Question for you Al, are you aware of any valid reasons for duped proxy addresses? MS says they shouldn't be duped period. But just curious if someone found some hack that seems to work to do this or that. I don't mean just dupes of primary, I mean any dupes at all.
>>>I can think of absolutely no reason for a duplicate address of any type. That would be the equivalent of duplicating your 10 digit phone number and expecting the CO's to route properly. Not going to happen. To try to do otherwise would be folly in the SMTP world (Exchange is SMTP based now, so it counts).
Also is there a comprehensive list of the valid proxyaddress types like smtp, ms, ccmail, profs, snads, etc. I have seen some very different interesting ones lately.
>>>As Michael said, you can customize your implementation with additional proxy address types such as the CISCO additions. There are all types of implementation rules that should be followed and they're doc'd in the SDK or Exchange and on MSDN. Your program could conceivably read that information from the directory and base the logic on that. In other words, you could enforce what you find there and the syntax it requires. As long as they wrote it well of course :)
Is there a good doc on SMTP address validity checking? I looked at one RFC but that is one of the more confusing RFCs I have read, don't recall which it was but the valid chars were on I think pages 8/9.
>>>The RFC's and the MSDN/KB docs (we're talking about Exchange right?) are the ones that count. When in doubt, MSDN/KB trumps the RFC although I would argue that if you let your company talk on the internet you should follow the least common denominator which is the RFC. That prevents fun problems with foreign mailers. Pretty much anything with 8-bit ASCII or 7-bit ASCII (included mostly in 8-bit right?) would be a valid character, and pretty much anything with at least a RHS and LHS of a mail address separated by "@" or "!" should be considered valid. The docs have the details though.
You would think this would be better in a day and age when spam is so prevalent and many mailers (qmail for example) try to check for valid addresses. Syntax checking should be so easy for them to check prior to checking for a valid recipient. It's also in the Sendmail code to check in the routing and I would guess that Exchange does the same rather than look for an absolute match first. The UA often makes some checks as well, so you may find something useful if you dig in those docs (evolution might be good since it's open source).
Any docs on valid x500/x400 values?
>>>The ITU is the keeper of the X.400 documents last I checked. This might be helpful for syntax checking though http://www.itu.int/itudoc/teltopic/x400/20656.txt (don't laugh, I know it's about a business card :)
X.500 are going to be a PITA because they should be limited use (mailers like them for migration scenarios but there are other uses where it MIGHT be useful I suppose) or coexistence usage. It would be best not to keep them any longer than you need to anyway. You'll also have issues with the UTF-8 representation I would guess (I haven't looked deeply into that), but otherwise X.500 and LDAP syntax are pretty much the same. You'll see plenty of RFC's that cross that up and blur the line between the two which is fair since LDAP was originally a way to get a PC to access X.500 DAP directories anyway. I would suggest a shortcut here and only go after the SDK docs for Exchange that deal with X.500 addresses. Should be some good cracker in the SP1 migration docs I would imagine. That's the scenario you'll most likely see it used and I believe they made some last minute changes to that in SP1.
End of the day, it's a tough nut to crack because of the ambiguity and unique integration properties of Exchange. Part of what makes it such a great product also makes it tough to manage. This can be done for individual sites with known boundaries, but to make it useful for many users, I think some ability for customization and some reading of the existing attributes at run time are needed. (Note that all of the address types are supposed to be registered with the server so it knows what to do with them. Did I say that twice in this email?? :)
Al
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Thursday, November 04, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ProxyAddress Verification Tools
Just a quick comment: Microsoft allows vendors to create their own proxy types. Cisco has a couple, for example, that are installed when you install their VoiceConnector and BridgeConnector. I don't know if they are supposed to be registered or not, though. I would hope so.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, November 04, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ProxyAddress Verification Tools
1. No argument. This could be internally generated, people issues, or at the widget factory we once saw a real fun issue with something the ADC was doing which really dorked the proxyaddresses on us for x.400 once.
2. Agreed.
The blank smtp proxyaddresses I was told by MS could cause some weird NDRs.
I didn't get any more info than that. I don't really know the backend tech details on what they do with the proxyaddresses and more importantly exactly how they do it. Implementation details on the use of proxyaddresses would be nice, including queries against them etc.
Question for you Al, are you aware of any valid reasons for duped proxy addresses? MS says they shouldn't be duped period. But just curious if someone found some hack that seems to work to do this or that. I don't mean just dupes of primary, I mean any dupes at all.
Also is there a comprehensive list of the valid proxyaddress types like smtp, ms, ccmail, profs, snads, etc. I have seen some very different interesting ones lately.
Is there a good doc on SMTP address validity checking? I looked at one RFC but that is one of the more confusing RFCs I have read, don't recall which it was but the valid chars were on I think pages 8/9.
Any docs on valid x500/x400 values?
I am definitely looking from the report side versus the autofix side.
Autofixing this stuff would almost certainly not be a good thing though I expect I would get requests of how about just fixing it when you find it versus just saying something which is what I get with gcchk (lingering object detection). Some things I am a bit leery to muck with.
The last random thoughts are good and I was thinking along those lines but that would be a ways out, looking for a way to quickly identify the basics right now.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, November 04, 2004 7:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ProxyAddress Verification Tools
Those are good boundaries. I'd say that if you have that kind of garbage two things are likely true:
1) you have a bad process somewhere that needs to be cleaned up
2) if you write a tool, it needs to be customizable for the site that's using it. Most sites will have their own customizations of what's correct and what's not.
In the case of a tool that checks this, you would want to have a base of correctness and then customizations on top of that. i.e. properly formatted SMTP addresses wherever found, duplicates among primary or any proxy-addresses or both, character checking (multi-language?)(should be able to handle both 2821 and 821 specs for legacy reasons) would be examples of base-level function.
Blank proxy-addresses? You might report it, but that's necessarily any more than bloat so action may not be worth it. Maybe an option?
Adding an option to export the information or logging it in a way that it's easily put back if they find out they still have old dec mailers around would be good ;)
Keep in mind that per RFC 6. Invalid smtp address format like [EMAIL PROTECTED]@joeware.net [EMAIL PROTECTED]@joeware.net is not invalid.
It may not be a great idea, but it's compliant and should be allowed.
There's also other combinations that are possible that in practice people shouldn't do. For legacy reasons they might need it but really should just get a report about it vs fixing it.
Just some random thoughts Joe. It would be nice to have something that checks for dups and format as long as the format is configurable in a pattern matching way (such as [EMAIL PROTECTED] would be looking for [EMAIL PROTECTED] addresses and would check that with the users sn, and givenname field values etc.)
Al
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, November 03, 2004 7:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ProxyAddress Verification Tools
Verify as in verify that garbage isn't in the proxyaddresses field. What does that mean to me?
Things I have commonly seen
1. Values that mean nothing (i.e. value but no label), like say the whole value is @domain.com or alice or something else silly.
2. A label but no value, like SMTP: or X400:
3. Duped labels like X400:X400
4. Duplicate addresses, x400 or smtp or ms or ccmail or ? Any dupes are bad.
At the Widget factory we had 50+ conference room mailboxes sharing x400 addresses that were migrated from 5.5, it was a mess. Whether that was due to the special provisioning and such or something in the migration I never heard and not sure anyone figured it out, I identified them, they fixed them.
5. Invalid characters in smtp addresses like spaces, unicode, special characters.
6. Invalid smtp address format like [EMAIL PROTECTED]@joeware.net or joe@
7. Invalid x400... Though this one I have had to do manually in terms of what the proper values for the pieces are, would like to work that out programmatically as well to make it more generic. Also what characters aren't valid for x400?
Then there is bloat, like having SNADS or PROFS or CCMAIL or MSMAIL entries and you only have Exchange email.
Most of this could be attributed to provisioning systems gone bad or bad scripts or people just putting garbage in through interfaces that allow it (proxyAddresses is simply a MV attribute in AD). I wouldn't put it past the system in various versions making a mistake and putting something there. I haven't known of anything in particular doing it but have run into occasions where there was no other simple explanation and could never be duplicated using any methods allegedly being used.
I don't think the best practices analyzer does it though I should positively rule it out.
It seems as a rule AD tends to get messy as most people aren't looking at cleaning it up. The Exchange attributes seem to be even more ripe in some environments because people are positively afraid to touch anything in the Exchange attributes.
joe
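An added example, not code from any poster in this thread: a report-only Python checker for the categories in joe's list above (no label, empty value, duped label, bad SMTP characters or format, duplicates), following the report-rather-than-fix approach he and Al both favour. The sample directory data, the issue names and the simplified SMTP pattern are assumptions to be replaced by site-specific rules.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the thread): DN -> proxyAddresses values.
SAMPLE = {
    "CN=alice,DC=example,DC=com": ["SMTP:alice@example.com",
                                   "smtp:a.smith@example.com", "X400:"],
    "CN=bob,DC=example,DC=com": ["SMTP:bob@example.com",
                                 "smtp:Alice@Example.com", "@example.com"],
    "CN=room1,DC=example,DC=com": ["X400:X400:c=US;a= ;p=Example;s=Room1;",
                                   "smtp:room 1@example.com",
                                   "smtp:room@one@example.com"],
}

# Assumption: a simplified dot-atom pattern, stricter than the RFCs
# (no quoted local parts); a site would substitute its own rule here.
ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
SMTP_RE = re.compile(rf"^{ATOM}(\.{ATOM})*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def check_value(value):
    """Return a list of issue names for one proxyAddresses value."""
    label, sep, addr = value.partition(":")
    if not sep or not label:
        return ["no-label"]            # e.g. "@domain.com" or "alice"
    if not addr:
        return ["empty-value"]         # e.g. "SMTP:" or "X400:"
    if addr.upper().startswith(label.upper() + ":"):
        return ["duped-label"]         # e.g. "X400:X400:..."
    if label.upper() == "SMTP":
        if not addr.isascii() or any(c.isspace() for c in addr):
            return ["smtp-bad-chars"]
        if not SMTP_RE.match(addr):
            return ["smtp-bad-format"]
    return []

def audit(directory):
    """Report-only audit: returns sorted (dn, value, issue) tuples."""
    findings, seen = [], defaultdict(list)
    for dn, values in directory.items():
        for value in values:
            issues = check_value(value)
            findings += [(dn, value, issue) for issue in issues]
            if not issues:
                seen[value.lower()].append(dn)  # compare case-insensitively
    for key, dns in seen.items():
        if len(dns) > 1:                        # same address on 2+ entries
            findings += [(dn, key, "duplicate") for dn in dns]
    return sorted(findings)
```

Running `audit(SAMPLE)` flags the two entries that share `smtp:alice@example.com` as well as the five malformed values, and modifies nothing.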
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Wednesday, November 03, 2004 7:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ProxyAddress Verification Tools
When you say verify, what do you mean exactly? That means multiple things to me, such as whether one was created, whether there are dups, whether it conforms to the naming standards, and so on. Can you provide some boundaries?
Personally, I haven't seen anything that does this as a tool. Although it's expected that this is built in to the creation process, there are ways this can get messed up and there are ways to circumvent even the safe-guards built into the Exchange product.
There are ways to prevent it as well such as having a good system of unique id's for user LHS of the SMTP addresses etc. In practice, you never see users with unfriendly smtp addresses for very long though :)
Haven't looked at the new health checker to see if it identifies proxy-address issues. Probably should.
I would think a perl or vbscript with regular expressions would be helpful, but for dups it would require a little more effort to catch before monitoring does especially in a large environment. Some sort of database app would be most efficient I would think.
Al
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, November 03, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ProxyAddress Verification Tools
What is the best tool out there that checks and verifies proxyaddresses are good (format and info) and not duplicated in a forest? I have a perl script to do it, but would like something faster and don't really want to write it but will if I have to.
You are verifying your proxyaddresses right? If not, you might consider it.
In my last position at a world class widget factory company that was a huge issue and caused Exchange great stress. We found thousands of issues in the proxyaddresses.
joe
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
