DKIM simplified and how it works (but not for beginners)

Lifting shrouds from IT-related mysteries is what we do here.

DKIM… yet another mys(t)ery to so many, but actually not as much rocket science as it seems.
Let me explain : 

Simplified as an acronym, DKIM stands for “Domain Keys Identified Mail” and is nothing more than “just another TXT record” in your DNS.
In a previous post, you could read up about SPF records and how they can diminish the amount of spam being sent FROM your domain name. DKIM takes this to a next step.
It’s the implementation of DKIM that will require some extra feedback from me, though.

Extremely simplified

Woodpecker.co explains DKIM as following :

“Take Game of Thrones to get the bigger picture of DKIM. Ned Stark is sending a raven with a message to king Robert. Everyone could take a piece of paper, write a message and sign it Ned Stark. But there’s a way to authenticate the message – the seal. Now, everyone knows that Ned’s seal is a direwolf (that’s the public key). But only Ned has the original seal and can set it on his messages (that’s the private key).”

Quite the analogy, if you’ve seen GoT (and no spoilers, even !)

 

What happens when using DKIM ?

The entire concept is based on encryption of a specific value that uses a public and a private key, which are generated as a pair and therefore cannot exist apart from each other.

The public value is stored (obviously) in a public location where all e-mail servers and clients can access it : the DNS server that holds your domain name (OVH, Skynet, Godaddy, Combell, …)

The private value is sent in an encrypted way over the internet and can be verified by means of that private key, to check whether it carries the original, correct signature.
It’s comparable to how an MD5 checksum works

(with the exception that at the time of this writing, DKIM can not yet be broken and it’s possible to “fake” an MD5 lol)
Image courtesy of postmarkapp.com

This hidden signature is then verified by the mail server, through which you send your signed mail, as well as all other mail servers where this message passes (in its original form).

Because… the signature is added to the mail headers and is completely independent of how SPF records work, a proxying mail server that just passes on your message retains the headers.
Theoretically, your mail could fail on an SPF, but could be perfectly valid on a DKIM basis !

 

Fool-proof ?

Is this method a fool-proof way of confirming ALL mails from your domain are safe now ?

A simple answer : NO.

DKIM is kind of the reverse of SPF: SPF tells the receiving mail server what mail NOT to trust.
DKIM tells the receiving mail server that this specific mail, sent from this specific source, is – in fact – OK to receive. DKIM does not guarantee that mails from your domain name, sent from a source other than the one defined in the key verification, are in fact safe, because the key in the verified mail message only counts for the specified source.

“Should I not bother to use DKIM, then ?”

You should still try to implement DKIM wherever possible, as all methods of securing your mail flow and getting spam/phishing mails out of this digital world, are most welcome.

 

What does DKIM look like & “comment ça marche” ?

Enough with the theory; let me explain how (and when) this works.

First of all, your own mail server, through which YOU send outgoing mail, has to have support for DKIM key generation.
Most ISPs (I think we can say “all ISPs”) will not use DKIM, as this would mean having to sign every friggin mail message that the millions of their customers send out on a daily basis.
All mail software would first have to talk on an encrypted basis to a public SMTP server to stuff that signed key in the mail header of their own mail message.
Seeing as most ISPs allow sending over their mail servers without any authentication whatsoever, except for sending from their IP address range, this can only mean: a big no-no.

Onward.

If your mail server supports DKIM (we’ll be using Microsoft 365 as an example), we can go ahead and create a DKIM key pair.

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide explains in heavy detail how to create a DKIM pair on an M365 mail-based subscription (Exchange Online in short).
Go ahead and read the article.
Then come back here, for a small moment of enlightenment.

All caught up?
Good.

The original private key is never shown and is only known to your very own mailserver.
You get to see – usually in the form of a next-next-next wizard – the entries you have to add as a CNAME record in your own DNS server that hosts the domain name from which you’re sending mail.

As cryptography goes, the mail server receives your request to send a mail to somebody.
Next, it adds a specific unique mail header to your outgoing mail, based on its own private key, in combination with the key known to the public (and thus shown in your DNS records, for others to verify against).

Before showing the layout of the DKIM record, let me show you what a signed mail header looks like.
If you’ve been following my instructions, you’ve already seen a DKIM record on the Microsoft website mentioned above, by the way :p

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork;
c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
h=from:to:subject:date:keywords:keywords;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Analysis time :

  • Every DKIM signed mail starts with “DKIM-Signature:”
  • The obvious part “v=1” defines the versioning (duh). Ironically at the time of writing, the version will always be “1”
  • “a” defines the signing algorithm, usually rsa-sha1 or rsa-sha256
  • “d” stands for the domain name of the sender
  • “s” is short for “selector” which can be found in the corresponding DNS record (in this case) newyork._domainkey.example.net 
  • “c” is the abbreviation for “canonicalization algorithm”. A tricky one to explain, but I’ll try my best.
    You can see it contains 2 values. They represent header/body and define how much a mail may change in transit (for instance in forwarding) before the signature no longer matches.
    “Relaxed” allows a certain amount of change in that part (whitespace differences, for instance when forwarding a mail).
    “Simple” just tells the receiving mail server that no change in that part is allowed for the DKIM signature to still be trusted.
  • “q” is for “query” and tells the receiving end how to perform the DKIM check.
    The q-part is optional. At the time of writing, the only valid entry here is “DNS/TXT”, which defines that a DNS lookup needs to be done, looking into a certain TXT field.
  • “t” is the timestamp
  • “x” falls together with the timestamp and stands for “expiration”, in case you have a fast-rotating key-pair in your DKIM setup and want to assure the receiving end of a higher security level.
  • “h” lists the signed header fields …
  • …while “bh” is the hash for the body part of the mail
  • “b” is the actual signature data.

Should you totally want to geek out more on the RFC for DKIM, you can get your groove on at https://dkim.org/specs/rfc4871-dkimbase.html
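To make the header analysis above concrete, here is an added example (my own stdlib-only Python, not code from the original post, from the RFC or from Microsoft). It parses a DKIM-Signature value into its tags, derives the selector DNS name from “s” and “d”, and recomputes “bh” over the body with both canonicalization modes, so you can see exactly what “relaxed” tolerates that “simple” does not. The message body, selector and header are constructed; the “b” value is a placeholder and is not verified here, because checking the actual signature needs the RSA public key from DNS and an RSA library that the standard library does not provide.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the original post). Note the double space,
# the trailing spaces and the trailing empty lines: the canonicalization mode
# decides whether those survive into the body hash.
SAMPLE_BODY = "Hello Robert,\r\n\r\nWinter is  coming.  \r\n\r\n\r\n"


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS record) into a dict.
    Folding whitespace inside values (e.g. a b= value wrapped over lines) is dropped."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def selector_dns_name(tags: dict) -> str:
    """The TXT record a verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body: str, mode: str) -> bytes:
    """Body canonicalization as in RFC 4871 section 3.4 (CRLF line endings assumed).
    simple : drop trailing empty lines, end with exactly one CRLF.
    relaxed: additionally strip whitespace at line ends and collapse runs of
             spaces/tabs to a single space."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, mode: str, algorithm: str = "rsa-sha256") -> str:
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = "sha1" if algorithm.endswith("sha1") else "sha256"
    raw = hashlib.new(digest, canonicalize_body(body, mode)).digest()
    return base64.b64encode(raw).decode()


def make_sample_header(body: str, body_canon: str) -> str:
    """Build a constructed DKIM-Signature value (folded like a real header) whose
    bh= matches `body`. The b= value is a placeholder, not a real RSA signature."""
    return (
        "v=1; a=rsa-sha256; d=example.net; s=newyork; "
        f"c=relaxed/{body_canon}; q=dns/txt; t=1117574938;\r\n"
        "\th=from:to:subject:date;\r\n"
        f"\tbh={body_hash(body, body_canon)};\r\n"
        "\tb=PLACEHOLDERSIGNATURE=="
    )


def check_body_hash(dkim_header: str, body: str) -> dict:
    """Redo the first step a verifier does: recompute bh= and compare it."""
    tags = parse_tags(dkim_header)
    # c= is header/body; a missing body part means "simple".
    _header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"
    computed = body_hash(body, body_canon, tags.get("a", "rsa-sha256"))
    return {
        "dns_name": selector_dns_name(tags),
        "signed_headers": tags["h"].split(":"),
        "body_canon": body_canon,
        "bh_matches": computed == tags["bh"],
    }


if __name__ == "__main__":
    # A forwarder that trims trailing spaces changes the bytes but not the words.
    forwarded = SAMPLE_BODY.replace("coming.  ", "coming.")
    for canon in ("simple", "relaxed"):
        header = make_sample_header(SAMPLE_BODY, canon)
        print(canon, "original:", check_body_hash(header, SAMPLE_BODY)["bh_matches"],
              "after whitespace edit:", check_body_hash(header, forwarded)["bh_matches"])
```

Run it and the “simple” header fails on the whitespace-trimmed copy while the “relaxed” header still matches; any change to the actual words fails under both, which is the point of the body hash.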

 

The DNS record(s)

Why did I keep this part for last ?
You could see in the above example that the RFC leaves room for a different way of reading your DKIM record.
For now, we don’t have a technology other than DNS to exchange DKIM data, but if DKIM were to be upgraded, so to speak, the possibilities would not be limited to DNS.

 

The actual public key would look like this :

NAME : 
nameofyourselector._domainkey.example.net

TYPE : 
TXT

CONTENTS OF RECORD : 
v=DKIM1; k=rsa; p=KLJHLHkjhkhkluhiukhjiulYUHKJUIYUYNJKHLKHIOUHJhjkhkjhklhjkh

The content of this record will be provided by your mail server when you go through the DKIM generating process.

 

A different approach is the use of a CNAME record instead of a TXT record, where your key is stored elsewhere.
Depending on the suggestion your mail server gives you, you’ll implement one or the other.

Your CNAME record could look like this :

NAME : 
nameofyourselector._domainkey.example.net

TYPE : 
CNAME

CONTENTS OF RECORD : 
heresmykey.something.anotherdomain.com
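Added example (my own Python, not from the original post or from Microsoft) of the lookup a receiving server does with the two record layouts above: build the selector name, follow a CNAME if the selector points elsewhere, and sanity-check the TXT content (v=DKIM1, k=rsa, a p= that decodes as base64, and the empty p= case, which means the key is revoked). The zone data is a constructed in-memory stand-in for DNS answers using the hypothetical names from this post, so it runs offline; the key material is a labelled placeholder, not a real RSA key.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed placeholder key: the bytes of a label, base64-encoded, so the
# p= value is well-formed without being a real RSA key.
SAMPLE_KEY = base64.b64encode(b"constructed-placeholder-not-a-real-rsa-key").decode()

# Constructed stand-in for DNS answers: name -> (record type, record data).
FAKE_ZONE = {
    # TXT variant: the key lives directly under the selector name.
    "newyork._domainkey.example.net": ("TXT", f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"),
    # CNAME variant: the selector name points at a record hosted elsewhere.
    "selector1._domainkey.example.net": ("CNAME", "heresmykey.something.anotherdomain.com"),
    "heresmykey.something.anotherdomain.com": ("TXT", f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"),
    # An empty p= is how a revoked key is published.
    "old._domainkey.example.net": ("TXT", "v=DKIM1; k=rsa; p="),
    # A CNAME pointing at itself: a misconfiguration the resolver must not loop on.
    "loop._domainkey.example.net": ("CNAME", "loop._domainkey.example.net"),
}


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list into a dict, dropping whitespace inside values."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def resolve_dkim_record(name: str, zone: dict, max_hops: int = 5) -> Optional[Tuple[str, str]]:
    """Follow CNAMEs from the selector name until a TXT record turns up.
    Returns (name that held the TXT, record data), or None if nothing is reachable."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return None  # CNAME loop
        seen.add(name)
        answer = zone.get(name)
        if answer is None:
            return None
        rtype, data = answer
        if rtype == "TXT":
            return name, data
        name = data  # CNAME target: look again there


def check_dkim_record(selector: str, domain: str, zone: dict) -> dict:
    """Report whether <selector>._domainkey.<domain> publishes a usable key."""
    name = f"{selector}._domainkey.{domain}"
    report = {"name": name, "resolved_name": None, "problems": []}
    found = resolve_dkim_record(name, zone)
    if found is None:
        report["problems"].append("no TXT record reachable from the selector name")
        report["ok"] = False
        return report
    report["resolved_name"], data = found
    tags = parse_tags(data)
    if tags.get("v", "DKIM1") != "DKIM1":
        report["problems"].append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        report["problems"].append(f"unsupported key type {tags['k']!r}")
    key = tags.get("p")
    if key is None:
        report["problems"].append("missing p= tag")
    elif key == "":
        report["problems"].append("empty p= tag: this key is revoked")
    else:
        try:
            report["key_bytes"] = len(base64.b64decode(key, validate=True))
        except binascii.Error:
            report["problems"].append("p= is not valid base64")
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    for selector in ("newyork", "selector1", "old", "loop", "missing"):
        print(check_dkim_record(selector, "example.net", FAKE_ZONE))
```

Against real DNS you would replace FAKE_ZONE with an actual TXT/CNAME lookup of the selector name; the checks on the record content stay the same, and an empty p= or an unreachable record is exactly what a receiving server sees when a rotated or mistyped selector breaks your outgoing mail.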

 

There we have it.
Theory and samples.

If you have any questions, don’t hesitate to contact me by mail, postal pigeon, smoke signal, …

Zuper out

 

Handy websites concerning this subject :

  • https://mxtoolbox.com/
  • https://easydmarc.com/tools/dkim-record-generator

 

O365 product training

Good news

Microsoft just recently sent me one of their spammy messages that I usually overlook.
Instead, this time, it was a bringer of good tidings. Finally, Microsoft will force-feed you or your users with documentation, tips and tricks on how to use your Office 365 products and get the most out of it.  There has been a built-in training centre for admins as well as regular users in the portal.microsoftonline.com landing page for a while now, but – speaking out of personal experience – not a lot of end-users visit this page.

Kindly read the message below, that contains the interesting part of the original mail :

The mail :

We’re pleased to announce that starting on November 29, 2018, all users of Microsoft 365 and Office 365 will receive helpful product training and tips for services in their subscriptions via email. This feature has administrative controls to enable and disable.

[How does this affect me?]
After this change takes place, email communications will be enabled-by-default for your organization’s users, allowing us to provide product training and tips aimed at helping them increase their productivity and to maximize their utilization of the products and services they use most. End users will only receive emails regarding services that they have been enabled for, and you can control whether or not your users receive these communications in the End User Communication tab in your Office 365 admin center. Your users also have the ability to opt-out of receiving these emails on an individual basis by accessing the Security and Privacy pane of their My Account Portal.

This feature will be on-by-default for all Office 365 and Microsoft 365 organizations on November 29, 2018.

If you wish to disable this service for your users, you can do so between now and November 29, 2018 and your settings will be honored.

[What do I need to do to prepare for this change?]
If you prefer your users receive product training and tips that are all tailored to the services in their subscription, then there’s nothing you need to do to prepare for this change.

If you do not want us to send product training and tips to your end users, please follow these steps to disable:

  1. Log into the Office 365 admin center
  2. Click on Services & Add-ins
  3. Click on End User Communication
  4. Flip toggle to “Off”

 

 

Sharepoint (online) for beginners (2)

Preparation (again) is everything

Should you eventually still be interested in Sharepoint Online after reading all the horror-stories and getting yourself mentally up to the task of making this key decision, prepare yourself for a lot more decisions 😉

If you’re a Belgian SME, you can probably skip most of this thought process. If you’re a somewhat larger company or an SME according to American standards, you’re in for a treat if you love planning things.
Consider the following tasks, depending on the size of your IT implementor and the size of the Sharepoint customer :

  • Plan hub sites 
    In short, hubs connect your libraries and sites into one easy-to-read-and-manage central entity with its own look and feel.
    The example picture (for a larger company) shows a specific hub (in green) for the HR department, where all department libraries are centralized.
    The general idea behind this is to create a separate hub for (e.g.) Finance, Marketing, Sales, … It’s common practice for smaller companies to put everything in one hub (with maybe the IT documentation in a separate one).
  • Managing your Search and Discovery result sets.
    You can take this feature as far as you want. Managing search results in a Sharepoint environment and administering keywords can either be something you completely let live a life of its own, OR you can fully manage your keywords and result templates, OR anything in between.
  • Actually creating the site and developing graphical layout, customizing content.
  • Will you be sharing your documents externally to users not in your organization ?
  • Mentioned before in the previous post : plan the physical content of the Sharepoint site.
    What will you be showing your users ? Will your SP environment become a complete file archive of all your documents or will you just be using the platform’s collaboration function on a project-basis ?

I won’t go as far as explaining everything in detail, seeing Microsoft has done this for me already.
You can find a very extensive planning overview on https://docs.microsoft.com/nl-be/sharepoint/introduction

As mentioned before, small enterprises are likely to use 1/10th of Sharepoint and might require a very limited amount of planning, to the point where it even comes down to replicating the original folder structure of a to-be-decommissioned on-premise server.
Sounds like a mouthful, but practically speaking this is nothing more than a copy-paste action (albeit a tad more technical in the background).

On a note of keeping things simple and understandable, I’ll provide examples for an imaginary small company that starts using Sharepoint for the first time, so we can skip the whole larger planning phase and go straight to using Sharepoint Online (SPO).

 

Situation sketch

Remember our straw-producing company in an earlier example ?
They’ve gotten inspired by the entire Office 365 thing after experiencing the fun technical advantages of their mail and decided to move their data to ‘the cloud’ as well.

Being the Belgian SME that they are, Shortstraw LLC has data hanging all over the place, spread among various computers, USB disks, cell phones and tablets.

They started out without a centralized server and are now ready to move to Sharepoint as a data storage platform. (or at least, that’s what they told you   *dramatic music*)

Questions, questions, questions …

You, as IT partner for Shortstraw, can now start a limited amount of planning and meet up with CEO and CFO Oliver and Annie.
There’s a certain amount of practical questions you will need answers to, before even starting your move to SPO.

  • Total amount of data in GB/TB ?
    This M$ page will tell you more about these limits.
  • Do they want all data synchronized on their computer(s) as local files ?
  • Who REALLY shot JFK ?
  • Will they be sharing files through SPO (especially to external sources) ?
  • What files will you split up into a personal Onedrive for Business account and a Sharepoint library?
  • How fast is the internet on-premise ?
  • Free disk space and operating system on the machine(s) that holds the data.
    In case you’re wondering : Windows 10’s native Onedrive has had support since mid-2018 for so-called ‘streaming files’, which downloads your files on-the-go when you open them from Onedrive. Windows 8/7/… all need an actual physical copy on the disk when synchronising.

 

Setting it up. Getting started. Doing your thing.

The right tools for the job.

When starting a migration to Sharepoint Online, a couple of tools come to mind. There are a few nifty pieces of software that can do the job quite well.

I’ll be discussing the last three, as they are free of charge (not counting the actual license cost of your O365 subscription obviously) and have little to no learning curve.

For the ease of this example, I’ll just assume we have some structurally placed files and folders on an on-premise file server/NAS/other easily accessible location for a Windows computer.

More prep !

Nothing ever comes easy (except for your mom – obligatory mom joke, couldn’t resist). More prep work is required before we can move our files to SPO.

A small theoretical explanation (practical examples will follow, don’t worry) :

First of all we’re going to want to create the location(s) where we want to store the files online. This is usually done by creating one or more document libraries. Simplified, you could compare them to shared folders on a file server.
Best practice is to set your initial user rights (more on this later) on a library basis, if necessary.
In a more extreme manner, you could even create Sharepoint subsites or Site Collections.

Secondly, you’re going to need to create security groups to apply to your libraries, where we’ll be removing the default security settings, in order to set specific rights to specific libraries.
This can either be done in Azure AD or straight from Sharepoint.

My n°1 suggestion is to keep the admin user as an owner of your libraries – or at least as power user – as we’ll be needing a specific user account for the automated migration process anyway.
If you’re into manual labor, you can have your users perform their own migration, but this is ill-advised.

My three free tools

Before you start to panic, I promise I’ll go into more detail about every method mentioned. The examples below will just give you a sneak peek at the ease of use.

Sharepoint out-of-the-box upload/drag-and-drop

Quite straightforward.
You either choose ‘Upload’ in the menu above your library or just drag and drop your file to where the library is located on-screen.

Screenshot of the open Upload menu in a document library.

OneDrive synchronisation

Same approach, different method.
You select the ‘synchronize’ button above the library, after which you’ll get a verification from OneDrive to see if you really want to start a synchronization between your computer and this specific library.

Synchronizing will require a significant amount of disk space if you’re not working on Windows 10 (W10 uses the aforementioned file streaming method).

Microsoft Sharepoint Migration Tool

This tool automates the uploading (and pre-analysis) for your data towards the Microsoft Cloud.
Preferably, use the migration tool, when all your local data is stored somewhat centralized. This tool is best run from the (Windows) server itself where the data is held, for speed reasons, among others.

Microsoft SPMT has a very easy and intuitive look and feel, but will require you to create the libraries before starting the migration process.
Also make sure you have sufficient disk space, as this tool creates a temp folder as large as the entirety of the data to be transferred. (temp folder can be selected in the migration options)

SharePoint Migration Tool

That’s all folks.

Prepare for a hands-on moment in the next Sharepoint post  !

Sharepoint (online) for beginners (1)

What the flip ?

Introducing “Sharepoint” is always a tricky one.

Microsoft simply puts it down as an “Online Collaboration Platform”, which is actually one of the simplest ways of explaining the whole thing.
Sharepoint can be used as a sort of online organized file dump, but that would be something like using only the glove compartment of a Ferrari.

It’s often compared to a mixture of “Google Drive”, “Huddle” and a WYSIWYG website editor like WordPress, where you can manage all of your corporate content (to a certain limit), create intranet webpages, automate business processes through workflows, build custom apps etc.

I’ll mainly be talking about Sharepoint Online (SPO) from here on. Know that there exists an on-premise version as well, that had its roots somewhere between the years 2003 and 2007, but still exists on current-gen Windows servers.

 

Is Sharepoint the right product for you ?

As with all products, it’s best to perform a study on why you would need it and whether it’s the best solution for you, before you actually buy it. There’s a very big chance SPO might not be exactly what you need, and there’s that other chance that you’ve struck gold and it fits your needs perfectly.

A 30 day demo can be obtained through various means, of which the classic Microsoft demo environment is the most popular one : https://products.office.com/nl-be/try
If in doubt –> always demo it first.

Consider the following questions before usage :

  • Do your employees work remotely?
  • Do your employees often move from one client location or meeting to another?
  • Do your employees need access to various devices so they can do their jobs?
  • How are your employees currently accessing the content that they need?
  • Do you have customer-facing requirements, like a place to share information, an online catalogue, an online Request for Information form, or an online Request for Quote form that your customers need to fill out?
  • Do you share documents with your customers often?
  • Are you using USBs to transport and work on presentations, requests for information, or marketing collateral?
  • Does your staff ever complain that they wish there was an easier way to access your content?

You might have guessed, from the commercial way these questions have been formed (thank you, proserveit.com) , that Sharepoint will be a fitting answer for all of them.

 

I’ll also gladly push away some common misconceptions surrounding Sharepoint and its use, since potential users will start Googling and will eventually find articles that scare them away from this online platform.

Sharepoint is just a place to store your files

NO!
It’s a friggin’ collaboration platform. You’ll be able to work on project-based or group-based items, follow up your colleagues, create automated tasks, …

The IT department will be in charge of setting up our environment and maintaining it

NO!
Maybe the IT department will need to explain the very concept of Sharepoint and set up the initial workspace environment a bit, but you as a user will be very able to create your own project pages, invite colleagues, change the look and feel of your SP workplace and much more.

You can’t customize Sharepoint. It will look like any other SP environment

NO!
Sharepoint (Online as well as the on-premise version) has a relatively easy way of customizing every page and/or creating templates based on your company colors or personal preferences. Not only the page theme, but also the way your libraries are shown and much more can be fully customized.

SP is not user-friendly

NO!
C’mon, really ? You’ve worked with Microsoft products before, right?
Can you really say Microsoft’s end-user products are not user-friendly ? And be honest !
If you can actually find a software package by M$ that you find to be user-unfriendly, try to find an alternative and tell yourself again how great that alternative works out for you, will you ?
As with all new software, you might have to learn the basics, but even creating a new Sharepoint project or page just feels like typing a Word document or creating a flyer in Publisher.

 

 

I’m pumped! Let’s do this!

Before you get all over-hyped, there are a few things to take into consideration before moving your data to the cloud and decommissioning your old server(s).
Doing so will avert potential headaches afterwards, for both the IT implementor and the users that will actually be … using … Sharepoint.
The baseline here is : “Don’t do a full copy-paste”

Just in case, we might need this document…

Take a breather and think about how much data you’d like to move over to SPO.
Do you really want to bring over all those old archived files, that you will never ever be looking into?
There’s no real harm in actually copying them over to SPO, but wouldn’t you rather work in a clean and clutter-free environment than be surrounded by piles of old paperwork ?

 

New document (1)(1)(2)-final_by_john.docx

The various options for versioning

For the love of God/Allah/Vishnu/The Flying Spaghetti Monster/…
Having a document like this is bad enough practice as it is, but don’t bring this over to your new Sharepoint environment.
Judging by this filename, there have been tons of new versions of this document created over time, while keeping the original ones around for … I don’t know … archiving ?

Sharepoint has built-in versioning, that can be customized to your heart’s content : approval options, type of numbering, amount of copies to keep, …

You’ll only end up using more storage than you actually need as well as creating a chaotic and unstructured work environment.

On top of all that, the above filename situation might be created by multiple users trying to access the same file and saving it as their own version.
Again in Sharepoint, you can actually co-author a document or even set a certain lock notification on the document for obligatory check-out of the document before editing it.

No more excuses 😉

 

Don’t think “Files and Folders” anymore

If you know how a database structure works, you’ll have better insight in why and how you shouldn’t be using the classic files and folders layout anymore, because Sharepoint, when you simplify it, is just one giant database.
Don’t feel bad if you don’t know what the internal workings of a database server are. I’ll gladly explain the Sharepoint way of thinking, so that you get the most out of your new structural storage.

First of all, keep in mind that Sharepoint is a collaboration platform. The essential part here is that one word : “collaboration“.
Obviously there’s still a need for rights and structural placement of folders, but the main idea is the working-together part.

You can create cross-functional groups, completely separate from your existing classic company structure where you now have a CEO > Management Group > Employees rights pyramid.
Consider the people who own the file content, as opposed to the ones that get to “use” it and base yourself on “projects” instead of folders. Create Sharepoint pages per project, for instance.

Try to add as much logical keywords to your documents instead of categorizing in one single folder. Remember those many times you thought about that one file that was good for folder A , folder B and even folder C, and you had to make the decision of putting it at least somewhere?
Well, Sharepoint uses sort of a labeling system called Enterprise Keywords, where the actual location of your file matters less than the correct label(s) you attach to it.
Just make sure that the users who need this file, have access to the file, folder or library it’s in and you’re good to go. The Sharepoint search function will do all the work for you.
Not even to mention the awesomeness of the program called “Delve“, that digs deeper into projects, files, statistics etc.

 

Planning your libraries

The Internet, Jen !

In Sharepoint everything is divided into lists and libraries. Remember my database reference above ? Well, a list or library is nothing more than a database table.
As with all database systems, there’s a certain limit to what you can do. In this case, the often discussed 5000-items limit in a Sharepoint library is to be taken with a grain of salt.

You might have heard from the above mentioned item limit.
The number of items in a Sharepoint library should not exceed 5000 according to Microsoft advice. So, what happens if you get your 5001st item in a library ? Does the internet explode ?

Let me elaborate on this.

First off, the Sharepoint definition of an item is either a folder or a file, meaning that if you have 200 subfolders that contain 1 file in total, you have 201 items.

This whole limit thing has to do with the indexing speed for the software that runs in the background.
In order to quickly find your data, your server environment needs to read and analyze your data first, after which this analyzer-process writes something like a table of contents.
This table of contents is then used for search actions, because a ToC reads faster than actually having to scan your documents on-the-fly.

Microsoft has set a pretty round number on this, so it is easily remembered.

Should you go over the limit of 5000, the automatic indexing process simply becomes not-so-automatic and will take around 24 hours, depending on the process timing by Microsoft, which is something you yourself cannot change.
There’s actually another limit : 20000 items. Here, the indexing starts to go wrong and may start reporting faulty results or missing files.

What I’m saying is : “DON’T PANIC ; don’t limit yourself to the 5000 items barrier if indexing within 24 hours is good enough”

 

Onward !

Hopefully, I didn’t scare you too much here on the whole Sharepoint thing.
If you’re still planning to move your data to Microsoft’s cloud environment, keep reading on the entire process of migrating and what tools to use best in a next post.

Peace out!

Public Contact Folder in an Office 365 environment

Get global

Imagine coming from an obscure mail system in which you got a couple of public folders, such as a Public Address Book (not to be confused with the GAL – Global Address List) or some public Agenda.
Basically, this could also be a non-obscure system, as even the most generic or widely-used mail systems provide this functionality.

Having heard so much about Office 365, you decide to take the leap towards the cloud and start migrating all your mailboxes, only to find no default out-of-the-box public folder.

Fear not, as the functionality is still there. Even though it was rumored Microsoft was going to stop support for public folders in an Exchange environment, user pressure caused M$ to re-evaluate their choice, thus public folders are here to stay (at least for 3 years minimum).
This also applies to Exchange Server 2016, by the way.

 

Howstuffworks.com

I’m going to assume you have followed the necessary steps to set up a working O365 environment.

In the admin menu

  1. Open the Admin > Exchange menu in your O365 admin page
  2. Once inside the Exchange Control Panel, select ‘Public Folders’ in the leftmost menu or on the dashboard.
  3. A new menu will appear, where you are to select “Public Folder Mailbox” in the top menu.
    For some reason yet unknown to me, you have to create a public folder mailbox first before you can actually create a public folder.
    One would expect this to have all of this process automated…
    Oh well, best go with the flow.
  4. Click the little “Plus” icon and fill out the necessary info.
  5. Once this is done, you get to create the actual shared folder in that same top menu, by selecting *insert drum roll* “Public Folders”.
    Click the little “Plus” icon in order to start creating your first Public Folder and name it as such.
  6. Click save and *BOOM* your folder has been created.
    Now you should be assigning user rights to this folder, as you’re not going to be admin’in this folder yourself as global admin for this O365 tenant.
    Ideally leave the administration of public folders for contacts, agendas etc. to the end-customer, as this is a specific task for a specific kind of manager.
    If you’re reading this as the IT guy/girl for a small company, you’re probably screwed and get to do this task yourself.
    Click the newly created folder once so that the focus is on its name and next click on “Manage” in the right column.
  7. You can choose who you want to allow specific rights to this folder, by clicking the necessary rights ticks or selecting prefab permission levels in the dropdown menu.
    Press “Save” when done.

 

 

Actually creating contacts

  1.  Start by opening Outlook as a user that has owner rights (or sufficient rights to create folders) to your public folder and go to “Folder View” (that’s the three little dots in the bottom of your left column, in case you don’t have a 4K screen)
  2. Next, open the new public folder by expanding “All public folders” until you’ve reached your root folder (which should just be one click, normally)
  3. Right click the root folder and select “New folder”, after which you give it an appropriate name and select “This folder contains Contact Items”
    As you see, other options are available, such as a public agenda etc.
  4. We’ve already set the rights for admin, but as an owner, you can easily set other user’s rights afterwards through Outlook, instead of having to run over to your Exchange Control Panel as the global admin user.
    In any case, you can right click your newly created folder, that will now have a Contact icon and select “Properties”
    …where you can tick the option “Show this folder as an e-mail address book”, so that Outlook (and your mobile as well as webmail) will be able to display this list for you to search through.
    Confirm with OK.
  5. Clicking the “To” button in your Outlook, will now let you select your newly created address book.
    Everybody happy !
  6. Now either import your PST file from the previous public contact list or start typing.
    Good luck !

Many thanks to Peter from Kalmstrom.com for providing the necessary ‘missing links’ in my to-do list. I also shamelessly took the imagery from his website, as my own O365 30-day demo was expired ;).
In my defense, it looks like the Pakistani Rimza.com domain in the example is possibly not Peter’s domain either :p

Thanks, Microsoft – CredSSP error when connecting to a terminal server

Halp ! My RDP connection can no longer connect.

Imagine doing your Windows updates, like a good boy, when suddenly you get this nice little error.

An authentication error has occurred.
The function requested is not supported.
Remote computer : <insert remote desktop server name>

This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

What happened ?

Microsoft recently patched a security issue (in CredSSP) on all recent server OSes.
Every good citizen using the default Remote Desktop client has a big chance of being screwed.

Quick fix –>

Create a DWORD registry entry as follows :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

Even more “lazy mode” –>

Download and unzip the credssp file.

Double-click the REG file after unzipping.

No matter which solution you’ve chosen, reboot the client PC.
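The same registry fix from an elevated PowerShell prompt on the client PC, as an added example that is not part of the post. It also shows the current setting and a function to undo the change: value 2 is the “Vulnerable” setting that lets a patched client fall back to talking to an unpatched terminal server, so the durable fix is to install the CredSSP update on that server and then remove the value again.

```powershell
# Added example (not from the post): the CredSSP registry workaround, with a way back.
# Run in an elevated PowerShell prompt on the CLIENT PC that gets the error.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$name = 'AllowEncryptionOracle'

function Get-CredSspPolicy {
    # 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable, absent = OS default
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { return 'not set (OS default)' }
    switch ($v) {
        0 { '0 = Force Updated Clients' }
        1 { '1 = Mitigated' }
        2 { '2 = Vulnerable' }
        default { "$v = unknown value" }
    }
}

function Enable-CredSspWorkaround {
    # What the post does: value 2 allows this (patched) client to connect to a
    # server that has NOT received the CredSSP update. It is the weakest of the
    # three settings, so treat it as temporary.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
}

function Disable-CredSspWorkaround {
    # Once the terminal server is patched, remove the value again so the client
    # goes back to refusing unpatched servers.
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
}

"Before: $(Get-CredSspPolicy)"
Enable-CredSspWorkaround
"After : $(Get-CredSspPolicy)"
# Then reboot the client PC before retrying the RDP connection, as the post says.
```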

Weird folder properties or invisible mails in Outlook after importing IMAP mails (what’s in a title ?). Say, how much info can you actually cram in this specific title field ? Still not running out of space. Ah well, here’s the post…

Situation sketch

You’ve just imported somebody’s mailbox in a lovely new Office 365 or local Microsoft Exchange Server, coming from a somewhat older system running on IMAP or another cool 80’s-90’s e-mail protocol.

After struggling with all the necessary issues you run into (getting rid of Mozilla Thunderbird, convincing the local Linux user that he should indeed run Windows for him to receive proper support from you, updating everything to the latest released patches, …), you finally get a version of Outlook up and running, with all mails, calendar and contacts.
Also, don’t forget your auto-complete list ! (NO THIS ISN’T YOUR ADDRESS BOOK)

WHEN SUDDENLY one of the following complaints comes your way :

  • I can’t delete a certain folder in my Outlook !
  • One or more of my folders is empty, even though it says “xxx number of items in this folder” !
  • What is “FILTER APPLIED” on the bottom bar of my freshly installed Outlook and why can’t I reset my “Views” in the “Change View” menu ?

In this specific case, after a copy or import from an IMAP mailbox, there’s a big chance that the properties of the folder that houses these mail messages are set to something faulty.

In most of these cases, it’s the so-called Container Class that still thinks that we’re working in an IMAP folder instead of a regular “Note” folder. (I didn’t invent the name)

Solving the actual problem

Before we start, I’d like to add a little disclaimer here, saying you can seriously mess up your mail folders if you just fiddle around without knowing what you’re doing in the software we’ll be using.

This magical piece of software is called “MFCMAPI” and can be downloaded from https://github.com/stephenegriffin/mfcmapi

Can’t find the executable ? That’s normal, it’s GitHub. You’re supposed to become depressed here.

https://github.com/stephenegriffin/mfcmapi/releases is the place to be 😉

I’ve made a personal package for your ease here –> MFCMAPI pack v18.2

Download the version corresponding to your OFFICE VERSION (not your Windows version), 32 or 64 bit, unpack the zipfile and run the package.

  1. Go to Session > Logon
  2. Select your Outlook profile (if any)
  3. Double-click the data store (possibly just one, depending on the rights you have to other mailboxes or extra added PST files)
  4. Expand Root – Mailbox (or whatever it’s called in your Office installed language)
  5. Expand the Top of Information Store or the IPM_Subtree folder
  6. Select Inbox (language-specific name) and browse to the folder containing the problem
  7. Double-click PR_CONTAINER_CLASS in the right column and change the value in the ANSI field to IPF.Note.
    If my predictions were correct, it used to say IPF.IMAP.
    If this is not the case, stop what you’re doing and roll back your changes, as there’s a different issue.

OFFICE 365 MIGRATION (6)

BOOM! Let’s do this.

You didn’t think I was going to let you start a migration process without making you read the detailed “how and why”, did you ?
There are a couple of migration types to keep in mind, where one is easier than the other.
Usually the more difficult one is also the most interesting one, but even this depends on specific needs.

  • Remote move migration
  • Staged migration
  • Cutover migration
  • IMAP migration
  • PST import

The last one (PST) is in most cases forgotten as an official way, since it’s possibly way too simple in Microsoft’s eyes.

As the target audience for this specific blog post is the average Belgian SME with an average of 5 to 20 employees, I’ll stick to the basics in this post.
Another post will cover the heavier subjects in the near future (aka ‘when I feel like it’)

PST Migration (1)

Difficulty level   

Microsoft has this pretty cool tool to either upload PST files to a temporary Azure storage or to actually send them a physical copy by mail (yes, snailmail)

More info on this can be found on https://go.microsoft.com/fwlink/?LinkID=544944

It’s a bit out of the scope of our average situation here, but know that such a method exists.
It will require the use of the program AZCopy, which is well explained in the link above.
Check it out if you want to look like a cool IT guy in the eyes of your customer 😉

(although Powershell is still the way to go if you really want to impress your customer)

PST Migration (2)

Difficulty level   

Being a ton easier and providing more oversight than the PST Migration above, the ‘basic’ PST migration will have the average end-user require/demand your presence more often.

Although remote tools like Teamviewer/LogMeIn/… have made the life of the IT’er a lot easier, there’s got to be a bit of physical contact every now and then. This type of migration will give you the opportunity to sit down and explain Office 365 to your users while the data is slowly uploading through MS Outlook.
Grab some coffee and get your hands dirty, as this type of migration gets you closer to the actual customer’s computer than any other.

Try to avoid using this migration type when the customer has an IMAP mail account you need to move to your O365 tenant, as IMAP often saves the mail headers but not the mail itself, resulting in a very empty mailbox in the end.

Now, how does this process work ?
Pretty easy :

  • First of all, get your mail users to stop using their mail for a while.
    Preferably redirect the mailflow, by use of the MX record we talked about in this post, already 24 hours before starting your PST import, to make sure no trailing mail gets left behind on a mail server you won’t be able to access anymore after migrating.
  • If you’re really sure that the mail is good to go, the easiest way would be to locate the current location of the PST files.
    https://www.msoutlook.info/question/827 explains this quite well.
    Keep in mind that the PST files aren’t always in their default location. Some customers prefer to save their PST files on a network location or redirected folder.
    If you happen to be the IT guy that implemented this specific setup, shame on you. PST files will get corrupted by just looking at them. Placing them in a network drive, will only make things worse.
  • No PST file found ? No problem !
    There’s a possibility that your user has disabled ‘cached mode’ in Outlook (often occurs in cases of local desktop computers in connection with an Exchange Server on that same location)
    In that case you’re more likely to find OST files or something similar.
    The ‘clean’ way to go here is to start a simple PST export procedure in Outlook
    Seeing as reinventing the wheel is not my hobby, here’s the link to the Microsoft article that explains how to do this :
    https://support.office.com/en-us/article/export-or-backup-email-contacts-and-calendar-to-an-outlook-pst-file-14252b52-3075-4e9b-be4e-ff9ef1068f91
    Writing walls of text is one of my hobbies, though ^_^
  • Once you’ve gotten hold of the PST files, there’s a couple of ways to get them in Office 365, but seeing as I already advised to stop your users from using their email for a while, you get to strike while the iron is still hot.
    The easiest way is to create a new Outlook profile.
    Mac users : check this out –> https://support.office.com/en-us/article/manage-profiles-or-identities-in-outlook-for-mac-fed2a955-74df-4a24-bef6-78a426958c4c
    (ooooh it's in Dutch)
    Windows users : Open Control Panel, go to Mail (32 bits or no reference to the number of bits, depending on the version).
    Afterwards, click ‘View Profiles’ and add a new one.
  • The ‘new account’ wizard starts, where you can simply enter your new mail address (given you’re not migrating from a local Exchange server on your own domain – more on this later)
    Outlook will start and an empty mailbox, or even a partly filled one, will appear, depending on whether you changed the MX record already or left it unchanged.
    Eventually, change the default profile to your new O365 one.
  • Thanks again to Microsoft for the following step ; import the PST file again in the correct profile.
    https://support.office.com/en-us/article/import-email-contacts-and-calendar-from-an-outlook-pst-file-431a8e9a-f99f-4d5f-ae48-ded54b3440ac
    If you’re still using the same version of Outlook (and you’ve set your user’s languages to that same language in the O365 portal *cough*), this will be a breeze. Calendar, Contacts (NO NOT AUTOFILL), Tasks, … will be imported.
    No stress (*)
    *actual stress level may vary.
  • Repeat x times where x is the number of computers where Outlook is running the old mailbox.

IMAP migration

Difficulty level  

The difficulty level could vary depending on the version of the IMAP server, but the thought train runs on that same track. (did I just invent a new proverb ?)

First of all, let’s take a look at this schema below, which explains the process of migration quite neatly and in an understandable manner.

Thanks, Microsoft, for this overview.

If you’ve followed our current steps in the previous posts, we’ve already established the steps up to the creation of the mailboxes, which starts us at step 5. Isn’t that tidy ?

You need to create a specific CSV file, that we’re going to use in our migration batch.
Usually it will suffice to use this template, but there are exceptions for Exchange, Dovecot, Mirapoint and a couple of weirder ones.

EmailAddress,UserName,Password
terrya@contoso.edu,contoso\terry.adams,1091990
annb@contoso.edu,contoso\ann.beebe,2111991
paulc@contoso.edu,contoso\paul.cannon,3281986

The exceptions to this layout are discussed at this Microsoft page.

The general idea behind this CSV file is to provide the mailbox address TO which you need to copy the content of the IMAP folder, together with the username and password of the ORIGINAL IMAP mailbox, where the mail is currently residing.

You can start the migration in the O365 Exchange Control Panel, by going to ‘Recipients’ and then clicking ‘Migration’ in the top menu.

Click the little ‘+’ and select ‘Migrate to Exchange Online’

Select ‘IMAP migration’

Upload your CSV file and allow unknown columns

Enter the IMAP server data and means of authentication of your old provider

Pressing ‘Next’ will start the initial setup.

The migration top menu will provide you with more information on how your migration is going. You can click the migration batch and review potential errors or view the overall progress.
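The same batch created from Exchange Online PowerShell, as an added example that is not part of the post and goes a bit further than the clicks above by also pulling the batch status and per-user errors that the Migration menu shows. The IMAP server name, users and passwords are made-up placeholders. Since the CSV holds every user’s old mailbox password in clear text, the example restricts the file to the admin running it and deletes it once the batch exists:

```powershell
# Added example (not from the post): build the CSV, create the IMAP endpoint and
# start the migration batch with Exchange Online PowerShell.
# Server name, mailboxes and passwords below are made-up placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Mailbox TO which the mail goes, plus username/password of the ORIGINAL IMAP mailbox.
$users = @(
    @{ EmailAddress = 'terrya@contoso.example'; UserName = 'terry.adams'; Password = 'Pl4ceholder-1' }
    @{ EmailAddress = 'annb@contoso.example';   UserName = 'ann.beebe';   Password = 'Pl4ceholder-2' }
)
$csvPath = Join-Path $env:TEMP 'imap-migration.csv'
$lines = @('EmailAddress,UserName,Password') +
         ($users | ForEach-Object { '{0},{1},{2}' -f $_.EmailAddress, $_.UserName, $_.Password })
Set-Content -Path $csvPath -Value $lines -Encoding UTF8

# The file contains clear-text passwords for the old mailboxes: strip inherited
# ACLs so only the admin running this can read it, and delete it right after use.
icacls $csvPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R,W)" | Out-Null

# "Enter the IMAP server data and means of authentication of your old provider"
$endpoint = New-MigrationEndpoint -IMAP -Name 'OldProviderIMAP' `
    -RemoteServer 'imap.old-provider.example' -Port 993 -Security Ssl

# "Upload your CSV file and allow unknown columns"; -AutoStart is the 'Next' click.
$batch = New-MigrationBatch -Name 'IMAP-batch-01' -SourceEndpoint $endpoint.Identity `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath)) `
    -AllowUnknownColumnsInCsv $true -AutoStart

Remove-Item $csvPath -Force   # the batch keeps its own copy of the CSV

# Same information as the Migration top menu: overall progress and per-user errors.
Get-MigrationBatch -Identity $batch.Identity |
    Select-Object Status, TotalCount, SyncedCount, FailedCount
Get-MigrationUser -BatchId $batch.Identity |
    Where-Object Status -eq 'Failed' |
    ForEach-Object {
        Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport |
            Select-Object Identity, Error
    }

Disconnect-ExchangeOnline -Confirm:$false
```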

A picture’s worth a thousand words, so I’m guessing a Youtube video will be worth at least “De Leeuw van Vlaenderen” :

Finally, there are some handy links on https://support.office.com/en-us/article/what-you-need-to-know-about-migrating-your-imap-mailboxes-to-office-365-3fe19996-29bc-4879-aab9-5a622b2f1481 to give you tons more info on IMAP migrations.

Things that might will go wrong

Every IT related action has a counter-action that results in something going wrong.
Keep Murphy’s laws in mind, especially the computer-based ones.

  • Oh no! I lost my contacts.
    First of all, wear glasses.
    Second, they’re not your contacts. They’re your autocomplete list in the to-field
    Third, you might have used the global address list instead of your own contact list.
    Still found no contacts ? Have you imported from a different folder language of Outlook ? Check ‘all folders’ and see if you’ve got another ‘Contacts’ folder somewhere (check for specific Contacts icons)
    Also, an IMAP migration does not cover contacts (or calendar or tasks for that matter, import them using the PST method, while excluding mail)
  • My IMAP-imported items cannot be moved/deleted/…
    Prepare for fun in the MFCMAPI tool (2 do : actually writing an article on MFCMAPI)
  • I can’t send an internal mail after the O365 migration.
    Actually, you can, but you’re still using the wrong address in the background.
    Your to-field might say ‘my_colleague@mydomain.com’, but in the background it’s saved this entry as a unique ID (especially when migrating from your own local mail server).
    The solution : delete this user from your address book/autocomplete list and type the address manually.
  • I didn’t have Outlook before migrating. How can I create this new profile you speak of ?
    2 do : tools for migrating from other crappy software
  • My old mails appear in ‘Postvak In’, while my new mail arrives in ‘Inbox’. Also my calendar says ‘Calendar’ instead of what the native language of my Outlook used to be.
    Change your account locales in the webmail version of Outlook.
    How ? Like this –> https://webapps.stackexchange.com/questions/95913/how-do-i-change-the-language-in-office-365s-outlook
  • My PST file will not import (/partly).
    Most common reason is a corrupt PST file. Fix it using the scanPST tool.
    Corruption can happen if you save your PST file on a network drive or if a specific mail is being a d*ck. ScanPST will solve this.
    An often overlooked reason could also be not having enough space in your new O365 mailbox. In this case you might have to upgrade the O365 subscription for this specific user with extra space or clean up the mailbox before doing the export to a PST file.
  • Very big mails don’t get IMAP-migrated.
    This is normal. IMAP migration supports mails of up to 35 MB each.
  • I had a sh*tload of mails in my old IMAP folder and now some of them are missing.
    If you had over 500.000 mails in your old IMAP box, this is bound to happen, as the maximum number of items you can migrate in one batch is 500.000
  • Migrating from Google to O365 is constantly failing. What am I doing wrong ?
    You haven’t google’d enough.
    No, seriously, there’s a security setting you must turn on in your Google Security Settings :

    You’ll find this here : https://myaccount.google.com/security?pli=1#signin