client trusts. |
| 2 |
The Hash belongs to the Certificate Authority who is allowed to issue Certificates for this Host. The Client must thrust this CA even its not in the List of the Trusted Root CA or Trusted Subordinate CA of the Client |
| 3 |
The Hash belongs to the Servercertificate and the Client shall trust it without having a look at the Certificate Chain |
Selector (0 or 1)
| 0 |
Hash will be from the complete Certificate |
| 1 |
Hash will only be from the Public Key and the algorithm |
Matching Type (0-2)
| 0 |
Hash contains the full certificate |
| 1 |
Hash contains a SHA-256 hash |
| 2 |
Hash contains a SHA-512 hash |
Let's check with the Windows command promt - that does not know that resource Record
nslookup -type=tlsa _25._tcp.mx.hostpoint.ch
Let's check with the Powershell Commandlets - same here, the Resource Type is not known
Resolve-DnsName -Name _25._tcp.mx.hostpoint.ch -Type TLSA
Let's try with DNS over HTTPS - here it works
$TLSAQuery = "_25._tcp.mx.hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$TLSAQuery&type=TLSA"
$TLSA = $json.Answer.data
$TLSA
If you're working on Linux, that's your command:
Install the Bind utils
sudo yum install bind-utils
DNS Query
dig _25._tcp.mx.hostpoint.ch IN TLSA +short
Most of the DNS Providers out there currently do not support tho create TLSA DNS Records
Even in the Control Panel of Hostpoint (Remember it does support DNSSEC and has published it's own TLSA Record) it's not possible to publish a TLSA Record.
Same applies also to Azure DNS
Normally you can check any DNS Record with MXToolbox.com - not for TLSA Records. At least not for the moment. I guess that will change soon.
But there are alternatives like this one
DANE SMTP Validator
or this one
Mail Server Certificate
\Get-SMTPCertificate.ps1 -ServerName $Mailserver -Port 25 -SendingDomain icewolf.ch -CertificateFilePath C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
Create the Hash
To be honest, i was strugeling with that part. None of my effords in creating a SHA-256 Hash of the Certificate / Certificate Public Key did match the Hash in the TLSA Record.
It's not as simple as creating a SHA-256 Hash.
# The GetSpkiFingerprint method returns the SPKI Fingerprint suitable for use in pinning.
# (See RFC 7469.) An SPKI Fingerprint is defined as the output of a known cryptographic hash
# algorithm whose input is the DER-encoded ASN.1 representation of the Subject Public Key Info
# (SPKI) of an X.509 certificate. The first argument specifies the hash algorithm and may be
# "sha256", "sha384", "sha512", "sha1", "md2", "md5", "haval", "ripemd128",
# "ripemd160","ripemd256", or "ripemd320".
# The second argument specifies the encoding, and may be "base64", "hex",
But you can use Certutil with the *.cer File
certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
Or create a PowerShell Script around certutil
###############################################################################
# Hash with Powershell and Certutil
###############################################################################
$dump = certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
$line = $dump | Select-String -pattern "pin-sha256-hex"
$Line = $Line.Tostring()
$SpkiFingerprint = $line.Split(" ")[1]
$SpkiFingerprint
Or use openssl
openssl x509 -in hostpoint.cer -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
Summary
The requirements for DANE are pretty high with DNSSEC and a TLSA Record.
Administrators need to understand how to create these DNS Records and how to rollover when a certificate expires.
Anyway i am exited to see that Exchange Online will support DANE soon.
So prepare yourself to be able to troubleshoot if something isn't set up correctly.
Regards
Andres Bohren
Hi all,
Microsoft has released a new version of Azure Active Directory Connect (AAD Connect). AAD Connect Health Component is now FIPS compliant.
Regards
Andres Bohren
Thursday, January 20, 2022
Hi all,
Recently i was stumbled over a new expression called "BIMI"
What is BIMI?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that
enables the use of brand-controlled logos within supporting email clients. BIM' leverages the work an organization
has put into deploying DMARC protection, by bringing brand logos to the customers inbox. For the brands logo to
be displayed. the email must pass DMARC authentication checks. ensuring that the organization's domain has not
been impersonated.
