Recipe 5.20. Limiting Who Can Send Mail to a Distribution Group

Problem

You need to control which accounts can send email messages to a distribution group.

Solution

Using a graphical user interface
Using VBScript

' This code displays the sender restrictions on a group object.
' ------ SCRIPT CONFIGURATION ------
Const cdoexmAccept = 0   ' Included senders
Const cdoexmReject = 1   ' Excluded senders
strGroupDN = "<GroupDN>" ' e.g., cn=Staff,dc=3sharp,dc=com
' ------ END CONFIGURATION ------

' Prepare the address list array
Dim arrAddress()
intSize = 0

' Create the group object
Set objGroup = GetObject("LDAP://" & strGroupDN)
WScript.Echo "Sender restrictions for " & objGroup.Name & "."

' Is the address list empty? If so, there are no restrictions.
' If not, determine the type and enumerate using a dynamic array since we
' do not know how many items there are in it.
If IsNull(objGroup.RestrictedAddressList) Then
    WScript.Echo "There are no sender restrictions on this group."
Else
    If objGroup.RestrictedAddresses = cdoexmAccept Then
        WScript.Echo "The following senders can send to the group:"
    Else
        WScript.Echo "The following senders cannot send to the group:"
    End If
    For Each strAddress In objGroup.RestrictedAddressList
        ReDim Preserve arrAddress(intSize)
        arrAddress(intSize) = strAddress
        WScript.Echo arrAddress(intSize)
        intSize = intSize + 1
    Next
End If

If you actually want to change the group restrictions on an object, you'll need to apply the addresses that you want to have access:

' This code configures the sender restrictions on a group object.
' ------ SCRIPT CONFIGURATION ------
Const cdoexmAccept = 0   ' Included senders
Const cdoexmReject = 1   ' Excluded senders
strGroupDN = "<GroupDN>" ' e.g., cn=Staff,dc=3sharp,dc=com
' Put the allowed senders here. VBScript arrays are zero-based, so size the
' array to one less than the number of entries.
Dim arrAddress(1)
arrAddress(0) = "<EmailAddress1>"
arrAddress(1) = "<EmailAddress2>"
' ------ END CONFIGURATION ------

' Create the group object
Set objGroup = GetObject("LDAP://" & strGroupDN)
WScript.Echo "Updating sender restrictions for " & objGroup.Name & ":"

' Set the type of sender restriction (an inclusion list)
objGroup.RestrictedAddresses = cdoexmAccept

' Enumerate the new address list, then place it on the group object.
' The assignment replaces any list already on the group; it does not merge.
WScript.Echo "Only the following senders can send to the group:"
For Each strAddress In arrAddress
    WScript.Echo strAddress
Next
objGroup.RestrictedAddressList = arrAddress

' Write the updated object data back to the directory
objGroup.SetInfo
WScript.Echo "Set sender restrictions on " & strGroupDN

Discussion

This recipe provides a measure of control over traffic sent to groups within your organization, whether it originates inside the organization or outside it. There are two common scenarios where this is desirable:
Both distribution and security groups are managed in the same fashion, although security groups must be mail-enabled before the relevant attributes are available. When creating sender inclusions or exclusions in forests with multiple domains, consider the group's scope and ensure that any groups you add remain within the same scope boundaries whenever possible.

Note that the sender addresses specified must correspond to objects in Active Directory. You cannot use this as a general per-recipient filtering mechanism for external senders unless you are willing to create an Active Directory contact object for each external address.

Also note that Exchange 2000 (and, by default, Exchange Server 2003) trusts the sender value supplied in the message header, so this restriction is easily defeated by forgery: a message that merely claims a listed sender's address is treated as coming from that sender. Exchange Server 2003 adds an option to require authentication. However the message enters the organization, be it by MAPI, OWA, or SMTP, Exchange then verifies that the sender matches the authenticated credentials, which defeats header spoofing. Since contact objects cannot authenticate, they cannot be used to include foreign addresses when authentication is required.

Using VBScript

The script makes use of the CDOEXM IMailRecipient interface, which exposes the RestrictedAddresses and RestrictedAddressList properties; together they control the sender restriction behavior. Exchange first checks whether RestrictedAddressList is empty: if it is null, the value of RestrictedAddresses is ignored and no restriction is enforced. If the list is populated, Exchange treats the addresses it contains as either an inclusion list (cdoexmAccept) or an exclusion list (cdoexmReject) depending on the value of RestrictedAddresses.
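The recipe's second script overwrites whatever list is already on the group, which is easy to get wrong when several administrators maintain the same group. The following script is an added example, not code from the recipe: it merges new senders into the existing list, refuses to mix an inclusion list with an exclusion list (the same addresses mean "allowed" in one mode and "refused" in the other), and re-reads the group afterwards so you can see the Active Directory path form in which Exchange stores the entries. The script name, the argument layout, and the guard for a single-valued return are my assumptions; it assumes CDOEXM is registered on the machine (Exchange System Manager is installed) and that the caller has write access to the group object.

```vbscript
' Added example (not from the original recipe): merge senders into an
' existing sender restriction list instead of replacing it, then read the
' list back from the directory to show the stored form.
' Usage: cscript //nologo MergeSenders.vbs "<GroupDN>" accept|reject <address> [<address> ...]
' Assumes CDOEXM is registered (Exchange System Manager installed) and the
' caller can write to the group object.
Option Explicit

Const cdoexmAccept = 0   ' the list names the only senders allowed
Const cdoexmReject = 1   ' the list names senders that are refused

Dim objArgs, strGroupDN, intMode, i
Set objArgs = WScript.Arguments
If objArgs.Count < 3 Then
    WScript.Echo "Usage: cscript MergeSenders.vbs <GroupDN> accept|reject <address> [<address> ...]"
    WScript.Quit 1
End If
strGroupDN = objArgs(0)

Select Case LCase(objArgs(1))
    Case "accept": intMode = cdoexmAccept
    Case "reject": intMode = cdoexmReject
    Case Else
        WScript.Echo "Second argument must be accept or reject."
        WScript.Quit 1
End Select

' A case-insensitive set keeps the same sender from being listed twice
Dim dictSenders
Set dictSenders = CreateObject("Scripting.Dictionary")
dictSenders.CompareMode = vbTextCompare

Dim objGroup
Set objGroup = GetObject("LDAP://" & strGroupDN)

' Never merge into a list of the other type: that would silently turn an
' exclusion list into an inclusion list or vice versa.
If Not IsNull(objGroup.RestrictedAddressList) Then
    If objGroup.RestrictedAddresses <> intMode Then
        WScript.Echo "Group already has a list of the other type; clear it first."
        WScript.Quit 1
    End If
    AddAll dictSenders, objGroup.RestrictedAddressList
End If

' Existing entries are stored as Active Directory paths, while the new ones
' are SMTP addresses, so a sender present in both forms is not detected
' here; the read-back below shows what Exchange actually stored.
For i = 2 To objArgs.Count - 1
    dictSenders(objArgs(i)) = True
Next

objGroup.RestrictedAddresses = intMode
objGroup.RestrictedAddressList = dictSenders.Keys
objGroup.SetInfo

' Re-bind so the values come from the directory, not the local property cache
Set objGroup = GetObject("LDAP://" & strGroupDN)
If objGroup.RestrictedAddresses = cdoexmAccept Then
    WScript.Echo "Only these senders may send to " & objGroup.Name & ":"
Else
    WScript.Echo "These senders may not send to " & objGroup.Name & ":"
End If
Dim varEntry
For Each varEntry In ToArray(objGroup.RestrictedAddressList)
    WScript.Echo "  " & varEntry
Next

' Add every value of a single- or multi-valued property to the dictionary
Sub AddAll(dict, varList)
    Dim varItem
    For Each varItem In ToArray(varList)
        dict(varItem) = True
    Next
End Sub

' Defensive guard (my assumption): treat a single returned value the same
' way as an array so the For Each loops never fail on a one-entry list
Function ToArray(varList)
    If IsArray(varList) Then
        ToArray = varList
    Else
        ToArray = Array(varList)
    End If
End Function
```

Whatever list this script writes is still matched against the sender address the message claims; as the discussion above notes, that is only a real control on Exchange Server 2003 with authenticated senders required, so treat the list as a courtesy filter unless that option is on.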
The addresses in the RestrictedAddressList property can be provided either as email addresses or as Active Directory paths; they are converted to Active Directory paths and written in that format. To display the contents of the property, use a dynamic array; likewise, when setting the property, first construct an array of the individual sender addresses and then write the entire array to the RestrictedAddressList property. The assignment replaces the list already on the group, so include any existing entries you want to keep.

See Also

MSDN CDOEXM documentation for the RestrictedAddressList property