Event ID 3

KB ID 0000341 

Problem

Event ID 3

Source: SystemServiceModel

Error: WebHost failed to process a request. Sender Information.

Exception: System.ServiceModel.ServiceActivationException: The service ‘/EWS/exchange.asmx’ cannot be activated due to an exception during compilation.  The exception message is: Security settings for this service require ‘Anonymous’ Authentication but it is not enabled for the IIS application that hosts this service.. —> System.NotSupportedException: Security settings for this service require ‘Anonymous’ Authentication but it is not enabled for the IIS application that hosts this service.

It’s simple permissions error in IIS.

Solution

1. Locate the Virtual Directory in the error message, in the example above that the EWS virtual directory. (Exchange Web Services).

2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager > Expand Sites > Default Web sites > locate the problem virtual directory > Select it then open authentication.

3. Make sure “Anonymous Authentication” is set to enabled.

4. Then restart web services, click Start > in the run/search box type cmd{enter} > Execute the following command,

[box]iisreset /noforce[/box]

Related Articles, References, Credits, or External Links

NA

SBS – No Incoming Mail ‘421 4.3.2 Service not available’

KB ID 0000803

Problem

While testing mail flow on a new SBS 2011 Server, outbound mail worked fine, but no mail would flow in. When I attempted to Telnet in from a remote host this was what I saw;

421 4.3.2 Service not available
Connection to host lost.

Solution

Normally I’d expect to see an error like this if the Exchange ‘Receive Connector’ was misconfigured, (if you’re not using SBS 2011 create a new default receive connector and make sure there are no firewalls in the way).

If you are using SBS 2011 you need to run the ‘Connect to the Internet’ Wizard (seriously!)

After this check inbound mail flow again.

Related Articles, References, Credits, or External Links

NA

Allow a Server to “Relay” Through Microsoft Exchange

KB ID 0000542

Problem

Back in the early days of email, just about all mail servers let you relay mail though them. That was fine until someone worked out you could then get someone else to send out your “spam”, and they would look like the guilty party. Even today people misconfigure their Exchange servers and make them an open relay.

But what happens if you have a particular server or machine that you want to let use your Exchange server as a relay? e.g. a Linux server that sends mail, or a SQL server running SQLMail? Then you need to allow relaying from either that IP address, or the network it’s on.

Allow Relay from an IP with Office 365 (Exchange Online)

Allow Relay from an IP with Exchange 2016 & 2013

Allow Relay from an IP with Exchange 2010

Allow Relay from an IP with Exchange 2007

Allow Relay from an IP with Exchange 2003

Allow Relay from an IP with Exchange 2000

Solution

Allow Relay from an IP with Exchange 2010 and 2007

1.From the Exchange Management Console > Server Configuration > Hub Transport > New Receive Connector.

2. Give the connector a name and select Custom > Next.

3. Next.

4. Add > Add in the IP address(s) or network you want to allow relay from > OK.

5. Select the 0.0.0.0 255.255.255.255 entry and click DELETE.

Warning: Leaving this entry in will make your Exchange Server an Open Relay. (Note: This does NOT mean that your default connector is an “Open Relay” as this uses “authentication”

6. Next.

7. New.

8. Finish.

9. Select your new connector then right click > Properties.

10. On the Permission Groups tab ensure “Exchange Servers” is selected.

11. On the Authentication Tab > Tick “Externally Secured (for example with IPSEC).” > Apply > OK.

Allow Relay from an IP with Powershell

The following Powershell does the same as above;

[box]New-ReceiveConnector -Name “Server2 Allow Relay” -usage Custom -Bindings ’0.0.0.0:25′ -RemoteIPRanges 172.16.254.207 -server DC2A – -permissiongroups ExchangeServers -AuthMechanism ‘TLS, ExternalAuthoritative’[/box]

Allow Relay from an IP with Exchange 2003 and 2000

1. Launch Exchange System Manager > Administrative Groups > Administrative group Name > Servers > Servername > SMTP > Right click Default SMTP Virtual Server > Properties.

Note: If you can’t see administrative groups right click the top level (in this case “First Organization (Exchange)) and tick the box to show administrative groups.

