Technical Exchange bLog

You installed Exchange 2016 on top of Windows 2016 and when you try to access ECP or OWA with newest Google Chrome you get an error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

All works well in Internet Explorer. The reason behind this are obsolete (security) protocols used by default. One option is to change settings in Windows registry, but my suggestion is to download a free copy of CryptoIIS from Nartac Software, run it on the server and press Best practices button then Apply. After restarting the server there will be no ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error and your server will be a little bit more secured :)

When you install Microsoft Exchange 2016 on Windows 2016 server it is suggested to add some exclusions to Windows Defender. Since the list is quite large, use PowerShell to add exclusions. Exclusion list can be found at https://technet.microsoft.com/en-us/library/bb332342(v=exchg.160).aspx

SECURITY PRECAUTION - Don't just blindly copy below commands and exclusions but check them. If anyone manipulated the below list on this site without my knowledge you will end adding exclusions you don't want to have.

Run PowerShell on Windows 2016 Exchange 2016 server as administrator.Add Folder Exclusions
Set-MpPreference -ExclusionPath $env:SystemRoot"\Cluster",$env:ExchangeInstallPath"ClientAccess\OAB",$env:ExchangeInstallPath"FIP-FS",$env:ExchangeInstallPath"GroupMetrics",$env:ExchangeInstallPath"Logging",$env:ExchangeInstallPath"Mailbox",$env:ExchangeInstallPath"TransportRoles\Data\Adam",$env:ExchangeInstallPath"…

You might find the attachments are being stripped from some email entering your organization despite recipient and sender domain have been added to the "whitelist" in Sender ID Agent.

Agents on Exchange Edge server are as follows:


Each of the agents has its own priority, meaning which of the agent will be first, second, third,... in line to filter. Filters take precedence over another just in case spam is found.

For example: If Connection Filtering Agent finds spam (connection verification fails) it discards the message and none is processed any further. If the message passes Connection Filtering Agent it then goes to Address Rewriting Inbound Agent, which is next on priority list etc.

So, if we put a recipient to BypassedRecipients list in Sender ID Agent, it will be bypassed only for Sender ID Agentfilter and not for example Attachment Filtering Agent.
As per Microsoft. "The BypassedRecipients parameter specifies one or more SMTP email addresses. Messages bound for the…

Go to http://spamcannibal.org/cannibal.cgiIn the right side menu click Lookup IPEnter mail server IP address into the field and click Lookup IPCheck why you got listed in the first placeIf your mail server is missing PTR (reverse DNS) record, add itIf other problem resolve it firstIf the problem is resolved go again to http://spamcannibal.org/cannibal.cgiClick Contact in the right side menuScroll to the bottomEnter your IP addressEnter your EmailDescribe why you got listed and what you did to solve the problemSubmit NOTE: Don't try to get de-listed from any blacklist BEFORE you solved the problem added you to the blacklist in the first place

You might find messages staying in queue on your email server (mixed environment 2007/2010 Exchange) and Error showing:

451 4.4.0 Primary target IP address responded with: "23500000870YIIGUAYJKoZIhvcSAQICAQBuggY/MIIGO6ADAgEFoQMCAQ6iBwMFAAAAAACjggTEYYIwDCCBLygAwIBBaEPGw1JTkNPSVMuR09WLklOoigwJqADAgECoR8wHRsHU01UUFNWQxsSTUFJTC5pbmNvaXMuZ292Lmluo4IEeDCCBHSgAwIBEqEDAgFMooIEZgSCBGIjDRqyadXg4Y1GQAcMZKo9KfI/2l1JPauKHPjVxyi3sP+6PV8wXjzRn36QjnIsLu7OPtzWDRkJBR/VFnJMLT3wTpg0uEe4eAr7kAgJ+mo4vbuFdlYb+ns23tnLO2kyt3dfXgrPF5Ulm4C6me734JrfOrkT51UCliUMKmlcDAhcPEmDUagjCg9XmLatKNTn41sFZktRjFs8bXexAacl/Wil+gFI5qZbh9nrs922FUoLhmX1U7dS6xiyH2VHaxCAodcbNh14apN/rK0SvjQZi+L2bO2RSF3Rx5LO4zAPfn9LAlNQRwQo8U8NR7J1JACBUwe3t3InTRA0TXyJNCxVGZBM5QjgeJFgBRN6pqa6jZyT7tUgURrG1fHFs4fV77jyxgKjxcrUdc5n7MWT77sfLlb4Ao5HJukOnWlBVUyoDCDvVarc+8/5VJdWFxnNUkohaVUPnDYMMGiGsadDYy39omsSasFkLShLqE7vBGx3WdsvQQnH2kOTwS4mfbWsuulDUfgHOoBg4AW/fB1oxCUT5E3/siLDdurZX/LEjSCmwxbtzzLJ9IGhAlMb+WUUhlZiNb2mn3pZAUlQnDip0ZkXi2nYm71FaTnBb1chScpnpBJ…

By default, NDR (5.4.4) of an email sent to a user with non-existent domain is sent to postmaster's mailbox. If you want your users to get NDR when they send email to a wrong email address (domain in this case), you need to remove 5.4.4 code from Transport Configuration.

In Exchange 2010:


go to Organization > Hub transport > Global settings > Transport settingsremove code 5.4.4 from the list

In Exchange 2013/16
Get-transportConfig to check settingsFind GenerateCopyOfDSNFor and the codes (if 5.4.4 is on the list)Example: {5.4.8, 5.4.4, 5.4.6, 5.2.4, 5.2.0, 5.1.4}Copy ALL codes (from bracket to bracket)Paste into NotepadRemove 5.4.4 from the list (remove 5.4.4, )Set-transportConfig -GenerateCopyOfDSNFor "5.4.8, 5.4.6, 5.2.4, 5.2.0, 5.1.4" Users will get NDR immediately.