Trusted Senders - can they be added globally at org. level?
Automated e-mails that are sent by our helpdesk now include an image which is being blocked by OWA and now requires each user to click the link that re-enables the blocked content on every single e-mail they receive. The address these e-mails come from is inside our organisation; is there a way to make the sender a trusted sender at organisation level so each user doesn't have to add the address to their trusted senders list manually?
We don't use an Edge server in our setup - not sure if that will make a difference or not.
November 29th, 2010 3:37pm
A couple of ways:
1. Create a hub transport rule and assign a SCL of -1 to those messages based on the FROM:
2. Set it at the mailbox level with:
http://technet.microsoft.com/en-us/library/dd979780.aspx
Set-MailboxJunkEmailConfiguration
November 29th, 2010 4:50pm
Andy,
That didn't work. I've created the hub transport rule and it's had no effect. I didn't look at option 2 because the e-mails are not actually going into the user junk e-mail folder.
Here is a screenshot of what we are seeing.
http://tinypic.com/r/11ha04h/7
Cheers
Adam.
December 1st, 2010 6:56am
Actually, I would try option 2. Option 1 ensures that it doesn't go to junk but doesn't make it truly "trusted".
However, if you go with Option 2, you have to be very careful because simply adding a trusted sender via that PowerShell command will overwrite anything the user already has, so you would need to script something to pull out the existing safe sender lists and append the one you want to add.
Also note, you can use a GPO to do this as well at the client level
http://technet.microsoft.com/en-us/library/cc179183.aspx
These are the only real options at a global level.
December 1st, 2010 8:05am
Andy,
Couldn't use option 2 either. I've got the following error because the address is within our organisation.
Property validation failed. Property = TrustedSendersAndDomains (System.String)
Error = "allictsupport[at]riddlesdown.org" is in your organization and can't be added to Safe Senders and Recipients..
+ CategoryInfo : NotSpecified: (0:Int32) [Set-MailboxJunkEmailConfiguration], PropertyValidationException
+ FullyQualifiedErrorId : 2E811E82,Microsoft.Exchange.Management.StoreTasks.SetMailboxJunkEmailConfiguration
I can't use the GPO option as this is happening for users using OWA - In Outlook it is fine.
Any other suggestions?
December 2nd, 2010 5:36am
Do those users use Outlook as well? If so, the GPO can be used and the safe senders will be accessible for OWA and Outlook clients as it's stored in the mailbox.
What version of Exchange and Service pack are you using?
December 2nd, 2010 9:14am
Most don't use Outlook. I use Outlook 2010 and I haven't had to add anything. My assumption was addresses within the organisation were considered safe.
Exchange 2010 SP1 is what we are using.
December 2nd, 2010 5:11pm
OK, as you have seen, you can't add your own domains to the safe sender lists either through OWA or PowerShell.
You can however add them via Outlook. There is a bug in 2010 SP1 that will clear the safe sender list if you add domains you are authoritative for via Outlook. (Outlook lets you add them, but that is incorrect behavior.)
The fix will be upcoming in a future rollup. However, you still won't be able to add your own domains once that fix is released - it only fixes the bug that clears out the entire list. Your only real option is to either change the FROM: so that it comes from an SMTP domain you do not control (and have the users add it to their safe sender lists) or use the hub transport rule I mentioned earlier (though it's not a perfect solution).
December 2nd, 2010 8:19pm
I'd go with the hub transport rule, but, I cannot get it to work. This is what I have:
from people: allictsupport[at]riddlesdown.org
set scl to: -1
no exclusions
When I send an e-mail to that address I have the same problem trying to view it in OWA.
December 3rd, 2010 8:25am
Instead of from people, have the rule check if the FROM matches a pattern (and enter the SMTP address).
After that, check the header of the message to verify that anonymous messages sent from outside of Exchange using that FROM have an SCL of -1.
That's about as close as you can get to making it a safe sender.
December 3rd, 2010 9:18am
I've changed the hub transport rule and still the e-mail is not considered safe. Here are the contents of the message header:
Received: from (10.59.100.28) by EX2010-1.riddlesdown.local (10.59.100.41)
with Microsoft SMTP Server (TLS) id 14.1.218.12; Fri, 3 Dec 2010 19:49:19
+0000
Date: Fri, 3 Dec 2010 19:49:19 +0000
From: IT Support <allictsupport[at]riddlesdown.org>
To: <address removed before posting>
Message-ID: <4cf949bf6a0f4_580f0535201466cc@HELPDESK.tmail>
Subject: [Ticket #5941] Test 5 - Spiceworks
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="mimepart_4cf949bf90257_580f05352014678"
Return-Path: allictsupport@riddlesdown.org
X-MS-Exchange-Organization-AuthSource: EX2010-1.riddlesdown.local
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 06
X-Originating-IP: [10.59.100.28]
X-MS-Exchange-Organization-SCL: -1
I can't believe that e-mails originating from an accepted domain are not considered safe.
December 3rd, 2010 3:18pm
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 06
Those 2 headers indicate that the sender is authenticating to Exchange, so it should be trusted.
December 3rd, 2010 3:44pm
On Mon, 29 Nov 2010 20:32:39 +0000, adamf83 wrote:
>Automated e-mails that are sent by our helpdesk now include an image which is being blocked by OWA and now requires each user to click the link that re-enables the blocked content on every single e-mail they receive.
What link is it they have to click? Is the image embedded in the
message or is it a link to a file on a web server? If it's a link to a
web site, is the web site in the browser's "trusted sites"?
>The address these e-mails come from is inside our organisation; is there a way to make the sender a trusted sender at organisation level so each user doesn't have to add the address to their trusted senders list manually?
>
>We don't use an Edge server in our setup - not sure if that will make a difference or not.
Are you sure this isn't a browser configuration thing?
---
Rich Matheisen
MCSE+I, Exchange MVP
December 3rd, 2010 9:30pm
On Fri, 3 Dec 2010 20:38:53 +0000, AndyD_ wrote:
>
>
>X-MS-Exchange-Organization-AuthAs: Internal
>X-MS-Exchange-Organization-AuthMechanism: 06
>
>
>
>Those 2 headers indicate that the sender is authenticating to Exchange, so it should be trusted.
Not to mention the "X-MS-Exchange-Organization-SCL: -1" which says the
message certainly isn't considered to be spam -- at least not by
Exchange.
---
Rich Matheisen
MCSE+I, Exchange MVP
December 3rd, 2010 9:30pm
Rich,
The image is embedded in the message (<img src> etc..), the actual file is stored on our webserver. I've added the site to trusted sites in IE and this doesn't appear to have made a difference.
I've tried this using IE and Firefox, I get the same problem on both - I don't think it's a browser config thing.
December 4th, 2010 6:39am
One thing you may want to look at is to disable Web Beaconing for OWA. (I'm not recommending it necessarily.)
I think you should look at changing the FROM: to an SMTP address that your Exch org isn't authoritative for and that will allow users to add to their safe sender list if the hub transport rule isn't working as expected.
http://technet.microsoft.com/en-us/library/bb430788.aspx
December 4th, 2010 9:22am
Disabling Web Beaconing for OWA does work but I'm not sure I want to implement that as a change. I will look at how I can use an SMTP address my Exchange org isn't authoritative for with our helpdesk product.
Thanks for all the suggestions.
December 4th, 2010 9:52am
On Sat, 4 Dec 2010 11:29:08 +0000, adamf83 wrote:
>The image is embedded in the message (<img src> etc..), the actual file is stored on our webserver. I've added the site to trusted sites in IE and this doesn't appear to have made a difference.
How large is the image? Can it be included in the message and
referenced by a content identifier instead of using a link?
>I've tried this using IE and Firefox, I get the same problem on both - I don't think it's a browser config thing.
http://technet.microsoft.com/en-us/library/bb124901.aspx
I suppose you could also add the domain (or the user) that sends the
e-mail to the client's Safe Sender list.
I think the definition of "external" content is "anything not in the
message".
---
Rich Matheisen
MCSE+I, Exchange MVP
December 4th, 2010 2:10pm
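Added example (not part of the thread): a Python check that reads the two header values discussed above and, separately, lists which `<img>` sources point outside the message, which is what the "external content" definition in the post above is about. The sample message, its addresses and the `triage` helper are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

class ImgSources(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def triage(raw):
    """Report the transport verdict and the image references separately."""
    msg = message_from_string(raw, policy=policy.default)
    finder = ImgSources()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    remote = ("http://", "https://", "//")
    return {
        "scl": str(msg.get("X-MS-Exchange-Organization-SCL", "")),
        "auth_as": str(msg.get("X-MS-Exchange-Organization-AuthAs", "")),
        # Fetched from a server when the mail is opened (web beacon behaviour).
        "remote_images": [s for s in finder.sources if s.lower().startswith(remote)],
        # Carried inside the message as a MIME part, nothing to fetch.
        "inline_images": [s for s in finder.sources if s.lower().startswith("cid:")],
    }

# Constructed sample: header values as in the thread, addresses are placeholders.
SAMPLE = """\
From: IT Support <helpdesk@example.invalid>
To: user@example.invalid
Subject: [Ticket #1] Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-SCL: -1

<html><body><p>Ticket updated.</p>
<img src="http://helpdesk.example.invalid/logo.png">
<img src="cid:footer@example.invalid">
</body></html>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A message can report `Internal` and `-1` and still list a remote image, so the header values alone do not show whether the image needs a network fetch.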
The image is 12k. I don't know about including it in the message and referencing it by a content identifier - how would I go about that?
I can't add the domain that sends the e-mail as it's the same domain that our Exchange org is authoritative for.
December 4th, 2010 5:24pm
On Sat, 4 Dec 2010 22:19:42 +0000, adamf83 wrote:
>The image is 12k. I don't know about including it in the message and referencing it by a content identifier - how would I go about that?
You include the image as another MIME body part and refer to it in the
img tag by name.
>I can't add the domain that sends the e-mail as it's the same domain that our Exchange org is authoritative for.
Then change the name of the sending domain.
---
Rich Matheisen
MCSE+I, Exchange MVP
December 4th, 2010 10:18pm
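Added example (not part of the thread, and not the helpdesk product's own code): the approach from the last reply, with the image carried as a second MIME body part and referenced from the `img` tag by its Content-ID, built with Python's standard `email` package. The addresses, the placeholder image bytes and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import make_msgid

def build_notification(sender, recipient, subject, image_bytes, subtype="png"):
    """Build a ticket mail whose logo travels inside the message."""
    cid = make_msgid(domain="example.invalid")      # "<unique@example.invalid>"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Your ticket was updated.")     # text/plain fallback
    msg.add_alternative(
        "<html><body>\n<p>Your ticket was updated.</p>\n"
        f'<img src="cid:{cid[1:-1]}">\n</body></html>\n',  # cid: URL drops the <>
        subtype="html")
    # Attaching to the HTML part converts it to multipart/related:
    # [text/html, image part carrying the matching Content-ID header].
    msg.get_payload()[1].add_related(
        image_bytes, maintype="image", subtype=subtype, cid=cid)
    return msg

def unresolved_cids(raw_bytes):
    """Return cid: references in the HTML that no part's Content-ID satisfies."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    parts = list(msg.walk())
    html = "".join(p.get_content() for p in parts
                   if p.get_content_type() == "text/html")
    have = {str(p["Content-ID"]).strip("<> ") for p in parts if p["Content-ID"]}
    return [ref for ref in re.findall(r'src="cid:([^"]+)"', html)
            if ref not in have]

# Constructed placeholder bytes standing in for the 12k logo (not a real image).
LOGO = b"\x89PNG\r\n\x1a\n" + bytes(32)

if __name__ == "__main__":
    mail = build_notification("IT Support <helpdesk@example.invalid>",
                              "user@example.invalid", "[Ticket #1] Test", LOGO)
    print(mail.get_payload()[1].get_content_type())
    print("unresolved:", unresolved_cids(mail.as_bytes()))
```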