back to article Microsoft Exchange 2010 support ends in a matter of days and there are 139,000 internet-facing servers still up

Security company Rapid7 reports that there are more than 139,000 Microsoft Exchange 2010 servers with internet-facing services (Outlook Web Access or OWA) despite the application going out of support this month. Exchange 2010 was initially due to go end-of-life in January this year, but Microsoft extended support to 13 October …

  1. AMBxx Silver badge

    Exchange 2007 and SBS

    I wonder how many of those instances are on old installs of SBS. Great product to install and initially configure, but upgrades were a nightmare. For most small businesses, if it's not broken, they're not going to upgrade.

    1. thondwe

      Re: Exchange 2007 and SBS

      Last version of SBS (2011) included Exchange 2010, then was dropped as a product.

      1. AMBxx Silver badge

        Re: Exchange 2007 and SBS

        So could be both the 2007 and 2010 Exchange installs!

    2. Wade Burchette

      Re: Exchange 2007 and SBS

      Future versions were a nightmare too. I had a test license of Exchange 2013 from TechNet, back when Microsoft had some brains and TechNet premium was still a thing. I had a test server to play around with and learn how to use new software. This was Server 2012 R2 standard. I had the essentials role installed for the backup. I follow Microsoft's instructions to the letter. Turns out, essentials role and Exchange were incompatible. But did Microsoft bother saying any of that in their instructions? Did Exchange throw an error in the install? Nope, the closest you get is that Exchange is incompatible with Server Essentials. It installed but never worked.

      So I installed a Server 2012 R2 standard virtual machine. I had nothing installed, no updates of any kind. I once again followed Microsoft instructions to the letter. Exchange 2013 installed, but still didn't work. The web interface or Exchange powershell would never ever work.

      This time I bought a book, and it had steps Microsoft didn't bother to include. A format, and following the book's instructions Exchange 2013 finally started to work. But 2 months later, the web interface stopped working, although everything else did work. I didn't test the Exchange powershell at that time. About 12 months after that, everything stopped working: calendar, email, etc. I had Exchange on a VM with nothing else and I didn't do anything to the VM, ever. I didn't touch Exchange or the Windows Server on the VM. After I installed, I never remoted into the VM server for any reason. I did nothing, and Exchange just stopped working for no good reason. I came to the conclusion that the new Microsoft has software so screwed up that you have to be pay them to be certified just to fix their incompetence.

      1. J. Cook Silver badge

        Re: Exchange 2007 and SBS

        A *lot* of the problems with 2013 get solved with cumulative updates; assuming, of course, that the CU one is installing doesn't break something horribly in the process. :(

        Also, with 2013 and later, **EVERYTHING** is powershell; the EMS is god. the EAC? it runs powershell commands on the backend, which is why it's dog slow at times.

        We had a VAR assist us with doing a migration from 2010 to 2013, which was... _interesting_ in a few ways, some not good.

        Also, those poor people that bought SBS and were expecting to 'grow out' of it? If by 'grow out' meaning 'throw it out and re-build it with a proper fleet of AD, exchange, etc. servers', then yes. (SBS at one point had some hardcoded limitations built into it which made it extremely difficult if not impossible to migrate into a 'big boy' solution. )

  2. Binraider Silver badge

    Stating the somewhat obvious - not all of us can, or want to move our email servers off premises, or onto cloudy services. Other mail servers are available. Just not many (any?) that can be configured using your AD which for some reason is regarded as a killer app.

  3. Lee D Silver badge

    Moved all my users to GMail.

    Can find no redeeming feature in either Outlook or Exchange at all, and certainly not in OWA.

    For those whose inbox was precious, I just used GSSMO (be careful, GSMMO or something is a similarly named tool!) and imported their mailbox into GMail.

    The only blocker was a couple of people who use desktop programs that use MAPI to send their mail... but Google Sync for Outlook sorts that out - they have an install of Outlook that syncs to their GMail and it sends the mail from GMail.

    The administration, the spam-filtering, the access, the compatibility, the calendar... so much better with GMail and Google Calendar.

    If I was a millionaire starting my own business, I'd just buy GSuite. So many problems solved so very simply in any modern browser.

  4. Pascal Monett Silver badge

    Vnext - and so it starts

    Borkzilla is finally gearing up to get everyone on board with a subscription. And with the perfect excuse : no more out-of-date mail servers !

    Ain't life grand ? There are going to be some fat bonuses when Vnext comes out, and it'll be every year, too.

    I am starting to think about getting some Borkzilla shares. It looks like they won't be going down any time soon.

    1. IGotOut Silver badge

      Re: Vnext - and so it starts

      You may of missed the fact many businesses have been using subscriptions for on prem MS stuff for year's.

      CapEx vs OpEx etc etc...

    2. big_D Silver badge

      Re: Vnext - and so it starts

      Yes, you too can experience the instability that is Azure, all from the comfort of your own computer room.

    3. EnviableOne

      Re: Vnext - and so it starts

      vNext : taking bets on release names:

      Exchange 365


      Exchange Server (Exchange Server 2109 .....)

      are the front runners

  5. Rich 2 Silver badge

    Why should you need to patch?

    Why should you need to patch an email server that has a code base at least 10 years old (and probably much older)?

    As it’s a security outfit that is highlighting the issue, I’m guessing the concern is with (lack of) security patches.

    I used to run a BSD box with qmail running on it - a mature codebase for what is basically a relatively simple and certainly very well understood service. I never felt the need to monitor security patch releases for it; mostly because there weren’t any but also because it didn’t need any.

    Strange how MS email STILL needs security patches donkeys after first release.

