[Today’s post comes to us courtesy of Damian Leibaschoff]
DISCLAIMER: There are many different ways to implement this solution; this is just one of them.
A very common request we get is people wanting to be able to send outbound Internet e-mails from Outlook using different addresses as the originating address. This is different than just using a delegation or Sending on Behalf; this is truly sending the e-mail with a different “From:” address. The solution presented here will focus on using Outlook and Exchange without the need to create new accounts in Outlook. It will not only allow a user to send using a different e-mail address, it will also allow a user or a group of users to send using the e-mail address of a mail enabled security group.
An example would be: You have a mail enabled security group or a distribution group with an address of email@example.com and you want to send your replies as coming from that address instead of your personal one. The same concept can be used for a single user that wants to be able to send using other addresses.
1. Removing the additional E-mail addresses from your existing user
This first step is optional and depends on where you are in the implementation of this process. If you already have a mail enabled security group or distribution group with the desired e-mail address, you can skip it. On the other hand, if your user already has the address you want to send as (as a secondary e-mail address in Active Directory), we need to remove it from the user, because we cannot have two objects in Active Directory with the same e-mail address. We will add this e-mail address to another object that we will create shortly, so for now we need to remove it. Remember, Exchange will always use your default e-mail address as the reply-to/from address, so we need to work around this limitation.
- Open AD Users and Computers
- Find the user that might have the needed e-mail added as a secondary e-mail address and open its properties. If you are not sure, you can use the Find feature:
  - Right-click on the domain container and select Find
  - Go to the Advanced tab
  - Click on Field, select User and pick Proxy Addresses, change the condition to Is (exactly), and in Value type the e-mail address you are searching for (always prefix it with SMTP:, for example, SMTP:firstname.lastname@example.org), then click Add.
  - Click Find Now
- Once you find the user, open its properties and go to the E-mail addresses tab
- Remove the secondary e-mail address that you want to use as an alternate primary address. It is recommended that you temporarily stop mail flow by stopping the SMTP Virtual Server from Exchange System Manager (under protocols\SMTP), so as to avoid receiving e-mails to this address for the few minutes that this procedure will take until the e-mail address is moved to another object.
- Click OK to accept the changes.
2. Creating the new Mail Enabled Security Group.
- Open AD Users and Computers from Administrative Tools.
- Expand your domain, MyBusiness, and select Security Groups
- Right-click and select New, Group
- Select Global and Security, give it a distinctive name (it will show up when sending e-mails) and click Next.
- Put a check next to “Create an Exchange e-mail address”. Don’t worry about the alias; we can modify it to match the address we need once the object is created.
- Click next and finish.
Wait a few minutes for the object to be stamped by the Exchange Recipient Update Service.
- Now open the Properties of the Security Group you just created.
- Go to the E-mail Addresses tab. If this is blank, stop: the object has not been stamped yet. Once you have an address in the E-mail Addresses tab, you can proceed.
- If you see the e-mail address you need as the primary, then you can skip the next few steps. If you don’t, then add it:
  - Click New, SMTP Address, and add the e-mail address we removed in step 1 (for example email@example.com).
  - Click OK to accept.
  - Select the newly added SMTP e-mail address and click Set As Primary.
- Also uncheck the “Automatically update e-mail addresses based on recipient policy”.
- Click OK to close the properties. Note: It is important not to make this security group a member of any other groups. This will help prevent issues with the AdminSDHolder resetting the security permissions we are going to be changing in the next section.
3. Adding the group membership and setting the proper security to allow the Send As.
We will be working on the properties of the Security Group we just created, but before we continue, we need to enable the Advanced Features in AD Users and Computers.
- Select View on the top menu and then select Advanced Features.
Now we can open the properties of the Security Group we just created.
- Expand your domain, MyBusiness, and select Security Groups
- Right Click the desired Security Group we just created and select properties.
- Go to the Members tab
- Click Add
- Type the name of the User who is going to be receiving the e-mails sent to the e-mail address that we have configured for this Group. Remember, e-mails sent to the e-mail address that we added in step 2 will be delivered to members of this group only. If this is just one user that needs to send and receive using the second e-mail address, then you would have only 1 member. If this is a shared address, then you can have multiple members, and they will all get a copy of e-mail sent to the address in question.
- Repeat the Add process as needed.
- Once you have added the members, click Apply. Inbound e-mail sent to the address in question will start flowing again. Start the SMTP Virtual Server if you had stopped it. Do not close the properties yet.
Now we need to set up the proper security. We will need to add the user or group accounts that we want to allow to Send As using this Security Group’s primary e-mail address. This is the key step that will allow us to use the e-mail address as our new From. Keep in mind that Domain Administrators and Account Operators will already be able to Send As this group and no changes are needed.
- Go to the Security tab
- Click Add
- Type the name of the User who is going to be sending the e-mails using the e-mail address configured for this mail enabled Security Group. If you want to allow all members of this group to be able to send using the e-mail address here, then add the security group name (Sales Group in our example).
- Once you have added the user/users/groups, find them on the security list, select the object, and scroll down on the Permissions half of the window until you find the “Send As” right. Put a check on the Allow column. You are basically giving the user Send As rights on the Security Group.
- Click ok
- Open the Services MMC
- Re-start the Microsoft Exchange System Attendant service (and its dependants)
Picture showing the allow just on a per user basis scenario:
Picture showing the allow all group members to Send As:
4. Testing from Outlook
At this point all the pieces should be in place. Mail should be flowing to the e-mail address in question and the only thing left is for the user to learn how to pick which account to use when sending outbound e-mail. Please note that this will not happen automatically: the user will have to take action for every e-mail they want to use a different address for.
- In Outlook while logged in to the user’s mailbox that has Send As permissions to the newly created group (so basically, open Outlook as normal, nothing should change from the client perspective), click to open a new email
- Outlook 2003: Click View, and select “From Field”
- Outlook 2007: Click Options and select “Show From”
- Click on the From: and pick the Group that has the address we want to use, or type the Group name, or just type the e-mail address (in our case firstname.lastname@example.org). Due to potential timing issues while updating the offline address book while in cached mode, the new group may not show up to be selected. It should eventually show up; if it doesn’t, then something is not working as expected with the OAB generation.
- Fill in the To, Subject, write up your email and click Send email
- The receiver should only see the alternate email address as the From.
- You get the following NDR:
Your message did not reach some or all of the intended recipients.
Sent: 10/31/2007 2:27 PM
The following recipient(s) could not be reached:
email@example.com on 10/31/2007 2:27 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
- Or the following error (if you are not in cached mode):
- This is a sign that the security was not set up properly or has not taken effect. Re-check step 3. Do not forget to re-start the Microsoft Exchange System Attendant Service on the server and Outlook on the client. If permissions have been changed on the security group, check the group membership of that group and make sure it is not a member of a protected AdminSDHolder group (direct or transitive). See the following KB for additional information: http://support.microsoft.com/default.aspx?scid=kb;EN-US;907434 .
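A read-only check of what steps 1 to 3 set up and of the permission problem described above, as an added example that is not part of the original post. It assumes PowerShell on a domain-joined machine; `$GroupName` and `$Address` are placeholders, and the GUID is the Active Directory identifier of the Send As extended right.

```powershell
# Added example: read-only audit of the mail-enabled group from steps 1-3.
# $GroupName and $Address are placeholders; substitute your own values.
$GroupName  = 'Sales Group'
$Address    = 'email@example.com'
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # Send-As extended right

function Find-DirectoryObject([string]$Filter) {
    # Searches the current user's domain; returns every attribute of each match.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500
    $searcher.FindAll()
}

# Step 1 check: the address must sit on exactly one object of any class.
# The LDAP match is case-insensitive, so it finds SMTP: (primary) and smtp: alike.
$holders = @(Find-DirectoryObject "(proxyAddresses=smtp:$Address)")
foreach ($h in $holders) {
    $primary = @($h.Properties['proxyaddresses'] |
        Where-Object { $_ -clike 'SMTP:*' -and $_ -ieq "SMTP:$Address" })
    "{0}  primary={1}" -f $h.Properties['distinguishedname'][0], ($primary.Count -gt 0)
}
if ($holders.Count -ne 1) { Write-Warning "$($holders.Count) objects hold $Address; expected 1" }

# Step 3 check: list every ACE that grants or denies Send As on the group.
# An empty ObjectType covers all extended rights (for example Full Control).
$group = @(Find-DirectoryObject "(&(objectCategory=group)(cn=$GroupName))")[0]
if (-not $group) { throw "Group '$GroupName' not found" }
$acl = $group.GetDirectoryEntry().psbase.ObjectSecurity
$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Format-Table IdentityReference, AccessControlType, IsInherited -AutoSize

# AdminSDHolder check: adminCount=1 marks an object that is (or was) protected,
# and any group membership is a path to becoming protected transitively.
$props = $group.Properties
if ($props.Contains('admincount') -and $props['admincount'][0] -eq 1) {
    Write-Warning 'adminCount=1: AdminSDHolder resets the ACL on this group'
}
if ($props.Contains('memberof')) {
    $props['memberof'] | ForEach-Object { Write-Warning "Group is a member of: $_" }
}
```

Because Send As lets the holder send mail that is indistinguishable from the group's own, the ACE list is also worth reviewing whenever membership of the sending users changes.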