Recipe 5.20. Limiting Who Can Send Mail to a Distribution Group

Problem

You need to control which accounts can send email messages to a distribution group.

Solution

Using a graphical user interface

  1. Log on to any machine in your domain that has the Exchange management tools installed.

  2. Open the ADUC snap-in (Users and Computers.msc).

  3. Browse to the OU or domain where your groups are located.

  4. Right-click the distribution group or mail-enabled security group, click Properties, and select the Exchange General tab.

  5. By default, the group is set to allow mail From everyone. If you want to allow mail only from certain users, select Only from; if you want to exclude mail from certain users or groups, select From everyone except.

  6. If you selected Only from or From everyone except, click Add, then select the desired user, group, and contact objects, and click OK to define which users are permitted or excluded.

  7. For Exchange Server 2003 only, check the From authenticated users only checkbox if you want Exchange to ensure that a message has been submitted by an authenticated user. Click OK.

Using VBScript
' This code displays the sender restrictions on a group object.
' ------ SCRIPT CONFIGURATION ------
const cdoexmAccept = 0                  ' Included senders
const cdoexmReject = 1                  ' Excluded senders
strGroupDN         = "<GroupParentDN>"  ' e.g., cn=Staff,dc=3sharp,dc=com
' ------ END CONFIGURATION ------

' Prepare the address list array
Dim arrAddress()
intSize = 0

' Create the group object
set objGroup = GetObject("LDAP://" & strGroupDN)
Wscript.Echo "Sender restrictions for " & objGroup.Name & "."

' Is the address list empty? If so, there are no restrictions.
' If not, determine the type and enumerate using a dynamic array since we
' do not know how many items there are in it.
If IsNull(objGroup.RestrictedAddressList) Then
   Wscript.Echo "There are no sender restrictions on this group."
Else
   If objGroup.RestrictedAddresses = cdoexmAccept Then
     Wscript.Echo "The following senders can send to the group:"
   Else
     Wscript.Echo "The following senders cannot send to the group:"
   End If
   For Each strAddress in objGroup.RestrictedAddressList
     ReDim Preserve arrAddress(intSize)
     arrAddress(intSize) = strAddress
     Wscript.Echo arrAddress(intSize)
     intSize = intSize + 1
   Next
End If

If you actually want to change the group restrictions on an object, you'll need to apply the addresses that you want to have access:

' This code configures the sender restrictions on a group object.
' ------ SCRIPT CONFIGURATION ------
const cdoexmAccept = 0                  ' Included senders
const cdoexmReject = 1                  ' Excluded senders
strGroupDN         = "<GroupParentDN>"  ' e.g., cn=Staff,dc=3sharp,dc=com
' Prepare the address list array; size it to the number of senders minus one
Dim arrAddress(1)                       ' put allowed senders here
arrAddress(0) = "<EmailAddress1>"
arrAddress(1) = "<EmailAddress2>"
' ------ END CONFIGURATION ------

' Create the group object
set objGroup = GetObject("LDAP://" & strGroupDN)
Wscript.Echo "Updating sender restrictions for " & objGroup.Name & ":"

' Set the type of sender restriction
objGroup.RestrictedAddresses = cdoexmAccept

' Enumerate the new address list, then place it on the group object
Wscript.Echo "Only the following senders can send to the group:"
For Each strAddress in arrAddress
   Wscript.Echo strAddress
Next
objGroup.RestrictedAddressList = arrAddress

' Write the updated object data back to the directory
objGroup.SetInfo
WScript.Echo "Set sender restrictions on " & strGroupDN

Discussion

This recipe provides a measure of control over traffic sent to groups within your organization, whether it originates within the organization or comes from without. There are two common scenarios where this is desirable:

  • You have groups with large numbers of members, typically an "all users" broadcast group, and only certain staff members should be able to send to the group. These groups can also become a problem by providing an easy route for spam, viruses, and worms to spread throughout your organization.

  • You have one or more broadcast groups and one or more users who routinely reply to all recipients. The resulting traffic puts an increased load on your Exchange servers and can become a severe resource drain over low-bandwidth WAN connections.

Both distribution and security groups are managed in the same fashion, although security groups must be mail-enabled before the relevant attributes are available. When creating sender inclusions or exclusions in forests with multiple domains, be sure to consider the group's scope and ensure that the groups added remain within the same scope boundaries whenever possible.

Note that the sender addresses specified must be associated with objects within Active Directory. You cannot use this as a general per-recipient filtering mechanism for external senders unless you are willing to create Active Directory contact objects for each external address.

Also note that Exchange 2000 (and, by default, Exchange Server 2003) trusts the sender value supplied in the message header, so this restriction is easily defeated by a forged sender address. Exchange Server 2003 adds the option to enforce authentication: when it is enabled, Exchange verifies that the sender matches the submitting user's authentication credentials regardless of how the message enters the organization (MAPI, OWA, or SMTP), which prevents header spoofing. Since contact objects cannot be authenticated, they cannot be used to include external addresses when authentication is enforced.

Using VBScript

The script makes use of the CDOEXM IMailRecipient interface. This interface exposes the RestrictedAddresses and RestrictedAddressList properties, which together control the sender restriction behavior. Exchange first checks whether the RestrictedAddressList property contains any addresses: if it is null, Exchange ignores the value of RestrictedAddresses and enforces no restriction. If the list is populated, Exchange treats the addresses it contains as either an inclusion or an exclusion list, depending on the value of RestrictedAddresses.

The addresses in the RestrictedAddressList property can be provided as either email addresses or as Active Directory paths; they will be converted to Active Directory paths and written in that format. In order to display the contents of the property, use a dynamic array; likewise, when setting the property, first construct an array of the individual sender addresses and then write the entire array to the RestrictedAddressList property.
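The decision logic the Discussion describes (a null list means no restriction, the list is an inclusion or exclusion depending on RestrictedAddresses, and the Exchange 2003 authenticated-sender option closes the header-forgery gap), as an added Python model that is not code from the cookbook or from CDOEXM. The constant names, the evaluate/demo functions and the sample addresses are constructed for illustration; the point it makes is that without the authentication option the restriction is only as strong as the sender header.

```python
from typing import List, Optional, Tuple

# Mirrors the CDOEXM RestrictedAddresses values used in the recipe's scripts.
CDOEXM_ACCEPT = 0   # RestrictedAddressList is an inclusion list
CDOEXM_REJECT = 1   # RestrictedAddressList is an exclusion list


def evaluate(restricted_addresses: int, restricted_address_list: Optional[List[str]],
             require_auth: bool, header_from: str,
             authenticated_as: Optional[str]) -> Tuple[bool, str]:
    """Decide whether one submission reaches the group.
    The first two arguments model the CDOEXM properties, require_auth the
    Exchange 2003 "From authenticated users only" checkbox, header_from the
    sender claimed in the message header and authenticated_as the identity
    proven at submission (None for an anonymous SMTP session).
    """
    sender = header_from.lower()
    # Exchange 2003 option: the claimed sender must match the authenticated
    # identity, so anonymous or mismatched submissions are refused outright.
    if require_auth:
        if authenticated_as is None:
            return False, "rejected: anonymous submission, authentication required"
        if authenticated_as.lower() != sender:
            return False, "rejected: header sender differs from authenticated user"
    # A null (or empty) list means no restriction, whatever RestrictedAddresses says.
    if not restricted_address_list:
        return True, "delivered: no sender restriction on this group"
    listed = sender in {a.lower() for a in restricted_address_list}
    if restricted_addresses == CDOEXM_ACCEPT:
        return listed, ("delivered: sender is on the inclusion list" if listed
                        else "rejected: sender is not on the inclusion list")
    return (not listed), ("rejected: sender is on the exclusion list" if listed
                          else "delivered: sender is not on the exclusion list")


def demo() -> List[Tuple[str, bool]]:
    """Constructed cases for an 'all users' group that should accept mail only
    from ceo@example.com (sample addresses, not from the cookbook)."""
    allowed = ["ceo@example.com"]
    cases = [
        ("ceo authenticated, auth not enforced",
         evaluate(CDOEXM_ACCEPT, allowed, False, "ceo@example.com", "ceo@example.com")),
        ("anonymous SMTP claiming ceo, auth not enforced",
         evaluate(CDOEXM_ACCEPT, allowed, False, "ceo@example.com", None)),
        ("anonymous SMTP claiming ceo, auth enforced",
         evaluate(CDOEXM_ACCEPT, allowed, True, "ceo@example.com", None)),
        ("bob authenticated as himself, auth enforced",
         evaluate(CDOEXM_ACCEPT, allowed, True, "bob@example.com", "bob@example.com")),
    ]
    return [(label, delivered) for label, (delivered, _) in cases]
```

The second demo case is the one the Discussion warns about: an anonymous submission that merely claims an allowed sender is delivered until the authentication option is enabled.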

See Also

MSDN CDOEXM documentation for RestrictedAddressList property


Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235