    1. J. Cook Silver badge

      Re: Why should you need to patch?

      WHy does it need patching? Let me summarize the ways:

      * web interface- the usual suspects apply. Exchange is married and sewn firmly into it's own IIS instance.

      * SMTP bugs/compromises

      * OS surface attacks

      Yeah, a firewall helps with _some_ of those issues, but not nearly enough of them.

  6. IGnatius T Foobar !

    On-prem Exchange is doomed

    Micros~1 have succeeded in making Exchange so obtuse, so difficult to run, so persnickety, that no one can run it but them. That's the current play with Exchange 365, and they're loving it.

    Anyone who wants to continue running on-prem email and collaboration should be moving to different software. On-prem Exchange is a dead end.

    1. J. Cook Silver badge
      Black Helicopters

      Re: On-prem Exchange is doomed

      Care to suggest alternatives, then? Remember, it has to support:

      Shared Contacts/ address books (the GAL is still very much a thing)

      Email (natch)

      Shared calendars (room calendars, people sharing their calendars, the ability for a team of co-workers to see each other's calendars, etc.)

      The often (and quite rightly so!) maligned public folders, although people are (finally!!) moving away from the bloody things

      Having those 'special' folks in upper management (you know who they are) that never delete ANYTHING and use their mailbox as a file storage mechanism not complain about being able to see all their messages, even if they only read them once and consign them to taking up disk space on your mail server.

      All from within Outlook (either natively or via an add-in or plug-in)- your userbase will break out the pitchforks and torches if they have to learn something new!


  7. Lorribot

    So some real facts

    Exchange 2010 can be installed on Server 2012R2.

    Also I believe that Exchange 2010 support tops out at Windows Server 2012 R2 for supported Active Directory environments (writable DCs, writeable GCs, and maximum forest functional level). Any AD site that contains an Exchange 2010 server must contain at least one Windows 2012 R2 or earlier writeable DC and writeable GC. In other words, The presence of other Windows 2016 or later DCs in the site or forest is OK, as long as your forest functional level stays at Windows 2012 R2 or lower.

    1. Lorribot

      Re: So some real facts

      RU22 is supported in AD 2016 environments

      SP3 is supported for install on 2012R2

  8. Libertarian Voice


    It is 2020 and Exchange server is an unreliable messy pain in every way imaginable. Postfix and Dovecot people!!!!! I wouldn't mind if they were not free.

    We have never looked back!

  9. Anonymous Coward

    Plus addressing

    "One tip that some have missed: plus addressing"

    Oh thank $DEITY, MS have finally invented that, what? ... 20 years late.

    I generally front Exchange with a Linux smtp daemon. Nowadays (last 15 years) my weapon of choice is Exim. Keeping /etc/aliases up to date is trivial. /etc/skel makes an alias file appear in a user's home directories (which magically appears on demand) if they point Explorer at the mail gateway. Winbind and smbd do the hard work. They can edit the thing and if they don't break the syntax then they can have as many aliases as they like. I have a scripted cron job that runs every 24ish hours that looks for duplicates and emails them to me to resolve.

    1. Lorribot

      Re: Plus addressing

      That's all great, but I pity the poor guy that has to come in and unpick/understand it all or the exec that has to try and employ a person who can understand all that assuming they know what it all is.

      Design, Build and deploy to manged by someone lesser than you.

      1. Norman Nescio Silver badge

        Re: Plus addressing

        The problem with hiding the complexity is that if you are successful at it, people think what you do is simple, and, therefore, anyone can do it.

        An issue with producing systems that can be administrated by people with less-than-comprehensive skill-sets is that management can be tempted to dispense with the producer's services because a cheaper administrator can do the visible job. This is not to say that one should deliberately make things complicated as job-security: but be aware that people can be lulled into a false sense of security by using a simplified interface that covers most of the functionality to do a complex job. When the extra competence is needed, and is not readily available, problems occur.

        It is bit like writing: text lacking proper punctuation, and missing out odd words and mistyping/misspelling others means that text takes longer to unpick and understand, so good writing is in a style made easy for others to follow. I tend to be a bit verbose and convoluted, but appreciate good writing because it is hard to do.

  10. Arbuthnot the Magnificent

    Exchange 2010

    Last 2010 project I worked on was a large upgrade from 2003 to 2010, this was only in 2015. NHS trust, the latest versions were never allowed (the project started a year or two earlier). So yes, I expect there are still a few of them around!

    1. Anonymous Coward
      Anonymous Coward

      Re: Exchange 2010

      an old employer of mine is still running 2010 although a small deployment. another old employer managed to migrate from 2010 to o365 hybrid about 12 months ago to beat the previous Jan 2020 EOL that was for a city council so quite a large deployment. And a company (a large housing association) I went for an interview with last month are still running 2010 although currently migrating, again a o365 hybrid

    2. EnviableOne

      Re: Exchange 2010

      Exchange 2010 was the last one covered by the NHS wide Enterprise Licence Agreement, hence most trusts were still using it.

      Those trusts that couldnt afford 2013 or 2019, are currently working on migrating 2010 to N365 (the NHS version of M365) under a new NHS wide agreement

      1. Arbuthnot the Magnificent

        Re: Exchange 2010

        Right, wasn't aware of that, I left there in 2016. My bosses were always very leery of the latest versions, we went straight from 2003 to 2010 - it also avoided the problem of going from 2003 to 2013 directly.

        I was pretty sad when I shut down the last 2003 box, it was what I certified on, and I knew it would be the last one I ever saw. Yes, it was shit, but it was shit I knew. I suppose it's the same feeling the last flint-knapper had when everyone was using copper tools or something.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like