kapshure
asked on
Exchange 2003 send-as errors -- previous working shared mailbox, now rippling through end-user base
Hi Team
I have inherited an Exchange 2003 Enterprise Edition, with no SP1 or SP2, that has started causing groups of users to not be able to send out from "shared/group" mailboxes. These shared/group mailboxes function as departmental/team resources, and it's imperative that the recipient only see the shared mailbox, not the actual end-user's SMTP address, but instead, mydepartment@abc.com
We have several of these that are working correctly, but one mailbox in particular recently has started causing members in that group to receive bounce-backs w/ no NDR code, just this message:
You do not have permission to send to this recipient. For
assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=com/DC=mydomain:mail-server-host-name
This is what I know:
- Users have been added to "Send-on behalf" in Delivery Options, under Exchange General, for the mailbox in question
- Accept Messages from "Everyone" is selected under "Delivery Restrictions" under Exchange General for the mailbox in question
- have also added the users to the "Mailbox Rights" under Exchange Advanced (although this seems to create in the from field "jane doe on behalf of 'shared-mailbox-Display-Name'" -- which we don't want.. we have to hide the sender SMTP, and only allow the shared-mailbox SMTP to be visible)
- I'm not seeing anything in the logs on the Exchange system
- Doing a message trace just shows the message immediately bouncing
- Ran SMTPDiag w/ the shared mailbox as the sender, and chose a recipient from one of the bounce backs --- all the SMTPDiag tests were successful.
- nothing has changed in terms of MX records in our DNS zone.
What I haven't done:
Under the Default SMTP Virtual Server Properties > Access > Relay.. currently there are (3) subnets listed, but the checkbox is selected for "Allow all computers which successfully authenticate to relay, regardless of the list above". I've read on other sites, that this should be de-selected, and then "Users" should be clicked, and then "Authenticated Users" get the "Allow" permission for Submit and Relay.
I don't know why only this shared resource is experiencing this issue, but I'd really like to resolve this before it potentially starts spreading to the other addresses we have setup
ideas? thoughts? suggestions?
ASKER
@dreadman2k
why am I not seeing this part (except where noted below) in the shared/group mailbox account properties
Under the Security tab, add them, scroll down to find the "Send as" & "Receive as" boxes & tick those two
I only see this option when I go into ESM > Admin groups > Server > Storage Group > Information Store. From there I can right-click > Properties > Security tab; from there I see the "send-as" and "Receive-as" permissions, but that's for the entire Information store - I only want to set this granularly per the correct mailbox, not every mailbox in that group.
In ADUC try View --> Advanced Features and then see if it gives you the security tab on mailboxes.
I would recommend you install Exchange 2003 SP2 as soon as possible, so that you will at least be the same version as what the majority of people out there including experts have.
ASKER
@MegaNuk3
I agree that we should be running SP2, but I'm also about to start migrating teams off the on-premise Exchange2k3 system and over to MS BPOS / Exchange 2010 setup. I'm a bit apprehensive on running any SP updates on this machine.
I flipped on the Advanced Views earlier, and somehow missed that tab, but it's there now. Going to test this.
Thanks!
ASKER
this setting didn't seem to work right away. I've seen it work quickly, but I'll wait and see what happens.
One thing that did occur, when I had full permissions in Exchange Adv > Mailbox rights > then applied:
- Read
- change
- take ownership
- full mbox access
the delivery worked, but then in the "from" field of the received email, it would show:
From: Jane Smith on behalf of "branded email account" --- which is what we can't have because of brand leak. So I pulled out all the permissions in this section, except for "Full Mailbox access" and it just goes back to bouncing.
ASKER
also -- in the security tab, where you apply the "Send-As" and "Receive-As" permissions, there are a lot of other check boxes ticked... do you leave those enabled, or remove them all, and only do the Send/Receive as permissions?
Thanks
Leave the other boxes ticked and then tick allow 'Send As'
Within 2 hours it should take effect and overwrite 'Send On Behalf' in the from field
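Added example, not part of the original thread or any poster's code: a PowerShell check, run from a domain-joined workstation, that lists which accounts hold the Send As and Receive As extended rights on one mailbox's AD user object, so the per-mailbox grant described above can be confirmed on that object alone. The account name `mydepartment` is a placeholder for the shared mailbox's sAMAccountName.

```powershell
# Placeholder: sAMAccountName of the shared mailbox's user object (assumption).
$sam = 'mydepartment'

# Well-known GUIDs of the two extended rights shown on the ADUC Security tab.
$rights = @{
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
}

# Locate the user object in the current domain.
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$result   = $searcher.FindOne()
if (-not $result) { throw "No user object found for '$sam'" }
$entry = $result.GetDirectoryEntry()

# Read the DACL, explicit and inherited ACEs, with trustees resolved to names.
$acl = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl | Where-Object {
    # Keep ACEs that carry extended rights: either one of the two GUIDs above,
    # or an empty ObjectType, which means "all extended rights" (Full Control
    # style grants) and therefore includes Send As as well.
    ($_.ActiveDirectoryRights -band $extended) -and
    ($rights.ContainsKey($_.ObjectType.ToString()) -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object IdentityReference, AccessControlType, IsInherited, @{
    Name       = 'Right'
    Expression = {
        if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
        else { $rights[$_.ObjectType.ToString()] }
    }
} | Sort-Object Right, IdentityReference | Format-Table -AutoSize
```

A row with `AccessControlType` of `Deny` for Send As takes precedence over an Allow, and `IsInherited` shows whether the entry was set on this object or came from a parent container in AD.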
ASKER
got it.
Thanks MegaNuk3.
So how does it look now, Kapshure?
ASKER
well, from what I know, it does seem to be working, but it does show the end-user name w/ the "sent on behalf of" in the "FROM" field.
It turns out that w/ this particular team, this is OK, as long as it doesn't show their personal internal corp email address, which it doesn't. It just shows:
From: sharedmailbox sent on behalf by jane doe
But if this were from another team, this could be considered a branding leak. I'm still suspicious as to why all of a sudden this started breaking, considering it had been working successfully for quite some time.
However, w/ the lack of SP1 or SP2 installed, and the fact that we're in the middle of moving to BPOS -- I'm not going to spend a ton of time on it -- I just need to get band-aids in place until we get off this sickly Exchange2k3 system.
Hmmm, 'send as' should be overriding the 'sent on behalf' but it might be as you say something pre-SP2 that is causing this not to work.
Try applying the hotfix I mentioned above (http://support.microsoft.com/kb/895949). This should "set" the Send as /Send on behalf of behavior & then we can get it responding correctly.
ASKER
@MegaNuk3
you're right, I'm sure the lack of any SP's on this system, is causing some undesirable activities
@dreadmank2k
I'm very apprehensive making changes to this system -- especially since we're migrating off of it ASAP.
And, I don't like making a hotfix/change like this on a Friday, especially Friday the 13th. :)
I'm just going to close this request for now - you guys have been great help.
OK, thanks for the points and good luck for the migration
Cheers & hope the migration goes well. Moving up from 5.5 can only be a win.
ASKER
2003 actually. That box is on its way to major fubar status. Webmail/owa service won't stay online. I've gotta create another thread. /sigh
Just install SP2
ASKER
thanks for the quick reply. i'm about to step out the door, but will be reviewing this later.
yoiks! i've got some reading to do.