The promise of BIMI is, that the Inbox shows your brand logo.
It's still an IETF Draft and started back in 2019 and had a new Version published in Oktober 2021
How does it work and what are the requirements. Here's the Overview and below i will go more into details
- The Domain is protected with SPF/DKIM/DMARC
- DMARC must be enforced: quarantine or reject for domain (p=) and subdomain (sp0)
- SVG File should be a square, but also fit nicely in a circle (see screenshot above)
- SVG File must meet Tiny 1.2 Specification
- SVG File must be less than 32kb
- SVG File must be published in the Internet
- BIMI DNS Record (TXT Record) must be published
- If your logo is protected by trademark, you can buy Verified Mark Certificates (VMC)
- VMC is a Certificate that will be published in the BIMI DNS Record
SPF / DKIM / DMARC
Sender Policy Framework (SPF)
Resolve-DnsName -name icewolf.ch -Type TXT -Server 8.8.8.8
icewolf.ch TXT v=spf1 ip4:95.143.60.16/29 include:spf.protection.outlook.com -all
DomainKeys Identified Mail (DKIM)
For Exchange Online / M365 the DNS Records looks like this
Resolve-DnsName -name selector1._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
Resolve-DnsName -name selector1._domainkey.icewolf.ch -Type CNAME -Server 8.8.8.8
selector1._domainkey.icewolf.ch CNAME selector1-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
selector2._domainkey.icewolf.ch CNAME selector2-icewolf-ch._domainkey.icewolfch.onmicrosoft.com
To check the DKIM Config in Exchange Online
Get-DkimSigningConfig
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Important is here that domain and subdomain (p= / sp=) must be enforced. Means the value must be quarantine or reject.
Resolve-DnsName -name _dmarc.icewolf.ch -Type TXT -Server 8.8.8.8
_dmarc.icewolf.ch TXT v=DMARC1; p=reject; sp=reject rua=mailto:skmtvc6p@ag.eu.dmarcadvisor.com, mailto:dmarc_agg@vali.email; ruf=mailto:skmtvc6p@fr.eu.dmarcadvisor.com;
SVG File
I had to create a Scalable Vector Graphics (SVG) File. I use paint.net and it does not support *.svg files per default.
So i've created a *.jpg file with 64x64 Pixel
Then i used an Online Converter
The downloaded SVG File now must be converted to the SVG Tiny 1.2 Standard. I used the Tool below
The *.svg file can be viewed in the Browser
BIMI DNS Record
A BIMI record has three attributes:
v=bimi1 – the record declaration indicating that this is a BIMI record
l=URL – the hosting location of the SVG image.
a=URL – the hosting location of the VMC/Assertion record
Each attribute is separated by a semicolon (;) and the final record will look similar to this:
default._bimi.example.com in txt
"v=BIMI1; l=https://www.example.com/path/to/logo/example.svg; a=https://www.example.com/path/to/vmc/VMC.pem;"
Resolve-DnsName -name default._bimi.icewolf.ch -Type TXT -Server 8.8.8.8
My DNS Record looks like this. As you can see there is no VMC Certificate.
default._bimi.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg; a=;
MX Toolbox supports also a BIMI Query
Testing
My setup looks like this. I send via Relay Connector on my Exchange 2016 to Exchange Online. There the Mail will be signed with DKIM. All Records SPF, DKIM, DMARC,BIMI will be valid from here.
I've disabled the Internet Connector and addet the * AddressSpace to the "Outbound to Office 365" Send Connector.
