Solved

emailing active directory distribution groups

Posted on 2009-04-02
Last Modified: 2012-05-06
Our company, like many others, has a list of distribution groups for sending emails to various departments and offices within the company. Recently I just noticed that all of these distribution groups have an email address associated with them. Doing some testing I found that it is possible to send to the distribution group from outside the company, providing you know the distributiongroup@company.com email address that is associated with it.

This is not good to have as it could potentially allow someone from outside to send mass emails within the company or it could allow for a terminated employee to do the same as well as a whole host of other bad things.

What I would like to do is stop someone from the outside from being able to send to those distribution groups but still be able to use them internally.

Originally I thought that using Exchange Tasks and removing the email address would stop the ability to reach it from outside, which it did. Now however I cannot see the group in my Outlook and can't send to it. Maybe I'm missing something, maybe I'm doing something wrong, but I'm kinda stumped.
Question by:Joseph Daly

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 24048800

Hey,

You need to set the Delivery Restrictions to only allow messages from Authenticated Users. That's set by default for Distribution Groups so I guess someone removed the tick at some point in the past.

If you want to find all the lists that permit external senders you can use this LDAP Query:

(&(objectClass=group)(!msExchRequireAuthToSendTo=TRUE))

Or this one to find those that require authentication:

(&(objectClass=group)(msExchRequireAuthToSendTo=TRUE))

Note that the first one has to use !<Attribute>=TRUE rather than =FALSE because it's either True, or Not Set. Or just take my word for it ;)

That can be used with whichever tool you prefer, either AD Users and Computers / Saved Queries / Custom Query / Advanced, or DSQuery, or PowerShell, or VBScript, or ADFind, etc., etc. Would you like more explicit instructions for any of those?

Chris
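As an added example (not from Chris's answer and not any product's own tooling), here is a PowerShell script that runs the first LDAP query above against the current domain and lists the groups it returns, i.e. the ones an outside sender could still reach. It assumes a domain-joined machine with read access to Active Directory; the extra (mail=*) clause is my addition to limit the results to mail-enabled groups, since only those have an SMTP address to target.

```powershell
# Added example (not from the thread): list mail-enabled groups whose Delivery
# Restrictions still allow unauthenticated senders, using the first LDAP filter
# from the accepted answer. Assumes a domain-joined machine with read access to
# Active Directory. The (mail=*) clause is my addition: only mail-enabled groups
# have an SMTP address an outside sender could target.
$filter = "(&(objectClass=group)(mail=*)(!msExchRequireAuthToSendTo=TRUE))"

# Search the whole default naming context with paged results, so domains with
# more than 1000 groups are not silently truncated.
$root = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.PageSize = 1000
foreach ($attr in "name", "mail", "distinguishedName") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# Property names in the result collection are lower-case.
$openGroups = foreach ($result in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        Name = [string]$result.Properties["name"][0]
        Mail = [string]$result.Properties["mail"][0]
        DN   = [string]$result.Properties["distinguishedname"][0]
    }
}

"{0} mail-enabled group(s) accept unauthenticated senders:" -f @($openGroups).Count
$openGroups | Sort-Object Name | Format-Table Name, Mail -AutoSize

# Remediation is the tick Chris describes: on Exchange 2003, the Delivery
# Restrictions setting on the group in AD Users and Computers. On Exchange 2007
# and later the same setting is exposed by the Exchange shell:
#   Set-DistributionGroup -Identity <name> -RequireSenderAuthenticationEnabled $true
```

Run it as an ordinary domain user; nothing is changed, it only reads the directory. The filter deliberately uses `(!msExchRequireAuthToSendTo=TRUE)` rather than `=FALSE` for the reason Chris gives: the attribute is either TRUE or not set, so a group that has never had the tick applied would not match `=FALSE` at all.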

Author Comment

by:Joseph Daly
ID: 24048815
I understand the part about requiring authentication to send.

I guess I'm looking more for an explanation of the following:
1. Does a distribution group have to have an email associated with it to work with Exchange?
2. Why do they give you the option to create a distribution group without an email if you can't use it to send emails?
3. Short of ticking the authenticated users only, is there any other way?

Expert Comment

by:Chris Dent
ID: 24048849

1. Yes. X.400-only addressing was ditched after Exchange 5.5 as far as I'm aware.

2. Dunno, you'd have to ask MS :)

3. Authenticated Users is, by far, the easiest way.

But no, it's not the only one. You could validate against a recipient list for inbound mail, or add explicit lists of users to each group stating who can and cannot send. However, those are hard work by comparison and the first might not even be possible using features native to Exchange 2003.

Chris

Author Comment

by:Joseph Daly
ID: 24048919
I probably will end up using the authenticated users checkmark as that should fulfill the requirements I stated above. It will keep outside email (not authenticated) from hitting the dist groups. And since we disable terminated users, they won't be able to get into their account in order to authenticate to send any emails.

I would think that internally you should be able to have a dist group without an email address, because when you send to that group AD/Exchange would be able to enumerate the members and then send the email to them. I would like to know MS's reasons for not allowing that.

I'm going to leave this open for a little bit longer just to see if there are any other ideas, or maybe someone can post MS's take on the issue.

Author Closing Comment

by:Joseph Daly
ID: 31565741
Did some testing with the authenticated users setting and this solution does block outside people from sending to our internal distribution groups. Thanks.