What to do? SE or Decommission
I’ll start by outlining our current environment for context: Two standalone Exchange Server 2016 VMs. Primarily used for recipient management in a hybrid setup. Also functions as an anonymous relay for two LOB applications — one of which requires the mail service to reside on the same network as the application (as per vendor requirement). We have not opted for Extended Support (ESU) and installed the latest available Security Update last week. Management has been presented with the following options to move forward: 1) Perform a legacy upgrade — build two new servers and migrate from Exchange 2016 to Subscription Edition (SE). 2) Migrate LOB applications to another SMTP service — this would allow continued use of Exchange Management Shell for recipient management (by setting up a new server, preparing the schema for SE, and following Microsoft’s decommissioning process). 3) Migrate both LOB applications to another SMTP service and management to alternative platforms such as Easy365 or ManageEngine, removing the dependency on Exchange entirely. This post is mainly to gather some insights and general discussion around the best path forward. From a risk management perspective, since we’re effectively sitting on a time bomb without further Microsoft updates, I’m leaning toward option 2, especially given that all mailboxes have long been migrated to Exchange Online. What should I be watching out for with this approach? It seems many have taken a similar path — I’d appreciate hearing about any challenges or pitfalls you encountered and how you mitigated them during implementation.Issue with DnsConnectorDelivery
Background: We are currently migrating from Exchange 2016 to 2019 in a hybrid environment. We have 2 2016 servers both in our main datacenter, and 2 2019 servers, one in our main datacenter and one in our offsite datacenter. Backup datacenter has its own DCs that are replicas of our main datacenter's DCs. Exchange 2019 has been installed and updated to CU 11. Problem: When I run the hybrid configuration wizard and select all 4 servers to be included in the send and receive connectors, everything completes and no errors appear. However, mail gets stuck in the DnsConnectorDelivery queue on the server in our backup datacenter. The NextHopDomain for the stuck mail is our M365 domain, domain.mail.onmicrosoft.com As soon as I remove the server in the backup site from the send and receive connectors, mail flows correctly again. I've done a lot of internet searching and it seems the issue has something to do with our MX record, but both domains have the correct record in their DNS. What could be causing the issue? Any help is appreciated!
Why would a hacker/scammer put a domain INTO my exchange online admin?
OK so this is a weird one. I've been doing this a fairly long time but I'm not a full time exchange admin. I help my clients with exchange online often, but I'm a local IT pro, doing all sorts of screwdriver and software work, not just exchange. So maybe this isn't as bizarre as I think it is, but let's see. My client stopped receiving email 2 days ago. Alerted me to it yesterday. They don't know their password but no devices are asking for passwords, so I suspect it's not a password issue. I get logged into my admin and reset their password so we can get into their account. Suddenly they start getting asked for PW on phone and outlook, so we know that the password hadn't been changed prior. I get into account and see new rules sending all emails into archive and trash. So that explains that. So someone broke into the account with the correct password. Easily enough explained. Though weird that it would happen if the user didn't know their own password. So, one question is how did the scammer get into the account. I have looked at the login logs but I don't know what to sort/filter by to really find out anything helpful. Any ideas? So I got into the account and upon resetting his password he is forced to enable MFA. So that's done. I'm in the admin and what do I find? Two NEW domains in the settings. They are set up for exchange online. No users though. Not only that but I can't REMOVE the domains that aren't mine. I get this error when trying to remove it: "The domain coburnsfleetservices.com can't be removed at this time because it was purchased from Microsoft 365. It can only be used with your current Microsoft 365 account. You can remove it from the account once the subscription expires or is canceled." Also, in the emails missed in the past 48 hours we got one that said this: "A verified domain was added to your Avenue A Realty Advisors LLC account If this domain wasn't added by an admin in your organization, credentials might have been compromised and we suggest reviewing your password and multifactor authentication settings." I searched online and found contact info for one of the stolen/given domains. Called them and they said they had been hijacked 2 weeks ago, and their email used to send out payment requests to thousands of email addresses. Thought they had it solved a few days ago and it had been silent. Now this. So a second thing I'd like to find out is when exactly those domains were put into my exchange online account. Can I find that info from the logs? Additionally, WHY would someone move unrelated domains into my account? Maybe is the assumption that that happened before 2 weeks ago when that company's domain had been used to send out mass mail? Doesn't seem possible, because that company would have figured out that they no longer controlled their own domain and they couldn't have gotten control of the account again. Or...? I don't know. But while I've seen users tricked into giving out their passwords dozens of times, and their email used to try to solicit money from vendors, I've never seen another domain slipped in. Any ideas? And suggestions how to search the logs to get to the bottom of the missing puzzle pieces? Thanks for any leads!
