2025-10-16

IIS SMTP cannot enable TLS with a wildcard certificate

If the wildcard certificate is imported with MMC into the Personal store of Local Computer,
"Require TLS encryption" under Access -> Secure communication of the SMTP domain stays greyed out and cannot be ticked.

In that case open IIS Manager (the Internet Information Services (IIS) Manager used to manage web sites),
click Server Certificates at the server level, then Import, and make sure the target store is set to Personal.
Click OK, then restart IIS and the SMTP service.

*. You can untick "Allow this certificate to be exported".

IIS SMTP MMC startup error

Stop-Service SMTPSVC
Stop-Service IISAdmin

notepad C:\Windows\System32\inetsrv\MetaBase.xml

Find the <IIsSmtpServer Location ="/LM/SmtpSvc/1" element
and add the attribute: RelayIpList=""

Start-Service IISAdmin
Start-Service SMTPSVC

Set-Service SMTPSVC -StartupType Automatic
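The same MetaBase.xml fix as a script, added here as an example and not part of the original post. It assumes the default inetsrv path and an elevated PowerShell session; IISAdmin must be stopped while the file is edited, otherwise the in-memory metabase overwrites the change on exit.

```powershell
# Added example: applies the RelayIpList="" fix from the steps above without hand editing.
$MetaBase = 'C:\Windows\System32\inetsrv\MetaBase.xml'
$Pattern  = '<IIsSmtpServer\s+Location\s*=\s*"/LM/SmtpSvc/1"'   # opening tag of the SMTP server node

Stop-Service SMTPSVC -Force
Stop-Service IISAdmin -Force

# Keep a timestamped backup before touching the metabase
Copy-Item $MetaBase "$MetaBase.$(Get-Date -Format yyyyMMddHHmmss).bak"

$text = [IO.File]::ReadAllText($MetaBase)
if ($text -notmatch $Pattern) { throw "IIsSmtpServer /LM/SmtpSvc/1 not found in $MetaBase" }

# Look only at that element's opening tag so an existing RelayIpList is not duplicated
$tag = [regex]::Match($text, ($Pattern + '[^>]*>')).Value
if ($tag -match '\bRelayIpList\s*=') {
    Write-Host 'RelayIpList already present, nothing to do'
} else {
    # $0 is the whole match; the attribute is appended right after Location="..."
    $text = $text -replace $Pattern, '$0 RelayIpList=""'
    [IO.File]::WriteAllText($MetaBase, $text)
    Write-Host 'RelayIpList="" added'
}

Start-Service IISAdmin
Start-Service SMTPSVC
Set-Service SMTPSVC -StartupType Automatic
```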

2025-10-15

Extracting ZIP-compressed binary .eml files from an MSSQL database and reading out the Subject and other fields

The mail .eml files are stored in the DB as ZIP archives. One day I found that many records in the database had the wrong Subject,
presumably because of a bug in the archiving program.
Since this affects search results, the zipped .eml files have to be pulled out of the database,
decompressed and analysed, and then the data in the database corrected.

The program below does all of the above but also has many other functions; I will not go into them, take it if you need it.

Requires
SharpZipLib
This is used to ignore errors that occur during decompression and force the extraction.
I do not know why the ZIP binary data pulled from the DB fails to decompress, but ignoring the errors works.

PowerShell alone really cannot parse email properly, so that part has to be handed off to Python.
So the flow is: do half of the work in PowerShell, read the file in Python, then return to PowerShell for the rest.
I am really not familiar with Python, otherwise the whole thing should have been written in Python from start to finish.

Many parts of the program below were generated with the help of Copilot and then modified by me.

2025-09-16

Creating a self-trusted digital signature for PowerShell scripts (*.ps1) or self-compiled executables (*.exe)

The environment below is a Standalone CA built on Windows Server; an Enterprise CA is much the same.
First create a certificate request template, which is used to submit the Code Signing request to the CA.
Replace the highlighted values (the Subject fields) with your own.
Save it as CodeSigning.inf (a plain text file):
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=Dino9021 Code Signing, OU=IT, O=DinoClub, L=Hsinchu, S=Taiwan, C=TW"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[Extensions]
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.5.5.7.3.3" ; Code Signing EKU
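The steps that follow CodeSigning.inf, from request to a signed and verified script, as an added example that is not part of the original post. Placeholders to replace: $CaConfig ("<CA host>\<CA name>", see certutil -dump), $CaCert (the CA's own certificate file) and .\MyScript.ps1.

```powershell
# Added example: request, issue, install and use the code-signing certificate defined in CodeSigning.inf.
$CaConfig = 'CA-HOST\CA-NAME'   # placeholder
$CaCert   = '.\RootCA.cer'      # placeholder: the Standalone CA's certificate

# 1. Build the PKCS#10 request; the key pair lands in the user's store because MachineKeySet = FALSE
certreq -new CodeSigning.inf CodeSigning.req

# 2. Submit to the CA. A Standalone CA normally holds the request as Pending and prints a RequestId;
#    issue it in certsrv.msc (Pending Requests -> Issue), then fetch the certificate by that id.
certreq -submit -config $CaConfig CodeSigning.req CodeSigning.cer
# certreq -retrieve -config $CaConfig <RequestId> CodeSigning.cer    # only needed if it was held as Pending

# 3. Join the issued certificate with its private key in Cert:\CurrentUser\My
certreq -accept CodeSigning.cer

# 4. "Self-trusted": this machine must trust the CA chain and, for the AllSigned policy, the publisher
Import-Certificate -FilePath $CaCert -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath .\CodeSigning.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 5. Sign with the newest certificate that carries the Code Signing EKU requested in the INF
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -like 'CN=Dino9021 Code Signing*' |
        Sort-Object NotAfter -Descending | Select-Object -First 1

# A timestamp keeps the signature valid after the certificate itself expires
Set-AuthenticodeSignature -FilePath .\MyScript.ps1 -Certificate $cert -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com'

# 6. Verify: Status is Valid only if the chain is trusted here; the same cmdlets work for .exe files
(Get-AuthenticodeSignature -FilePath .\MyScript.ps1).Status
```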

2025-09-10

2025-08-20

Restrict unassigned users from logging into ChatGPT Team via Microsoft Entra SSO

ChatGPT Team supports SSO and comes with detailed setup instructions.
However, this version does not support SCIM provisioning.
To keep unassigned users from logging into ChatGPT Team via SSO, an alternative is to use a Conditional Access policy:

  • Navigate to the Microsoft Entra admin center and select your "ChatGPT WorkOS SSO" enterprise application (using the name you specified).
  • Create a new policy under Security -> Conditional Access and name it "ChatGPT WorkOS SSO Deny All But Excluded Policy" (or any name you like).
  • Under Assignments, include "All users" and exclude the users or groups that are allowed to use ChatGPT Team.
  • Under "Target resources", include "ChatGPT WorkOS SSO".
  • Under Grant, select "Block access" and set "Enable policy" to "On".

That is all.
Unassigned users may still be able to sign in, but they cannot access ChatGPT Team.
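The same policy created with Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the enterprise application carries the display name used in the steps above, and that $allowedGroupId (a placeholder) is the object id of the group allowed to use ChatGPT Team.

```powershell
# Added example: "block everyone except the excluded group" for one enterprise application.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$app = Get-MgServicePrincipal -Filter "displayName eq 'ChatGPT WorkOS SSO'" | Select-Object -First 1
if (-not $app) { throw 'Enterprise application "ChatGPT WorkOS SSO" not found' }
$allowedGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: group that keeps access

$policy = @{
    displayName = 'ChatGPT WorkOS SSO Deny All But Excluded Policy'
    # 'enabledForReportingButNotEnforced' lets you check the sign-in logs before enforcing
    state       = 'enabled'
    conditions  = @{
        clientAppTypes = @('all')
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($allowedGroupId)     # add an emergency-access account here as well
        }
        applications = @{
            includeApplications = @($app.AppId)    # Conditional Access targets the app (client) id
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```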

Setting up MFA for a Microsoft Entra shared account

Microsoft Entra admin center

=> Entra ID - Authentication methods
=> Software OATH tokens
=> Set Include groups

=> Entra ID - Authentication methods
=> Settings
=> System-preferred multifactor authentication
=> Adding groups under Exclude lets their members set a "Default sign-in method"

Open the "Security info" page of the shared account (https://aka.ms/mfasetup)

=> Add sign-in method
=> Choose Microsoft Authenticator
=> I want to use a different authenticator app
=> Finish the setup with the OTP app you want to use (Microsoft Authenticator will do)

*. You may want to change the "Default sign-in method" from "App based authentication - notification" to "App based authentication or hardware token - code" to avoid a high frequency of app notifications.
*. If the "Security info" page shows "Microsoft Authenticator - notification" instead of "App based authentication - notification", and "Sign-in method when most advisable is unavailable" instead of "Default sign-in method", you have probably skipped the second section above (System-preferred multifactor authentication in the Microsoft Entra admin center).

2025-08-13

Public DNS with benefits

AdGuard DNS (no filtering):

94.140.14.140
94.140.14.141

AdGuard DNS (blocks ads, trackers and phishing sites)

94.140.14.14
94.140.15.15

AdGuard DNS (blocks ads, trackers, phishing sites and adult content)

94.140.14.15
94.140.15.16

Cloudflare DNS (privacy protection)

1.1.1.1
1.0.0.1

Cloudflare DNS (blocks malware)

1.1.1.2
1.0.0.2

Cloudflare DNS (blocks malware and adult content)

1.1.1.3
1.0.0.3

2025-08-11

Split and Merge Sheng-Bo MailStore for SQL DB

It is not a popular piece of software.
You probably do not need it.

First: SplitDB.vbs (run on the MailStore server)
=> Split the DB by day with SplitDB.vbs

Second: MergeDB.vbs (run on the MailSearch server)
=> Merge the daily DBs into one per quarter

2025-07-30

Block Auth Failed IPs for Exchange

$UnBlockIPURL is a list that lets users unblock their own IPs; it is handled separately
and is not provided or described here.

# in hours: how long a blocked IP stays in the firewall rule group
$BlockTime = 720
# Windows Firewall rule groups that receive the blocked IPs and the blocked /16 subnets
$RuleGroupName = "ExchangeAuthFailBlockIPs"
$RuleSubnetsGroupName = "ExchangeAuthFailBlockSubnets"
# how far back (in hours) the SMTP receive protocol logs are searched
$SMTPLookBackHours = 1
$SMTPLogFullPath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\"
# only the last N lines of each log file are scanned
$SMTPLogSearchTailLines = 10000
$UnBlockIPURL = 'https://www.contoso.com/BlockIPs/History/AllUnblock.Json'

# number of blocked IPs in one class B (/16) before the whole subnet is blocked
$ClassBSubnetBlockCount = 3

#-------------------------------------------------------------------------------------------------------------------------------------------
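Detection and blocking logic matching the configuration above, as an added example that is not the author's script. The log lines are constructed (documentation IP ranges) with the field names of the Exchange SmtpReceive protocol-log header; New-NetFirewallRule and Remove-NetFirewallRule need an elevated session.

```powershell
# Added example: count SMTP AUTH failures per source IP, collapse to /16 when enough IPs share a
# class B, write one Windows Firewall block rule per run and retire rules older than $BlockTime hours.
$RuleGroupName = 'ExchangeAuthFailBlockIPs'; $BlockTime = 720; $ClassBSubnetBlockCount = 3
$SampleLog = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-07-30T08:01:10.123Z,EX01\Default Frontend EX01,08DD1,5,10.0.0.5:25,203.0.113.9:51122,>,535 5.7.3 Authentication unsuccessful,
2025-07-30T08:01:12.456Z,EX01\Default Frontend EX01,08DD2,5,10.0.0.5:25,203.0.113.9:51130,>,535 5.7.3 Authentication unsuccessful,
2025-07-30T08:02:01.000Z,EX01\Default Frontend EX01,08DD3,5,10.0.0.5:25,203.0.113.77:40001,>,535 5.7.3 Authentication unsuccessful,
2025-07-30T08:02:05.000Z,EX01\Default Frontend EX01,08DD4,7,10.0.0.5:25,192.0.2.44:33001,>,235 2.7.0 Authentication successful,
'@

function Get-AuthFailSources {
    # Source IPs with at least $MinFailures SMTP AUTH failures (535 replies) inside the look-back window
    param([string[]]$Lines, [int]$LookBackHours = 1, [int]$MinFailures = 2, [datetime]$Now = (Get-Date))
    $header = (($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields: ?') -split ','
    $since  = $Now.ToUniversalTime().AddHours(-$LookBackHours)
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $header |
        Where-Object { $_.data -like '535 *' -and
            [datetime]::Parse($_.'date-time', [cultureinfo]::InvariantCulture, 'AdjustToUniversal') -ge $since } |
        ForEach-Object { $_.'remote-endpoint' -replace '^\[?(.+?)\]?:\d+$', '$1' } |   # strip port and IPv6 brackets
        Group-Object | Where-Object Count -ge $MinFailures | Select-Object -ExpandProperty Name
}

function Get-ClassBSubnets {
    # Collapse to a /16 once $Count distinct offending IPv4 addresses share the first two octets
    param([string[]]$IPs, [int]$Count = $ClassBSubnetBlockCount)
    $IPs | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | Sort-Object -Unique |
        Group-Object { ($_ -split '\.')[0..1] -join '.' } |
        Where-Object Count -ge $Count | ForEach-Object { "$($_.Name).0.0/16" }
}

function Add-BlockRule {
    # The timestamp in the rule name is what Remove-ExpiredBlockRules uses to retire it later
    param([string[]]$Remote, [string]$Group = $RuleGroupName)
    New-NetFirewallRule -DisplayName "$Group $((Get-Date).ToString('yyyyMMddHHmm'))" -Group $Group `
        -Direction Inbound -Action Block -RemoteAddress $Remote -Profile Any | Out-Null
}

function Remove-ExpiredBlockRules {
    param([string]$Group = $RuleGroupName, [int]$Hours = $BlockTime)
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Where-Object {
        [datetime]::ParseExact($_.DisplayName.Split(' ')[-1], 'yyyyMMddHHmm', $null) -lt (Get-Date).AddHours(-$Hours)
    } | Remove-NetFirewallRule
}

$bad     = @(Get-AuthFailSources -Lines ($SampleLog -split "`r?`n") -Now ([datetime]'2025-07-30T08:30:00Z'))  # fixed "now" for the constructed lines
$targets = @($bad) + @(Get-ClassBSubnets -IPs $bad)
if ($targets) { Remove-ExpiredBlockRules; Add-BlockRule -Remote $targets }
```

With the constructed lines only 203.0.113.9 reaches the two-failure threshold; the single failure from 203.0.113.77 and the successful 235 reply are ignored.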