In some Articles i've found they talk about a BIMI Mailheader. In my Tests with Fastmail i didn't have to use that
BIMI-Selector: v=BIMI; s=default;
So, now sending the Mail with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <postmaster@icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
BIMI-Selector: v=BIMI; s=default;
From: Postmaster <postmaster@icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
In the Inbox, the Logo is not visible
but when open the Mail, the logo appears
ARC-Authentication-Results: i=2; mx6.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com; bimi=pass header.d=icewolf.ch header.selector=default; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.20.99; x-arc-spf=pass (sender ip is 95.143.60.18) smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch x-arc-instance=1 x-arc-domain=microsoft.com (Trusted from aar.1.microsoft.com); dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p header.from=icewolf.ch; iprev=pass smtp.remote-ip=40.107.20.99 (mail-db8eur05on2099.outbound.protection.outlook.com); spf=pass smtp.mailfrom=postmaster@icewolf.ch smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com X-ME-Authentication-Results: mx6.messagingengine.com; x-aligned-from=pass (Address match); x-return-mx=pass header.domain=icewolf.ch policy.is_org=yes (MX Records found: icewolf-ch.mail.protection.outlook.com); x-return-mx=pass smtp.domain=icewolf.ch policy.is_org=yes (MX Records found: icewolf-ch.mail.protection.outlook.com); x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256; x-vs=clean score=50 state=0 Authentication-Results: mx6.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com policy.ptr=mail-db8eur05on2099.outbound.protection.outlook.com Authentication-Results: mx6.messagingengine.com; bimi=pass header.d=icewolf.ch header.selector=default Authentication-Results: mx6.messagingengine.com; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.20.99; x-arc-spf=pass (sender ip is 95.143.60.18) smtp.rcpttodomain=fastmail.com smtp.mailfrom=icewolf.ch x-arc-instance=1 x-arc-domain=microsoft.com (Trusted from aar.1.microsoft.com) Authentication-Results: mx6.messagingengine.com; dkim=pass (2048-bit rsa key sha256) header.d=icewolf.ch header.i=@icewolf.ch header.b=hkb29Gpe header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=p header.from=icewolf.ch; iprev=pass smtp.remote-ip=40.107.20.99 (mail-db8eur05on2099.outbound.protection.outlook.com); spf=pass smtp.mailfrom=postmaster@icewolf.ch smtp.helo=EUR05-DB8-obe.outbound.protection.outlook.com BIMI-Indicator: 77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Im 5vIj8+DQo8c3ZnIHZlcnNpb249IjEuMiIgd2lkdGg9IjY0LjAwMDAwMHB0IiBoZWlnaHQ9 IjY0LjAwMDAwMHB0IiB2aWV3Qm94PSIwIDAgNjQuMDAwMDAwIDY0LjAwMDAwMCIgcHJlc2 VydmVBc3BlY3RSYXRpbz0ieE1pZFlNaWQgbWVldCIgYmFzZVByb2ZpbGU9InRpbnktcHMi IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+DQogIDx0aXRsZT5JY2V3b2 xmPC90aXRsZT4NCiAgPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsNjQuMDAw MDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSIjMDAwMDAwIiBzdHJva2 U9Im5vbmUiPg0KICAgIDxwYXRoIGQ9Ik0zNDMgNjI4IGMtMTAgLTQgLTM5IC03IC02NSAt NyAtMjcgLTEgLTQ4IC0zIC00OCAtNiAwIC00IDcgLTIwIDE2IC0zNiAxMSAtMjEgMTkgLT I4IDI3IC0yMSA3IDUgMjEgNiAzMiAyIDE5IC03IDE5IC04IDIgLTE1IC0xMCAtNCAtMzEg LTUgLTQ4IC0xIC0yMiA0IC0yOSAyIC0yNyAtNyAzIC02IDE1IC0xNCAyOSAtMTYgMTMgLT EgMjcgLTcgMzAgLTEyIDMgLTYgMTYgLTYgMzIgMCAyNyAxMSA1NyA2IDU3IC05IDAgLTgg LTczIC03MCAtODMgLTcwIC0yIDAgLTEwIDE0IC0xNyAzMCAtMTYgMzkgLTEyMCAxMzUgLT E1NiAxNDQgLTM2IDkgLTUzIC0xNSAtMjEgLTI5IDcyIC0zMiAxMDEgLTcxIDEyMyAtMTYz IDEyIC01MiAxMiAtNTMgLTkgLTQ2IC0xMiA0IC00NyA3IC03NyA3IC04NiAwIC0xODMgLT YwIC0xMjIgLTc1IDEwIC0zIDI5IDMgNDEgMTMgMTUgMTIgMzkgMTkgNjYgMTkgNDQgMCAx MTkgLTI1IDExMSAtMzggLTIgLTQgNCAtNDggMTMgLTk5IDE1IC03NiAxNSAtOTMgNCAtOT cgLTcgLTMgLTEzIC0yIC0xMyAyIDAgNCAtOSA4IC0yMCA5IC0xMSAxIC0yMCAtMyAtMjAg LTggMCAtNiAtOSAtNyAtMjAgLTQgLTI0IDggLTI4IC0yMCAtNCAtMjkgOCAtMyAxMiAtMT AgOSAtMTYgLTQgLTYgMSAtNyAxMSAtMyAxMyA1IDE1IDMgOSAtOCAtNyAtMTIgLTYgLTEy IDcgLTEgMTMgMTAgMTcgMTAgMjEgMCA0IC0xMCAxMCAtOCAyMSA2IDEyIDE1IDE2IDE2ID E2IDUgMSAtOCA4IC0yIDE2IDE0IDEyIDIzIDIxIDI3IDU3IDI3IDU0IDAgODYgLTIxIDgz IC01NSAtMiAtMTMgMSAtMjIgNSAtMTkgNSAzIDkgMSA5IC00IDAgLTUgMTAgLTggMjMgLT cgMjggMyAyNiAzNyAtNCA3OSAtMjEgMjggLTIxIDI5IC0zIDY5IDI3IDU5IDcwIDEwNCAx MjUgMTMzIDMxIDE1IDQ4IDMwIDQ3IDQxIDAgMTAgMyA0NCA2IDc2IGw3IDU3IC0zOCAtMj UgYy03NCAtNDggLTg1IC01OCAtMTAwIC04OSAtOCAtMTcgLTIzIC00NyAtMzQgLTY2IC0x MCAtMTkgLTE5IC00NiAtMTkgLTU5IDAgLTIyIC0zNSAtOTEgLTQ3IC05MSAtMTAgMCA3ID g2IDI4IDE0MCAxMSAyOSAxOSA2NSAxOCA3OSAtMiAxNCA3IDQ1IDE5IDY3IDMwIDU4IDQ2 IDEyOCAzNCAxNDkgLTcgMTMgLTQgMjMgOSAzNiAxMSAxMSAxOSAyMyAxOSAyNyAwIDEwIC 0xNjIgMTAgLTE4NyAweiBtMjYgLTkyIGMtMiAtMiAtMjAgLTYgLTM5IC0xMCAtMjUgLTQg LTMxIC0zIC0yMCA0IDE0IDkgNjkgMTUgNTkgNnoiIC8+DQogIDwvZz4NCjwvc3ZnPg== BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny.svg
Didn't work with google or yahoo without VMC verified BIMI Image
Verified Mark Certificates (VMC)
Before we can issue a VMC, your logo must be registered with the appropriate trademark office for your region. It can be a lengthy process, so we recommend getting started as soon as possible. Learn more about trademarking your logo.
You can buy Verified Mark Certificates (VMC) from Entrust or Digicert
Trademark
In Switzerland you can protect a Brand at "Eidgenössisches Institut für Geistiges Eigentum (IGE)"
You can check the Database in Switzerland or EU with the following Links
BIMI Radar
If you are interested in the adoption rate of DMARC and BIMI, check out the BIMI Radar
BIMI Subdomains
I've also tested with a subdomain. Please note i have used here another svg (blue color)
Resolve-DnsName -name default._bimi.subdomain.icewolf.ch -Type TXT -Server 8.8.8.8
default._bimi.subdomain.icewolf.ch TXT v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg; a=;
Send again a Mail with Telnet
Telnet 172.21.175.61 25
ehlo mail.icewolf.ch
mail from: <demo@subdomain.icewolf.ch>
rcpt to: <abohren@fastmail.com>
data
From: Demo <demo@subdomain.icewolf.ch>
To: abohren@fastmail.com
Subject: Testmail BIMI
Just a little test
.