How do you identify the "You've joined the xxx group" emails?
When you join a microsoft 365 group via Outlook you get an email (apparently from yourself) to say you have joined it. How do you actually identify these emails on Exchange? I've looked at the headers but nothing really stands out. I need to exclude these types emails from rules.
Exchange 2019 Mailbox Migration Error - Folder conflicts with Exchange Online folder
Hi Exchange Experts, I'm migrating a small Exchange 2019 environment to 365. Been pulling my hair out becuase of just one mailbox giving this error Error description --------------------------- Error: AggregateMailboxFolderConflictPermanentException: The folder 'Files' conflicts with Exchange Online folder 'Files', please move the messages to another folder and restart the job. Data migrated: 0 B (0 bytes) Migration rate: -------------------------------------- Migration user report: 5/14/2025 12:32:05 PM [MEUP300MB0105] Request processing continued, stage CreatingFolderHierarchy. 5/14/2025 12:32:05 PM [MEUP300MB0105] Stage: CreatingFolderHierarchy. Percent complete: 10. 5/14/2025 12:32:12 PM [MEUP300MB0105] Stage: CreatingFolderHierarchy. Percent complete: 10. 5/14/2025 12:32:12 PM [MEUP300MB0105] Fatal error AggregateMailboxFolderConflictPermanentException has occurred. ---------------------- It seems to be a system folder and I've tried to remove files from it (although there're no files in it) using MFCMAPI tool with no success. Renamed the folder and tried to re-run the migration with no luck. Has anyone experience this issue? any thoughts or tips are much appreciated ! Thank you.
Send admin notifications on x number of messages from an email address
Hi, We're having a problem with a repeat spam/phishing offender that recycles email addresses from a particular domain. Because the email address is new it hasn't had a chance to be picked up by blacklists, so it doesn't get picked up as spam. We can't block on content, subject or sender because it all changes so for these campaigns we're relying on user reports to give us the heads up. We also can't block the domain because we receive legitimate email from the domain also. I'd like to change this so we can hit them before users notice and possibly whilst the spam campaign is in flight but I'm unsure as to how to go about it. Is there a rule or other setting I can configure which sends notifications to specific e-mail addresses if, say 100 emails were received from any email address (or from a specific domain?) within an hour, or 5 hours? I don't see how I can configure such a rule in mailflow rules so I'm guessing this might be somewhere else. There's an element of us likely being falsely alerted to marketing campaigns, but hopefully it's configurable enough that we can limit it down to only applying this against a specific sender domain, or adding a new custom mailflow rule which will lower the likelihood of false positives. Many thanks, - Lsward
Exchange 2016 and deffer delivery
Hi! Is it possible to configure delay of outgoing sending messages for user mailbox, like outlook's deffered delivery? I couldn't find such an option in mailflow-rules, as deepseek says "New-TransportRule -Name "DelaySendForUser" -SenderAddressEquals "email address removed for privacy reasons" -DeferMessageMinutes 2 -Enabled $true" - it doesn't work:))
How to consistently differentiate Microsoft service notification emails from normal user emails?
I receive a large number of notification mails from Microsoft services (SharePoint, Teams, etc.) and they clutter my mailbox. I’ve tried: Inbox rules filtering by sender (e.g., email address removed for privacy reasons) → doesn’t work since Microsoft uses many changing domains. Filtering by Microsoft IP ranges → some internal org mails also get caught. Filtering by domains from Microsoft endpoint list → works, but the list updates monthly, so not reliable. Question: Is there a consistent way (e.g., via Internet message headers or any other property) to reliably identify Microsoft-generated notification emails vs normal user emails?Microsoft some server IP not in SPF List?
We Have add DNS record v=spf1 include:spf.protection.outlook.com -all , but find to SPF is failed spf:demo.com:2603:1096:301:11b::15 how can we solve this problem , because we need increase the security Level , would like quarantine / set to junk mailbox for SPF Fail mail Thank
