Copied from this document: can the source user be, for example, test@mydomain.com and the destination user be test@audit.mydomain.com?
Types of users in a monitored email scenario
A monitored email scenario includes three types of users:
Administrator — Any domain administrator can create, retrieve, update, and delete an email monitor using the Email Audit API's monitor resource. In addition, an administrator can use the API to retrieve user account information and download the mailbox. These operations can only be done within the domain over which the administrator exercises control.
Source user — The source user is the user who receives or sends messages that are being audited by the monitoring destination user. Any domain administrator or account user can be a source user. The source user must be in the same domain as the administrator and destination user.
Destination user — The destination user is the auditor who receives the audited email messages.
The destination user (destUserName) goes off the primary username (regardless of audit.mydomain.com or mydomain.com). If audit.mydomain.com was added as a subdomain to mydomain.com and test@audit.mydomain.com was his primary email address, it will work with the input:
name='destUserName' value='test'
Related
In my place of work we have an Active Directory with 'staff' accounts. Each of these AD accounts has an associated company email, e.g. john@example.com.
Within the same AD we also have 'external' user accounts, e.g. suppliers, contractors etc. This allows the external users to log in and access some of our systems using their AD credentials (user number and password). None of these external users have an email address associated with their AD account.
The only users with an AD email address are 'staff'. There are various reasons why we would like 'external' users to have an email address, e.g. currently they cannot use the 'send to email' feature of our printers, as they have no associated email.
I have a few questions (I am not an AD administrator or security expert, and I'm not familiar with the email or AD infrastructure):
Is it technically possible to associate an external domain email address with our internal AD user accounts (e.g. john@gmail.com)?
Will doing this pose any security risks / why would AD admins be reluctant to do this?
Is there a better / safer alternative?
I'm a global administrator of my O365 account. I have an external user who is not in our O365 contact list and needs to send email to one of our O365 distribution groups. I don't want to check "allow external users to send to this distribution list", as I don't want every external user to be able to send to that distribution list. My question is: how can I grant permission to just that one external user, who is not added as an O365 contact, to send email to the distribution list when the distribution list is restricted from receiving email from external users?
I have just implemented wso2is 5.3 and I am looking at setting up the password and username recovery options.
Wso2is is set up with our Active Directory domain as the primary user store. In AD, the 'mail' attribute holds the user's primary email address, and 'otherMailbox' contains additional, external email addresses for the user.
I would like to use the email recovery, but we can't use the primary email, since the password for that account is the password they are trying to reset. We need to have the recovery process use one of the addresses in 'otherMail'.
I can't find anywhere in the documentation where you can define any option for what email is used for the recovery process.
Is the primary email the only one supported for password recovery? How can I tell the password and username recovery process to use a different email?
Thanks
Don
The answer, it turns out, is to change the claim mapping for the email address claim in WSO2 to point to the otherMailbox attribute in AD. It properly deals with the multi-valued email address list and for the purposes of password recovery, it sends the notification to all of the listed email addresses.
We then created another claim called Campus Email and pointed it at the mail attribute in AD.
There doesn't seem to be any negative issue with having 'our' email not be the 'primary' email.
Don
I have opened a centralized mailbox that collects all the emails that come to my organization (for analysis).
This is done by a Transport Rule that I created which redirects all the email to this mailbox.
The problem is that when I tried to send it back to the original recipients with the EWS application it gives me this error:
ErrorSendAsDenied - The user account which was used to submit this request does not have the right to send mail on behalf of the specified sending account., Cannot submit message.
This email was sent from outside of the organization, so I guess I should grant the centralized mailbox Send-As permissions for the external email.
I have looked at the Add-ADPermission cmdlet here:
https://technet.microsoft.com/en-us/library/bb124403%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
And tried to grant the mailbox permissions to "NT AUTHORITY\ANONYMOUS LOGON", but it doesn't recognize it.
How can I grant the permissions?
Thanks!
You won't be able to resend the message as the original sender unless you own that sender domain and it is an authoritative domain (e.g. you can then assign rights to send as the security principal that owns that email address). Otherwise what you're doing is considered spoofing and will be disallowed in the client APIs for security reasons. You also don't want to just resend a message like that anyway, e.g. if it has external recipients and you just resent it to all the recipients, you will be sending another copy to those external recipients (which will most likely then just get bounced for SPF reasons). What you need to know is the envelope recipients of the original message, and just resend to those recipients.
A few workarounds for this would be to use the replay directory on the Transport server https://technet.microsoft.com/en-us/library/bb124230(v=exchg.150).aspx. This would be the most common method, as it allows you to control the delivery via X-headers (e.g. so you can restrict which recipients get the message you're resending) and gives the most flexibility, but requires file-level access to the Transport Server. Other EWS methods would be to look at using Moderation instead and then release the approved messages.
I have a service account for an application that is used to send out emails via a MSExchange server. The 'From' field gets populated by the email address in the current users profile, but the server is sending back a response
"SmtpException: Mailbox unavailable. The server response was: 5.7.1 Client does not have permissions to send on behalf of the from address."
As there are a lot of email addresses that could be sent from, is it possible to set up the service account so that it will have send-on-behalf permissions for all "*@domain1.com" email addresses, or do they all have to be added one at a time?
Send on behalf isn't really possible like this given how it's set. If you were OK with Send-As (so the mails would come from Service1@domain1.com rather than "Service1 on behalf of bob@domain1.com"), you could grant the service account Send-As rights at the domain, OU, or mailbox database level.
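As an added illustration of the mailbox-database-level Send-As grant described in this answer (example commands, not part of the original post), the following Exchange Management Shell snippet grants Send-As on one database and then lists the resulting entries so the scope of the grant can be reviewed. The database name "DB01" and the account "DOMAIN\svc-mailer" are placeholders.

```powershell
# Added example: scope a Send-As grant to a single mailbox database rather than
# to every mailbox one at a time. "DB01" and "DOMAIN\svc-mailer" are placeholders.
$db  = Get-MailboxDatabase -Identity "DB01"
$svc = "DOMAIN\svc-mailer"

# Grant the extended right "Send As" on the database object; it applies to
# every mailbox homed on that database (broad, so keep the service account
# itself tightly controlled).
Add-ADPermission -Identity $db.DistinguishedName -User $svc -ExtendedRights "Send As"

# Review: list only the explicit (non-inherited) Send As entries for the account
# on that database, so the grant can be audited and revoked later if needed.
Get-ADPermission -Identity $db.DistinguishedName -User $svc |
    Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -join ",") -like "*Send*As*" } |
    Select-Object Identity, User, ExtendedRights, Deny
```

Revoke with Remove-ADPermission using the same -Identity, -User and -ExtendedRights values when the service account no longer needs the right.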