Closed group getting external mail despite delivery management set to receive mails inside organization

    Question

  • Group users brought to our notice a mail they received from LinkedIn, even though we defined delivery management for the group as "Only senders inside my organization".

    From the mail received, it appears that one of the group users requested a password reset and, in turn, the entire group received a mail with the link to reset the password. We are on Exchange 2013 CU3 in coexistence with Exchange 2010.

    Please share your thoughts on the possible cause of this behavior.


    • Edited by Shireesh1 Friday, September 12, 2014 6:07 PM
    Friday, September 12, 2014 6:03 PM

Answers

  • Thank you all for your response and help,

    We were able to fix this issue by removing the IP address of our MTAs, mistakenly allowed on the receive connector.

    • Marked as answer by Shireesh1 Wednesday, September 17, 2014 7:52 AM
    Wednesday, September 17, 2014 7:52 AM

All replies

  • Shireesh - 

    I would start by identifying how/where this message entered the org.  You can run a message trace to follow the path of the message.  For example, an inbox rule to redirect a copy of the message would look like a direct delivery, but via a trace you would see how the message was processed.  

    As a second possibility, if you have any relay devices that authenticate when sending into Exchange, that counts as an authenticated sender and could hit the DL.  Again, message trace would help you see where it entered the org.

    -Gary


    Gary Steere | Microsoft Certified Master: Exchange Server | Microsoft Certified Solutions Master: Messaging | Microsoft vTSP http://IThinkThereforeIEHLO.com

    Friday, September 12, 2014 7:03 PM
  • Thanks Gary,

    Could not find message trace on Exchange 2013. 

    Ran this to find, but doesn't look like the output is helpful

    Get-MessageTrackingLog -Server mbx11 -ResultSize Unlimited -Start "9/10/2014 8:00AM" -End "9/13/2014 8:00AM" -MessageSubject "Rajesh, here's the link to reset your password" -Recipients mf@domain.com -Sender security-noreply@linkedin.com

    EventId                       Source                        Sender                        MessageSubject
    -------                       ------                        ------                        --------------
    HAREDIRECT                    SMTP                          security-noreply@linkedin.com Rajesh, here's the
    RECEIVE                       SMTP                          security-noreply@linkedin.com Rajesh, here's the
    AGENTINFO                     AGENT                         security-noreply@linkedin.com Rajesh, here's the
    SEND                          SMTP                          security-noreply@linkedin.com Rajesh, here's the
    SEND                          SMTP                          security-noreply@linkedin.com Rajesh, here's the
    SEND                          SMTP                          security-noreply@linkedin.com Rajesh, here's the
    DELIVER                       STOREDRIVER                   security-noreply@linkedin.com Rajesh, here's the
    DELIVER                       STOREDRIVER                   security-noreply@linkedin.com Rajesh, here's the
    DELIVER                       STOREDRIVER                   security-noreply@linkedin.com Rajesh, here's the

    Saturday, September 13, 2014 9:12 AM
  • Hi Shireesh,

    In addition to the above points:

    1. Please review the headers of the message that was received by the distribution list. From them you can identify the number of hops and the message's origination and termination. At the same time you can find all the servers involved in the message transport.

    2. Then do the message tracking on all the transport servers. Please use the command below, which will search the message tracking logs on all the transport servers available in your organization.

    Get-TransportService | Get-MessageTrackingLog

    3. You have a coexistence environment, but for your information, these kinds of incidents also happen during an Exchange cross-forest migration, because during the migration period the distribution group exists in the source forest as well as in the target forest until the Exchange servers in the source forest are decommissioned and mail is re-routed to the Exchange servers in the new forest.

    Regards

    S.Nithyanandham


     




    Thanks S.Nithyanandham

    Saturday, September 13, 2014 6:50 PM
  • Group users brought to our notice a mail they received from LinkedIn, even though we defined delivery management for the group as "Only senders inside my organization".

    From the mail received, it appears that one of the group users requested a password reset and, in turn, the entire group received a mail with the link to reset the password. We are on Exchange 2013 CU3 in coexistence with Exchange 2010.

    Please share your thoughts on the possible cause of this behavior.


    Check the headers of the message;

    What is set for: X-MS-Exchange-Organization-AuthAs


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Saturday, September 13, 2014 7:28 PM
    Moderator
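
The header review suggested in the replies above (the Received hop chain plus X-MS-Exchange-Organization-AuthAs), as an added example that is not part of the thread. The sample message, host names, IPs and the `triage` helper are constructed for illustration; treating the host that handed the message to the AuthSource server as the trusted relay is an assumption of this sketch.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not taken from the thread; hosts and IPs are placeholders.
SAMPLE = """\
Received: from mbx11.corp.example (10.0.0.11) by mbx12.corp.example (10.0.0.12)
 with Microsoft SMTP Server (TLS); Fri, 12 Sep 2014 10:01:03 +0000
Received: from mta1.corp.example (192.0.2.25) by mbx11.corp.example (10.0.0.11)
 with Microsoft SMTP Server; Fri, 12 Sep 2014 10:01:02 +0000
Received: from mail.sender.example (198.51.100.7) by mta1.corp.example
 with ESMTP; Fri, 12 Sep 2014 10:01:00 +0000
From: Notifications <noreply@sender.example>
To: group@corp.example
Subject: constructed sample
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthSource: mbx11.corp.example

body
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I)

def triage(raw, internal_domains):
    """Summarise where a message was stamped and whether AuthAs fits the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth_as = str(msg["X-MS-Exchange-Organization-AuthAs"] or "").strip()
    auth_source = str(msg["X-MS-Exchange-Organization-AuthSource"] or "").strip().lower()
    # Received headers are prepended by each server, so reverse them for travel order.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(str(value).split()))
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    # Assumption: the host that handed the message to the AuthSource server is the
    # relay whose connection was treated as trusted.
    stamped_from = next((src for src, dst in hops if dst == auth_source), None)
    return {
        "sender_domain": domain,
        "auth_as": auth_as,
        "auth_source": auth_source,
        "hops": hops,
        "stamped_from": stamped_from,
        "mismatch": auth_as.lower() == "internal" and domain not in internal_domains,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE, {"corp.example"}).items():
        print(f"{key}: {value}")
```

A `mismatch` of True with an outside sender domain points at the `stamped_from` host: its address is the one to look for in the receive connector's allowed remote IPs on the AuthSource server.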