CentOS 7 minimal installs happily on Windows Server Hyper-V 2016. Do not forget to run
nmcli
nmtui
to active network connection, as by default it is not active.
Wednesday, May 29, 2019
Tuesday, May 21, 2019
Thursday, May 16, 2019
Office 365 Exchange Online Protection and DMARC
If you want to protect your domain with DMARC or use DMARC to filter spam and you use Office 365, note that Microsoft decided to alter normal DMARC policy. Imagine the domain protects itself and a message was identified as DMARC=fail and policy is set to reject with 100%. DMARC policy example: v=DMARC1;p=reject;pct=100
Office 365 will ignore reject and will deliver email marked as spam. A header will contain
"dmarc=fail action=oreject" (oreject being overwritten reject.)
Here is how Microsoft justifies this design decision:
https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email#inbounddmarcfail
Office 365 will ignore reject and will deliver email marked as spam. A header will contain
"dmarc=fail action=oreject" (oreject being overwritten reject.)
Here is how Microsoft justifies this design decision:
"If the DMARC policy of the sending server is p=reject, EOP marks the message as spam instead of rejecting it. In other words, for inbound email, Office 365 treats p=reject and p=quarantine the same way.
Office 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected. If desired, users can still get these messages in their inbox through these methods:
- Users add safe senders individually by using their email client
- Administrators create an Exchange mail flow rule (also known as a transport rule) for all users that allows messages for those particular senders."
https://docs.microsoft.com/en-us/office365/securitycompliance/use-dmarc-to-validate-email#inbounddmarcfail
Thursday, May 9, 2019
Monday, May 6, 2019
ICMP redirect
In the middle of migration from one firewall to another you may discover that you need to point a specific migrated IP to new firewall, while default gateway remains as old firewall.
Then in the old firewall you will specify a route to forward to new firewall.
When a user will ping that IP, the old firewall as default route will respond with ICMP redirect message. This message will most problably be ingored by your user PC.
Check if the registry Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect is 1
and that Firewall allows ICMP Redirect messages (the best is to enable a custom Windows firewall rules to let this to be accepted in trusted networks, but not in public as example.
Then when you ping you will see ICMP redirect message in Wireshark, then after a while that your PC starts sending it to new Firewall.
Note that "route print" will not show this new route.
Then in the old firewall you will specify a route to forward to new firewall.
When a user will ping that IP, the old firewall as default route will respond with ICMP redirect message. This message will most problably be ingored by your user PC.
Check if the registry Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect is 1
and that Firewall allows ICMP Redirect messages (the best is to enable a custom Windows firewall rules to let this to be accepted in trusted networks, but not in public as example.
Then when you ping you will see ICMP redirect message in Wireshark, then after a while that your PC starts sending it to new Firewall.
Note that "route print" will not show this new route.
Subscribe to:
Posts (Atom)