Quit
As you can see, the Mail now uses the blue svg file
ARC-Authentication-Results: i=2; mx2.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com; bimi=pass header.d=subdomain.icewolf.ch header.selector=default; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.22.135; dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp header.from=subdomain.icewolf.ch; iprev=pass smtp.remote-ip=40.107.22.135 (mail-am6eur05on2135.outbound.protection.outlook.com); spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com X-ME-Authentication-Results: mx2.messagingengine.com; x-aligned-from=pass (Address match); x-return-mx=pass header.domain=subdomain.icewolf.ch policy.org_domain=icewolf.ch policy.is_org=no (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com); x-return-mx=pass smtp.domain=subdomain.icewolf.ch policy.org_domain=icewolf.ch policy.is_org=no (MX Records found: subdomain-icewolf-ch.mail.protection.outlook.com); x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256; x-vs=clean score=0 state=0 Authentication-Results: mx2.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=fail smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com policy.ptr=mail-am6eur05on2135.outbound.protection.outlook.com Authentication-Results: mx2.messagingengine.com; bimi=pass header.d=subdomain.icewolf.ch header.selector=default Authentication-Results: mx2.messagingengine.com; arc=pass (as.1.microsoft.com=pass, ams.1.microsoft.com=pass) smtp.remote-ip=40.107.22.135 Authentication-Results: mx2.messagingengine.com; dkim=pass (2048-bit rsa key sha256) header.d=subdomain.icewolf.ch header.i=@subdomain.icewolf.ch header.b=Pzlg3fXH header.a=rsa-sha256 header.s=selector1 x-bits=2048; dmarc=pass policy.published-domain-policy=reject policy.published-subdomain-policy=reject policy.applied-disposition=none policy.evaluated-disposition=none (p=reject,sp=reject,d=none,d.eval=none) policy.policy-from=sp header.from=subdomain.icewolf.ch; iprev=pass smtp.remote-ip=40.107.22.135 (mail-am6eur05on2135.outbound.protection.outlook.com); spf=pass smtp.mailfrom=demo@subdomain.icewolf.ch smtp.helo=EUR05-AM6-obe.outbound.protection.outlook.com BIMI-Indicator: 77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Im 5vIj8+DQo8c3ZnIHZlcnNpb249IjEuMiIgd2lkdGg9Ijg1LjAwMDAwMHB0IiBoZWlnaHQ9 Ijg1LjAwMDAwMHB0IiB2aWV3Qm94PSIwIDAgODUuMDAwMDAwIDg1LjAwMDAwMCIgcHJlc2 VydmVBc3BlY3RSYXRpbz0ieE1pZFlNaWQgbWVldCIgYmFzZVByb2ZpbGU9InRpbnktcHMi IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+DQogIDx0aXRsZT5pY2V3b2 xmPC90aXRsZT4NCiAgPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsODUuMDAw MDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSIjMDAwMGZmIiBzdHJva2 U9Im5vbmUiPg0KICAgIDxwYXRoIGQ9Ik00NTUgODMwIGMtMTYgLTQgLTUzIC04IC04MiAt OSAtMjggMCAtNTUgLTYgLTU4IC0xMSAtNCAtNiAyIC0yNSAxMiAtNDMgMTUgLTI1IDI2IC 0zMiA1MSAtMzIgMTcgLTEgMzQgLTQgMzggLTggNCAtNCAtMTggLTcgLTQ5IC03IC02MSAw IC03NSAtMTQgLTI5IC0zMCAxNSAtNiAzNSAtMTQgNDQgLTIwIDkgLTUgMzkgLTcgNjcgLT MgNjQgNyA2OCAtMTAgMTQgLTUzIC01OSAtNDcgLTU5IC00NyAtODcgLTEgLTI4IDQ5IC0x