Solved

emailing active directory distribution groups

Posted on 2009-04-02
Last Modified: 2012-05-06
Our company, like many others, has a list of distribution groups for sending emails to various departments and offices within the company. Recently I noticed that all of these distribution groups have an email address associated with them. Doing some testing I found that it is possible to send to the distribution group from outside the company, provided you know the distributiongroup@company.com email address that is associated with it.

This is not good to have as it could potentially allow someone from outside to send mass emails within the company or it could allow for a terminated employee to do the same as well as a whole host of other bad things.

What I would like to do is stop someone from the outside from being able to send to those distribution groups but still be able to use them internally.

Originally I thought that using Exchange Tasks and removing the email address would stop the ability to reach it from outside, which it did. Now however I cannot see the group in my Outlook and can't send to it. Maybe I'm missing something, maybe I'm doing something wrong, but I'm kind of stumped.
Question by:Joseph Daly
5 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24048800

Hey,

You need to set the Delivery Restrictions to only allow messages from Authenticated Users. That's set by default for Distribution Groups so I guess someone removed the tick at some point in the past.

If you want to find all the lists that permit external senders you can use this LDAP Query:

(&(objectClass=group)(!msExchRequireAuthToSendTo=TRUE))

Or this one to find those that require authentication:

(&(objectClass=group)(msExchRequireAuthToSendTo=TRUE))

Note that the first one has to use !<Attribute>=TRUE rather than =FALSE because it's either True, or Not Set. Or just take my word for it ;)

That can be used with whichever tool you prefer, either AD Users and Computers / Saved Queries / Custom Query / Advanced, or DSQuery, or PowerShell, or VbScript, or ADFind, etc, etc. Would you like more explicit instructions for any of those?

Chris
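The LDAP filter above, driven from PowerShell as an added example (not code from the thread): it lists every mail-enabled group whose Delivery Restrictions do not require authenticated senders, and with the hypothetical -Fix switch re-enables the restriction by setting msExchRequireAuthToSendTo to TRUE. It assumes a domain-joined Windows host with rights to read and modify group objects; the extra (mail=*) term narrows the answer's filter to groups that actually have an SMTP address.

```powershell
# Added example: find (and optionally fix) distribution groups open to external senders.
# Uses plain ADSI/DirectorySearcher, so no Exchange or AD module is required.
param(
    [switch]$Fix   # hypothetical switch: when present, re-enable "authenticated users only"
)

# Filter from the accepted answer, plus (mail=*) so only mail-enabled groups are returned.
# The negation (!...=TRUE) is needed because the attribute is either TRUE or not set at all.
$filter = '(&(objectClass=group)(mail=*)(!msExchRequireAuthToSendTo=TRUE))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]''          # default naming context of the current domain
$searcher.Filter     = $filter
$searcher.PageSize   = 1000              # paged results, so large directories are fully enumerated
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mail'))

$results = $searcher.FindAll()
$openCount = 0
foreach ($r in $results) {
    $dn   = $r.Properties['distinguishedname'][0]
    $mail = $r.Properties['mail'][0]
    $openCount++
    Write-Output ("OPEN TO EXTERNAL SENDERS: {0}  ({1})" -f $mail, $dn)

    if ($Fix) {
        # Equivalent to ticking "From authenticated users only" on the Exchange General tab.
        $group = [ADSI]("LDAP://$dn")
        $group.Put('msExchRequireAuthToSendTo', $true)
        $group.SetInfo()
        Write-Output ("  -> restriction re-enabled on {0}" -f $mail)
    }
}
$results.Dispose()

Write-Output ("{0} mail-enabled group(s) accepted unauthenticated senders." -f $openCount)
```

Run it without -Fix first to review the list; groups intended to receive mail from the Internet (a sales or support alias, for example) should be excluded before re-running with -Fix.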
 
LVL 35

Author Comment

by:Joseph Daly
ID: 24048815
I understand the part about the requiring authentication to send.

I guess I'm looking more for an explanation of the following:
1. Does a distribution group have to have an email address associated with it to work with Exchange?
2. Why do they give you the option to create a distribution group without an email address if you can't use it to send emails?
3. Short of ticking "authenticated users only", is there any other way?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24048849

1. Yes. X400 only addressing was ditched after Exchange 5.5 as far as I'm aware.

2. Dunno, you'd have to ask MS :)

3. Authenticated Users is, by far, the easiest way.

But no, it's not the only one. You could validate against a recipient list for inbound mail, or add explicit lists of users to each group stating who can and cannot send. However, those are hard work by comparison and the first might not even be possible using features native to Exchange 2003.

Chris
 
LVL 35

Author Comment

by:Joseph Daly
ID: 24048919
I probably will end up using the authenticated users checkmark, as that should fulfil the requirements I stated above. It will keep outside email (not authenticated) from hitting the dist groups. And since we disable terminated users, they won't be able to get into their account in order to authenticate to send any emails.

I would think that internally you should be able to have a dist group without an email address because when you send to that group AD/exchange would be able to enumerate the members and then send the email to them. I would like to know MS reasons for not allowing that.

I'm going to leave this open for a little bit longer just to see if there are any other ideas, or maybe someone can post MS's take on the issue.
 
LVL 35

Author Closing Comment

by:Joseph Daly
ID: 31565741
Did some testing with the authenticated users and this solution does block outside people from sending to our internal distribution groups. Thanks