Exchange 2003 Email Size Delivery Restrictions…how confusing can it be?

I thought this would be fairly common knowledge by now, Exchange 2003 being quite mature in its 5th year, but it's not something I've had a problem with before and therefore I'm going to write about it!

So a big email comes in; let's say it's 8MB. Your Exchange 2003 server, set to its defaults for size restrictions, rejects the email. Why? Take a look at this Exchange TechNet article:

When the 8MB message crossed the routing group boundary through SMTP and arrived at the destination server, it was approximately 33 percent larger than the original message because of the inter-routing group SMTP increase…The final message had a content size equal to 11,594,558 (11 MB), and the message exceeded the 10-MB Global Limit, thus returning the 5.2.3 delivery status notification.

elaborates:

Please keep in mind that message send [sic] through SMTP could grow about 10-20 percent because of format conversion (MIME and UUEncode)

For a standard Exchange Server installation, this is how the process of checking the email size goes (see the diagram below for full details):

  1. Does the email exceed Global Max submission content length?
  2. Does the email exceed the per-user Max Delivery Length for the recipient?
  3. If the email is not delivered locally, does the email exceed the Virtual Server SMTP limit?
  4. If the email is not delivered locally, does the email exceed the Connector limit?

Exchange Size Flow Chart
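To make the size growth and the order of the checks concrete, here is an added example (not from the TechNet article or from Exchange itself) that estimates the on-the-wire size of a message after base64 MIME encoding and walks the four checks in the order listed above. The limit values other than the 10 MB global limit are constructed, the function names are hypothetical, and headers are ignored, so treat the result as an estimate:

```python
MB = 1024 * 1024

def base64_mime_size(raw_bytes, line_len=76):
    """Bytes after base64 encoding, with a CRLF after every line_len characters."""
    encoded = 4 * ((raw_bytes + 2) // 3)          # 3 raw bytes become 4 characters
    lines = (encoded + line_len - 1) // line_len  # MIME wraps encoded lines
    return encoded + 2 * lines                    # each line ends in CR LF

def first_limit_exceeded(size, limits, delivered_locally):
    """Apply the four checks in the order above; return the first limit hit, or None."""
    order = [("global", True),
             ("recipient", True),
             ("smtp_virtual_server", not delivered_locally),
             ("connector", not delivered_locally)]
    for name, applies in order:
        limit = limits.get(name)                  # None means no limit is set
        if applies and limit is not None and size > limit:
            return name
    return None

def max_raw_size(limit):
    """Largest raw size whose encoded form still fits under limit (binary search)."""
    lo, hi = 0, limit
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if base64_mime_size(mid) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo

# Constructed limits: only the 10 MB global figure comes from the quote above.
LIMITS = {"global": 10 * MB, "recipient": 20 * MB,
          "smtp_virtual_server": 9 * MB, "connector": None}

if __name__ == "__main__":
    raw = 8 * MB
    wire = base64_mime_size(raw)
    print("8 MB raw ->", wire, "bytes encoded")
    print("submitted locally:", first_limit_exceeded(raw, LIMITS, True))
    print("after SMTP hop:   ", first_limit_exceeded(wire, LIMITS, False))
    print("largest raw size under 10 MB once encoded:", max_raw_size(10 * MB))
```

The same 8MB message passes every check at its raw size and trips the global limit once encoded, which is the behaviour the TechNet quote describes.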

I won't elaborate on the places you can set the size restrictions, other than to reprint's list and point you to the full article.

You can set message limits at the following objects:

  • Global settings
  • System Policy
  • Individual mailbox
  • Individual message limit
  • Distribution list
  • Public folder
  • Connector
  • Virtual SMTP Server

Create a 100MB file for testing transfer speeds

We have a bonded ADSL solution for our servers to provide the necessary upstream transfer speeds for the applications we host. We have bonded ADSL because our exchange still doesn't support SDSL, and a leased line is overkill. Theoretically, we should have 28.1Mbps download and 3.2Mbps upload – what I am actually seeing is about 1.7Mbps down and 1.9Mbps up. I have tested this on various servers, at various times and with various file sizes; there is no doubt that the performance is POOR.

Anyway, on to my point. I wanted to create a file that was exactly 100MB to test transfer speeds. Windows XP, Vista, 2003 and 2008 all have a command line utility called FSUTIL.exe which has a subset of commands to manipulate files, with which you can create a file that is exactly 100MB…like so:


Usage: FSUTIL FILE CREATENEW [Filename] [Size in bytes]


Outlook Web Access over SSL using Forms Based Authentication AND Integrated Authentication

Outlook Web Access is a fantastic tool for our company, providing on-the-go
access to people's mailboxes – which is of course secured by SSL and uses Forms
Based Authentication. Internally, we have an intranet portal that allows us to
access the various systems – one of which is OWA. One of the stipulations for
this internal portal is that it is all Single Sign On using NTLM authentication
– integrated authentication. This is where the problem lies because enabling OWA
with Forms Based Authentication over SSL disables Integrated Authentication. So
our choice is to have users enter their credentials twice (not acceptable) or to
disable FBA and have external users log on with the annoying pop-up.


You can create a copy of the /Exchange and /Public Virtual Directories and
configure them to use Integrated Authentication. You can also restrict access to
them by IP…here's how:

I'm assuming you've already set up OWA with SSL on your Exchange server. If you need to do that, try "How do I configure OWA to use SSL?" at Daniel Petri's site.

  1. Log onto your Exchange Server, and open up the IIS control panel. Locate
    your /Exchange and /Public virtual directories.
  2. Right click /Exchange, select "All Tasks" and then "Save Configuration to a
    Figure 1
  3. Go through the dialogue, save to a file and if you're worried about security, add a password.
  4. Once you're done, right click any white space in the root web site (or the exchange web site) and select "New", then select "Virtual Directory (from file)…"
    Figure 2
  5. You will be presented with the "Import Configuration" dialogue. Click "Browse…" and select the file you've just created, then click "Read File" and select the Exchange location underneath.
    Figure 3
  6. Click "OK" and you'll be asked to provide a new name or replace the existing Virtual Directory – choose to create a new one and give it an appropriate name (I used ExchangeIA).
    Figure 4
  7. Now, this step is optional, but read on anyway because you might want to think about it. I only want to allow people on my network to access this using Integrated Authentication, no one else, so I am going to restrict access to the Virtual Directory that I've just created to my IP subnet. To do this, right click the newly created Virtual Directory (ExchangeIA) and select the "Directory Security" tab. Under "IP address and domain name restrictions" click "Edit". Now select "Denied access" to deny anyone other than the exceptions, then click "Add…" and enter the details of your network to allow those computers access.
    Figure 5
  8. Now head back to step 1 and repeat for the /Public folder, if Integrated Authentication is required for Public Folders.

Utilising more than 4GB of RAM with Windows Server 2003 Standard Edition – Enabling /PAE /3GB

We recently needed to upgrade one of our applications, and the new version requires an additional server: instead of the application and SQL, it requires a back-end search server, a front-end web server and a SQL server. The specifications of the new server which are "required" to qualify for support are pretty high. The problem is that the actual processor usage is very light, and it is very hard to justify buying a whole new server that I know is going to be barely used.

The alternative plan was to virtualise the servers, make use of the existing physical hardware, upgrade the RAM and add a couple of drives to the RAID array, which we opted for because it would cost less than £300, instead of £3000.

I forgot, however, the 4GB limitation of Windows Server 2003. 32-bit processors cannot address more than 4GB of RAM, so to get round that you can use Physical Address Extension (using the /PAE switch in the boot.ini), which enables you to utilise more than the standard 4GB.

Typically a 32-bit system with 4GB RAM will allow 2GB for the kernel and 2GB for applications to use. This means that each application can virtually address up to 2GB of RAM. You can change this balance using the /3GB option in the boot.ini to allow 3GB for applications. Think carefully before doing this!

To enable PAE:

  1. Right click "My Computer", select "Properties"
  2. Select the "Advanced" tab and click the "Startup and Recovery" button
  3. Under "System startup" you can click "Edit" to open the boot.ini file.
  4. BE CAREFUL! You can render your OS unbootable! Add the /PAE and /3GB options to the startup entry (see below for an example), then Save, OK and reboot.

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Standard" /PAE /3GB /fastdetect

It's worth noting that if you have DEP (Data Execution Prevention) turned on then PAE will be turned on by default. DEP is on automatically in Windows Server 2003 SP1 – you'll see the /noexecute=[policy level] switch in the boot.ini.
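Given the warning in step 4, it is worth checking the edited boot.ini text before saving and rebooting. The following is an added example, not part of the original post or any Microsoft tool. It parses boot.ini, confirms that default= still points at an entry under [operating systems], and reports any switch that is not one of those mentioned on this page so that a typo is caught. The [boot loader] section, the /noexecute=optout value and the function names are constructed for illustration:

```python
import re

# Constructed sample: the entry line from this page plus a typical [boot loader] section.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Standard" /PAE /3GB /fastdetect /noexecute=optout
"""

# Only the switches this page mentions; anything else is reported for a spelling check.
EXPECTED_SWITCHES = {"/PAE", "/3GB", "/FASTDETECT", "/NOEXECUTE"}
ENTRY = re.compile(r'^([^=]+)="([^"]*)"(.*)$')   # ARC path = "label" switches

def parse_boot_ini(text):
    """Return (default path, {entry path: {SWITCH: value or True}}, malformed lines)."""
    section, default, entries, malformed = None, None, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):     # skip blanks and INI-style comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip().lower()
        elif section == "operating systems":
            m = ENTRY.match(line)
            if not m:
                malformed.append(line)
                continue
            switches = {}
            for token in m.group(3).split():
                name, _, value = token.partition("=")
                switches[name.upper()] = value or True
            entries[m.group(1).strip().lower()] = switches
    return default, entries, malformed

def check_boot_ini(text):
    """List problems to fix before saving the file and rebooting."""
    default, entries, malformed = parse_boot_ini(text)
    problems = [f"malformed entry: {line}" for line in malformed]
    if default not in entries:
        problems.append(f"default={default} matches no [operating systems] entry")
    for path, switches in entries.items():
        for name in sorted(set(switches) - EXPECTED_SWITCHES):
            problems.append(f"unrecognised switch {name} on {path}")
    return problems
```

An empty list from check_boot_ini means the structure is consistent; it does not tell you whether /3GB is a sensible choice for the workload.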

Something for nothing!?!

"Nothing can come of nothing" – to quote King Lear, but it seems this is not always true. Marc Andre is giving away an album, and all he asks in return is that you mention it to your friends. I've not listened to it yet, but even if I hate it…it was free!

Thanks to Matt Hellyer for the tip off.