Monday, June 29, 2009

The attributes behind Message Delivery Restrictions

Do you know what attributes are used to control who can and can't send to a Distribution List in Exchange 2003 and Exchange 2007? or Does it use a DACL?

Knowing such things is key if you are going to automate distribution list management through .NET programs, or MIIS/ILM/FIM, Quest ARS or any other tool that is talking to LDAP attributes. For Powershell you need a separate list since the names are different.

Seeing as how a picture is worth a thousand words I'll include some after a brief explanation:

At first I was afraid that it used the SendTo permission on DACLs but fortunately that is not what the Exchange GUI tools change. This is fortunate since ILM does not have an out of the box MA that modifies DACLs on AD objects, it is also fortunate since programming against DACLs is somewhat complicated. I must give thanks to my friend Joe Kaplan and his co-author Ryan Dunn for the helps in their book (see page 302 listing 8.2 listing the DACL) and their forum http://directoryprogramming.net/default.aspx

The .NET Developer's Guide to Directory Services Programming

With the help from their book I was able to eliminate DACLs since the darn things never changed. FC never lies.

Open the Exchange Console, navigate to the Distribution lists open their properties and go to Mail Flow Settings click on Message Delivery Restrictions and then click on the Blue check mark next to Properties:

image

So what I found was five attributes that control the fate of who can and who can't send to a particular recipient (in this case a distribution list)

authOrig, unauthOrig, and msExchRequireAuthToSendTo,

Attribute Name Name in GUI Explanation Powershell (Set-DistributionGroup) 
Just as an FYI
authOrig Accept messages from
Only senders in the following list:
If this attribute and dLMemSubmitPerms are both empty then that is the equivalent of All Senders. If populated only those recipients and the members of Distribution Lists enumerated in dLMemSubmitPerms can sends listed can send items to this distribution list minus anyone listed in unauthOrig and anyone that is a member of distribution lists enumerated in dLMemRejectPerms -AcceptMessagesOnlyFrom
dLMemSubmitPerms same as above see above -AcceptMessagesOnlyFromDLMembers
unauthOrig Reject messages from
Senders in the following list:
Prevents recipients listed here from sending to this Distribution list

-RejectMessagesFrom

dLMemRejectPerms same as above Prevents recipients who are members of the Distribution lists mentioned from sending email to this Distribution list

-RejectMessagesFromDLMembers

msExchRequireAuthToSendTo Require that all senders are authenticated When set to True only authenticated users (no external users) can send mail to this Distribution list

-RequireAllSendersAreAuthenticated

For more info on attribute to Powershell attribute name conversions see

http://blogs.technet.com/evand/archive/2007/02/19/filterable-properties-in-exchange-2007-rtm.aspx

For more on the Powershell commands with some examples see

http://technet.microsoft.com/en-us/library/bb397214.aspx

What would be really nice would be if FIM 2010 already had the schema and OVC extended for this. Since this is the very next thing people at a big company ask for after finding out they can automate distribution list maintenance.

As promised some pretty pictures to help explain (on the left you see the screenshot from ADSI edit and on the right the snapshot of the Exchange Console

authOrig

dLMemSubmitPerms

On this one I reverse the order

unauthOrig

By now you get the idea, that if you select a distribution listt in the Senders in the following list they get put here:

dLMemRejectPerms

So we see that the Exchange Console clever sorts the DLs from the individuals and puts them into their separate attributes.

2 comments:

zaicnupagadi said...

Very helpfull!! I was about to block sending emails to disabled accounts - not mailbox but accounts - so I can easily and quick retrieve some data from inactive inboxes. The solution is to create an empty group in AD and set the "dLMemSubmitPerms" parameter to accept messages only from that empty group! Amazing and great many thanks! If somebody else has problem here is the link to the forum with whole conversation -> http://wss.pl/frmThread.aspx?tid=98879

New learner said...

It is helpful. If only provide local AD powershell cmd to run the setting together.
Thanks.