Tuesday, June 5, 2007

Configuring mail forwarding by using only a Contact object

Microsoft does not recommend this method; however, you may want to use it to forward e-mail to your former employees without using up your CALs or reserving a mailbox for this purpose. The Microsoft article (kb-555187) discusses some security-related reasons why this method might be chosen for forwarding mail to an external recipient, rather than using the regular mailbox option on the Exchange General tab (Delivery Options, forward to an external recipient by selecting a contact object in Active Directory).

Scenario: User Dan quits his present company and gets hired by Microsoft as an Exchange subject matter expert. Dan goes back to the security department of his company and asks whether they can forward his mail to him for a couple of months. Since Dan is a great employee, security says no problem. However, the network is regulated, and every user's mailbox must be blown away within 10 days of the employee's termination. In this case the security team lead, G, cannot use the regular forwarding option under the Exchange General tab and wants to use another method to achieve the same goal.

Dan provides his new mail address, Dan@Microsoft.com, to G. Dan quits his company and his SMTP proxy address (Dan@donateBlod.com) is blown away. G goes to Active Directory, creates a contact for Dan, and configures the SMTP proxy address for this contact as Dan@Microsoft.com. The existing recipient policy stamps this object with @donateBlod.com, so the contact now has two SMTP proxy addresses. G goes back to AD, locates the contact for Dan, sets the primary SMTP address to Dan@DonateBlod.com, and leaves Dan@microsoft.com as the second SMTP proxy address.

External users who have no idea that Dan has quit DonateBlod.com will still e-mail him, so let's see what happens when such an SMTP session opens. The mail gateways authoritative for the SMTP namespace @DonateBlod.com will accept the mail on behalf of Dan. An external sender sends mail to Dan@DonateBlod.com. There is no mailbox for Dan@DonateBlod.com: the security team has blown away the mailbox and the user account.

The contact information, however, stays in the Active Directory .DIT database, with two SMTP proxy addresses already configured for this contact object.

When the mail is accepted by the smart host or mail relay gateway on behalf of Dan@DonateBlod.com, it gets to the Exchange server. The Exchange server locates the contact, sees that the attribute called "targetAddress" is set to the second SMTP proxy address, and forwards (redirects) the e-mail to this address; in this example the address is Dan@DonateBlod.com.
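An added example, not part of the original post or of Microsoft's article: a contact like this keeps delivering mail for the internal namespace to an outside address long after the account is gone, so it is worth being able to list every such contact for review. The Python below scans an LDIF export of the directory for contacts whose proxyAddresses include the internal domain while targetAddress points elsewhere; the sample export, its DNs and the vendor contact are constructed, and it assumes plain unfolded LDIF with no base64 values.

```python
INTERNAL_DOMAIN = "donateblod.com"  # the post's example SMTP namespace

# Constructed sample export: Dan's contact as configured in the scenario
# (targetAddress = second proxy address), plus a made-up vendor contact.
SAMPLE_LDIF = """\
dn: CN=Dan,OU=Contacts,DC=donateblod,DC=com
objectClass: contact
proxyAddresses: SMTP:Dan@DonateBlod.com
proxyAddresses: smtp:Dan@Microsoft.com
targetAddress: SMTP:Dan@Microsoft.com

dn: CN=Vendor Helpdesk,OU=Contacts,DC=donateblod,DC=com
objectClass: contact
proxyAddresses: SMTP:help@vendor.example
targetAddress: SMTP:help@vendor.example
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into attr -> [values] dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def smtp_domain(address):
    """Lower-cased domain of 'SMTP:user@domain'; None for non-SMTP values."""
    prefix, _, mailbox = address.partition(":")
    if prefix.lower() != "smtp" or "@" not in mailbox:
        return None
    return mailbox.rsplit("@", 1)[1].lower()

def external_forwarders(entries, internal_domain=INTERNAL_DOMAIN):
    """Contacts that accept internal-domain mail but deliver it elsewhere."""
    findings = []
    for e in entries:
        if "contact" not in e.get("objectclass", []):
            continue  # mailboxes and other objects are out of scope here
        target = (e.get("targetaddress") or [None])[0]
        accepted = [p for p in e.get("proxyaddresses", [])
                    if smtp_domain(p) == internal_domain]
        if target and accepted and smtp_domain(target) not in (None, internal_domain):
            findings.append((e["dn"][0], accepted, target))
    return findings

if __name__ == "__main__":
    for dn, accepted, target in external_forwarders(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: accepts {accepted}, delivers to {target}")
```

Each finding is a contact to check against an approved forwarding request and an expiry date, such as the couple of months agreed in the scenario.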


Best Regards,

Oz Ozugurlu



