Solved

Securing Exchange emails to a single account

Posted on 2013-06-02
Last Modified: 2015-11-30
All,

We have a client that requires securing emails by allowing replies only from the account the email was sent to originally.

In other words, if an email was sent to user1@mydomain.com, replies can be made from user1@mydomain only, and all attempts to communicate from other accounts in mydomain.com fail with ndr.

Currently, the client is on Exchange 2007, and will migrate to 2013 in the next few months.

Any ideas?

Thanks
Question by:Keith Wood
7 Comments
 
LVL 19

Expert Comment

by:suriyaehnop
ID: 39214463
In other words, if an email was sent to user1@mydomain.com, replies can be made from user1@mydomain only, and all attempts to communicate from other accounts in mydomain.com fail with ndr.

By default, only user1 has permission to reply to any email sent to user1@mydomain.com, since user1 has permission on his own mailbox.

There are circumstances, especially where the reply mailbox is a shared mailbox and others have permission such as Send on Behalf. Other users are able to reply on behalf of the shared mailbox, where the From: will be the person who has sent on behalf of the shared mailbox.
0
 

Author Comment

by:Keith Wood
ID: 39214555
I should be a bit more specific, and I apologize for not providing this info first.

Each of the users at this client monitors their own account and a shared account.  What we want to limit is the ability of any of the users to email from their own corporate mailbox someone who initially sent an email to the shared account, thereby allowing only a response or direct correspondence from the shared account only.  

Hope this cleared it up.

Thanks for the quick reply.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39214667
I don't think this can be done.
You would need to maintain a list of domains / email addresses that were sent to the shared account. Then you would need something in place to check whether the user was authorised to send to that domain / email address.
It would need a database of some description because the list would get very long very quickly and would overwhelm transport rules.

Alas I think you are seeking a technical solution to a behavioural problem, which cannot be resolved by technology.

Simon.
0

 

Author Comment

by:Keith Wood
ID: 39214863
So I figured out how to prevent users from sending to specific email addresses based on transport rules and distribution groups.

The last item would be to automatically populate a dynamic distribution group with senders' email addresses based on emails coming in to a specific email address within mydomain.com.

Can this be done?

Thanks,
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39214986
Well it possibly could, but it isn't something I would advise.

To be a member of a group requires an AD object. For external senders to be a member of a group requires being a contact. Therefore you would have to get the email address, create the contact then add them to the group.

The contact would then be used by anyone sending OR receiving email involving that address. Unless scripted correctly it would appear in the GAL.

The group would get very large very quickly and that would have a detrimental effect on the performance of your Active Directory domain and email flow.

EVERY email that is sent by your org would have to be checked against that list. That means the distribution group being expanded every time an email is sent. The load on the domain controller would be huge and it would cause your email processing to slow down considerably.

I stress what I have said above - this is a VERY VERY bad idea and I would strongly discourage you from trying to find a solution. Go back to whatever PHB requested it, and tell them it cannot be done and to manage their staff rather than getting IT to do it for them.

Simon.
0
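
An added example, not posted by anyone in this thread: the contact, group and transport rule arrangement discussed above, written for the Exchange 2013 Management Shell and maintained by hand for one external sender. The shared mailbox address, the external address and the group and rule names are hypothetical placeholders, and it assumes replies from the shared account are sent as that mailbox.

```powershell
# Hypothetical values (not from the thread); replace with your own objects.
$SharedMailbox = 'shared@mydomain.com'
$GroupName     = 'SharedMailbox-ExternalSenders'
$ExternalAddr  = 'customer@example.com'   # constructed sample sender
$RuleName      = 'Restrict replies to shared mailbox correspondents'

# 1. Group that holds the external correspondents of the shared mailbox.
#    Hidden so it does not show up in the GAL.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Distribution | Out-Null
    Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
}

# 2. An external sender needs an AD object (a mail contact) to be a group member.
#    Hide the contact as well, otherwise it appears in the GAL.
if (-not (Get-Recipient -Identity $ExternalAddr -ErrorAction SilentlyContinue)) {
    New-MailContact -Name $ExternalAddr -ExternalEmailAddress $ExternalAddr | Out-Null
    Set-MailContact -Identity $ExternalAddr -HiddenFromAddressListsEnabled $true
}

# 3. Add the contact to the group if it is not already a member.
$members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited
if ($members.PrimarySmtpAddress -notcontains $ExternalAddr) {
    Add-DistributionGroupMember -Identity $GroupName -Member $ExternalAddr
}

# 4. Reject internal mail to any group member unless it comes from the
#    shared mailbox. The sender receives an NDR with the reason text.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -FromScope InOrganization `
        -SentToMemberOf $GroupName `
        -ExceptIfFrom $SharedMailbox `
        -RejectMessageReasonText 'Contact this correspondent from the shared mailbox only.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# Review what the rule will act on.
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress
```

The group is expanded for every message the rule evaluates, so the membership count from the last command is the number to watch as the list grows.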
 

Author Comment

by:Keith Wood
ID: 39214996
Understood.  Thank you very much for the assistance.
0
 

Author Comment

by:Keith Wood
ID: 41342064
I've requested that this question be deleted for the following reason:

very old
0


Question has a verified solution.
