Deploying Safe Senders list by GPO - Hit and Miss

  • Question

  • Hi,

    I've set up a gpo to refer Outlook 2010 clients to a safe senders list on a file server. I've confirmed that the appropriate registry entries have deployed to the clients :-

    Current User - Software - Policies - Microsoft - Office - 14.0 - outlook - options - mail
         JunkMailImportLists = 1
         junkmailsafesendersfile = \\server\folder\folder\safe.txt

    This sort of works, sometimes. On a good day, if you open Outlook and check the safe senders list you'll see that it has imported the list from the network. Check again in a couple of hours and you might find the list empty again. Add some custom entries and these might stay, whilst the imported ones disappear, no amount of opening and closing Outlook gets them back. Some people have reported seeing JunkMailImportLists resetting itself to 0 - I'm not seeing this. Manually removing all entries from the list and re-opening Outlook will re-populate the list, for a while.

    This is possibly related, but before deploying the gpo I was seeing issues where new entries manually added to the safe senders list were not saved. Only the older entries on the list persisted through a restart.

    Does anyone have any ideas how to get this working reliably?

    Environment Outlook 2010 (x86) running on Windows 7 (x64) & Windows 7 SP1 (x64)

    Thanks,

    Tim

    Tuesday, March 1, 2011 4:25 PM

All replies

  • Hello,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Sally Tang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Wednesday, March 2, 2011 6:27 AM
  • Thanks Sally,

    I found this thread talking about a similar problem http://social.technet.microsoft.com/Forums/sr-Latn-CS/outlook/thread/0ddcf321-9158-4078-ac83-45b33ef98266

    If I understand this correctly the safe senders list is stored centrally in Exchange, not locally by Outlook on the client. This enables the OWA and Outlook safe senders lists to stay in sync. What seems to be happening in my case is changes made in Outlook, either manually or through GPO are not being synced back to Exchange, they do not appear on OWA.

    If I load up Outlook and the GPO safelist appears, then I run Update-SafeList -id "timb" on Exchange, the safelist in Outlook goes blank. It looks like it's syncing one way only.

    Hope this sheds some more light on the problem.

    Tim

    Wednesday, March 2, 2011 3:46 PM
  • Hi Tim,

    Since you ran the Update-SafeList -id "timb", if you open Outlook with the policy in place do you still see the same odd behavior?

    If you still see the same issue, try downloading the adm file from the More Information section of this article and deploying the policy with it and see if that works.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;2252421

     


    Regards, Teresa Microsoft Online Community Support Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, March 2, 2011 4:41 PM
  • Hi Teresa,

    Thanks for the link - that's actually the article I followed to set this up in the first place. Yes, I still have the problem.

    What I think is happening is this, Outlook stores its safe senders list in Exchange. The list stored in Exchange is blank. I open Outlook, it loads up the blank list from Exchange, then appends the list from the gpo network location, this becomes visible in Outlook. It fails to then sync the list from the gpo back to Exchange. Periodically it syncs the blank list back from Exchange, thus overwriting the settings visible in Outlook with a blank list.

    I probably should have mentioned I'm using Exchange 2010 SP1.

    Thanks,

    Tim

     

    Wednesday, March 2, 2011 5:33 PM
  • Hi Tim,

    Can you send a copy of your HKLM and HKCU policies keys to olsupport@hotmail.com and I will take a look at them?

    You will need to rename them to .txt files in order for me to receive them.

     

     


    Regards, Teresa, Microsoft Online Community Support
    Wednesday, March 2, 2011 6:02 PM
  • Hello Tim,

    Thank you for the file you sent me.  Everything looks okay there.  Did you verify there were no policies in the HKLM?

    Also, I would suggest you copy your Safe Senders text file locally and confirm there are no trailing blank lines after the entry.   That can cause the import to fail as well and the end user would not get any errors. 

    Once you confirm there are no trailing blank lines then test with the file local to your machine and see if that works.

     


    Regards, Teresa, Microsoft Online Community Support
    Thursday, March 3, 2011 2:24 PM
  • Hi Teresa,

    I looked in HKLM and couldn't find any entries in the equivalent place. I've checked the safe senders file carefully, no stray spaces or odd characters. It will import manually.

    I'd like to stress, the problem is not that the safe senders list doesn't import, it does. The problem is that it will subsequently disappear. There seems to be a process whereby Outlook syncs its safe senders list with Exchange 2010 and trying to do it by GPO also causes conflicts.

    I've now removed the GPO and at least now the safe senders list is saving manual entries and staying in sync with OWA.

    Thanks,

    Tim

    Tuesday, March 8, 2011 1:08 PM
  • Hi Tim,

    Do you have the application AppSense in your environment at all?

     


    Regards, Teresa, Microsoft Online Community Support
    Tuesday, March 8, 2011 10:50 PM
  • Nope, no user/desktop virtualisation, just ordinary old fashioned desktop pcs.

    Wednesday, March 9, 2011 9:40 AM
  • Hi Tim,

    Can you test a user by creating a POP account or PIM (no email) profile without Exchange and then see if the policy works without any issues?  Just trying to confirm if it only fails when Exchange is in the picture.

     

     


    Regards, Teresa, Microsoft Online Community Support
    Wednesday, March 9, 2011 2:40 PM
  • Hi Tim and Teresa,

    do you have any update? I have probably the very same problem which I described here http://social.technet.microsoft.com/Forums/en-US/outlook/thread/d63de62f-0825-4614-af3a-0a59a812cf08

    Regards,

    Martin

     

    Tuesday, March 15, 2011 3:07 PM
  • Hi Martin,

    I have not heard back from Tim on the testing with a POP account or PIM (no email) profile without Exchange.

    Would you be willing to test this and let me know if this works for you? 

    I am trying to determine if having Exchange in the picture affects the outcome or not, which I suspect it will.

    If this issue does not occur without Exchange can you provide me with the Exchange version and SP level you are running.


    Regards, Teresa, Microsoft Online Community Support
    Tuesday, March 15, 2011 3:24 PM
  • Hi Teresa,

    I tested it with POP3 account in separate mail profile and here are my findings.

    Outlook 2010 crashes if the registry key HKCU\Software\Policies\Microsoft\office\14.0\outlook\options\mail\JunkMailImportLists is 1. If the value is 0 or not present then Outlook does not crash but also those lists values don't load... Junk filter level is configured properly.
    It crashes on Windows 7 x64 and Windows XP x86, both have KB2281463 http://support.microsoft.com/kb/2281463 hotfix installed. This hotfix solves the problem of crashing Outlooks when they are connected to Exchange and Junk filter settings are configured in Group Policy. But it does not solve this problem when using POP3 profile.

    Outlook 2007 does not crash and safe senders list values loaded through GP stay there.

    Wednesday, March 16, 2011 1:41 PM
  • Hi Martin P7,

    Thank you very much.  Can you send me the details of your environment (Exchange, Outlook, policies, version, etc.) and I will attempt to set up a repro here as it appears that something is going on with Exchange.  You can email that information to olsupport@hotmail.com if you like.

     

     


    Regards, Teresa, Microsoft Online Community Support
    Wednesday, March 16, 2011 1:57 PM
  • Hi,

    thanks for your attempt to help!

    Domain functional level is Windows Server 2008 R2, Exchange is 2010 SP1 RU2, EDGE role on one server the remaining roles except UM are on another server. There is Forefront Protection for Exchange on the EDGE server that marks legit messages with SCL:0.

    # Get-MailboxJunkEmailConfiguration someuser

    RunspaceId               : 229fb687-084f-425e-b8cf-3b1ec3cb1cfa
    Enabled                  : True
    TrustedListsOnly         : False
    ContactsTrusted          : True
    TrustedSendersAndDomains : {something1.net, something2.org, something3.eu, something4.cz}
    BlockedSendersAndDomains : {}
    IsValid                  : True

    Some accounts have TrustedSendersAndDomains property values same here and in Outlook and some have them out of sync. But none of them have the values in this property that is loaded by the GP configured list. So they apparently don't sync from the GP loaded list to the mailbox (don't

    And those who are out of sync - I don't know why Outlook does not load the value from mailbox yet - can't whitelist senders using Outlook because apparently the server property value is used but they can't see it nor modify it in Outlook.

    So for example user has @domain.com and user@domain2.net in property value but in Outlook he sees john.doe@domain3.net and @domain4.org. @domain4.org is loaded through GP so it disappears after couple of minutes (Junk filter settings must be reopened to see this) and if this user receives mail from john.doe@domain3.net or @domain4.org then it can go to Junk email. And user is expecting that it will be working because he does not see the TrustedSendersAndDomains property values that are stored with the mailbox on Exchange server.

    If there are any other cmd-let you want me to run let me know.

    Wednesday, March 16, 2011 2:35 PM
  • Hi Martin P7,

     

    Thank you so much for the information. 

    Are your users using any type of phone device?  If so, what are they using?

    Are you running Anti-virus on the Exchange server and if so, what are you running?

     


    Regards, Teresa, Microsoft Online Community Support
    Wednesday, March 16, 2011 4:14 PM
  • Hi,

    yes we are using ActiveSync (Windows Mobiles 6.x, Windows Phones 7, iPhones and Nokias, all working without problems) but it happens also on accounts that have never used ActiveSync.

    No, I don't have any antivirus on the non-EDGE server (CAS, HUB, Mailbox). I use Forefront solutions on the clients though.

    Thursday, March 17, 2011 7:27 AM
  • Hi,

    little update. I noticed that I can't whitelist my own domain in OWA. So I removed my domain from the file loaded via GP, ran Update-Safelist on the user that was out of sync and the values in Outlook and in the mailbox TrustedSendersAndDomains property started to be the same. However one thing that I don't understand is that the property value on server was overwritten by the values in Outlook - I expected append.

    Update-Safelist description on http://technet.microsoft.com/en-us/library/bb125034.aspx says
    The Update-SafeList cmdlet reads the safelist aggregation data stored on a Microsoft Office Outlook user mailbox and then hashes and writes the data to the corresponding user object in Active Directory. Safelist aggregation data contains the Outlook user's Safe Senders List and Safe Recipients List.

    I don't understand where does the Get-MailboxJunkEmailConfiguration read TrustedSendersAndDomains property value from. From mailbox or AD? I am still trying to figure out what is going on and how they got out-of-sync in the first place. Does it mean that I need to set scheduled task for Get-Mailbox | Update-Safelist? I thought this should be updated automatically.

    Can I avoid overwriting values? I think that logical would be this process:
     - Outlook reads what is in mailbox property
     - Outlook reads what is loaded via GP
     - display both in Junk filter configuration - this works ok, if the list does not include internal exchange domain then strange things start to happen.
     - if user updates value in Outlook or OWA that is not defined via GP then update in the mailbox property happens correctly and is immediately reflected in the second client (OWA or Outlook) - this works ok
     - but if user removes value which was loaded via GP in OWA then Outlook does not show this deleted value next time when Outlook starts. But after Outlook's second start since the value has been deleted in OWA then it is correctly loaded again and visible in OWA too. If the GP loaded value was deleted in Outlook then it loads again immediately on the next run. Quirky.

    It would be great if someone from the Exchange / Outlook team can bring more light to how this is working exactly especially how these values can get out of sync between OWA/mailbox and Outlook (btw my AD replication works just fine). Is it just because internal exchange domain was included in the list loaded via GP or could be there other reasons? I think that having the ability to have internal domain in the list is legitimate use - eg mailing from some legacy applications that can't authenticate, printers etc...

    Thursday, March 17, 2011 12:11 PM
  • Hi Martin P7,

    You have the HKCU\Software\Policies\Microsoft\office\14.0\outlook\options\mail\JunkMailImportLists with a value of 1 in your policy.  Do you have the append registry key applied?

    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail
    Name: JunkMailImportAppend
    Value type: REG_DWORD
    Value data: 0 or 1 (A value of 0 does not append the list. A value of 1 appends the list.)

    If not, try this registry key and see if that allows it to not be overwritten. 

    As for the internal domain, I will do some research here and let you know when I find anything.

     


    Regards, Teresa, Microsoft Online Community Support
    Thursday, March 17, 2011 1:30 PM
  • I've seen it where while most of the list imported via group policy disappear within 1 minute of importing successfully, but a few domains that are in the import list but aren't associated with our Exchange server remain in the safe senders list.  I had been trying to figure out why only the domains associated with Exchange disappear.

    We have a hosted Exchange environment, so I don't have full visibility of how the server-side is set up, but they have a 3rd-party SPAM filter that our mail passes through before getting to Exchange, so I have our own domains on the Outlook safe-senders list (via group policy import) so Outlook doesn't try and filter them too (as anything Outlook junks for those domains at that point is almost always a false positive).  I want mail destined for our own domains only to get filtered once, by the 3rd-party tool.  That's what I'm mainly trying to accomplish with my Outlook safe sender list.

    Thursday, March 17, 2011 4:09 PM
  • You have the HKCU\Software\Policies\Microsoft\office\14.0\outlook\options\mail\JunkMailImportLists with a value of 1 in your policy.  Do you have the append registry key applied?

    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail
    Name: JunkMailImportAppend
    Value type: REG_DWORD
    Value data: 0 or 1 (A value of 0 does not append the list. A value of 1 appends the list.)

    If not, try this registry key and see if that allows it to not be overwritten. 

    As for the internal domain, I will do some research here and let you know when I find anything.

    Hi Teresa,

    yes I have Append configured (JunkMailImportAppend=1). It is possible that I had it configured on Enabled for a short time and then the overwrite happened. I haven't seen the problem since my last post. My fault.

    Were you able to replicate the problem with internal domains not working in safe senders lists? I still don't have a solution how to set Outlook to not filter mail coming from our legacy apps or hardware devices because they are using sender addresses same as our domain. Unfortunately not all of them can use authenticated connectors. Regular spam spoofing our domain is filtered on the perimeter so inside it's 99.9% false positive - so basically the same problem and demand as booster94 has.

    Regards,

    Martin

    Tuesday, March 22, 2011 7:55 AM
  • Hi Martin,

    In my working with my other customers so far it appears that this could be caused by a corrupt Junk E-Mail Rule.  In that case, we deleted the Junk E-Mail Rule with MFCMAPI and Outlook recreated it and it worked fine.

    I would suggest testing this first.

    1. Close Outlook
    2. In the Exchange Management Shell modify the SafeSenders List by typing this command
    3. Set-MailboxJunkEmailConfiguration -Identity username -TrustedSendersAndDomains user@here.com
    4. Once you have run this command against an affected mailbox then test opening Outlook with that mailbox and see if the SafeSenders List shows.

     


    Regards, Teresa, Microsoft Online Community Support
    Tuesday, March 22, 2011 10:54 PM
  • I've been able to reliably reproduce and narrow down some causes on issues very similar to or the same as the above posters.

    We are currently running Exchange 2010 and Exchange 2003 in a Mixed Mode Environment. I am using Outlook 2010 and my mailbox is in our Exchange 2010 environment.

    We use a GPO-deployed SafeSenderList setup per several Microsoft sources including a support KB article. This works fine, I can see it pull the file from our DFS namespace (the requisite hotfix to allow for network SafeSenderLists has been installed) using Process Monitor. It reads the entire file from beginning to end.

    The errant behavior was that, after several Outlook restarts (after the initial GPO import of the SafeSenderList), only whitelisted domains were in the list. Individual email addresses were no longer present.

    I cleaned up our list. It had the following issues: an asterisk in front of @domain.com, a blank line ended the file and it contained many of the domains that our Exchange environment has listed as acceptable domains.

    The latter portion was quite intentional for the reasons already given: we have automated reports and jobs that are delivered to our users and they are being flagged as Junk Email.

    So, after all the scrubbing of the file it was working great. I removed the domains and everything mentioned above and the FULL list imported into my Outlook Safe Sender List and also showed up in my OWA list. Everything is still great -- until, as a test, I added one of the automated email addresses to my Safe Sender List via Outlook. After several Outlook restarts my OWA list was updated and now only contains whole domains, no individual email messages. Eventually, Outlook updates with the correct list again but the Exchange mailbox never updates again and remains as is; containing only the full domains.

    The biggest scenario that will cause us issues are from hosted services that 'impersonate' us. The required SPF settings and such have been made but should Outlook or Exchange flag them as Junk because it is coming from a domain that Exchange handles but didn't actually originate from Exchange I have no remediation. I can't whitelist those addresses for the whole company. At least not in any way that I'm currently aware of.

    We are very anxiously awaiting some resolution to this thread and, depending on what that resolution is, can open a ticket regarding this issue with Microsoft Support as well.

    -------

    Issue 1: Individual Email addresses are removed when a domain that is managed by Exchange is added to the Safe Sender List via Outlook or GPO Import of SafeSenderList

    Reproduction:

    1. Close Outlook
    2. Login to OWA and clear the Safe Senders and Recipients List
    3. Launch Outlook and observe that the list is blank
    4. Refresh OWA and observe the list is blank
    5. Restart Outlook and observe that Outlook has imported the list successfully and as written: domain and individual email addresses
    6. Refresh OWA and observe the list is blank
    7. Restart Outlook and observe the full list
    8. Refresh OWA and observe the full list
    9. Add a domain matching a domain that is an Exchange domain via Outlook to the Safe Sender List
    10. Restart Outlook several times
    11. Refresh OWA and observe a list containing only domains; sans individual email addresses
    12. Restart Outlook several times and observe the modified list containing only domains; sans individual email addresses
    13. Restart Outlook at least 2 more times and observe now the full correct list without the added Acceptable Exchange Domains
    14. No amount of restarting or refreshing seems to correct the now domain-only list in Exchange. Only clearing the list via OWA (and through the server management tools) will now correct the junk mail settings on the mailbox

    Issue 2: Safe Sender and Recipient List becomes unmanageable via OWA when an individual email address at a domain managed by Exchange is added to the Safe Sender List via Outlook or Safe Sender List Import

    Reproduction:

    1. Close Outlook
    2. Login to OWA and clear the Safe Senders and Recipients List
    3. Launch Outlook and observe that the list is blank
    4. Refresh OWA and observe the list is blank
    5. Restart Outlook and observe that Outlook has imported the list successfully and as written: domain and individual email addresses
    6. Refresh OWA and observe the list is blank
    7. Restart Outlook and observe the full list
    8. Refresh OWA and observe the full list
    9. Add an individual email address via Outlook to the Safe Sender List
    10. Restart Outlook several times or otherwise allow time for Outlook to synchronize the list
    11. Refresh OWA and observe the new address added (user@exchange-managed-domain.com)
    12. Attempt to modify the list and observe a Junk Email validation error

    Regards,

    Joe Tinney


    • Edited by Joe Tinney Thursday, March 24, 2011 1:46 PM Added Second Scenario and clarified the First
    Wednesday, March 23, 2011 8:57 PM
  • Hi Joe,

    reading your reproduction steps I want to confirm that this is the same thing I observed. I just incorrectly thought that the list was overwritten on server when in fact only individual email addresses were removed in the process. I ran Update-Safelist on the mailboxes before removing Exchange internal domain from the GP loaded Safe senders list and because of that I thought that the cause was in the Update-Safelist. Users who were not running Outlook and had not loaded the GP safe senders list containing Exchange internal domain while I was testing this have the safe senders lists on their mailboxes intact.

    I also strongly hope we will be able to find some resolution to this problem.

     

    Hi Teresa,

    there is no problem in safe listing individual email addresses from Exchange internal domain eg user@companydomain.com but only in listing @companydomain.com. So before someone from Microsoft proposes us to whitelist those individual email addresses I have to say that there are apps that set MAIL FROM: for the user that uses them. I already tried to change the application configuration to use SMTP authentication and thus bypassing Junk email filtering but it was not possible. I could use another SMTP server, set the application to use it and forward the mail to exchange using authenticated connection but that increases complexity and costs.

    I don't want to maintain the safe senders list updated with all our users email addresses - I just want to whitelist our domain in Junk email filter. That's regular business need in my opinion.

    Regards,

    Martin

    Wednesday, March 23, 2011 9:40 PM
  • To hopefully add some more information for troubleshooting.  My safesender list that I import consisted of 5 domains that were being handled by my Exchange server and 3 that were outside domains.  After a short time after import all the domains associated with Exchange would disappear leaving only the ones that weren't in the list.  One of those names that wasn't associated with Exchange was an acquisition company that we just recently migrated into our Exchange environment.  Now, a short time after the initial safesender list import, that domain disappears out of the list with the rest of my Exchange domains leaving only the 2 outside domains in the list.
    Thursday, March 24, 2011 12:28 PM
  • Martin,

    I'm going to edit my post above to reflect your findings on the individual email addresses. If I add full domains then I see the behavior I previously described. I get a new set of issues when I add an individual email address via Outlook.

    OWA will not allow me to add user@mydomain.com where mydomain.com is one of our Exchange domains. It tells me this user is part of my organization and that it is unnecessary. Outlook will allow me to add that user. Outlook also successfully updates my SafeList in Exchange with that user. However, from that point on, I can no longer modify my Safe Sender and Recipient List via OWA.

    Further, OWA is complaining about Junk E-mail validation and lists an address for the value that is perfectly valid and that it will otherwise add just fine. I'm guessing this is a result of it finding, unexpectedly, an address that isn't permitted (one with a domain that Exchange is handling).

    Teresa,

    I hope this helps to clarify even more the issues we're seeing. I'd like to say that I can understand (in one, probably very common scenario) this behavior. For organizations using ONLY Exchange for all of their mail and who are using services that can authenticate via SMTP this is great and you wouldn't want to allow people to open themselves up for spoofed domain spam of their own domain. However, Exchange is not our true edge mail device. We use Postfix and a variety of programs for anti-spam, -malware, -virus and those catch the spoofed domains from the Internet. This level of enforced protection (I assume that is why this is in place) isn't necessary for my organization.

    Regards,

    Joe

    Thursday, March 24, 2011 1:38 PM
  • Hi Everyone,

    So if the issue you are experiencing is that the internal domain and internal domain users are missing from the Safe Senders list then this is a known issue in Exchange 2010 SP1. 

    This was addressed in RU3 for Exchange SP1 and that was pulled for other reasons.  When RU3 is released again this should address that issue.  I am not sure when RU3 is scheduled to be released again, but if you cannot wait for it then I would suggest you call Microsoft and open a ticket for Exchange and you can then explain to them that you have been made aware of a known issue with Internal domains disappearing from your Safe Senders List and you wanted to see if there is a fix or workaround until RU3 is released.

     


    Regards, Teresa, Microsoft Online Community Support
    • Proposed as answer by Joe Tinney Thursday, March 24, 2011 4:48 PM
    • Marked as answer by Sally Tang Tuesday, March 29, 2011 2:06 AM
    Thursday, March 24, 2011 3:05 PM
  • Teresa,

    Thanks!! I believe this may be exactly what my org is looking at and from reading about everyone else's woes I think this fits the bill. I recall that RU3 was pulled and we'll just be on the lookout for it to come back. I've alerted my internal team to the issues at hand and we'll work through those until that update is rereleased. If it persists too long then we'll consider pushing for a hotfix.

     

    Thanks,

    Joe

    Thursday, March 24, 2011 4:47 PM
  • Hi Joe,

    I didn't test the individual internal address with OWA, only with Outlook and I was also able to add the address to user's whitelist using Powershell on the server. Good to know that. FYI, we're using Exchange EDGE role and Forefront Protection for Exchange so this problem is not really affected by the perimeter SMTP solution.

    Thursday, March 24, 2011 7:38 PM
  • Hi Teresa,

    I will be looking forward to RU3 then. I have 2010 SP1 RU2 right now. Although I'll wait for others to test it first - the quality score of Exchange updates is kind of low lately :(

    Thursday, March 24, 2011 7:39 PM
  • Hi Joe,

    did you try the rereleased update already? Does it solve the problem?

    Thanks for info.

    Monday, April 11, 2011 10:25 AM
  • Good morning, Martin.

    We've not yet applied the new update. We're letting it settle for a bit longer to see if anything kicks up. What we've done in the meantime is to use a script to scrub our maintained list on a regular basis of any domains and email addresses that might break things.

    I'll report back as soon as we've tried it out!

    Regards,
    Joe

    Monday, April 11, 2011 12:47 PM
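
    The kind of scrub described in the post above, as an added example (not Joe's script and not from any poster): it drops entries that fall under an Exchange accepted domain from the safe senders list before the file is published. The function names, the sample domains and the treatment of a `*.` accepted domain as covering the parent and its subdomains are assumptions.

```powershell
# Added example. In production the accepted-domain list could be taken from
# Get-AcceptedDomain, and the entries from the GPO file with
#   Get-Content '\\server\folder\folder\safe.txt'

function Get-EntryDomain {
    param([string] $Entry)
    $e  = $Entry.Trim().ToLowerInvariant()
    $at = $e.LastIndexOf('@')
    if ($at -ge 0) { return $e.Substring($at + 1) }   # user@dom or @dom
    return $e                                          # bare domain
}

function Test-AcceptedDomain {
    param([string] $Domain, [string[]] $AcceptedDomains)
    foreach ($a in $AcceptedDomains) {
        $a = $a.Trim().ToLowerInvariant()
        if ($a.StartsWith('*.')) {
            $parent = $a.Substring(2)
            if ($Domain -eq $parent -or $Domain.EndsWith('.' + $parent)) { return $true }
        } elseif ($Domain -eq $a) { return $true }
    }
    return $false
}

function Remove-AcceptedDomainEntry {
    param([string[]] $Entries, [string[]] $AcceptedDomains)
    $seen = @{}
    foreach ($line in $Entries) {
        $entry = $line.Trim()
        if ($entry -eq '') { continue }                       # skip blank lines
        $key = $entry.ToLowerInvariant()
        if ($seen.ContainsKey($key)) { continue }             # skip duplicates
        $seen[$key] = $true
        if (Test-AcceptedDomain (Get-EntryDomain $entry) $AcceptedDomains) {
            Write-Warning "Dropping '$entry' (accepted domain)"
            continue
        }
        $entry                                                # keep the entry
    }
}

# Constructed sample input (not taken from the thread)
$accepted = @('contoso.example', '*.corp.example')
$list = @('partner.example', 'alerts@contoso.example', '@contoso.example',
          'build@ci.corp.example', 'Newsletter@Vendor.example', '', 'partner.example')
Remove-AcceptedDomainEntry -Entries $list -AcceptedDomains $accepted
```

    Writing the result to a staging file and comparing it with the published list before replacing it keeps a bad run from emptying every client's list.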
  • Hello folks,

    I installed RU3 on Saturday night and to my disappointment the issue is still here :( Absolutely nothing has changed. Outlook loads the list, shows the internal address for about a minute, Get-MailboxJunkEmailConfiguration on the server returns the internal domains in the TrustedSendersAndDomains property for a couple of minutes and then it disappears from there too.

    Read http://support.microsoft.com/kb/2458522 - RU3 fixes only a bug in this, not the cause. For some reason Microsoft decided to remove the possibility to allow Exchange accepted domains in SP1:

    Cause 1:

    This issue occurs because of a functionality change that is introduced in Exchange Server 2010 SP1. In Exchange Server 2010 SP1, domains that are configured as accepted domains are no longer allowed in the junk email lists of a mailbox.

     

    I expected the fix to change it back but Microsoft apparently still ignores our reasons why this is a valid use. If you also think this is a valid use please support my question here http://social.technet.microsoft.com/Forums/en-US/outlook/thread/c24f70bc-9da5-4e23-9463-a948ab1c93d0

    Monday, April 18, 2011 6:39 AM
  • We are still having issues with Outlook 2010 crashing when the safesenders list is imported via GPO.  Has anyone had any luck with this??  The hotfix download says there are no affected systems for this patch. We're running Win7 SP1, and Exchange and Office 2010. 
    • Edited by philm954 Thursday, October 20, 2011 3:31 PM
    Thursday, October 13, 2011 7:37 PM
  • RU3 still didn't fix our issue - import list regedit is still making Outlook 2010 crash.
    Tuesday, November 1, 2011 2:51 PM
  • This is a major issue.  We are Exchange 2010 SP1 14.01.0218.013, on a Server 2008 R2 virtual.  No antispam, no edge service, have several domains in house.  Outlook 2007 and 2010 clients in the office and via Outlook Anywhere in the field.

    Outlook takes it upon itself to move e-mails from our primary and additional accepted domains to Junk, whether or not the originating address is a service or a mailbox. 

    Because of the aforementioned issues we are not able to add our domains or domain e-mail addresses to a safe list to keep our internal e-mail out of Junk in Outlook.  Significant loss of functionality.

    (yes, I know, no e-mail on the GAL will ever be marked Junk by Outlook...ever... but that's just not true.)

    Thursday, December 22, 2011 8:32 PM
  • Office service pack 1 resolved our issue of the client crashing when importing safe senders list. Domain service emails still went to junk mail. Ultimately we ran a powershell command that marked our domain mail with spam level of -1. Although we do get the occasional spam of spoofed mail, all domain mail goes to the inbox. I can post the command next week if needed.
    Thursday, December 22, 2011 11:28 PM
  • When you get the chance, would you please post the command used to mark internal domains at spam level of -1?
    Wednesday, February 1, 2012 9:13 PM
  • New-TransportRule -Name "Allow mydomain.com" -FromAddressContainsWords "mydomain.com" -SetSCL -1
    **restart Microsoft exchange transport**
    Wednesday, February 1, 2012 9:36 PM
  • Hi all,

    First time poster here.

    I have spent a few hours on this today and have, what would appear to be, a solution.

    The Registry Key HKCU\Software\Policies\Microsoft\Office\1x.x\Outlook\Options\Mail (JunkMailImportLists - 1) is required

    Setting the Safe Senders list is required

    So far, all the "standard" procedures for configuring this GPO are 100% required. There is 1 step missing.

    I was able to finally get this GPO to apply by applying the GPO in the following steps:

    1 - Run "gpupdate /force" just to make sure that the policy is applying

    2 - Restart Outlook

    3 - (The potential missing link) Disable Cached Mode

    4 - Restart Outlook

    5 - Check your local client Safe Senders List, it should now be populated by your imported list

    6 - Restart Outlook

    7 - Enable Cached Mode

    8 - Restart Outlook - Your Safe Senders List should now be complete

    I know that this is a time consuming list of steps, and will not be practical at all in any Enterprise of size, but it does work.

    I am now investigating how we can get this mass deployed to the enterprise with a minimal amount of user or administrator intervention on the client side.

    I will post here with results once I have them.

    Cheers,

    Wizz-Fizz


    • Edited by Wizz-Fizz Wednesday, April 4, 2012 6:57 AM Spelling and Grammar
    Wednesday, April 4, 2012 6:52 AM
  • Unfortunately, it would appear that this has failed to resolve our issue.

    Upon logging in this morning, the safe senders list has been stripped out of the Outlook client, investigations to continue.

    Initial findings suggest that working in Cached Mode wipes the list, working without Cached Mode enables the list to stay.

    Wednesday, April 4, 2012 10:32 PM
  • Group Policy Safe Senders does not work. After spending quite some time on this issue I discovered that the best way to solve this problem is to prevent emails from being marked as spam on the Exchange Server. Create a transport rule on the server for the address in question (in my case it was all messages from @server.domain.com) and set the spam confidence level to -1.

    http://msdn.microsoft.com/en-us/library/exchange/ms998863(v=exchg.65).aspx


    If God intended us to wear uniforms we'd all look alike.

    • Proposed as answer by MakoShark Friday, July 27, 2012 2:01 PM
    Friday, July 27, 2012 1:59 PM
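
    The SCL -1 transport rule from the posts above, as an added example that is not from any poster or from Microsoft: the rule as posted is shown commented out next to a narrower variant. "mydomain.com" is the placeholder used in the thread and the second rule name is made up.

```powershell
# Added example. Run in the Exchange Management Shell on a Hub Transport server.

# As posted in the thread: the only condition is text in the From address,
# so every message whose From address contains the domain gets SCL -1,
# which is why spoofed mail still reaches the inbox with this rule.
# New-TransportRule -Name "Allow mydomain.com" `
#     -FromAddressContainsWords "mydomain.com" `
#     -SetSCL -1

# Narrower variant: also require that Exchange classifies the sender as
# inside the organization. Conditions in one rule are combined with AND.
New-TransportRule -Name "Allow internal mydomain.com" `
    -FromScope InOrganization `
    -FromAddressContainsWords "mydomain.com" `
    -SetSCL -1

# Mail that internal services submit over an unauthenticated connection may
# not be classified as InOrganization; send a test message from each service
# and check where it lands before relying on the rule.
Get-TransportRule | Format-List Name, State, Priority
```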
  • We have the same problem. Our Exchange server is 2007 SP3.

    It's not a server-side issue, it's just an Outlook 2010 problem.

    Users with Outlook 14.0.6023 and below reported that their Outlook crashed after applying safe-sender GPO.

    Users with Outlook 14.0.6129 and above are safe!

    Then Outlook needs to be updated to Dec 2012.

    Changing SCL for all the internal emails is not an ideal solution for enterprise networks. It's more load on hub transport servers.

    Thanks

    Pedram

    Tuesday, February 26, 2013 6:42 AM