RSW's questions

We run Exchange 2010/Outlook 2013, and today a number of our users received an email with an attachment that contained malware. Our current anti-malware product didn't detect the malware, but I found out by manually running it through an online multi-vendor scanner. Before I could reach all my users, one of them thinks he might have opened the attachment.

Is there any definitive way for me to know whether or not this user opened the email attachment in question? Does Outlook or Exchange or something in the OS (we're on Win10 Enterprise) provide any way of knowing? All my internet searches found were people trying to determine if external users had opened email attachments they had sent to them (something akin to a read receipt), so that was of no use to me.

UPDATE: I'm not looking for answers relating only to the malware part of this issue. E.g., I'm not looking for advice on how to detect a possible malware infection on the user's computer, how to reformat the computer, etc.

I got bit in the rear again by the Back Pressure feature in Exchange 2010 this week. I want to set something up to alert me in the future when this happens again.

Background

Some people had been reporting delays receiving emails from people outside the organization for the past couple of weeks, but it was transient enough to not throw up any concrete red flags. Yesterday, finally, we had a solid outage where no external emails were coming in, and upon troubleshooting I found that Back Pressure was in force on our Edge Transport server. The problem was RAM overutilization, and a quick reboot solved the problem. After going back through the Event Logs, however, I realized that the Edge server had been slipping in and out of Back Pressure repeatedly over the past couple of weeks, thus the intermittent delays people were seeing with receiving email from the outside.

What I've tried

Whenever Exchange detects an overutilization condition (e.g., not enough free RAM or disk space), it logs Event ID 15004 in the Application event log. In the Event Viewer, I used the built-in "Attach Task To This Event..." feature to set up a Scheduled Task with the Action "Send an email..." that would email me whenever this event was logged (initially BackPressure only blocks external emails but allows internal emails to keep flowing). However, the "Send an email..." action requires you to specify an SMTP server. The problem is that our Edge server is not domain-joined and is out on the perimeter of our network, so I couldn't use our internal domain-joined SMTP server. I also had no success using the Edge server's own SMTP server ("localhost") as I couldn't figure out how to authenticate to it (where do you even configure it and what username/password would you use?). I was, however, able to use Gmail's SMTP relay to send the notification messages, but the Catch-22 is that once BackPressure is applied, all emails from the outside are blocked, so the notification messages relayed via Gmail are also blocked as being from the outside and I never see them.

I have a couple of things in place to help, but neither is foolproof. The first is a daily test email that gets sent to me every day at 8 AM...if I don't see it I know there's a problem, but instead of just a once-a-day test I want to know as soon as the Edge server starts having problems. I also have Nagios monitoring a few metrics on the Edge server, but it can't cover all the scenarios that Exchange uses to trigger a BackPressure situation.

Being notified whenever Event ID 15004 is logged on the Edge server is the Holy Grail, now I just need to figure out a way to make that happen reliably.

Is there a way to set up BackPressure email notifications from a non-domain-joined perimeter Edge server?

Yesterday one of my users was expecting an important, time-sensitive email from a government contact but never received it. Late in the day they sent an email to that contact saying "where's that email?" The government POC replied saying, "I already sent it this morning at 11:00 AM."

I checked our Exchange message tracking logs and confirmed that the email had in fact been sent but had been rejected for exceeding the maximum message size limit (the attachment was evidently pretty big).

By the time we realized what had happened, the government POC was gone for the day and the window of opportunity had closed. Evidently the government POC should have gotten an NDR (at some point) when his email was rejected by our system, but he either didn't get it in a timely manner, didn't notice it, didn't understand it, or didn't care. (The email went out to a pool of potential customers bidding on a new contract, and presumably as long as he did his job by sending the email out, he might not care if it arrived successfully or not.)

How can I be notified when one of my users has an email sent to them that is rejected due to exceeding one of our Exchange 2010 message size limits? If I had seen the rejection when it occurred, we might have had enough time to solve the problem before our opportunity slipped away.

I am currently setting up a new 3-host VSAN cluster that will be placed into production soon. (Note this is the newer "Virtual SAN" (VSAN) technology, not the older vSphere Storage Appliance (VSA) technology). This is the first time I have worked with VSAN.

Each of the three hosts in the cluster has four 1TB local HDD's and one 200GB local SSD (which VSAN needs for read/write caching) to contribute to the cluster. I have installed ESXi 5.5 directly on the first local HDD of each host.

I added the three hosts to vCenter and launched the vSphere Web Client to configure VSAN. But instead of seeing all four local HDD's on each host as being available to VSAN, only three are available.

From what I have read in the VSAN documentation, disks used by VSAN must solely be used by VSAN. That is, once VSAN "takes over" a local drive, that drive can not be used for any other purposes (such as reserving partitions for use by other OS's). However, it wasn't clear to me if that also meant not being able to store the ESXi bootable partition on one of the VSAN local drives.

I've heard a lot about installing ESXi to a bootable USB stick as an option, but have never tried it since we've always just placed the ESXi boot partition on our traditional SAN. (For background, the new VSAN cluster is going to replace our blades and traditional SAN due to downsizing and cost-cutting measures).

So to summarize, here are my questions:

1. Is it possible to install ESXi to one of the local HDD's and still have the rest of the space on that HDD be available to VSAN?
2. If the answer to question #1 is "no", then is the next best option to install ESXi to a bootable USB stick? (and if so, are there any notable tradeoffs to doing this that I should be aware of?)