Using Secondary Email Address to Send Emails in Exchange 2007

This is only a workaround, not a standard method. A broken rule on the transport server may break the whole setup.

Due to design limitations, Outlook and Exchange together won't allow a user to send emails from a secondary email address on their account. There are third-party utilities, such as IvaSoft, that allow a secondary email address to be used as a primary address or to send emails. Here I explain how to use Exchange Server 2007 features to achieve this.

In this scenario, the user Administrator has administrator@cassicrm.com as his primary email address and jsmith@contoso.com as a secondary email address. For business reasons, Administrator needs to be able to send emails using both addresses, but this won't be possible due to restrictions in Exchange design. Here are the steps to work around this problem:

1. Remove the email address jsmith@contoso.com from the user account Administrator.

2. Create a new user account in AD using ADUC and mail-enable it using EMS or EMC. Make sure the secondary email address removed from the Administrator account is used as the primary email address on the new user.

3. Use ADUC again to assign Send As permissions on the newly created user account to the Administrator user account. Keep in mind that you will be using this account to send emails, so you may not want its display name to differ from that of the user who holds Send As permissions on it. Instead of creating a new user account named Joe Smith, the display name should be Administrator, or the name of whichever user you are assigning Send As permissions to.

4. Configure a transport rule on the Hub Transport (HT) server so that any email received for jsmith@contoso.com is redirected to administrator@cassicrm.com.

5. Use Outlook to send as the new email address. For this step, the display name you gave the new user account when creating it needs to be the same as the Administrator's display name in the GAL.

6. Check whether the recipient received the email sent using the alternate email address.
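Steps 3 and 4 can also be done from the Exchange Management Shell, which makes the Send As grant and the redirect rule easy to review afterwards. This is an added example, not part of the original post; it assumes the new account is a mailbox with the hypothetical alias jsmith-sendas.

```powershell
# Exchange 2007 Management Shell. Added example; the alias below is hypothetical.
$owner = "Administrator"      # account that will send as the new address
$alias = "jsmith-sendas"      # hypothetical alias of the account created in step 2
$ruleName = "Redirect $alias to $owner"

$target = Get-Mailbox $alias

# Step 3: grant Send As on the new account to the owner only.
Add-ADPermission -Identity $target.DistinguishedName -User $owner -ExtendedRights "Send As"

# Step 4: redirect mail addressed to the new account to the owner's mailbox.
# Exchange 2007 builds transport rules from predicate and action objects.
$condition = Get-TransportRulePredicate SentTo
$condition.Addresses = @($target)
$action = Get-TransportRuleAction RedirectMessage
$action.Addresses = @((Get-Mailbox $owner))
New-TransportRule -Name $ruleName -Conditions @($condition) -Actions @($action)

# Review: list every explicit (non-inherited) Send As grant on the new account.
# Only $owner should appear; any other entry can also send as this address.
Get-ADPermission -Identity $target.DistinguishedName |
    Where-Object { ($_.ExtendedRights -like "*Send-As*") -and (-not $_.IsInherited) -and (-not $_.Deny) } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# Confirm the redirect rule exists; if it is missing or disabled, mail for the
# new address stays in the new account's mailbox instead of reaching $owner.
Get-TransportRule $ruleName | Format-List
```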

This workaround will work for Exchange 2003 as well, but with the limitation that the recipient of an email sent using the secondary email address won't be able to reply, as there is no mechanism in Exchange 2003 that can work out where to put the received email.

Exchange 2010 EMC and Certificates Management Part – 2

This is the second part of the blog entry Exchange 2010 EMC and Certificate Management Part – 1. In the previous post I wrote about creating a certificate request and the limitations of the new certificate request wizard. In this part we will look at obtaining a new certificate and then installing it on the server.

To complete installing a new certificate on your Exchange Server 2010 server, you first need to obtain a certificate from a CA within your organization or from a third-party CA. As stated in the last post, the New Certificate wizard generates a request in a .req file.

1. To obtain a certificate from a third-party CA or your internal CA, you first need to copy the contents of the .req file and paste them into the web console of your certification authority. For my internal Enterprise CA, note that the Certificate Template used for this certificate request is Web Server.

2. Once you have pasted the contents of the .req file into the above interface and chosen the correct template, you will be presented with another page in your browser to download the certificate. This interface may vary depending on the configuration of your CA. You may need to wait until the certificate is approved and issued by the CA administrator, if it is configured that way. You can now download the certificate in DER encoded or Base 64 encoded format and save it to a location on your desktop or server. You will also need to download the whole certificate chain if the issuing authority is not a CA trusted by your server.

3. Now that you have downloaded the certificate to the server, you need to complete the pending certificate request in your EMC. Right-click the pending certificate request in EMC and select Complete Pending Request.

4. A wizard will pop up asking for the location of the newly downloaded certificate. Click the Browse button, select the newly downloaded .cer file and click the Complete button.

5. You may recall that Exchange 2007 requires an imported certificate to be enabled before Exchange services can actually use it. E14 is no exception, but you don't need to use Enable-ExchangeCertificate this time; you can do it easily from the GUI. Now that you know the new certificate has been imported correctly, you need to assign it to the services that will use it.

Again, locate the newly imported certificate in EMC and right-click it. Select Assign Services to Certificate… from the context menu.

One quick difference you may notice between step 3 and now is the certificate status. It changes from Pending to Valid, and the icon in front of the certificate gets a blue check mark.

6. Assign Services to Certificate… opens a window listing the services that can be assigned to use this certificate. Select the services you want to use this certificate with and click the Assign button. In my case I did not have the UM role installed on the server, so the Unified Messaging check box is grayed out.

7. If you selected Simple Mail Transfer Protocol in step 6, you may see a pop-up asking for your consent to assign this certificate to the SMTP service on the server, because the default certificate will be replaced. Click Yes, and the default self-signed certificate created and assigned to SMTP during server installation will be replaced with the new one.

Click Finish in the wizard and you are done.

In some cases you may end up with a warning message telling you that this certificate will not be used for TLS connections.

Here you really need to understand the configuration you chose at the time of the new certificate request. If you want to use this new certificate for a connector that provides TLS connections, you have to specify that in the New Certificate Request wizard.

A few things to note:

  • You must make sure that you chose the option to use the new certificate for TLS connections during request generation.
  • You must have the root CA and the entire certificate chain installed on your Exchange Server as well as on clients if you are using your internal CA to process the new request. Outlook, Outlook Anywhere and other web-based services may be affected otherwise.
  • You must back up the certificate as soon as it is enabled on the server. I will write about it in Part-3 of this series.
  • I recommend backing up and removing any old certificate from the server as soon as the new certificate is active and fully functional.
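The GUI steps above have Exchange Management Shell equivalents, and the shell is a quick way to confirm what these notes ask for: the certificate is Valid, carries the expected names, and is bound to the intended services. This is an added example, not part of the original post; the file path and the service list are assumptions.

```powershell
# Exchange 2010 Management Shell. Added example; path and services are assumed.
$cerPath  = "C:\certs\mail.cer"   # hypothetical location of the downloaded .cer
$services = "IIS,SMTP"            # services chosen in step 6 (assumption)

# Steps 3-4: complete the pending request by importing the CA's response.
# Skip this line if the request was already completed in EMC.
$bytes = [Byte[]]$(Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# Steps 5-7: assign services. Enabling SMTP prompts before replacing the
# default self-signed certificate, the same consent the GUI asks for.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $services

# Verify: Status should be Valid, and Services should list what was assigned.
# A status other than Valid on an internally issued certificate usually means
# the root CA or part of the chain is not installed on the server.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Status, Services, NotAfter, IsSelfSigned

# Old certificates still on the server: candidates to back up and remove
# once the new one is confirmed working.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $cert.Thumbprint } |
    Format-Table Thumbprint, Subject, Services, NotAfter -AutoSize
```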

I changed my blog to WP

Due to some technical reasons with my previous hosting provider I have moved my blog to WordPress today. There are several settings still to be done, though all the text information is available. I will update the missing screenshots and other widgets as soon as possible.

I appreciate your visit. You can come back and check the updated information.

Thanks

Microsoft says no to 32 bit management console for Exchange 2010

I just came across a very good post by Paul Robichaux on Windows IT Pro under Exchange and Outlook section.

Paul discussed the demand versus availability of Exchange Server 2010 32 bit management tools very well in his post.

The bottom line of the post is that there is zero expectation of seeing a 32-bit management console for Exchange Server 2010. Only Microsoft can tell how difficult it is for them to write the code for a 32-bit management console.

Personally, I would favor a whole new x64 architecture offering more memory addressing capabilities and performance. Yes, it does include the cost of upgrading both hardware and software, but sticking to legacy versions of hardware and software holds you back from upgrading your own skills.

Companies do have budgets for their IT infrastructure and may not want to spend more money on upgrades. But an upgrade may also help the helpdesk and support teams to perform their jobs more easily and much faster than before. Normally, an Exchange support engineer needs a well-equipped computer with troubleshooting tools, and may also need to work with tools that demand more memory and high-performance systems.

Also, if you favor having a 32-bit Exchange 2010 application for your test labs, you need to understand that an application's performance tested on a 32-bit platform will be drastically different from its performance on a fully functional 64-bit platform.

Read more about this story at Exchange 2010: No 32-Bit for You

Considering all the above aspects, and a few more highlighted by Paul in his article, many people may reconsider demanding 32-bit management tools or the whole software for test labs.

How to prevent users from delegating their own mailboxes

Delegation is a great feature of Outlook that lets users share their mailbox contents with colleagues within the team. It also reduces the load on Exchange administrators or the helpdesk, who would otherwise grant full mailbox permissions at the server level.

Though this feature is greatly helpful in many scenarios, it becomes a concern when users share their mailbox folders, calendars or contacts with people who are not supposed to see the information, and the information is sensitive enough to be confidential. For other reasons, such as server performance, the IT department may also not want users to be able to share mailbox contents with others (though delegation may not cause a heavy performance impact on servers compared to other things).

Now the question is how to disable this for users in bulk. Delegation is an Outlook feature, and Exchange supports it with a few attributes on the delegator's and the delegate's user accounts in AD and with rules in both mailboxes. The Outlook deployment within your network is the only place where you can control this. The trouble is that the administrative templates in Group Policy for Outlook and other Office products have no provision for it. Here are a few steps to make it possible:

1. According to KB 948894, for a single user you can edit a few registry keys to make it happen:

One point to note before proceeding: if you have Outlook 2003, you must have hotfix package 948893 installed. This hotfix provides new policies in the form of registry settings, which you will create and modify below.

Once you have the above hotfix installed for an Outlook 2003 client, you can create and enable the registry settings it introduces. The settings that need to be modified are below:

Locate and then click the following registry subkey:

  • HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Folders
  • On the Edit menu, point to New, and then click DWORD Value.
  • Type DisableEditPermissions, and then press ENTER.
  • Right-click DisableEditPermissions, and then click Modify.
  • In the Value data box, type 1, and then click OK.

The same method applies to Outlook 2007 as well. The only change in the procedure is creating the Folders key under the path HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Options

Restart Outlook and you are good to go.

2. For multiple users:

The above configuration is feasible for a single user or up to 10 users, but it becomes a pain if it needs to be done organization-wide, and keeping track of users is not easy. What you can do instead is deploy these registry settings through a GPO.

To avoid duplicating information, I will not run through the whole process here when it is already available on the Microsoft DS team's blog. Please refer to the article below to deploy the registry changes.

Deploying Custom Registry Changes through Group Policy

Before you deploy this setting using a GPO, you need to understand that users whose Outlook is not configured on a domain-joined machine and who use RPC/HTTP(S) to access their mailboxes will not be affected by this GPO.

Finally, I would like to highlight that when you open the registry editor you may not see the Folders key; it is not created automatically, and you will have to create it manually.
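The single-user registry change from step 1, scripted so that it handles the missing Folders key and reads the value back, is shown below. This is an added example, not part of the original post or the KB article; the function name is hypothetical, and because the setting lives under HKEY_CURRENT_USER it has to run in the affected user's session.

```powershell
# Added example. Office version keys: 11.0 = Outlook 2003 (hotfix 948893
# required), 12.0 = Outlook 2007. Function name is hypothetical.
function Set-DisableEditPermissions {
    param([string]$OfficeVersion = "12.0")

    $options = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options"
    if (-not (Test-Path $options)) {
        # No Outlook settings for this version under the current user.
        Write-Warning "Not found: $options"
        return $false
    }

    # The Folders key is not created automatically, so create it when missing.
    $folders = Join-Path $options "Folders"
    if (-not (Test-Path $folders)) {
        New-Item -Path $folders | Out-Null
    }

    # DWORD DisableEditPermissions = 1 (overwrites any existing value).
    New-ItemProperty -Path $folders -Name "DisableEditPermissions" `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so a failed write is reported, not assumed.
    $value = (Get-ItemProperty -Path $folders -Name "DisableEditPermissions").DisableEditPermissions
    return ($value -eq 1)
}

# Apply to whichever Outlook versions exist in this profile and report each.
foreach ($version in "11.0", "12.0") {
    "{0}: {1}" -f $version, (Set-DisableEditPermissions -OfficeVersion $version)
}
```

Outlook must be restarted for the change to take effect, as with the manual procedure.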