emailing active directory distribution groups

Posted on 2009-04-02
Last Modified: 2012-05-06
Our company, like many others, has a list of distribution groups for sending emails to various departments and offices within the company. Recently I noticed that all of these distribution groups have an email address associated with them. Doing some testing, I found that it is possible to send to the distribution group from outside the company, providing you know the distributiongroup@company.com email address that is associated with it.

This is not good to have as it could potentially allow someone from outside to send mass emails within the company or it could allow for a terminated employee to do the same as well as a whole host of other bad things.

What I would like to do is stop someone from the outside from being able to send to those distribution groups but still be able to use them internally.

Originally I thought that using Exchange tasks and removing the email address would stop the ability to reach it from outside, which it did. Now, however, I cannot see the group in my Outlook and can't send to it. Maybe I'm missing something, maybe I'm doing something wrong, but I'm kind of stumped.
Question by:Joseph Daly

Accepted Solution

by: Chris Dent (earned 2000 total points)
ID: 24048800

Hey,

You need to set the Delivery Restrictions to only allow messages from Authenticated Users. That's set by default for Distribution Groups so I guess someone removed the tick at some point in the past.

If you want to find all the lists that permit external senders you can use this LDAP Query:

(&(objectClass=group)(!msExchRequireAuthToSendTo=TRUE))

Or this one to find those that require authentication:

(&(objectClass=group)(msExchRequireAuthToSendTo=TRUE))

Note that the first one has to use !<Attribute>=TRUE rather than =FALSE because it's either True, or Not Set. Or just take my word for it ;)

That can be used with whichever tool you prefer, either AD Users and Computers / Saved Queries / Custom Query / Advanced, or DSQuery, or PowerShell, or VbScript, or ADFind, etc, etc. Would you like more explicit instructions for any of those?

Chris
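
The first query above, run from PowerShell through the .NET DirectorySearcher class, as an added example that is not part of the original answer. The `(mail=*)` clause and the `$Remediate` switch are additions made here, and the search assumes a domain-joined machine and covers the current domain only.

```powershell
# Added example: list mail-enabled groups that accept mail from unauthenticated senders.
# The filter is the answer's first LDAP query plus (mail=*), an added clause that skips
# groups with no email address.
$filter = '(&(objectClass=group)(mail=*)(!msExchRequireAuthToSendTo=TRUE))'

# Set to $true to write msExchRequireAuthToSendTo=TRUE on every group found
# (assumption: the restriction is wanted on all of them; review the report first).
$Remediate = $false

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter      = $filter
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000   # paged search, so more than 1000 groups are returned
foreach ($attr in 'name', 'mail', 'msExchRequireAuthToSendTo') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $p = $r.Properties   # keys in this collection are lower-cased
    # The attribute is TRUE, FALSE or absent; the !...=TRUE filter matches the last two.
    $state = 'Not set'
    if ($p.Contains('msexchrequireauthtosendto')) {
        $state = [string]$p['msexchrequireauthtosendto'][0]
    }
    if ($Remediate) {
        # Same attribute the "authenticated users only" delivery restriction controls
        $entry = $r.GetDirectoryEntry()
        $entry.Put('msExchRequireAuthToSendTo', $true)
        $entry.SetInfo()
        $state = "$state -> True"
    }
    New-Object PSObject -Property @{
        Name        = [string]$p['name'][0]
        Mail        = [string]$p['mail'][0]
        RequireAuth = $state
        Path        = $r.Path
    }
}
$results.Dispose()

$report | Sort-Object Name | Select-Object Name, Mail, RequireAuth, Path
```

An empty report means every mail-enabled group already requires authenticated senders.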

Author Comment

by:Joseph Daly
ID: 24048815
I understand the part about requiring authentication to send.

I guess I'm looking more for an explanation of the following:
1. Does a distribution group have to have an email associated with it to work with Exchange?
2. Why do they give you the option to create a distribution group without an email if you can't use it to send emails?
3. Short of ticking the authenticated users only, is there any other way?

Expert Comment

by:Chris Dent
ID: 24048849

1. Yes. X400 only addressing was ditched after Exchange 5.5 as far as I'm aware.

2. Dunno, you'd have to ask MS :)

3. Authenticated Users is, by far, the easiest way.

But no, it's not the only one. You could validate against a recipient list for inbound mail, or add explicit lists of users to each group stating who can and cannot send. However, those are hard work by comparison and the first might not even be possible using features native to Exchange 2003.

Chris

Author Comment

by:Joseph Daly
ID: 24048919
I probably will end up using the authenticated users checkmark, as that should fulfill the requirements I stated above. It will keep outside email (not authenticated) from hitting the dist groups. And since we disabled terminated users, they won't be able to get into their account in order to authenticate to send any emails.

I would think that internally you should be able to have a dist group without an email address, because when you send to that group AD/Exchange would be able to enumerate the members and then send the email to them. I would like to know MS's reasons for not allowing that.

I'm going to leave this open for a little bit longer just to see if there are any other ideas, or maybe someone can post MS's take on the issue.

Author Closing Comment

by:Joseph Daly
ID: 31565741
Did some testing with the authenticated users and this solution does block outside people from sending to our internal distribution groups. Thanks