Category: Rules


You run the Exchange 2007 BPA and you get a warning for Disable MAPI Clients.

Disable MAPI Warning


This warning is not a huge deal, as it has been present on my production Exchange server for months without causing issue. I HATE error messages though, and I am now getting around to getting rid of it.

You could go read the lengthy Technet article (linked here) or you could skip all the explanation and just fix it. Read on…

What this setting does is tell Exchange which versions of Outlook can connect to it. I have the pleasure of installing all of the office clients, so I know the lowest version of Outlook is 2007. I also know no one in the office connects to Exchange from Outlook at home (VPN or RPC over HTTPS) that is lower than 2007. So why would I let outdated clients such as 97, 98, 2000 or 2003 connect? I wouldn’t!

A list of client version numbers is here.

Warning: If you have older clients that connect using Outlook 2003 or 2k, you might not want to follow my advice.

Let’s see what sort of clients connect right now. Open up Exchange Management Shell. It will be in the Start Menu, under All Programs > Exchange Server 2007.

Once it’s open, you need to navigate to the folder that has the scripts in it. Type in: cd "C:\Program Files\Microsoft\Exchange Server\Scripts" and hit enter (leave the quotation marks on). Now type get-logonstatistics

Logon


You get a long page, so let’s put it in a text file to decipher by adding > c:\logon.txt. Reading the file tells us nothing, at least to me anyhow. I blocked out the names to save identities.

So, I’ll look another way. I’ll navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry value in regedit and read the value for DisableMAPIClients.

Mine is set to 0.0.0-5.3164.0, which is the default. I would like to restrict everything before Outlook 2007. So, reading the Technet article leads me to this value:

0.0.0-5.65535.65535;8.02.4-11.65535.65533

Warning: Back up all changes to the registry before you make them. Save the file with the date on it. If you break your box, it’s not my fault- registry changes can be dangerous.

I notice though that my Exchange does not want me to block version 8.x.x. So I will change that value to the lowest in the 9.x.x range there is, which gives me:

0.0.0-5.65535.65535;9.0.2711-11.65535.65535

This is telling Exchange to block ALL MAPI access from clients up to Outlook 2007, including Outlook 2003 SP3, excluding ESA and Outlook 2007, 2010. This excludes a few numbers between 5.x.x and 9.x.x. This is because the Exchange System Attendant components use these numbers, so do not restrict them. I’ll paste that value in the registry key.
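A check worth running before pasting a new value into the registry, as an added example that is not part of the original post: it parses a blocking value and reports which versions fall inside a blocked range. It assumes the value is a semicolon-separated list of low-high ranges with three numeric components each, as in the values quoted above; the function names and the sample versions are constructed for illustration.

```powershell
# Added example (not from the original post): evaluate a "Disable MAPI Clients"
# style value. Assumes ';'-separated low-high ranges of three numeric components.
function ConvertTo-MapiNumber([string]$Version) {
    $parts = $Version.Trim().Split('.')
    if ($parts.Length -ne 3) { throw "Expected three components in '$Version'" }
    [long]$n = 0
    foreach ($p in $parts) {
        $c = [int]$p                      # "02" parses as 2; non-numeric text throws
        if ($c -lt 0 -or $c -gt 65535) { throw "Component out of range in '$Version'" }
        $n = $n * 65536 + $c              # pack so numeric order equals version order
    }
    return $n
}

function Test-MapiVersionBlocked([string]$Setting, [string]$Version) {
    $v = ConvertTo-MapiNumber $Version
    foreach ($range in $Setting.Split(';')) {
        if ($range.Trim() -eq '') { continue }
        $ends = $range.Split('-')
        if ($ends.Length -ne 2) { throw "Expected low-high in '$range'" }
        $low  = ConvertTo-MapiNumber $ends[0]
        $high = ConvertTo-MapiNumber $ends[1]
        if ($low -gt $high) { throw "Range is reversed: '$range'" }
        if ($v -ge $low -and $v -le $high) { return $true }
    }
    return $false
}

# The three values quoted in the post: the default, the TechNet one, the final one.
$settings = @(
    '0.0.0-5.3164.0',
    '0.0.0-5.65535.65535;8.02.4-11.65535.65533',
    '0.0.0-5.65535.65535;9.0.2711-11.65535.65535'
)
# Constructed sample versions: 6.x and 8.x stand for the System Attendant identifiers
# named in the BPA message, 11.x for Outlook 2003, 12.x for Outlook 2007.
$versions = @('5.3164.0', '6.0.0', '8.0.0', '8.2.4', '8.65535.65535', '11.0.0', '12.0.0')

foreach ($s in $settings) {
    "Setting: $s"
    foreach ($ver in $versions) {
        $state = 'allowed'
        if (Test-MapiVersionBlocked $s $ver) { $state = 'BLOCKED' }
        '  {0,-16} {1}' -f $ver, $state
    }
}
```

Any 6.x or 8.x line reported as BLOCKED means the value would cut into the range the System Attendant uses, which is what the second value does from 8.2.4 upward.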

 
Regedit

Close out regedit and see what BPA warns you about now. The message now reads:

Some versions of MAPI clients are blocked on server SOLACESERVER.solace.local. Verify that version ‘6.x.x.x’ and version ‘8.x.x.x’ clients are not blocked as the Microsoft Exchange System Attendant process uses these version identifiers for performing server functions. Current MAPI blocking setting: 0.0.0-5.65535.65535;9.0.2711-11.65535.65535.

That’s correct then, as our warned numbers are excluded. Safely hide this message from all instances. If you have client connection problems, you can change this value in the future.

Today I will set up an email disclaimer. Taken from the HIPAA regulations guidelines for Protected Health Information (PHI), there are specific sets of disclaimers that must be employed depending upon the mail’s contents. For all company email, a disclaimer must be added to the bottom, stating “The materials in this email are private and may contain Protected Health Information. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying, distribution or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via (123) 123-1234 or return email.”

We will set this one up first. Open up Exchange Management Console, and click Hub Transport under Organization Configuration. Then click the Transport Rules tab. Click New Transport Rule.

Name it something appropriate- in my case it is named HIPAA Disclaimer.

I want this disclaimer set to only appear on new emails sent to people who don’t work in the company- people inside the company KNOW the emails are sensitive.

So I select from user inside or outside the organization and sent to users inside or outside of the organization.

Edit Transport Rule


In the lower window I then click the blue links in each subject, and change the from sentence to inside, and the to sentence to outside. This rule now only applies if someone from my domain mails someone not from my domain. Click next (you might add more conditions if you wish).

Under actions, select the check box for append disclaimer text using font, size, color, with separator and fallback to action if unable to apply. Now click the blue link at the bottom. We will leave append as append, and change the disclaimer text to our disclaimer. Make sure once you enter your text you copy it to the clipboard, you’ll need some of it in a second. Personally, I also check the box that says send a BCC to address. I do this for compliance- one copy of every email gets sent to a mailbox I have set up named general correspondence. This email is kept for 2 years, and potentially contains confidential information. I also changed the color and font size of the disclaimer, though that is completely up to you.

Click Next. Exceptions- these are things that will prevent the rule from completing. I select except when the text specific words appears in the subject or body of the message… I click specific words, and enter in the value of our disclaimer, which I copied from the transport rule. This tells Exchange to not append this disclaimer if it already exists- it will display only once in each conversation. Cool. NOTE: For the sake of explanation, I also check the box except when message is marked as importance, and change the importance to Importance High. This will not apply to most people with a simple disclaimer, and I will explain in a few moments.

Click next and update, and you are done.

Now, the reason I made the additional BCC rule and exception: HIPAA requires that we have a disclaimer on all email, appended. They also require that we PREPEND the same disclaimer if the message DOES contain PHI. This situation can apply to any business, it does not have to be healthcare. So, to comply, let’s make our second rule. It is going to be nearly the same, except for a few selections.

Edit Actions


Create a new rule, I named it PHI. The same to and from rules are selected- in addition I select the condition and marked with Importance High. I click next and add prepend the subject with string and for the value I put Protected Health Information:. This makes this the beginning of the subject line on emails to which this applies. I also select apply message classification, and change that to ExCompany Confidential. I then select append disclaimer text using font blah blah. On the bottom, I add the same disclaimer text as before, but this time I change the word append to prepend. I also change the color to red. Then complete the rest of the steps the same as above- I even Bcc a different mailbox (named PHI correspondence), which gets retained for 4 years.

Total, these two rules do the following:

When emailing someone outside the company, a disclaimer is added, the email is saved.

When a user marks the message as High Importance, a different disclaimer is added to the top, PHI is added to the subject, and the email is saved in a different mailbox.
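How the two rules interact on different messages, as an added illustration that is not part of the original post and is not Exchange code: a small model of the conditions and exceptions described above, run over constructed sample messages. It assumes the PHI rule carries no exceptions of its own and matches the disclaimer by its opening words; the function and field names are hypothetical.

```powershell
# Added illustration: a model of the two transport rules, not Exchange cmdlets.
$DisclaimerWords = 'The materials in this email are private'  # opening words of the disclaimer

function Get-RuleOutcome($Msg) {
    # Condition shared by both rules: sender inside the organization, recipient outside.
    $outbound = $Msg.FromInside -and -not $Msg.ToInside
    $high     = $Msg.Importance -eq 'High'
    $hasWords = ($Msg.Subject + ' ' + $Msg.Body) -like "*$DisclaimerWords*"
    $out = @{ Rule = 'none'; Subject = $Msg.Subject; Disclaimer = 'none'; Bcc = 'none' }
    if ($outbound -and $high) {
        # "PHI" rule (assumed to have no exceptions).
        $out.Rule = 'PHI'
        $out.Subject = 'Protected Health Information:' + $Msg.Subject
        $out.Disclaimer = 'prepend'
        $out.Bcc = 'PHI correspondence'
    }
    elseif ($outbound -and -not $hasWords) {
        # "HIPAA Disclaimer" rule. Its exceptions (disclaimer words already present,
        # or importance High) stop the whole rule, including the BCC action.
        $out.Rule = 'HIPAA Disclaimer'
        $out.Disclaimer = 'append'
        $out.Bcc = 'general correspondence'
    }
    return $out
}

# Constructed sample messages.
$samples = @(
    @{ Name = 'internal only';        FromInside = $true; ToInside = $true;
       Importance = 'Normal'; Subject = 'Lunch';    Body = 'See you at noon.' },
    @{ Name = 'new mail to outside';  FromInside = $true; ToInside = $false;
       Importance = 'Normal'; Subject = 'Invoice';  Body = 'Attached.' },
    @{ Name = 'reply quoting footer'; FromInside = $true; ToInside = $false;
       Importance = 'Normal'; Subject = 'RE: Invoice'; Body = "Thanks. > $DisclaimerWords and may contain" },
    @{ Name = 'high importance out';  FromInside = $true; ToInside = $false;
       Importance = 'High';   Subject = 'Lab results'; Body = 'Results enclosed.' }
)

foreach ($m in $samples) {
    $o = Get-RuleOutcome $m
    '{0,-22} rule={1,-17} disclaimer={2,-8} bcc={3,-23} subject={4}' -f `
        $m.Name, $o.Rule, $o.Disclaimer, $o.Bcc, $o.Subject
}
```

In this model the third sample, a normal-importance reply that already quotes the disclaimer, matches the first rule's exception, so the BCC copy is skipped along with the disclaimer.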

There are better things to do to retain email, but this works for me. Asking my users to categorize every email they interact with or move emails into public folders for retention does not work- I tried. This is the most simple solution I could come up with to categorize general and administrative emails for eDiscovery.

A GREAT article can be found here at MSExchange with more screenshots.

Introduction

This blog is a simple list of changes I make to keep a Microsoft Small Business Server 2008 and accompanying network up and running. While I do not consider Microsoft, nor any of their software to be actually “stupid”, anyone who has ever worked on anything Microsoft certainly understands the ease with which a person can break their functionality. This is my specialty. Throughout this blog I will document many system changes, both custom and necessary out of the box changes. It will include OS, software, hardware, and workstation changes. These changes should and will encompass a wide variety of topics to include:

  • DNS
  • DHCP
  • Active Directory
  • Exchange 2007
  • WSUS
  • Windows Backup
  • WSS 3.0 on IIS 7.0
  • Sharepoint Customization
  • SQL Server Express 2005
  • Windows 7, Vista, and XP
  • Network peripherals such as printers, routers, and switches

Not only will these posts document my troubleshooting and error correcting process, but they will provide links to other sites with answers, or useful posts on help forums. While I do not promise that any of these posts will be accurate, I can assure you that to the best of my ability I am solving common and complex errors that might affect any user of any Microsoft product.

Please allow credit where credit is due. I publish references and links to this site as a means of spreading information, without intent to infringe or harm. Feel free to contact me with any problems.
