Tuesday, April 09, 2019

Luke: My best friend at 9 1/2

9 1/2 years ago, this awesome creature came home with me. Since the time he was a puppy, I have looked into his eyes and seen an old soul. Smart, intuitive, independent, and stubborn, I can't imagine my life without him. He has been with me almost 10 years and across thousands of miles. He takes it all in stride. He loves trips to the mountains, hanging out in my office, or just chilling someplace remote that we have hiked to. His coat is a bit lighter now and he is a bit more grumpy in the morning, but he is still that independent-minded puppy I met at 4 weeks old.


#siberianHusky #lifeWithLuke #bestFriend

Wednesday, March 20, 2019

They are like potato chips - Happy Birthday, Broker!

People in the know say that Siberian Huskies are like potato chips... you can't have just one. That is sure true. After a year and a half with Luke, I had to have another. And along came my Broker-boy.

Broker is the anti-Luke. He is always in a good mood and he always wants attention. He does not like children or other dogs. But, he is the sweetest dog alive if he likes you.

He has been with me now for almost 8 years and across thousands of miles. So happy to have my Broker-boy chilling next to me.

Monday, December 15, 2014

GALSync on a budget

It seems harder and harder to sync two different AD forests.  First, we had the "almost free" Microsoft IIFP which worked remarkably well. Then Quest released a series of free PowerShell scripts that would do the same thing.  Unfortunately, when they got Dell'ed, those scripts are no longer free.

A customer recommended this jewel, though.  I need to give it a test drive sometime, but wanted to share.

A GALSync powershell script

Tuesday, November 11, 2014

Amazon EC2 instance problem: not accessible from the network

I had my first issue with Amazon EC2 this week.  I rebooted a Windows Server EC2 micro instance and when it came back up, it was no longer accessible via RDP.  I tried stopping it and starting it several times with no success.   I found these instructions to fix the problem.

1.   Stop your instance through the AWS console



3.   Right click the instance in the management console, select change instance type such as C3.*, R3.*, or I2.*  (This upgrades the instance to a different network platform.  The public IP address will probably also change.)

4.  Start the instance.

5.   When the instance passes health check, RDP to the instance.


7.   Uninstall the AWS PV Driver Version 7.2.0 via "Programs and Features."

8.  Reboot the machine when prompted by the uninstaller.


10.  Reboot when prompted by the installer.

11.  Run the script from step 6 again. This will ensure that this issue is corrected ongoing.

12.  Stop the instance and change the instance type to your previous instance.

Monday, July 21, 2014

So long, little MEC v2, we hardly knew ye

To the excitement of many, two years ago Microsoft resurrected the Microsoft Exchange Conference.   To many in the Exchange server community, this represented a renewed focus on Microsoft's part towards providing top-notch information to the Exchange community.  Though I found the timing to be a bit suspect (after all, MEC had been gone for 10 years), it was a welcome resurrection even though, at the time, I was the speaker chair for the Penton Media Exchange Connections Conference.

Alas, nothing lasts forever and apparently MEC v2 is already being canned in favor of a bigger, better, more stupendous TechEd.  The new event, now called the Unified Microsoft Commercial Technology Event, will roll TechEd, MEC, the SharePoint conference, and the Lync conference into one.

I am disappointed in this latest devolution of Microsoft's conferencing strategy.  Unfortunately, large conferences tend to have their sessions dumbed down a bit to a lower common denominator.  Smaller conferences, like MEC or Connections, do allow for more detailed and specialized sessions.  And, they allow for more interaction with the presenters and vendor subject matter experts.

#IWasMEC

Sunday, July 20, 2014

Change Auditor installation broke Exchange 2010 scripting

Last week, we finally got around to starting our Change Auditor for Exchange installation.  We had tested this pretty thoroughly in the lab, but had not yet put it in to production.  So, we picked an unused public folder server in our Disaster Recovery site.

We did not realize that the first Change Auditor for Exchange agent that gets installed also enables a global setting that enables the Scripting Agent.  Once enabled, admin scripts and SCOM scripts could no longer run.  And, we use a lot of scripts for admin tasks.

If we had gone ahead and completed the Change Auditor agent installation on all servers, the problem would have been resolved.  But, since something was "broke" we halted the installation until we could figure out what had happened.

As a work around, we changed the ScriptingAgentConfig.XML file (see the above link) and disabled it on all other E2K10 servers.
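The check I would want before (or right after) an installation like this, as an added example that is not from the original post: report the org-wide Scripting Agent state and find the Exchange 2010 servers that do not have a ScriptingAgentConfig.xml. When the agent is enabled, any server that lacks the file fails every cmdlet run against it, which is the symptom described above. The cmdlets are standard Exchange 2010 ones; the $env:ExchangeInstallPath variable is set on every Exchange server.

```powershell
# Added example (not from the original post): Scripting Agent sanity check for
# an Exchange 2010 organization.
$agent = Get-CmdletExtensionAgent -Identity "Scripting Agent"
"Scripting Agent enabled org-wide: {0}" -f $agent.Enabled

# Exchange 2010 reports AdminDisplayVersion major version 14.
$e2k10 = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 14 }

foreach ($server in $e2k10) {
    # Look for the config file in the server's own install path.
    $hasConfig = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
        Test-Path (Join-Path $env:ExchangeInstallPath "Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml")
    }
    "{0,-20} ScriptingAgentConfig.xml present: {1}" -f $server.Name, $hasConfig

    if ($agent.Enabled -and -not $hasConfig) {
        Write-Warning ("{0}: Scripting Agent is enabled but ScriptingAgentConfig.xml is missing; cmdlets run against this server will fail." -f $server.Name)
    }
}
```

The org-wide switch is Enable-CmdletExtensionAgent / Disable-CmdletExtensionAgent "Scripting Agent"; disabling it restores scripting everywhere but also removes what the Change Auditor agent relies on, so the per-server config-file workaround above is the less disruptive option while the rollout is on hold.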

Sunday, July 06, 2014

Mailbox storage: If you really don't like your users... give them what they ask for...

Mailbox storage has always been a sore spot with me.  Regardless of how often you remind users to manage their mailbox, they want to hold on to almost everything.   But, I get this... I often refer back to email conversations that I had 2 or 3 years ago.  Email is an extension of my brain/memory.

In my user community, we have users that regularly receive 1.0GB of email per month.  PPTs, PDFs, documents, spreadsheets, images, audio, newsfeeds, you name it, they get it.  And, they keep it.

Years ago, our users complained loudly that they did not like having mailbox storage limits.  Management heard their screams and told us to raise the storage limits, so we adopted Enterprise Vault and essentially gave our users a "bottomless mailbox."   Vault comes through and archives anything older than 30 days.

Normally, they don't let me anywhere near end users because I don't have a filter.... but over the past 2 years I have spoken to a lot of our user community.  And, they have resoundingly said "we hate Enterprise Vault" and "give us a larger mailbox and then just let *us* decide when we delete something or if we keep it."

So, our newest email platform now provides each user with a 2GB mailbox and a 10GB personal archive.  Within 6 months, some of our users had already exceeded these limits and more exceed them every day. 

And, you guessed it...  they want a way for "the vault to archive their older stuff".

:-)

Wednesday, June 11, 2014

OWA for Android App

Very cool!  Microsoft released today an OWA for Android app.  It is still in pre-release, so all of you early adopters out there can expect a few bugs.  And, of course, if you have been following the OWA apps for mobile devices, there is the caveat that it is only available for Office 365 for Business customers.  ;-(    So, more bait to get people to move to Office 365.


Tuesday, June 10, 2014

Show pictures in the Exchange 2010 OWA GAL

Thanks again to Lee Derbyshire

How To Show GAL Pictures For Internal Emails In Exchange 2010 Outlook Web App

Moving Exchange database or defrag'ing Exchange database

I still see these questions asked pretty frequently:

1)  I need to defrag/compact my Exchange 2007 / 2010 / 2013 database.  What is the best way to do that?
(or)
2)  I need to move my databases to a new disk.  What is the best way to do that?

If you have the free disk space, by and large the best way to defrag or move data is to just create a new database on the new disk.  Then, use the New-MoveRequest option to move the mailboxes over. This takes a bit longer but it also minimizes downtime and customer annoyances.  And, in the case of a defrag, it minimizes risk to the database file.
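The whole move-to-a-new-database sequence, as an added example that is not from the original post. Database names, server name and paths are assumptions; the cmdlets are the standard Exchange 2010/2013 ones.

```powershell
# Added example (not from the original post): defrag or relocate by moving
# mailboxes into a fresh database rather than running eseutil on the old file.
$OldDb  = "MBX-OLD"     # assumed name of the fragmented / wrongly placed database
$NewDb  = "MBX-NEW"     # assumed name of the replacement
$Server = "EX01"        # assumed mailbox server

# 1. Create the new database on the new disk and mount it.
New-MailboxDatabase -Name $NewDb -Server $Server `
    -EdbFilePath "E:\Databases\$NewDb\$NewDb.edb" `
    -LogFolderPath "F:\Logs\$NewDb"
Mount-Database -Identity $NewDb

# 2. Queue a move for every mailbox in the old database. The batch name keeps
#    this job separate from any other moves in flight.
Get-Mailbox -Database $OldDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $NewDb -BatchName "Relocate-$OldDb"

# 3. Watch progress. Users stay online until the final incremental sync.
Get-MoveRequest -BatchName "Relocate-$OldDb" |
    Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete, TotalMailboxSize

# 4. When every move reports Completed, clear the requests and confirm the old
#    database is empty before removing it. Remove-MailboxDatabase refuses to
#    run while mailboxes remain, which is the safety net here; the .edb file
#    is left on disk for you to delete by hand.
Get-MoveRequest -BatchName "Relocate-$OldDb" -MoveStatus Completed |
    Remove-MoveRequest -Confirm:$false
Get-Mailbox -Database $OldDb -ResultSize Unlimited          # expect no output
Dismount-Database -Identity $OldDb -Confirm:$false
Remove-MailboxDatabase -Identity $OldDb -Confirm:$false
```

Get-Mailbox without extra switches does not return arbitration mailboxes, so check Get-Mailbox -Arbitration -Database $OldDb (and any archive-only placements) before step 4, or the removal will fail with mailboxes still present.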

Automated user provisioning - Savior or Satan?

Over the past 10 years, more and more medium and large corporates have embraced user account and group provisioning systems as part of their identity management strategy.  In this article, Why Provisioning Should Move Away from IT, Dell/Quest advocates moving the provisioning process away from IT entirely.  (Well, that would be almost impossible, but at least get the "process" if not the technology away from IT.)

My own organization embraced a fairly customized version of Microsoft's Forefront Identity Manager (FIM) as our provisioning system.  It integrates with our PeopleSoft system as well as a number of other databases to provide a unified identity picture.

We have about 1 1/4 full time Microsoft Consulting Services employees on staff that help us maintain this behemoth, another almost full-time contractor, and another almost full-time employee that helps operate the system.  For 45,000 user objects, I'd estimate we spend about $750,000 per year in labor to maintain this.

The system is always a few generations behind where we need it to be.  Feature requests are generally a year to three years behind in integration and implementation.  (Part of this is due to some... "mishaps"; our management is so gun-shy about anything to do with this platform that doing nothing is their IM strategy.)

Meanwhile, the system works only partially, and for only about 75% of our employees/contractors, since our PeopleSoft system maintains data for employees and not for most contractors.  So, our help desk still manually provisions many user accounts and groups.  And, our PeopleSoft system often spits out phone numbers in formats that are not usable by UC "dialer" links or software.  So, dial links in Lync are useless.  And, our HR department refuses to update their system to accommodate us.

I'd guess that this platform actually costs us *more* than a manual provisioning system.  Sometimes, there is a reason why there is "no school like the old school."

If you are considering an automated user provisioning system, I strongly recommend going through as many different use cases as possible.  Not just your full time employees, but look at temps, short term contractors, long term contractors, VIPs, etc...  Go through your proposed IM system and look at all of these use cases and determine if the work flows are going to accommodate them.   And, if not, how many users fall outside of the "automated" boundary and how are you going to take care of them?


Monday, June 09, 2014

AssociatedItemCount versus ItemCount

Recently, one of my "Yes, but show me the TechNet article to prove it" co-workers asked me about the difference between the AssociatedItemCount and ItemCount properties in Exchange 2010 (and, of course, 2007 and 2013) when looking at mailbox and public folder statistics.  (We all have one of these co-workers, don't we?)

ItemCount reflects the total number of actual, viewable mail/calendar/contact/etc... items in the folder.  Anything the user sees in the folder or mailbox.

AssociatedItemCount is the count of the "hidden" objects associated with a folder or mailbox, including rules, forms, form-type, admin info, moderation information, views, auto-complete items, categories, etc...

Here are the relevant passages in the scripture. 
MSDN Folder Associated Information
MSDN Content Tables
MSDN Folder-Associated Information Tables


Saturday, June 07, 2014

Goodbye Sitemeter

I have been using Sitemeter for years to provide a simple visit counter and reports for some of my web sites.  Recently, I noticed that my Ithicos site was sometimes loading slowly and the browser was going to a lot of sites that I *know* I don't have links to.

This includes:
adjuggler.net
demdex.net
neac.com
scorecardresearch.com
vindicosuite.com
ads.yahoo.com

Apparently, Sitemeter has been bought by the same ad-ware intensive company that bought MySpace.  And, now the script that you embed on your web site for the Sitemeter is also going out and establishing connections and setting cookies for all of these other sites.

I not only found it is setting these cookies and establishing these connections, but it is also REDIRECTING my site to an "ad" page and my site visitor has to click a "Return to Original Site" link.

Goodbye Sitemeter!



Tuesday, June 03, 2014

Marriott Destinations Club Members

If you are a Marriott Destinations Club member, I just found a cool trick.  If you are short on points for the year, you can Buy or Rent Marriott Destinations Points.  Technically, this is called "renting" because you only get the "one time" use of the points for a particular, but it is very cool.  It allows a lot of flexibility for those that want to add some points some years to their portfolio without going back and purchasing permanent points.  The site lets you find DC owners that have extra points and want to "sell" them.  They usually sell for about $0.45 to $0.60 per point.

Wednesday, May 21, 2014

Outlook 2007: Are you longing for a way to see GAL photos?

I think showing people's photos in the Global Address List is a great way to improve collaboration between employees.  Especially in medium or large businesses or in businesses that are geographically dispersed.  It adds a nice, friendly, personal touch to email. 

If you are still stuck on Outlook 2007, good news!  There is an Outlook 2007 Social Connector add-on.

Monday, May 05, 2014

Easiest thing I have done this spring.... Kemp Load Balancer

I have to say, setting up a Kemp Load Balancer to front-end 2 Exchange 2010 servers was just about the easiest thing I have done this year.  Set up the hardware, registered the device with Kemp, loaded up an Exchange 2010 template, and configured the two virtual servers.   First time I had done this. It took a bit more than an hour from the time we pulled it out of the box until it was done.  Nice!

Tuesday, April 08, 2014

Usage of higher MX records

I recently noticed something that at first seemed a bit weird.   A company had transitioned to an external email hygiene service but left their old MX record in place with a higher cost value, so their MX records looked like this (I shortened the text a bit).

company.com     MX=10     hygiene1.serviceplace.org
company.com     MX=10     hygiene2.serviceplace.org
company.com     MX=20    oldserver.company.com

We noticed that a lot of email was still coming directly in to oldserver.company.com (their old gateway).

According to the RFCs, the sending SMTP transport is supposed to always pick the lowest MX record first and only move to a higher one if the lower ones fail.  But, we were seeing a different behavior.

After some additional analysis, we found that only spam and malware were coming in to the MX record of 20.   After some discussion with some colleagues, I found out that spammers will intentionally do this in hopes of finding backdoors or SMTP paths in to your system with less security or message hygiene in place.

Ideally, once you start using an external provider, you should remove your old MX records, get the IP addresses from which the provider sends, and block everyone else's TCP port 25 at your firewall so that spammers can't find you by port scans.
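Both halves of that advice as a script, added here as an example that is not from the original post. Part 1 finds MX records that still point somewhere other than the hygiene provider; part 2 locks the Windows host firewall on the legacy gateway down to the provider's delivery addresses (the perimeter firewall needs the same rule). The domain, provider suffix and IP ranges are constructed placeholders; take the real ranges from the provider's documentation.

```powershell
# Added example (not from the original post): stray-MX check and port-25 lockdown.
$Domain            = "company.com"        # placeholder
$ProviderMxSuffix  = "serviceplace.org"   # placeholder: the hygiene provider's MX host domain
$ProviderSourceIPs = @("192.0.2.0/24", "198.51.100.0/24")   # placeholder ranges

# Part 1: DNS. Resolve-DnsName ships with Windows 8 / Server 2012 and later.
# The answer can include A records for the exchanges, so keep only MX rows.
$mx = Resolve-DnsName -Name $Domain -Type MX | Where-Object { $_.Type -eq "MX" }
$mx | Sort-Object Preference | Select-Object Preference, NameExchange

# Any MX that does not point at the provider is a path around message hygiene,
# whatever its preference value.
$strays = $mx | Where-Object { $_.NameExchange -notlike "*.$ProviderMxSuffix" }
foreach ($r in $strays) {
    Write-Warning ("MX preference {0} still advertises {1}; mail sent there bypasses hygiene, remove the record." -f $r.Preference, $r.NameExchange)
}

# Part 2: host firewall on the legacy gateway. Windows evaluates Block rules
# ahead of Allow rules, so do not add a "block everyone" rule; instead make
# sure the default inbound action is Block, review existing port-25 allows,
# and add one allow rule scoped to the provider's sources.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq "TCP" -and $_.LocalPort -eq 25 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" } |
    Select-Object DisplayName, Enabled, Profile     # remove any of these that allow Any remote address

New-NetFirewallRule -DisplayName "SMTP inbound from hygiene provider only" `
    -Direction Inbound -Protocol TCP -LocalPort 25 `
    -RemoteAddress $ProviderSourceIPs -Action Allow
```

Run part 1 from outside your own network as well; a split-horizon DNS zone can hide a stray public MX from an internal lookup.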

Monday, March 31, 2014

Forms based authentication and anonymous folders

Sometimes I have seen some weird issues with some forms based authentication.  On the logon form, the images do not show up and the text and other information does not line up correctly.  The images are in the .\images folder and the style sheet is in the .\styles folder.

Turns out, this is by design because forms-based authentication is enabled and the authorization section specifies that anonymous users are denied access (in the <authorization> tag).

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>


I found a lot of discussion threads indicating that the <location> could be used with the path option to specify a path that could be accessed anonymously.  But, I found conflicting information.  One poster said you could only have ONE <location> tag.  However, upon testing it, I found that you can indeed have 2 different <location> tags.  See below.

    <!-- This location tag specifies that the styles and images folders are accessible before logon. This allows the logon page and logo to be displayed correctly. -->
    <location path="styles">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
    <location path="images">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>


I put these inside the <configuration> tag of the web.config file near the bottom.  This seems to clear up the issues.

Saturday, February 01, 2014

Exchange 2013 Architecture Poster

Microsoft just released a PDF version of their Exchange Server 2013 Architecture Poster.  Free to download.

Tuesday, December 17, 2013

Convert OST file to PST file

I still see questions in the forums from time to time where someone is asking if it is possible to convert an OST file to a PST file.  This is usually due to a mailbox being deleted, but the OST file remains.

Microsoft does not provide any mechanism to convert an OST file to a PST file.  However, if you can open up the OST file when you open Outlook, you can create a new PST file and just export email to it or drag-and-drop items in to the PST file.

There are a few third party tools that will do this, but I have not tested any of them.

http://www.convertost.com/
http://www.brothersoft.com/convert-ost-to-pst-68529.html
http://www.windowsreference.com/ms-exchange-server/how-to-convert-ost-to-pst-format-for-outlook/
 

Sunday, December 15, 2013

.NET Framework 4 application issues on fresh Windows 2008 R2 installation

A bit of frustration with Windows Server 2008 R2 and the .NET Framework 4.0.  Just because you use the Add-WindowsFeature Application-Server option to add the .NET Framework, the 4.0 Framework may not be properly registered with IIS.  This seems to be true when you install the 4.0 Framework first and then later add the Web-Server and Application-Server options to Windows.

I installed the prerequisites, then installed my 4.0 Framework application and got this error:

HTTP Error 500.21 - Internal Server Error

Handler "PageHandlerFactory-Integrated" has a bad module "ManagedPipelineHandler" in its module list

This implies that the ASP.NET managed handler is incorrect, but in reality the 4.0 Framework is not properly registered.

Open up a command prompt as an administrator, then change to this folder:
C:\Windows\Microsoft.NET\Framework\v4.0.30319 

Run this command:
aspnet_regiis.exe -iru 

There are a couple of different installation/registration options for aspnet_regiis.exe, but the -iru option is the safest since it only registers the 4.0 Framework and does not change/update any existing applications or web sites.  That is helpful if you have web applications that are still using the 2.0 Framework.

Sunday, December 08, 2013

Ithicos Solutions Customer Survey

If you are a customer of Ithicos Solutions and use our Active Directory self service tools such as Directory Update, Directory Manager, Directory Search, and/or Directory Password products, we would like your feedback:

Ithicos Solutions survey

This survey should take no more than 5 minutes to complete and will help us determine better ways to support you in the future.  The survey is completely anonymous, but you can leave your email at the end for a chance to win an Amazon gift card.



Saturday, December 07, 2013

Convert user mailbox to linked mailbox in Exchange 2010

A few weeks ago, someone enabled the user accounts for a bunch of our Exchange 2010 linked mailboxes.  One of the workflows in our FIM system saw this as an indication that they should be user mailboxes rather than linked mailboxes and thus converted them all from linked mailboxes to user mailboxes.

I did a bit of research and was somewhat heartbroken to find this TechNet article
http://technet.microsoft.com/en-us/library/bb201694%28v=exchg.141%29.aspx

This article implied that converting user mailboxes back to linked mailboxes was not possible using the EMC. 

After a bit more research and an email from Jason Sherry, I fortunately found out this article is wrong.  (I'm hoping Microsoft updates this.)

It is pretty simple to convert a user mailbox with E2K10 SP2 or E2K10 SP3 back to a linked mailbox.

Set-User <userID> -LinkedMasterAccount AccountDomain\UserID -LinkedDomainController AccountDomainControllerFQDN

Here is an example:

Set-User jim -LinkedMasterAccount Contoso\Jmcbee -LinkedDomainController dc01.contoso.local



Monday, November 25, 2013

Search Exchange for credit card or social security numbers

A question came up recently at a customer site about how they could search their Exchange mailboxes for email messages that contain credit card numbers.  (This is prohibited by their company policy, but they still find credit card numbers occasionally.)   Almost immediately after that, someone on a newsgroup asked if it was possible to search all mailboxes using Exchange Server 2010 or 2013 eDiscovery tools for social security numbers.

While searching for text or numerical patterns, such as "XXXX XXXX XXXX XXXX" or XXX-XX-XXXX, is a piece of cake for some search engines using regular expressions (RegEx), this is not possible with the Exchange eDiscovery tools.   I should note that you can do some pattern matching using transport rules, and it is possible to intercept messages in transit, but not at rest.  So, if you are looking for data that is already in your database, then you are somewhat out of luck.  At least "out of the box".

Sherpa Software's Discovery Attender does, however, do more complex pattern matching.
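The in-transit half of that, as an added example that is not from the original post: a transport rule that rejects messages whose subject or body matches the two shapes above. The rule name and reject text are assumptions; the patterns are the post's XXXX XXXX XXXX XXXX and XXX-XX-XXXX written as regular expressions, and the sample strings used to check them are constructed.

```powershell
# Added example (not from the original post): pattern-matching transport rule.
$Patterns = @(
    '\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b',   # 16 digits in four groups, optional space or dash between
    '\b\d{3}-\d{2}-\d{4}\b'                     # 3-2-4 digits with dashes
)

# Check the patterns locally before they go into a rule. Constructed samples:
# two that should match, one that should not.
$samples = @('card 4111 1111 1111 1111 on file', 'ssn 123-45-6789', 'order 12345 shipped')
foreach ($s in $samples) {
    $hit = $Patterns | Where-Object { $s -match $_ }
    "{0,-36} matched: {1}" -f $s, [bool]$hit
}

# The rule. It only sees mail passing through transport; messages already
# sitting in a mailbox database are never examined by it.
New-TransportRule -Name "Reject card and SSN patterns" `
    -SubjectOrBodyMatchesPatterns $Patterns `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Message appears to contain a payment card or social security number, which company policy prohibits." `
    -Enabled $true
```

A bare 16-digit pattern will also catch order numbers and serial numbers, so expect false positives; on Exchange 2013 create the rule with -Mode Audit first and review what it would have stopped before switching it to Enforce.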

Tuesday, July 30, 2013

Update to Exchange 2013 CU2

Microsoft has released an update to Exchange 2013 CU2 that fixes an issue with public folder permissions.  Check the build number if you have recently deployed.  The build number for the new release should be 712.24.  See Microsoft KB2859928 for more information.

Thursday, July 25, 2013

ResolveP2 headers in Exchange 2010 and 2013

Exchange 5.5, 2000, and 2003 had a feature called ResolveP2 headers.  Essentially, it allowed Exchange to accept an inbound message, inspect the sender's SMTP address (or other type of address back in the olden days) and if the address was associated with an object in the Global Address List / Active Directory, then replace the sender's address with the name from the GAL.

For example, if the email was sent from snuffy@volcanosurf.com, but you had a mail-enabled contact or mail-enabled user in GAL with that SMTP address, it would resolve the name and the From would instead say "Snuffy Smith" or whatever the display name was.   You can read more about this feature from the olden days in this blog by David Lemson: 
ResolveP2, RerouteViaStore, and its equivalent in Exchange 2003

This feature was turned off by default to keep spammers from sending "reputable" looking mail by trying to make a message look like it came from a valid internal sender.

Recently, we were trying to figure out how to turn this back on due to an ongoing migration.  We needed the senders in DomainX to be resolved properly to GAL objects when they sent to DomainY.

The ResolveP2 feature does not exist in Exchange 2010 (and 2013).  Exchange will only resolve the sender's address to a GAL object if the message comes from an authenticated or trusted source.

You can duplicate this functionality in Exchange 2010 / 2013 with a receive connector that is configured to allow relay and, on the Authentication properties, include the "Externally Secured" property.

Bharat Suneja has an excellent article on how to do this.
How To Allow Relaying in Exchange 2010 and Exchange 2007 

Once you have set up the relay receive connector, add the sending system's IP addresses to the authorized source IP addresses.

Take care with this feature because you can inadvertently allow people to relay through your system which will inevitably add you to block lists, get you in trouble with your ISP, and bring about plague-o-locust across the land.  Anyone that sends through this particular receive connector will have these rights.


ms-Exch-SMTP-Accept-Authoritative-Domain
ms-Exch-Bypass-Anti-Spam
ms-Exch-Bypass-Message-Size-Limit
ms-Exch-SMTP-Accept-Exch50
ms-Exch-Accept-Headers-Routing
ms-Exch-SMTP-Submit
ms-Exch-SMTP-Accept-Any-Recipient
ms-Exch-SMTP-Accept-Authentication-Flag
ms-Exch-SMTP-Accept-Any-Sender
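
The connector built the way Bharat Suneja describes, scoped as tightly as possible, plus an audit of what it hands out; this is an added example, not from the original post or from his article. Server name, connector name and the DomainX source addresses are constructed placeholders.

```powershell
# Added example (not from the original post): Externally Secured relay connector
# restricted to the migration source hosts, and an audit of such connectors.
$Server      = "EX01"                       # placeholder
$Name        = "DomainX migration relay"    # placeholder
$SourceHosts = @("192.0.2.10", "192.0.2.11")   # placeholder: the DomainX sending systems only, never a whole subnet

# ExternalAuthoritative has to be paired with the ExchangeServers permission
# group. On Exchange 2013 add -TransportRole FrontendTransport.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $SourceHosts `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# Audit: every connector on the server that grants Externally Secured trust,
# the exact sources it trusts, and the ms-Exch-* extended rights (the list
# above) that trust confers. A wide RemoteIPRanges here is an open relay.
Get-ReceiveConnector -Server $Server |
    Where-Object { "$($_.AuthMechanism)" -match "ExternalAuthoritative" } |
    ForEach-Object {
        $_ | Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups
        Get-ADPermission -Identity $_.Identity |
            Where-Object { $_.ExtendedRights -match "^ms-Exch-" } |
            Select-Object User, ExtendedRights
    }
```

Because the default connector is also bound to port 25, Exchange picks this one only for sessions from the addresses in RemoteIPRanges; everything else keeps landing on the default connector with its normal anonymous permissions. Remove the connector when the migration finishes.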


Friday, July 19, 2013

Exchange 2013 CU2 - OWA Forms Based Authentication automatically enabled

I think most people automatically use OWA Forms Based Authentication (FBA) for web mail, but in some cases you may have just Basic or Integrated Windows Authentication enabled.

Some people have been reporting that even though FBA is disabled in their environment, once they update to E2K13 CU2, the logon form is displayed rather than using Basic or IWA.

If you check the OWA virtual directory properties, the FormsAuthentication form option is set to "False", yet the FBA form still appears. 
Get-OwaVirtualDirectory | FL forms*,basic*
FormsAuthentication : False
BasicAuthentication : True

This happens because when CU2 is installed, it replaces the existing web.config file with a new one that has FBA enabled.  This is easy to fix, though.

Simply "enable" and then "disable" FBA on your OWA virtual directories. 

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -FormsAuthentication $True
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -FormsAuthentication $False 

This should reset FBA back to off.

For more information, see this KB article "The FBA page is displayed when a user accesses OWA or ECP to log on to Exchange Server 2013"

Thursday, July 18, 2013

OWA for the iPad and iPhone for Office365 users

If you are on Office365, this should be some good news.  Microsoft has released Outlook Web App for the iPad and iPhone.  They are available for download from the Apple App Store.  Unfortunately, this seems to be only for Office365 users rather than on premises users.

Thursday, July 11, 2013

Exchange 2013 RTM CU2

Microsoft released Exchange 2013 RTM CU2 this week.  Cumulative Update 2 includes a number of bug fixes and product improvements.  Some important notes include that the RBAC roles have been updated (so test thoroughly) and the AD schema will need to be updated.

See Ross Smith IV's EHLO blog posting on Exchange 2013 RTM CU2.

Tuesday, May 07, 2013

File-based antivirus scanners on Exchange servers

Have I ever mentioned that I really dislike file-based antivirus scanners on Exchange Servers?  Really, really, really dislike them.....

For the past 6 weeks, at work we have been fighting weird latency issues for most of our users.  Outlook slows down to a crawl at some points during the day.  We have been blaming WAN congestion, but this past week we noticed that the Test-MapiConnectivity cmdlet was showing much higher than expected latency. (Normal should be less than 20-100ms).  We were seeing spikes on all databases as high as 1,000ms.

The plague of modern IT is LOTS of agents and we are no exception.  Inventory, monitoring, security, antivirus, etc....   The latency went away when we removed Symantec Endpoint Protection.  While the exclusions were all supposed to be in place, we were still seeing the latency until the SEP client was removed entirely.  (A side note, the local firewall component of SEP was disabled.)

So, I guess I'm now questioning whether Exchange servers really need file-based antivirus scanners any longer?  Provided clients are well protected and administrators don't logon to the server console frequently to perform day-to-day administration, do we really need those file-based scanners?


Wednesday, April 10, 2013

Moving jpegPhoto photos to the thumbnailPhoto attribute

There are a lot of clever people out there.  Unfortunately, I'm not amongst them.  But, Joe Richards and Brian Desmond are!  Thanks to Joe for developing some great tools and Brian for showing me how to use some of them to do something tricky.

Anyway, on past the credit.  There are quite a few organizations out there that used the jpegPhoto attribute to store photos of users for use with 3rd party applications, including my Directory Update and Directory Manager Active Directory applications.  Microsoft is now using thumbnailPhoto as their photo-attribute-of-choice for Exchange 2010 and Outlook 2010.  That leaves a lot of us with our photos in jpegPhoto.

Using the ADFind and ADMod applications from Joe Richards, though, you can copy the jpegPhoto data in to the thumbnailPhoto attribute.  First, download and unzip these two applications. 

Here is an example of how to move user LukeHusky's photo:
adfind -f "(&(objectCategory=person)(objectClass=user)(samAccountName=LukeHusky)(jpegPhoto=*))" jpegPhoto -adcsv | admod BIN##thumbnailPhoto::{{jpegPhoto}}

If this works for one user, you can actually run this against ALL users that have data in the jpegPhoto attribute with this command.
adfind -f "(&(objectCategory=person)(objectClass=user)(jpegPhoto=*))" jpegPhoto -adcsv | admod BIN##thumbnailPhoto::{{jpegPhoto}} -unsafe

You can also run this so that it will stop after a specific number of errors, such as 5 in the case below:
adfind -f "(&(objectCategory=person)(objectClass=user)(jpegPhoto=*))" jpegPhoto -adcsv | admod BIN##thumbnailPhoto::{{jpegPhoto}} -exterr -upto 5

As always, test before doing AD-wide deployments!
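The same copy done with the ActiveDirectory PowerShell module instead of Joe Richards' tools, as an added example that is not from the original post, written so the "test first" advice is built in: it runs with -WhatIf until you drop the switch, skips users whose thumbnailPhoto already holds the same bytes, and skips pictures over a size cap. The 10KB default for that cap is an assumption chosen because Exchange's own Import-RecipientDataProperty refuses pictures larger than that.

```powershell
# Added example (not from the original post): jpegPhoto -> thumbnailPhoto with the
# ActiveDirectory module. Same LDAP filter as the adfind command above.
Import-Module ActiveDirectory

function Copy-JpegPhotoToThumbnail {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$MaxBytes = 10KB,       # assumed cap; Exchange's importer rejects anything larger
        [switch]$WhatIf
    )

    $filter = "(&(objectCategory=person)(objectClass=user)(jpegPhoto=*))"
    $users  = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties jpegPhoto, thumbnailPhoto

    foreach ($u in $users) {
        # jpegPhoto is multi-valued in the schema; take the first value.
        $photo = $u.jpegPhoto
        if ($photo -isnot [byte[]]) { $photo = [byte[]]$photo[0] }

        if ($photo.Length -gt $MaxBytes) {
            Write-Warning ("{0}: jpegPhoto is {1} bytes, over the {2} byte cap; skipped" -f $u.SamAccountName, $photo.Length, $MaxBytes)
            continue
        }

        # Already in place? Compare the bytes and leave the object alone.
        if ($u.thumbnailPhoto) {
            $existing = [System.Convert]::ToBase64String([byte[]]$u.thumbnailPhoto)
            if ($existing -eq [System.Convert]::ToBase64String($photo)) { continue }
        }

        Set-ADUser -Identity $u -Replace @{ thumbnailPhoto = $photo } -WhatIf:$WhatIf
    }
}

# Dry run first, then the real thing. Narrow -SearchBase to one OU for the pilot.
Copy-JpegPhotoToThumbnail -WhatIf
# Copy-JpegPhotoToThumbnail
```

Keep the oversized-photo warnings: a picture that exceeds the cap will be written to thumbnailPhoto happily by Set-ADUser but will be silently ignored by the Outlook/Exchange features you are doing this for.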


Thursday, February 21, 2013

Exchange maximum send and receive message size not working

I see a lot of posts in the newsgroups about the maximum message size limits not working correctly.  People are continually trying to change global message size limits, send connectors, etc... I keep meaning to write about this.

Out of the box, Exchange's maximum send and receive message size limit is 10MB.  But, that is the "internal" message size limit.  When a message is sent from one Exchange server to another within your organization, the format remains in MAPI format.  This means that attachments remain in their original binary format.

However, if you send a message OUTSIDE of your Exchange organization the message must be converted in to an Internet standard. This standard is almost always MIME (Multipurpose Internet Mail Extensions).  Binary attachments (ZIPs, DOCs, PPTs, XLSs, etc...) must be converted from their standard binary format to Base64.  When an attachment is converted to Base64, the resulting attachment size is about 37% LARGER than the original file.

So, an internal e-mail message that is around 7.5MB (including attachments) will expand to just over 10MB.   Exchange will issue an NDR that the message size is too large.

When explaining to your users the maximum send and receive (outbound and inbound) message sizes, it is best to explain that the "internal" limit is 10MB, but the external limit is around 7MB.
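Where the 37% comes from, carried through as an added example that is not from the original post. Base64 turns every 3 input bytes into 4 output characters (a 4/3 expansion, padded to a multiple of 4), and MIME encoders break the output into 76-character lines each ended by CRLF, which adds 2 bytes per 76; the combined factor is 4/3 times (1 + 2/76), about 1.368. The functions below apply that to the post's numbers.

```powershell
# Added example (not from the original post): Base64/MIME size arithmetic.

# Encoded size of a binary payload of $Bytes bytes once it is Base64 encoded
# and wrapped into 76-character CRLF-terminated lines.
function Get-Base64MimeSize {
    param([long]$Bytes)
    $encoded = 4 * [math]::Ceiling($Bytes / 3)    # 4 chars per 3 bytes, padded
    $lines   = [math]::Ceiling($encoded / 76)     # 76-character lines
    return [long]($encoded + 2 * $lines)          # plus CRLF per line
}

# The inverse: the largest binary payload whose encoded form stays under an
# external (MIME) size limit.
function Get-MaxPayloadForMimeLimit {
    param([long]$LimitBytes)
    $factor = (4 / 3) * (1 + 2 / 76)
    return [long][math]::Floor($LimitBytes / $factor)
}

# Usage with the post's figures: a 7.5MB internal message against a 10MB limit,
# and the payload a 10MB external limit really admits. MIME headers and part
# boundaries add a little more on top, so treat the results as a floor.
$mime = Get-Base64MimeSize -Bytes 7.5MB
"7.5MB of MAPI content becomes {0:N0} bytes ({1:N2} MB) as MIME" -f $mime, ($mime / 1MB)
"A 10MB external limit admits at most {0:N2} MB of binary payload" -f ((Get-MaxPayloadForMimeLimit -LimitBytes 10MB) / 1MB)
```

If you would rather set the limit so that the number you tell users is the one that holds, size the connector limits from Get-MaxPayloadForMimeLimit in reverse: pick the payload you want to allow and raise the external limit to Get-Base64MimeSize of it.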