Link to home
Start Free TrialLog in
Avatar of Joseph Daly
Joseph DalyFlag for United States of America

asked on

emailing active directory distribution groups

Our company like many others has a list of distribution groups for sending emails to various departments and offices within the company. Recenlty I just noticed that all of these distribution groups have an email address associated with them. Doing some testing I found that it is possible to send to the distribution group from outside the company providing you know the distributiongroup@company.com email address that is associated with it.

This is not good to have as it could potentially allow someone from outside to send mass emails within the company or it could allow for a terminated employee to do the same as well as a whole host of other bad things.

What I would like to do is stop someone from the outside from being able to send to those distribution groups but still be able to use them internally.

Originally I thought that using exchange tasks, and removing the email address would stop the ability to reach it from outside which it did. Now however I can not see the group in my outlook and cant send to it. Maybe im missing something maybe im doing someting wrong but im kinda stumped.
ASKER CERTIFIED SOLUTION
Avatar of Chris Dent
Chris Dent
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Joseph Daly

ASKER

I understand the part about the requiring authentication to send.

I guess im looking more for an explanation of the following
1. Does a distribution group have to have an email associated with it to work with exchange
2. Why do they give you the option to create a distribtuion group without an email if you cant use it to send emails
3. Short of ticking the authenticated users only is there any other way

1. Yes. X400 only addressing was ditched after Exchange 5.5 as far as I'm aware.

2. Dunno, you'd have to ask MS :)

3. Authenticated Users is, by far, the easiest way.

But no, it's not the only one. You could validate against a recipient list for inbound mail, or add explicit lists of users to each group stating who can and cannot send. However, those are hard work by comparison and the first might not even be possible using features native to Exchange 2003.

Chris
I probably will end up using the authenticated users checkmark as that should fulfill the requirements I stated above. It will keep outside email (not authenticated) from hitting the dist groups. And since we disabled terminated users they wont be able to get into their account in order to authenticate to send any emails.

I would think that internally you should be able to have a dist group without an email address because when you send to that group AD/exchange would be able to enumerate the members and then send the email to them. I would like to know MS reasons for not allowing that.

Im going to leave this open for a little bit longer just to see if there are any other ideas or maybe someone can post MS take on the issue.
Did some testing with the authenticated users and this solution does block outside people from sending to our internal distribution groups. Thanks