I thought this would be fairly common knowledge by now, Exchange 2003 being quite mature in it's 5th year, but it's not something I've had a problem with before and therefore I'm going to write about it!

So a big email comes in; lets say it's 8MB. Your Exchange 2003 server, set to it's defaults for size restrictions, rejects the email. Why? Take a look at this Exchange TechNet article:

When the 8MB message crossed the routing group boundary through SMTP and arrived at the destination server, it was approximately 33 percent larger than the original message because of the inter-routing group SMTP increase...The final message had a content size equal to 11,594,558 (11 MB), and the message exceeded the 10-MB Global Limit, thus returning the 5.2.3 delivery status notification.

Petri.co.il elaborates:

Please keep in mind that message send [sic] through SMTP could grow about 10-20 percent because of format conversion (MIME and UUEncode)

For a standard Exchange Server installation, this is how the process of checking the email size goes (see the diagram below for full details):

1. Does the email exceed Global Max submission content length?
2. Does the email exceed the per-user Max Delivery Length for the recipient?
3. If the email is not delivered locally, does the email exceed the Virtual Server SMTP limit?
4. If the email is not delivered locally, does the email exceed the Connector limit?

I won't elaborate on the places you can set the size restrictions, other than to reprint Petri.co.il's list and point you to the full article.

You can set message limits at the following objects:

• Global settings
• System Policy
• Individual mailbox
• Individual message limit
• Distribution list
• Public folder
• Connector
• Virtual SMTP Server

Outlook Web access is a fantastic tool for our company, providing on-the-go access to people's mailboxes - which is of course secured by SSL and uses Forms Based Authentication. Internally, we have an intranet portal that allows us to access the various systems - one of which is OWA. One of the stipulations for this internal portal is that it is all Single Sign On using NTLM authentication - integrated authentication. This is where the problem lies because enabling OWA with Forms Based Authentication over SSL disables Integrated Authentication. So our choice is to have users enter their credentials twice (not acceptable) or to disable FBA and have external users log on with the annoying pop-up.

OR...

You can create a copy of the /Exchange and /Public Virtual Directories and configure them to use Integrated Authentication. You can also restrict access to them by IP...here's how:

 I'm assuming you've already set up OWA with SSL on your Exchange server. If you need to do that, try How do I configure OWA to use SSL? at Daniel Petri's site

1. Log onto your Exchange Server, and open up the IIS control panel. Locate your /Exchange and /Public virtual directories.
2. Right click /Exchange, select "All Tasks" and then "Save Configuration to a File..."
   
3. Go through the dialogue, save to a file and if you're worried about security, add a password.
4. Once you're done, right click any white space in the root web site (or the exchange web site) and select "New", then select "Virtual Directory (from file)..."
   
5. You will be presented with the "Import Configuratio" dialogue, click "Browse..." and select the file you've just created. Click "Read File" and select the Exchange location underneath
   
6. Click "OK" and you'll be asked to provide a new name, or replace the existing Virtual Directory - select create a new one and put an appropriate name (I uses ExchangeIA)
   
7. Now, this step is optional, but read on anyway because you might want to think about it. I only want to allow people on my network to access this using Integrated Authentication, no one else, so I am going to restrict access to the Virtual Directory that I've just created to my IP subnet. To do this right click the newly created Virtual Directory (ExchangeIA) and select the "Directory Security" tab. Under "IP address and domain name restrictions" click "Edit". Now select "Denied access" to deny anyone other than the exceptions, then click "Add.." and enter the details of your network to allow those computers access.
   
8. Now head back to step 1 and repeat for the /Public folder, if Integrated Authentication is required for Public Folders.
   

Originally posted Thursday, February 21st, 2008