Monday, May 3, 2021

Cisco Broke my Mail Server

The Rant 

I don't usually write about networking, but I'm having to do a bit more of it lately. Today we found that a new Cisco Firepower ASA broke our e-mail servers.

The Problem

SMTP Mail queues are backing up. Mail is not transferring. Now this isn't the internal, within the domain mail. This is going to another domain in the org. Still managed, sort of, by us, but separate. Complaints about Non-delivery receipts start coming in.

You go to the Exchange Management Console, go to tools, click Queue Viewer and yup. A bunch of e-mail in the queue. This isn't dial-up days, mail shouldn't be in there unless they have bypassed your great e-mail attachment rule that limits sending Windows ISO images via e-mail. (thank you Jim!!) So you start to look around to see what is causing it.

Normal Problem

Usually this is caused by McAfee AV 8.8 and the Block Mass Mailing Worm rule. Enabled by default and applied by lazy busy admins to Exchange Servers. This is the main cause of intra domain e-mail backups. In McAfee Endpoint Manager there is a rule that you CAN enable, but it is not enabled by default.

The Other Problem

OK, so to figure out if this is your problem, telnet to both Exchange servers. (OK, I was stupid, so I'll put this in here. If you run PuTTY, make sure to change the radio button to telnet because SSH will NOT work.) When you telnet in, you will get one of two things:

220 ************************************************************

or

220 SVR-LAB-EXC-01, Microsoft <blah blah blah>

The ***s are wrong. That is coming from the firewall. You need to remove the SMTP block on there. A Google search will turn up a "fixup protocol smtp 25" command. That's what broke it and seems to be in there by default, but doing a "no fixup protocol smtp 25" just doesn't work like other Cisco commands should. This should work to remove the ESMTP inspection:

# policy-map global_policy
# class inspection_default
# no inspect esmtp

Be happy today!!
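
The telnet check above can be scripted so both Exchange servers are tested the same way before and after the firewall change. This is an added example, not code from the original post; the function names and the commented-out host names are assumptions.

```powershell
# Added example: read an SMTP greeting and decide whether a firewall rewrote it.

function Test-SmtpBannerMasked {
    param([Parameter(Mandatory)][string]$Banner)
    # A rewritten greeting is "220" followed by nothing but asterisks.
    return $Banner -match '^220[ -]\*+\s*$'
}

function Get-SmtpBanner {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a filtered port does not hang the check.
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to ${Server}:$Port"
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        return $reader.ReadLine()   # first line is the 220 greeting
    }
    finally {
        $client.Close()
    }
}

# Constructed samples: the two greetings shown in the post.
$samples = @(
    '220 ************************************************************',
    '220 SVR-LAB-EXC-01, Microsoft <blah blah blah>'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Banner = $s; Masked = (Test-SmtpBannerMasked -Banner $s) }
}

# Live check (host names are placeholders, replace with your own servers):
# 'exch01.example.internal', 'exch02.example.internal' | ForEach-Object {
#     $b = Get-SmtpBanner -Server $_
#     [pscustomobject]@{ Server = $_; Banner = $b; Masked = (Test-SmtpBannerMasked -Banner $b) }
# }
```

Run the live check from a host on the far side of the firewall, since a connection that never crosses the ASA always shows the real greeting.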


VMware PowerShell Module Problems

Problem

Can't update the PowerShell Modules for VMware. You did it a year or more ago because you use VMware PowerShell Modules offline on an airgapped system. You remember doing it, but can't recall the sequence of events. Typical.

Errors

Now you recall, you try to use the:
Install-Module -Name VMware.PowerCLI
But you get an error. And the Error dialog says, Do you want to load the new version of NuGet, and of course you say yes, cause, "do it for me" is easiest. But it doesn't work.
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. 
The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ...     $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageP 
   rovider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
 
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. 
Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ...     $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
You try an administrator shell if you didn't have that already, but still NO.
OK, now here is what the problem is. The last time you ran this, TLS 1.0 and SSL 3.0 were great!! but now they suck and you are still using them. Want to prove it? Type:
[Net.ServicePointManager]::SecurityProtocol
and you get tls, ssl3 and Pppptthhrrrr. You lose.

OK, so let's add the new TLS 1.1 and 1.2

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
and then
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Now RESTART POWERSHELL IN ADMINISTRATOR MODE and now if you type:
[Net.ServicePointManager]::SecurityProtocol
You get tls, tls11, tls12 - You'll be happy now. Go back and try your module update, import module, etc. and NuGet will load.
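
To confirm the change took effect, the two registry values and the session's protocol list can be read back together. This is an added example, not part of the original post; the function names are assumptions, and Enable-SessionTls12 shows a per-process alternative that leaves the registry untouched.

```powershell
# Added example: audit the .NET strong-crypto setting and the session's TLS protocols.

function Get-StrongCryptoState {
    # Both registry views matter: 64-bit and 32-bit (Wow6432Node) .NET processes
    # read their own copy of SchUseStrongCrypto.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    )
    foreach ($p in $paths) {
        $value = $null
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
            if ($item) { $value = $item.SchUseStrongCrypto }
        }
        [pscustomobject]@{
            Path               = $p
            SchUseStrongCrypto = $value          # $null means the value is not set
            StrongCrypto       = ($value -eq 1)
        }
    }
}

function Test-SessionTls12 {
    # True when this PowerShell process explicitly offers TLS 1.2.
    # A value of SystemDefault defers to the OS and is reported as False here.
    $current = [Net.ServicePointManager]::SecurityProtocol
    return $current.HasFlag([Net.SecurityProtocolType]::Tls12)
}

function Enable-SessionTls12 {
    # Adds TLS 1.2 for the current process only: no registry write, no restart,
    # and nothing changes for other .NET applications on the machine.
    if (-not (Test-SessionTls12)) {
        [Net.ServicePointManager]::SecurityProtocol =
            [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    }
}

# Read-only report; call Enable-SessionTls12 yourself if you want the session fix.
Get-StrongCryptoState | Format-Table -AutoSize
"Session protocols: $([Net.ServicePointManager]::SecurityProtocol)"
"TLS 1.2 offered:   $(Test-SessionTls12)"
```

The SchUseStrongCrypto registry values apply to every .NET Framework 4.x application on the machine, so record the before and after output of Get-StrongCryptoState with the change.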