  • Status: Solved
  • Priority: Medium
  • Security: Public

Exchange 2003 send-as errors -- previous working shared mailbox, now rippling through end-user base

Hi Team

I have inherited an Exchange 2003 Enterprise Edition, with no SP1 or SP2, that has started causing groups of users to not be able to send out from "shared/group" mailboxes. These shared/group mailboxes function as departmental/team resources, and it's imperative that the recipient only see the shared mailbox, not the actual end user's SMTP address, but instead, mydepartment@abc.com.

We have several of these that are working correctly, but one mailbox in particular recently has started causing members in that group to receive bounce-backs w/ no NDR code, just this message:

You do not have permission to send to this recipient.  For
assistance, contact your system administrator.
           MSEXCH:MSExchangeIS:/DC=com/DC=mydomain:mail-server-host-name


This is what I know:

- Users have been added to "Send-on behalf" in Delivery Options, under Exchange General, for the mailbox in question
- Accept Messages from "Everyone" is selected under "Delivery Restrictions" under Exchange General for the mailbox in question
- have also added the users to the "Mailbox Rights" under Exchange Advanced (although this seems to create in the from field "jane doe on behalf of 'shared-mailbox-Display-Name'" -- which we don't want.. we have to hide the sender SMTP, and only allow the shared-mailbox SMTP to be visible)

- I'm not seeing anything in the logs on the Exchange system
- Doing a message trace just shows the message immediately bouncing
- Ran SMTPDiag w/ the shared mailbox as the sender, and chose a recipient from one of the bounce backs --- all the SMTPDiag tests were successful.
- nothing has changed in terms of MX records in our DNS zone.

What I haven't done:

Under the Default SMTP Virtual Server Properties > Access > Relay..  currently there are (3) subnets listed, but the checkbox is selected for "Allow all computers which successfully authenticate to relay, regardless of the list above". I've read on other sites, that this should be de-selected, and then "Users" should be clicked, and then "Authenticated Users" get the "Allow" permission for Submit and Relay.

I don't know why only this shared resource is experiencing this issue, but I'd really like to resolve this before it potentially starts spreading to the other addresses we have set up.

ideas? thoughts? suggestions?
0
Asked by: kapshure
 
dreadman2k Commented:
Kapshure,

In my E2003 organisation, this is the method we follow to allow "Send as":
(We do not add them to the "Send on behalf" box, but it won't hurt.)
1. Under Exchange Advanced, mailbox rights, add them & tick "Full Mailbox Access"
2. Under the Security tab, add them, scroll down to find the "Send as" & "Receive as" boxes & tick those two (don't change any others - if ticked leave them ticked, if empty, leave them empty)

That's pretty much it. We add groups to a shared mailbox, so new people who need access only need to be added to the group - much quicker.

Be warned, the default behaviour for "Send as" was changed in a patch, read here: http://support.microsoft.com/kb/895949

Without this hotfix, anyone with "Full Access" could send as. With the patch, you need to follow the steps above.
0
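To confirm what the Security-tab steps above actually granted, the following added example (not part of the original thread) lists every ACE on a mailbox-enabled user object that carries the Send As or Receive As extended right, and whether it was set on the object or inherited. The distinguished name is a placeholder, and the script assumes PowerShell 2.0 or later on a domain-joined machine with read access to the directory.

```powershell
# Added example: read-only audit of Send As / Receive As on one AD user object.
param(
    # Placeholder DN (assumption): replace with the shared mailbox's user object.
    [string]$MailboxDN = 'CN=Shared Mailbox,OU=Placeholder,DC=example,DC=com'
)

# Control access right GUIDs defined in the AD schema.
$rights = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
}
# An extended-right ACE with an empty ObjectType covers ALL extended rights,
# which is how Full Control style grants also end up allowing Send As.
$allExtended   = [Guid]::Empty.ToString()
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$entry = [ADSI]"LDAP://$MailboxDN"
# psbase is used so the property resolves on every PowerShell version.
$rules = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true,   # include ACEs set directly on the object
    $true,   # include inherited ACEs
    [System.Security.Principal.NTAccount])

$report = foreach ($ace in $rules) {
    # Skip ACEs that do not carry the extended-right bit at all.
    if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }

    $guid = $ace.ObjectType.ToString()
    if ($rights.ContainsKey($guid))     { $name = $rights[$guid] }
    elseif ($guid -eq $allExtended)     { $name = 'All extended rights' }
    else                                { continue }

    New-Object PSObject -Property @{
        Trustee   = $ace.IdentityReference.Value
        Right     = $name
        Type      = $ace.AccessControlType   # Allow or Deny
        Inherited = $ace.IsInherited         # $false = set on this mailbox only
    }
}

# Deny entries first, since a Deny on Send As overrides any Allow.
$report |
    Sort-Object Type -Descending |
    Select-Object Trustee, Right, Type, Inherited |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `False` are the per-mailbox grants; trustees that appear only through inherited or "All extended rights" entries are worth reviewing when the goal is to limit who can send as the shared address.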
 
kapshure (Author) Commented:
@dreadman2k

Thanks for the quick reply. I'm about to step out the door, but will be reviewing this later.

Yoiks! I've got some reading to do.
0
 
MegaNuk3 Commented:
Note, 'Send As' will override 'Send on Behalf'. It can also take up to 2 hours for 'Send As' rights to take effect.
0
 
kapshure (Author) Commented:
@dreadman2k

Why am I not seeing this part (except where noted below) in the shared/group mailbox account properties:

Under the Security tab, add them, scroll down to find the "Send as" & "Receive as" boxes & tick those two

I only see this option when I go into ESM > Admin groups > Server > Storage Group > Information Store. From there I can right-click > Properties > Security tab; from there I see the "send-as" and "Receive-as" permissions, but that's for the entire Information store - I only want to set this granularly per the correct mailbox, not every mailbox in that group.
0
 
MegaNuk3 Commented:
In ADUC try View --> Advanced Features and then see if it gives you the security tab on mailboxes.

I would recommend you install Exchange 2003 SP2 as soon as possible, so that you will at least be on the same version as the majority of people out there, including experts.
0
 
kapshure (Author) Commented:
@MegaNuk3

I agree that we should be running SP2, but I'm also about to start migrating teams off the on-premise Exchange2k3 system and over to MS BPOS / Exchange 2010 setup. I'm a bit apprehensive about running any SP updates on this machine.

I flipped on the Advanced Views earlier, and somehow missed that tab, but it's there now. Going to test this.

Thanks!
0
 
kapshure (Author) Commented:
this setting didn't seem to work right away. I've seen it work quickly, but I'll wait and see what happens.

One thing that did occur, when I had full permissions in Exchange Adv > Mailbox rights > then applied:

- Read
- change
- take ownership
- full mbox access

the delivery worked, but then in the "from" field of the received email, it would show:

From: Jane Smith on behalf of "branded email account" --- which is what we can't have because of brand leak. So I pulled out all the permissions in this section, except for "Full Mailbox access" and it just goes back to bouncing.
0
 
kapshure (Author) Commented:
Also -- in the security tab, where you apply the "Send-As" and "Receive-As" permissions, there are a lot of other check boxes ticked... do you leave those enabled, or remove them all, and only do the Send/Receive as permissions?

Thanks

0
 
MegaNuk3 Commented:
Leave the other boxes ticked and then tick allow 'Send As'

Within 2 hours it should take effect and overwrite 'Send On Behalf' in the from field
0
 
kapshure (Author) Commented:
got it.

Thanks MegaNuk3.

0
 
dreadman2k Commented:
So how does it look now, Kapshure?
0
 
kapshure (Author) Commented:
Well, from what I know, it does seem to be working, but it does show the end-user name w/ the "sent on behalf of" in the "FROM" field.

It turns out that w/ this particular team, this is OK, as long as it doesn't show their personal internal corp email address, which it doesn't. It just shows:

From: sharedmailbox sent on behalf by jane doe


But if this were from another team, this could be considered a branding leak. I'm still suspicious as to why all of a sudden this started breaking, considering it had been working successfully for quite some time.

However, w/ the lack of SP1 or SP2 installed, and the fact that we're in the middle of moving to BPOS -- I'm not going to spend a ton of time on it -- I just need to get band-aids in place until we get off this sickly Exchange2k3 system.
0
 
MegaNuk3 Commented:
Hmmm, 'send as' should be overriding the 'sent on behalf' but it might be, as you say, something pre-SP2 that is causing this not to work.
0
 
dreadman2k Commented:
Try applying the hotfix I mentioned above (http://support.microsoft.com/kb/895949). This should "set" the Send as /Send on behalf of behavior & then we can get it responding correctly.
0
 
kapshure (Author) Commented:
@MegaNuk3

You're right, I'm sure the lack of any SPs on this system is causing some undesirable activities.

@dreadman2k

I'm very apprehensive about making changes to this system -- especially since we're migrating off of it ASAP.
And, I don't like making a hotfix/change like this on a Friday, especially Friday the 13th. :)

I'm just going to close this request for now - you guys have been great help.
0
 
MegaNuk3 Commented:
OK, thanks for the points and good luck for the migration
0
 
dreadman2k Commented:
Cheers & hope the migration goes well. Moving up from 5.5 can only be a win.
0
 
kapshure (Author) Commented:
2003 actually. That box is on its way to major fubar status. Webmail/owa service won't stay online. I've gotta create another thread. /sigh
0
 
MegaNuk3 Commented:
Just install SP2
0
