
    Posts made by Mr. Jones

    • RE: Unable to send emails to Gmail from my domain

      @Mario-Jakovina said in Unable to send emails to Gmail from my domain:

      @Mr-Jones said in Unable to send emails to Gmail from my domain:

      Seems like a good time to try convincing the boss we should move our emails to O365. I know he'll say no, but this is ammo for sure.

      I don't think that email alone justifies the cost of O365.
      I have excellent mail experience with different web hosting providers that provide email service included for a fraction of the price of O365.

      For example, Hetzner offers 300GB space with unlimited mail accounts for 17 EUR / cca. 20 USD a month.
      (I have not used Hetzner's mail services but I have very good experience with them in cloud/bare metal services)

      I mean - you would not convince me to buy O365 with this argument 🙂

      Agreed. We already have O365, but I've been instructed to keep Exchange On-Prem exclusively. Sorry that wasn't implied more clearly.

      posted in IT Discussion
      Mr. Jones
    • RE: Unable to send emails to Gmail from my domain

      @Pete-S said in Unable to send emails to Gmail from my domain:

      @Mr-Jones said in Unable to send emails to Gmail from my domain:

      *I'm still waiting for Budget approval/acquisition for the DMARC stuff.

      There is nothing you need to buy to implement it.

      You should implement SPF, DKIM and DMARC.

      The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.

      I think this is very good and good value as well:
      https://www.uriports.com/pricing

      Use their awesome free service to test your email setup and learn more about DMARC.
      https://www.learndmarc.com/

      Really cool links there! Thank you!

      posted in IT Discussion
      Mr. Jones
    • RE: Unable to send emails to Gmail from my domain

      @scottalanmiller said in Unable to send emails to Gmail from my domain:

      @Pete-S said in Unable to send emails to Gmail from my domain:

      Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.
      If you haven't checked your IP against blacklists you must do so as well.

      That implies that you are running your own email server which isn't exactly forbidden, but it's a "no no". If you are running your own email server, it's expected that you will proxy through a big sender with clean IPs that have been cleared already.

      For all intents and purposes, the modern email frameworks are built around limiting email sending from big senders (Amazon, MS, Google, Zoho) only and all others are suspect and/or blocked outright. Even people running their own email servers typically (without knowing) block or restrict receiving emails from anyone but the giant carriers.

      Seems like a good time to try convincing the boss we should move our emails to O365. I know he'll say no, but this is ammo for sure.

      posted in IT Discussion
      Mr. Jones
    • RE: Unable to send emails to Gmail from my domain

      @scottalanmiller said in Unable to send emails to Gmail from my domain:

      @Pete-S said in Unable to send emails to Gmail from my domain:

      @Mr-Jones said in Unable to send emails to Gmail from my domain:

      *I'm still waiting for Budget approval/acquisition for the DMARC stuff.

      There is nothing you need to buy to implement it.

      You should implement SPF, DKIM and DMARC.

      The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.

      I think this is very good and good value as well:
      https://www.uriports.com/pricing

      Use their awesome free service to test your email setup and learn more about DMARC.
      https://www.learndmarc.com/

      Exactly, it's just part of the configuration of setting up email. It's a setting.

      Expand on this, please. It's my understanding there is no out-of-the-box support for DMARC or DKIM for On-Prem Exchange Servers.

      posted in IT Discussion
      Mr. Jones
    • RE: Unable to send emails to Gmail from my domain

      @Pete-S
      Very first thing I did.

      I found one of the issues to be that our Network Firewall was configured with the wrong IP address for outbound traffic of that Exchange Server, so it was picking up the next available (our VPN IP) and using that to pass traffic. The SPF didn't match because of this.

      Currently I can send now, but it always goes straight to Spam folder. Likely because we don't have DMARC set up yet.

      posted in IT Discussion
      Mr. Jones
    • RE: Unable to send emails to Gmail from my domain

      @Pete-S
      Good catch. There wasn't actually a space there, I just goofed.

      I'll try ~all.

      posted in IT Discussion
      Mr. Jones
    • Unable to send emails to Gmail from my domain

      I recently started having trouble sending emails to Gmail from our domain.


      Error:
      "mx.google.com gave this error:
      Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked. "


      The only thing that changed was that I made an SPF record on GoDaddy for our On-Prem Exchange server. I've used Mxtoolbox to troubleshoot.

      *I'm still waiting for Budget approval/acquisition for the DMARC stuff.

      Mxtoolbox SPF Lookup:
      spf:mail.contoso.com - Green on everything
      mx:mail.contoso.com - No DMARC Record Found
      mx:mail.contoso.com - DNS Record not found
      mx:mail.contoso.com - DMARC Quarantine/Reject policy not enabled

      It appears to me, as someone with no prior experience configuring an SPF record, that the issue might be the GoDaddy MX record. I'll disclose both in hopes that someone might be able to point out where I went wrong.

      GoDaddy TXT Record:
      v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all

      GoDaddy A Record:
      mail.contoso.com > 104.200.130.82

      GoDaddy MX Record:
      @ > mail.contoso.com (should this be mail > mail.contoso.com)?

      On-Prem Exchange Server: EXCH01 with IP of 172.16.10.100

      On-Prem A Records:
      EXCH01 > 172.16.10.100
      mail > 172.16.10.100

      On-Prem Reverse Lookup Zone PTR Record:
      172.16.10.100 > EXCH01.contoso.com
      172.16.10.100 > mail.contoso.com

      posted in IT Discussion
      Mr. Jones
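
Added example (not part of the original post or thread): a minimal offline SPF check in Python, applied to the TXT record as typed in the post and to the egress-address mismatch described in the follow-up. The `PUBLIC_A` table stands in for DNS, `203.0.113.7` is a constructed stand-in for the VPN address, and only the `ip4`, `ip6`, `a:<host>` and `all` mechanisms are evaluated.

```python
import ipaddress

# Public A record as listed in the post; stands in for live DNS lookups.
PUBLIC_A = {"mail.contoso.com": ["104.200.130.82"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr"}
NETWORKS = {"ip4": ipaddress.IPv4Network, "ip6": ipaddress.IPv6Network}

def split_term(term):
    """Split one SPF term into (result if matched, mechanism name, value)."""
    result = QUALIFIERS.get(term[0], "pass")
    name, _, value = term.lstrip("+-~?").partition(":")
    return result, name.lower(), value

def lint_spf(record):
    """Return the syntax problems found in an SPF TXT record."""
    terms = record.split()
    problems = []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    for term in terms[1:]:
        _, name, value = split_term(term)
        if name in NETWORKS:
            try:
                NETWORKS[name](value, strict=False)
            except ValueError:
                problems.append(f"{term}: missing or invalid address")
        elif name.split("/")[0] not in MECHANISMS and "=" not in term:
            problems.append(f"{term}: not an SPF mechanism")
    return problems

def evaluate(record, sender_ip):
    """SPF result for sender_ip; unsupported mechanisms are skipped."""
    if lint_spf(record):
        return "permerror"  # a malformed record is an error, not a pass
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        result, name, value = split_term(term)
        if name == "all":
            return result
        if name in NETWORKS and ip in NETWORKS[name](value, strict=False):
            return result
        hosts = PUBLIC_A.get(value, []) if name == "a" else []
        if any(ip == ipaddress.ip_address(h) for h in hosts):
            return result
    return "neutral"

POSTED = "v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all"  # as typed in the post
FIXED = "v=spf1 a:mail.contoso.com ip4:104.200.130.82 -all"
WRONG_EGRESS = "203.0.113.7"  # constructed stand-in for the VPN address

if __name__ == "__main__":
    print(lint_spf(POSTED))
    print(evaluate(FIXED, "104.200.130.82"), evaluate(FIXED, WRONG_EGRESS))
```

With `-all` a message leaving from the wrong egress address evaluates to `fail`; with `~all` the same message evaluates to `softfail`.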
    • RE: Website down, but only for organization Network

      So I get the Network Firewall folks on the phone, and now everything wants to work as smooth as ever. Ugh.

      I've spent maybe 30 minutes trying to replicate the issue that's plagued me repeatedly since 6:15am yesterday, and I cannot now.

      Great news that it's all working now, embarrassing that I can't replicate it when asked.

      I still feel like I need to know what happened.

      Would a PHP error cause this? That's the only thing I can think of, as I was editing some conditional logic on the website yesterday morning, but I'm failing to see the correlation given the context of the issue. I feel like if the site had funky PHP, that would take the site down for everyone.

      posted in IT Discussion
      Mr. Jones
    • RE: Website down, but only for organization Network

      @scottalanmiller said in Website down, but only for organization Network:

      @Mr-Jones said in Website down, but only for organization Network:

      If resetting the Modem, Router, switches doesn't work, I'll move to the Network Firewall as I agree there might be some security DDOS protection or otherwise that's at play here.

      Possible. What kind of firewall is it?

      Barracuda.

      posted in IT Discussion
      Mr. Jones
    • RE: Website down, but only for organization Network

      @dafyre said in Website down, but only for organization Network:

      Does your network have any kind of security stuff on the workstations or firewalls that monitors that kind of traffic? I've seen some rare instances where the Firewall or AV software would start blocking after a minute or two, and then it would crash and restart and then everything would be happy for another few minutes.

      I've disabled local firewall, and put Web Filter in Audit Mode with no effect.

      If resetting the Modem, Router, switches doesn't work, I'll move to the Network Firewall as I agree there might be some security DDOS protection or otherwise that's at play here.

      posted in IT Discussion
      Mr. Jones
    • RE: Website down, but only for organization Network

      Well, ISP wiped their hands with this one.

      Next step is resetting Modem, Router when I can find an appropriate window.

      posted in IT Discussion
      Mr. Jones
    • Website down, but only for organization Network

      Scratching my head on this one.

      During website edits for our website, when making changes I get ERR_TIMED_OUT (Chrome) when trying to publish edits. I might get a few edits published, but then it inevitably loses connection.

      The website goes down, or appears to for about 5 minutes. Hosting Provider assures me there are no PHP issues and everything looks to be in order.

      Tricky thing is, if I take my phone off of our organization's WiFi, the site is still operational. In fact, the site never really goes down to the rest of the world.

      I ran tracert from my workstation and everything appears to be fine with DNS.

      It appears to affect all devices on domain.

      My next step is going to be contacting ISP, but I figured anyone who's ever experienced this would remember what the issue was.

      Does this ring any bells for anyone?

      posted in IT Discussion
      Mr. Jones
    • RE: "Site not secure" | Self-signed Certificate?

      @pete-s said in "Site not secure" | Self-signed Certificate?:

      I'm not sure how you set up CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

      I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.

      posted in IT Discussion
      Mr. Jones
    • RE: "Site not secure" | Self-signed Certificate?

      @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

      So the answer is... it depends. Do you control the computer in question? If so, you can normally add the certificate to it and it will trust it.

      But if you don't want to have to install the cert for every computer that will use it, then sadly only a CA signed cert (which are free, though) will work as you need to have the browser trust it and that is the only mechanism.

      Okay, so if what you are saying is true, then I'm doing it incorrectly.

      I was using :8443 btw, I don't know why I used :8080 as an example.

      What are the steps here?

      Do I create a .p12, split out the private .key and store that on the server, then split out the public .pem and push that to all domain computers into the Trusted Root Certificates directory via Group Policy?

      Or do you have to have a .crt in the mix and that's why this approach would be such a pita.

      posted in IT Discussion
      Mr. Jones
    • "Site not secure" | Self-signed Certificate?

      Can you prevent the aforementioned error when visiting a domain server from a domain computer with a self-signed certificate? i.e. https://server:8080

      I've been doing a lot of reading on it and after failing repeatedly at the task, I read somewhere that no matter what you'll get that error unless the certificate is from a public Certificate Authority. But I read a lot of things on the internet that aren't quite right. My brain hurts, it's Friday, and I know this group would know the right answer.

      I'm wondering if I'm just doing things wrong, but before I dive into what I've tried, I wanted this question answered so I know if I need a different approach or not. Ultimately, I don't want to have to pay for an SSL, but I'll cross that road when I come to it.

      posted in IT Discussion
      Mr. Jones
    • RE: Help Sorting out a Firewall Issue

      @scottalanmiller Do you recommend any books that deep dive into this stuff? I know there's always google, but I feel like you would know of some really good reads.

      posted in IT Discussion
      Mr. Jones
    • RE: Help Sorting out a Firewall Issue

      @pete-s I can try to clarify what I meant with some pretend numbers.

      Server = Actual server Asset Management is hosted on (192.168.0.20)
      Client = Client Machine (192.168.0.50)

      What I saw on the Network Firewall:
      TCP - Server > Client Port 135 (server to client)
      TCP - Server <> Client Port 135 (bi-directional)
      TCP - Server > Client Port 65849 (server to client) - Time-out

      I was looking specifically for 192.168.0.20 (server) as SOURCE and 192.168.0.50 (client) as DESTINATION, so it's possible I missed a bit of it.

      I would love to take this opportunity to learn a bit on the matter though. Could you expand on why that doesn't make sense? Is port negotiation not a functionality of TCP?

      posted in IT Discussion
      Mr. Jones
    • RE: Help Sorting out a Firewall Issue

      Have you added the APPLICATION to the firewall, rather than a port? Windows Firewall is "meant" to be done that way, so that it monitors the application itself rather than assigning ports statically.

      Damnit, Scott. Take my upvote.

      I was able to add a custom rule to allow the Windows Management Instrumentation SERVICE, and that solved it. Now, I know you said APPLICATION, and now I'm wondering if that's basically what you meant, and if not, what the security concern is now that I've whitelisted a whole service. Got some reading to do!

      posted in IT Discussion
      Mr. Jones
    • RE: Help Sorting out a Firewall Issue

      @dashrender said in Help Sorting out a Firewall Issue:

      Sounds like Windows firewall is involved.

      What software solution are you using to do this inventory?

      🥁 ...SW Web Help Desk

      Assuming the server is what is reaching out to the client - the client is likely where the incoming random port needs to be open - but that will be challenging since it's a random port. If there is an agent on the client machine - the agent could open the port on the fly.

      Yea that was my hang-up, how do you allow a random port number? I tried allowing all traffic from the server IP as a workaround to test it, but either I'm not doing it right, or it doesn't fix the issue. Probably the former.

      Mini Remote agent is deployed already in most cases, I'm wondering if there isn't an avenue there. 🤔

      posted in IT Discussion
      Mr. Jones