We’ve just released security updates for #MSExchange Server 2016-SE. These updates are the last publicly available SUs for Exchange Server 2016 and 2019.

MS Exchange has existed since 1996. SMTP has existed since 1982. Microsoft adapted the technology and forced its servers on companies. On the Internet, #MSExchange plays hardly any role. Almost 90% is open source. Exchange is mainly known from when problems with mail servers occur. And then you get cryptic error messages that are non-standard SMTP. The state government's crisis management is poor, though. But the path is the right one. Away from the monopoly and toward standards.
BTW: from October 1st new Accepted Domains will automatically use the new MX infrastructure, which will make enabling DANE a little less of a hassle as there should be no change in your MX record. See MC1048624 or https://mc.merill.net/message/MC1048624
You must enable DANE on your domain as this change is currently only present on the new https://mx.microsoft infrastructure. Currently for existing accepted domains this is the way to transition to the new infrastructure, although eventually new accepted domains will use this automatically (you do still need to enable DNSSEC & DANE). See more on DANE here https://learn.microsoft.com/en-us/purview/how-smtp-dane-works?wt.mc_id=M365-MVP-5000976
Although for hosted services you do not have control over their certificate management, I would find it reassuring if such a service would implement CAA. And: Since a few days #MSExchange Online now has CAA records!
With upcoming changes in the maximum validity period of certificates (max 200 days in 2026, 100 in 2027, 47 in 2029) the use of ACME (Automated Certificate Management Environment) will certainly increase. The addition of CAA and combination with ACME is another layer in your security stack. It's recommended for Dutch governments.
You all know I like to use the https://internet.nl internet standards test. Recently they added the Certificate Authority Authorization or CAA DNS record check. This record signals which Certificate Authority is allowed during the certificate request process and CAs should honor this record and only issue a certificate when it's listed.
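How a CA applies the CAA check described in the post above, following RFC 8659, as an added example that is not part of the original post. The zone contents and CA names are constructed, and CNAME/alias handling is left out.

```python
# Added example: CAA evaluation as an issuing CA performs it (RFC 8659).
# Zone contents and CA names are constructed; CNAME/alias handling is omitted.
CONSTRUCTED_ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "odd.example.com": [(128, "futuretag", "x"), (0, "issue", "ca-one.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root; the closest CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # *.X is looked up as X
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """'ca.example; account=1' -> 'ca.example'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn, zone):
    rrset = relevant_rrset(fqdn, zone)
    # An unknown tag with the critical bit (128) set forbids issuance outright.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild applies only to wildcard names and then replaces issue.
    applicable = issuewild if fqdn.startswith("*.") and issuewild else issue
    if not applicable:
        return True               # no restricting property: any CA may issue
    return any(issuer_domain(v) == ca_domain.lower() for v in applicable)

if __name__ == "__main__":
    for ca, name in [("ca-one.example", "mail.example.com"),
                     ("ca-two.example", "mail.example.com"),
                     ("ca-one.example", "*.example.com"),
                     ("ca-one.example", "www.locked.example.com")]:
        print(f"{ca:16} {name:24} -> {may_issue(ca, name, CONSTRUCTED_ZONE)}")
```
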
We’ve just released a Hotfix Update for #MSExchange Server 2016 - SE. Please check the blog post for more details: https://techcommunity.microsoft.com/blog/exchange/released-september-2025-exchange-server-hotfix-updates/4448721
The biggest gain is achieved by changing your default domain and checking existing objects. In addition, the default DKIM signing domain is often the MOERA domain. Take a moment to properly configure each custom domain as well, enhancing #security.
Read more here for a more detailed explanation and how to monitor the use of MOERA domains: https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167?WT.mc_id=M365-MVP-5000976
Last week #Microsoft announced an important change throttling #MSExchange Online outbound mail using *.onmicrosoft.com, or MOERA (Microsoft Online Exchange Routing Address). This is done to limit malicious\unsolicited mails from trial tenants, which is indeed a problem.
The impact for organizations using custom domains is limited. However, orgs might not be aware that some non-user objects use MOERA domains per default (i.e. Booking app, notifications etc.).
There are more similar changes already in preview and on the roadmap, but this is indeed a very big step in ending the era of maintaining an Exchange server “just because we sync our AD" and providing more flexibility in identity provisioning and governance.
This is big #MSExchange news! Today #Microsoft posted an article introducing the preview of the IsExchangeCloudManaged parameter in which you can shift the start-of-authority of Exchange attributes on hybrid identities from on-prem to cloud.
When enabled on a mailbox, you can manage synced identities' mail properties directly in Exchange Online. Previously this was not possible and the reason you required an on-prem Exchange Server for management (or serverless with Management Tools).
New August 2025 #security update for #MSExchange! There are some vulnerabilities fixed, as of now not active in the wild but no reason to procrastinate. Small note: now AMSI HTTP Message body scanning will be enabled per default. Read more and find #Microsoft download links here: https://techcommunity.microsoft.com/blog/exchange/released-august-2025-exchange-server-security-updates/4441596?wt.mc_id=M365-MVP-5000976
Direct Send is defined as your organization sending mail to #MSExchange Online using a sender domain that is an accepted domain AND which is not sent via any authentication (user or via Connectors). In some cases you might require this functionality, however this obviously can open your organization up to receive spoofed mails. Those should be filtered, but depending on the complexity the ability to disable Direct Send is a welcome option.
Recently the #MSExchange product group posted an article on disabling #SMTP Direct Send and after feedback reposted it with some additional clarifications because there were some misconceptions on the definition. I have had similar discussions with organizations. It depends on your configuration what the impact might be, but IMHO it is a welcome option to reduce your attack surface but you obviously need to understand it correctly.
Starting in August 2025, we will begin temporarily blocking #MSExchange Web Services (EWS) traffic using the Exchange Online shared service principal.
New blog post: Why every organization should enable DANE https://davestork.nl/why-every-organization-should-enable-dane/
#security #SMTP #mail #MSExchange #Microsoft365 #DNSSEC #AzureDNS
New malware called #GhostContainer has been spotted targeting high-profile organizations across Asia. Companies and individuals using #MSExchange worldwide should stay alert.
Read: https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/
PSA: Do not - I repeat, do NOT - attempt an in-place upgrade of the Operating System of existing Exchange servers. Also, do not attempt to mix OSes within the same DAG; new OS = new Exchange Server = new DAG. That'll be all. #MSExchange
Start your in-place upgrade engines! #Microsoft #MSExchange Server Subscription Edition is now Generally Available! You've got 105 days left of 2016/2019 support! Go! Go! Go!
See the blog: https://techcommunity.microsoft.com/blog/exchange/exchange-server-subscription-edition-se-is-now-available/4424924?wt.mc_id=M365-MVP-5000976
#Microsoft365 #SMTP #Exchange