The attributes behind Message Delivery Restrictions

Do you know what attributes are used to control who can and can't send to a Distribution List in Exchange 2003 and Exchange 2007? or Does it use a DACL?

Knowing such things is key if you are going to automate distribution list management through .NET programs, or MIIS/ILM/FIM, Quest ARS or any other tool that is talking to LDAP attributes. For Powershell you need a separate list since the names are different.

Seeing as how a picture is worth a thousand words I'll include some after a brief explanation:

At first I was afraid that it used the SendTo permission on DACLs but fortunately that is not what the Exchange GUI tools change. This is fortunate since ILM does not have an out of the box MA that modifies DACLs on AD objects, it is also fortunate since programming against DACLs is somewhat complicated. I must give thanks to my friend Joe Kaplan and his co-author Ryan Dunn for the helps in their book (see page 302 listing 8.2 listing the DACL) and their forum http://directoryprogramming.net/default.aspx

The .NET Developer's Guide to Directory Services Programming

With the help from their book I was able to eliminate DACLs since the darn things never changed. FC never lies.

Open the Exchange Console, navigate to the Distribution lists open their properties and go to Mail Flow Settings click on Message Delivery Restrictions and then click on the Blue check mark next to Properties:

So what I found was five attributes that control the fate of who can and who can't send to a particular recipient (in this case a distribution list)

authOrig, unauthOrig, and msExchRequireAuthToSendTo,

Attribute Name	Name in GUI	Explanation	Powershell (Set-DistributionGroup)  Just as an FYI
authOrig	Accept messages from Only senders in the following list:	If this attribute and dLMemSubmitPerms are both empty then that is the equivalent of All Senders. If populated only those recipients and the members of Distribution Lists enumerated in dLMemSubmitPerms can sends listed can send items to this distribution list minus anyone listed in unauthOrig and anyone that is a member of distribution lists enumerated in dLMemRejectPerms	-AcceptMessagesOnlyFrom
dLMemSubmitPerms	same as above	see above	-AcceptMessagesOnlyFromDLMembers
unauthOrig	Reject messages from Senders in the following list:	Prevents recipients listed here from sending to this Distribution list	-RejectMessagesFrom
dLMemRejectPerms	same as above	Prevents recipients who are members of the Distribution lists mentioned from sending email to this Distribution list	-RejectMessagesFromDLMembers
msExchRequireAuthToSendTo	Require that all senders are authenticated	When set to True only authenticated users (no external users) can send mail to this Distribution list	-RequireAllSendersAreAuthenticated

For more info on attribute to Powershell attribute name conversions see

http://blogs.technet.com/evand/archive/2007/02/19/filterable-properties-in-exchange-2007-rtm.aspx

For more on the Powershell commands with some examples see

http://technet.microsoft.com/en-us/library/bb397214.aspx

What would be really nice would be if FIM 2010 already had the schema and OVC extended for this. Since this is the very next thing people at a big company ask for after finding out they can automate distribution list maintenance.

As promised some pretty pictures to help explain (on the left you see the screenshot from ADSI edit and on the right the snapshot of the Exchange Console

On this one I reverse the order

By now you get the idea, that if you select a distribution listt in the Senders in the following list they get put here:

So we see that the Exchange Console clever sorts the DLs from the individuals and puts them into their separate attributes.