MzEgMTQ5IC0xNzcgMTczIC0zNiAxOCAtNzMgMTUgLTc3IC03IC0yIC0xMCA5IC0yMSAzMC AtMzAgNjAgLTI1IDExNCAtOTAgMTM3IC0xNjQgMzMgLTEwNSAzNCAtMTAyIC01NiAtOTcg LTg3IDUgLTE0NCAtNyAtMTk0IC00MSAtNzIgLTQ4IC0xNyAtNjkgODQgLTMyIDQyIDE1ID U2IDE2IDEwMSA2IDY4IC0xNSA5NiAtMzUgOTYgLTY5IDAgLTE1IDcgLTY2IDE2IC0xMTUg MTkgLTEwNCAxNiAtMTIyIC0yMSAtMTA1IC0xOSA5IC0yOCA5IC0zNyAwIC03IC03IC0yMi AtMTIgLTM1IC0xMiAtMzAgMCAtMjkgLTE5IDMgLTUzIDE3IC0xOSAzMyAtMjcgNDUgLTI0 IDExIDMgMjIgMSAyNSAtNSA0IC01IDEzIC0zIDIzIDYgMTAgOSAyMCAxNCAyMyAxMSAyIC 0zIDE3IDggMzEgMjUgMjIgMjQgMzUgMzAgNjggMzAgNjggMCAxMDkgLTMwIDEwOSAtODEg MCAtMjAgMzkgLTM1IDY1IC0yNSAyMiA4IDE5IDM2IC0xMCA5MCAtMTQgMjYgLTI1IDU1IC 0yNSA2NSAwIDkgMTkgNDYgNDMgODIgMzIgNDggNjIgNzcgMTE3IDExNSA4MyA1NiA4NyA2 MyA4OSAxNzcgbDEgNjggLTMxIC0xOCBjLTg3IC01MiAtMTI1IC04OSAtMTY2IC0xNjggLT IzIC00NCAtNDUgLTk2IC00OSAtMTE1IC00IC0xOSAtMTggLTU3IC0zMiAtODUgLTM4IC03 NCAtMzkgLTM0IC0zIDkzIDE3IDU5IDMzIDEyNyAzNyAxNTIgNCAyNSAyMSA3NyAzNyAxMT UgMjIgNTEgMzEgODggMzMgMTM4IDEgNDggNyA3NCAxOSA4NyA5IDEwIDE0IDI0IDEwIDI5 IC03IDEzIC0yMDMgMTMgLTI1MCAxeiIgLz4NCiAgPC9nPg0KPC9zdmc+ BIMI-Location: v=BIMI1; l=https://www.icewolf.ch/images/icewolf_tiny_blue.svg
Summary
Make sure, your domain are DMARC Protected (quarantine or reject)
If your logo/br is not yet registered as a trademark, that's the next thin you will have to do.
Registering a trademark and optaining a VMC Certificate will take some time and also costs a lot of money.
So make sure, your prepared for that.
Now you know, what it takes to implement BIMI and now you have to make your own opinion if the time and money is worth the effort.
Regards
Andres bohren
Wednesday, January 19, 2022
Hi there,
Jabra has released the January 2022 Version of theyr Jabra Direct Software (Version 5.11.01302)
The details can be found in the release notes
Regards
Andres Bohren
Thursday, January 13, 2022
Hi everybody
I've just seen that a new version of Microsoft Azure Information Protection (AIP UL) Client was released.
Apart from a few updates, fixes, and enhancements the new Client will only support x64 Plattform.
Regards
Andres Bohren
Wednesday, January 12, 2022
Hi Everybody,
Instead of the delayed December Exchange Cumulative Updates, we've got Security Updates for Exchange 2013/2016/2019
Please make shure you run the *.msp in an elevated CMD
Regards
Andres Bohren
Thursday, January 6, 2022
Hallo all,
I've already blogged how to read the Active Directory Attribute "userAccountControl"
How to read the value of AD Attribute userAccountControl
Today i came across some users that had the Property "PASSWD_NOTREQD" (Password not required) set.
For a regular user you just can add 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD) = 544
With the following Exchange Commandlet you can show the Attribute "userAccountControl", which also translates the value.
Get-User -Identity f.fischer | fl userAccountControl
You can also get the same with the Active Directory Module
Get-ADUser -Identity f.fischer -Properties userAccountControl | fl
To show all accounts, which have the Flag "PasswordNotRequired" use the following command.
