Using "authOrig" attribute to restrict who can send mail to E-Mail account

    Question

  • First, we are a State agency that has just moved to a Cloud Exchange 2010 service.  (We are using Outlook 2007 in a Windows 2008 AD environment.  We have a mix of Windows XP and 7 PCs fully patched.)

    We have "Very" limited access to maintenance of the Exchange environment provided through a WEB Portal.  We do manage our own AD and would like to use the "authOrig" attribute (or other if needed/better) to accomplish the following:

    1.  We have several E-Mail Accounts (I'll identify as "Restricted") that we only want specific users to mail to the "Restricted" accounts.

    I tried using ADModify to set the "authOrig" attribute value to the distinguishedName of:

       a. A "Security Group - Global " object.  The object had an "E-Mail" address set.

       b. A "Distribution List" object.  This object had an "E-Mail" address set and is used for normal E-Mail distribution to its "Members".

       c.  A "User" object.

    Each step was done separately (waited up to an hour to test each by sending an E-Mail message).  Neither A nor B worked.  It wasn't until I added the "User" object distinguishedName that the authorized user was able to E-Mail the "Restricted" account.

    Any suggestions????

    2.  We would also like to find out how to limit the "Restricted" account to only being able to E-Mail to a specified Distribution List or Group of User accounts.


    Chris Premo
    Wednesday, January 25, 2012 10:35 PM

Answers

All replies

  • That seems like a normal request.  Who is providing your hosted service?  You, if not, they should be able to set restrictions on a mailbox.
    Sukh
    Wednesday, January 25, 2012 11:32 PM
  • Hi,

     

    From your description, you want to limit restricted users to sending emails to a specific distribution group, which you can achieve by configuring Mail Flow Settings. You can refer to the following article; though it is from a third-party website, I think it is helpful for you:

    http://exchangeserverpro.com/restrict-distribution-group-exchange-server-2010

     

    Hope it helps.

     

    Thanks


    Sophia Xu

    TechNet Community Support

    Monday, January 30, 2012 2:50 AM
    Moderator
  • No, let me explain it a little better:

    First, here are the different accounts that will be in play:

    1. Several "Board Member"

    2. Internal "Organization Members"

    3. Internal "Distribution Lists"

    This is what we want:

    1. Set an attribute (which I guess would be on the "Board Members" object) that will limit who can send messages to the "Board Member".

    2. Set an attribute (don't know where or which one(s)) that will prohibit the "Board Member" from E-Mailing outside of our Domain.  Or possibly even to limit them to only E-Mailing to a specified Distribution List.

     

    Again, we are using a "Cloud" Exchange 2010 system hosted by Microsoft and managed by a Third party contractor.  According to them, we should be able to use ADModify to set parameters on the following attributes, but I'm totally confused as to which one does what.

    AuthOrig (Authorized Originators: Only these Users can send to the DL) – The way I read this, this value can only be a User object not a DL or Security Group.  Although this seems to work, I'd rather use a DL or Security Group (those being easier to manage).

    UnauthOrig (Unauthorized Originators: Anyone BUT these users can send to the DL) – The way I read this, this value can only be a User object not a DL or Security Group.  Although this seems to work, I'd rather use a DL or Security Group (those being easier to manage).

    dLMemRejectPerms (Unauthorized DLs: Anyone but members of these DLs can send to this DL) - Not sure if this is helpful for my purposes.  Also, what "Value" would I set in this attribute????

    dLMemSubmitPerms (Authorized DLs: No one but members of these DLs can send to this DL) - Not sure if this is helpful for my purposes.  Also, what "Value" would I set in this attribute????

    msExchRequireAuthToSendTo (Only Authenticated Senders can send to the DL, blocks External senders) - Not sure if this is helpful for my purposes.  Also, what "Value" would I set in this attribute????

     

    For Example, we want to set a block on the Board Members Object and limit who can send to that member.

     

    Board Member    Authorized E-Mailers    Members of DL 1
    Jane Doe        Distribution List 1     Bill Smith
                                            Mary Jane
                                            Carl Malton

     

    So if James Lear tried to E-Mail Jane Doe, he would receive a rejection notification that he isn’t authorized to mail to Jane Doe.  Yet if Bill Smith E-mailed Jane Doe, the message would be delivered.

     

     

     

     


    Chris Premo

    • Edited by Chris Premo Thursday, February 02, 2012 10:35 PM
    Thursday, February 02, 2012 10:20 PM
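
The Jane Doe scenario from the post above as a small Python model (an added example, not code from any poster or from Exchange): it shows why a group's distinguishedName in authOrig matched no sender, while the same DN in dLMemSubmitPerms admits the group's members. The DNs, the `may_send` helper and the reject-before-accept ordering are assumptions of the model.

```python
# Simplified model of how the five attributes named in the thread gate
# delivery to one recipient. All names and DNs below are constructed.
from dataclasses import dataclass, field

@dataclass
class Recipient:
    authOrig: set = field(default_factory=set)          # DNs of individual senders allowed
    unauthOrig: set = field(default_factory=set)        # DNs of individual senders blocked
    dLMemSubmitPerms: set = field(default_factory=set)  # DNs of groups whose members are allowed
    dLMemRejectPerms: set = field(default_factory=set)  # DNs of groups whose members are blocked
    msExchRequireAuthToSendTo: bool = False             # True blocks unauthenticated senders

def may_send(sender_dn, authenticated, rcpt, members):
    """Return (allowed, reason). `members` maps group DN -> set of member DNs."""
    def in_groups(groups):
        return any(sender_dn in members.get(g, set()) for g in groups)

    if rcpt.msExchRequireAuthToSendTo and not authenticated:
        return False, "unauthenticated sender"
    # Assumption of this model: a reject entry wins over an accept entry.
    if sender_dn in rcpt.unauthOrig or in_groups(rcpt.dLMemRejectPerms):
        return False, "sender on a reject list"
    # With no accept list set, everyone not rejected may send.
    if not rcpt.authOrig and not rcpt.dLMemSubmitPerms:
        return True, "no accept restriction"
    if sender_dn in rcpt.authOrig:
        return True, "sender listed in authOrig"
    if in_groups(rcpt.dLMemSubmitPerms):
        return True, "member of a dLMemSubmitPerms group"
    return False, "sender not on any accept list"

# Constructed directory data based on the thread's Jane Doe example.
BASE = "OU=Staff,DC=example,DC=gov"
DL1 = f"CN=Distribution List 1,{BASE}"
BILL, MARY, CARL, JAMES = (f"CN={n},{BASE}" for n in
                           ("Bill Smith", "Mary Jane", "Carl Malton", "James Lear"))
MEMBERS = {DL1: {BILL, MARY, CARL}}

# Group DN placed in authOrig: compared only against the sender's own DN.
jane_group_in_authorig = Recipient(authOrig={DL1})
# Same group DN placed in dLMemSubmitPerms: membership is evaluated.
jane_group_in_submitperms = Recipient(dLMemSubmitPerms={DL1})

if __name__ == "__main__":
    for label, jane in (("authOrig", jane_group_in_authorig),
                        ("dLMemSubmitPerms", jane_group_in_submitperms)):
        for who in (BILL, JAMES):
            print(label, who.split(",")[0], may_send(who, True, jane, MEMBERS))
```
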
  • Can you not set restrictions on the mailbox and set up a transport rule?
    Sukh
    Thursday, February 02, 2012 10:41 PM
  • Sure, but how?  I'm totally new to Exchange/Outlook (previously on GroupWise).  Instructions on how to set up this kind of parameter are slim to non-existent.  (Really poor for such a well used and supposedly Superior product.)
    Chris Premo
    Thursday, February 02, 2012 11:07 PM
  • This 3rd party contractor should be able to do this for you. You shouldn't have to mess around with these attributes; if he manages your service then he should really do it.

     


    Sukh
    Thursday, February 02, 2012 11:08 PM
  • I appreciate your help, but this seems very cumbersome.  One would think that I as the administrator of my AD and user objects would be able to set some parameter that could/would accomplish what we want to do.

      

    1.     Set a “block” on several “Board Member” objects that would limit who can send an E-Mail to the member.  For example, we would like to use a Distribution List to define who can E-Mail the member.

     

    Board Member    Authorized E-Mailers    Members of DL 1
    Jane Doe        Distribution List 1     Bill Smith
                                            Mary Jane
                                            Carl Maldon

     

    So if James Lear tried to E-Mail Jane Doe, he would receive a rejection notification that he isn’t authorized to mail to Jane Doe.  Yet if Bill Smith E-mailed Jane Doe, the message would be delivered.

     

     

    2.     Set a “block” on several “Board Member” objects that would disable their ability to E-Mail outside of our Domain.

     

    Is this something that only the Exchange administrator can accomplish?  If not, what attributes or object settings do we use?  What values do we set in the attributes?  One would think that MS would have had this process requested before and that they would have procedures on how to accomplish these tasks!!!


    Chris Premo
    Friday, February 03, 2012 4:32 PM
  • What Cloud service do you have? BPOS? O365?

    If yes, then I'd post in the cloud forum.


    Sukh
    Saturday, February 04, 2012 12:07 AM
  • BPOS
    Chris Premo
    Saturday, February 04, 2012 12:16 AM
    • Marked as answer by Chris Premo Monday, March 12, 2012 4:07 PM
    Monday, March 12, 2012 4:07 PM