2. Access Tab > Authentication > Ensure “Anonymous Access” is enabled.

3. Click Relay > Ensure the default of “Only the list below” is selected > Add.

4. Add in the IP addresses(s) networks or domains you want to allow ‘relaying’ from > OK.

5. OK > Apply > OK.

 

Related Articles, References, Credits, or External Links

Exchange – Are you an Open Relay?

CentOS – Install and Configure a TFTP Server

KB ID 0000998

Problem

I needed to back up a Cisco firewall, and perform an upgrade remotely, despite my best efforts to use the ASDM and update via http, I had to go ‘old school’ and bring up a TFTP server on one of my CentOS Linux servers.

Solution

1. Log onto the server and install the xinetd TFTP Server. Execute the following command and follow the on-screen prompts.

[box]Using username “root”.
Last login: Thu Aug 7 17:58:10 2014 from midd-8.cable.virginm.net
[root@Web-Test ~]# yum install tftp tftp-server xinetd[/box]

2. Now you need to edit the config file, here I’m using nano, but you could use vi as well.

[box][root@Web-Test ~]# nano /etc/xinetd.d/tftp[/box]

3. When you open the file it will look like this;

[box]

# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.  The tftp protocol is often used to boot diskless
#       workstations, download configuration files to network-aware printers,
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = yes
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}  

[/box]

4. Edit the file and save it, so it looks like this;

[box]

# default: off
# description: The tftp server serves files using the trivial file transfer
#       protocol.  The tftp protocol is often used to boot diskless
#       workstations, download configuration files to network-aware printers,
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /var/lib/tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

[/box]

5. Set the permissions on the tftp folder.

[box][root@Web-Test ~]# chmod 777 /var/lib/tftpboot[/box]

Note: if you run SELinux you may also need to execute the following command, ‘setsebool -P tftp_anon_write 1‘.

WARNINIG: This enables anonymous access on the TFTP root folder, if your server is public facing and not firewalled, then I would suggest you do what I do, (stop and start the service manually, and only open the firewall for TFTP when you need to use it – see below).

6. If you use iptables as a firewall, you will need to open the TFTP port (UDP Port 69).

[box][root@Web-Test ~]# iptables -I INPUT -p udp –dport 69 -j ACCEPT[/box]

7. Start the xinetd service.

[box][root@Web-Test ~]# /etc/init.d/xinetd start
Starting xinetd:[ OK ][/box]

8. If you want the service to always be running, (see my warning above) then use the following command.

[box][root@Web-Test ~]# chkconfig xinetd on[/box]

9. Let’s give it a test, from my Cisco device lets see if I can backup the config to this server.

[box]

Petes-ASA# copy run tftp

Source filename [running-config]?

Address or name of remote host []? 123.123.123.123

Destination filename [running-config]?
Cryptochecksum: 9d4006ed 0bb1d39c fe61da22 91222a76
!!!
9284 bytes copied in 2.130 secs (4642 bytes/sec)
Petes-ASA#

[/box]

10. I could SSH into the server and change to the /var/lib/tftpboot directory and see the file. But I’ve got WinSCP installed so I can view the backup with that.

11. Let’s see if we can copy a file off the TFTP server back to the firewall.

[box]

Petes-ASA# copy tftp flash

Address or name of remote host []? 123.123.123.123

Source filename []? asa915-k8.bin

Destination filename [asa915-k8.bin]?

Accessing tftp://123.123.123.123/asa915k8.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa915-k8.bin…
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27113472 bytes copied in 845.110 secs (32086 bytes/sec)
Petes-ASA#

[/box]

12. Now unless you are leaving xinetd running lets turn it off.

[box][root@Web-Test ~]# /etc/init.d/xinetd stop
Stopping xinetd: [ OK ][/box]

13. If you are running iptables and have opened the TFTP port I like to close that as well.

Note: It its possible to see that that port is open even if there is no service running on it, that’s why I close it down.

[box][root@Web-Test ~]# iptables -D INPUT -p udp –dport 69 -j ACCEPT[/box]

Related Articles, References, Credits, or External Links

NA