Get-ADUser -Filter {PasswordNotRequired -eq $true} | ft name, UserPrincipalName
To remove the Flag "PasswordNotRequired" use this PowerShell Command
Set-ADUser -Identity f.fischer -PasswordNotRequired $false
Get-ADUser -Identity f.fischer -Properties userAccountControl | fl
Now it's back to 512 (NORMAL_ACCOUNT)
Get-User -Identity f.fischer | fl userAccountControl
More Information:
Understanding and Remediating "PASSWD_NOTREQD"
Best Regards
Andres Bohren
Hallo zusammen,
Ich habe am 1. Januar auf Twitter den Link auf das Blog von MVP Jaap Wesselius gesehen. Dort wurde beschrieben, dass Mails auf dem Exchange Server On Prem in der Transport Queue hängenbleiben und mal als Workaround das Malware Scanning deaktivieren soll.
THE FIP-FS SCAN PROCESS FAILED INITIALISATION. MAIL IS QUEUED ON EXCHANGE SERVERS.
CD $ExScripts
.\Disable-AntiMalwareScanning.ps1
Restart-Service MSExchangeTransport
Als ich daraufhin das Exchange Team Blog aufgesucht habe, war da noch keine Information zu lesen. Erst später dann wurde folgender Artikel veröffentlicht
Email Stuck in Exchange On-premises Transport Queues
Und dann gab es doch noch eine Meldung im M365 Admin Center
Bei mir zeigt der MX Eintrag nach Office 365 und ich habe kaum Mailverkehr von meinem Exchange 2016 nach Office 365. Auf dem Exchange Server gab es aber diese Fehlermeldung
Das PowerShell Script welches die Scan Engine resetet kann man hier herunterladen
Bei mir war danach alles wieder in Ordnung
Liebe Grüsse
Andres Bohren
Tuesday, January 4, 2022
Hallo zusammen,
Anfangs des Jahres ist jeweils ein guter Zeitpunkt um auf das alte Jahr zurückzuschauen. Im 2020 habe ich 278 Blog Artikel geschrieben, also durchschnittlich etwa 23 pro Monat - so viel wie wie noch nie.
Insgesamt hatte ich über 130'000 Pageviews. Das sind rund etwa 500 pro Tag und über 10'000 pro Monat.
Die Top 10 der Blogartikel 2021
Im letzten Jahr habe ich etwa 1320 KM auf dem Bike zurückgelegt und bin dafür knapp 69 Stunden im Sattel gesessen. Das sind fast 200 KM mehr als letztes Jahr und entspricht etwa wieder dem Durchschnitt.
Ausserdem habe ich mit einem Freund zweitägige Biketour (ca. 142 KM) von Buchs (SG) bis nach Stein am Reihn (SH) unternommen mit Übernachtung in Rohrschach.
Weitere Ausflüge mit dem Bike
- Freiburg
- Biel
- Solothurn
- Murten
Das Tauchen, ein weiteres Hobby, konnte ich dieses Jahr für zwei Wochen im September in Mexiko geniessen.
Mexico - Playa del Carmen und Cozumel
Beruflich habe ich mich mit Office 365 und Azure beschäftigt. Ich durfte bei einigen Enterprise Kunden mein Wissen und meine Fähigkeiten im Messaging und Communication (Exchange / Skype for Business / Teams) Online Umfeld zur Verfügung stellen, Migrationen durchführen und habe dafür wieder einige PowerShell Skripts geschrieben.
Ausserdem habe ich mein erstes PowerShell Modul in der PowerShell Gallery veröffentlicht
https://www.powershellgallery.com/packages/Icewolf.EXO.SpamAnalyze
Auch habe ich dieses Jahr wieder ein paar Microsoft Prüfungen abgelegt
- MS-500 Microsoft 365 Security Administration
- AZ-500 Microsoft Azure Security Technologies
Damit habe ich folgende Titel erzielt
- Microsoft 365 Certified: Security Administrator Associate
- Microsoft Certified: Azure Security Engineer Associate
Ich wünsche euch auch weiterhin viel Spass beim lesen des Blogs. Folgt mir doch bitte auch auf Twitter https://twitter.com/andresbohren
Liebe Grüsse
Andres Bohren
