Send to a Dist List in Another Domain. Permissions Error. Please Help!

[syncreon]

Hi there,

To try and explain my scenario as brief as possible..

2 domains xyz.com and abc.com in a fully trusted forest with 2 seperate exchange environments (2003). 2 domains are connected via SMTP connector.

Creating an all users list on xyz.com which includes a contact on xyz.com domain with email address of allusers@abc.com. On the abc.com domain, this refers to a mailing list of all users on abc.com. It also includes a dist list on xyz.com with all users in it on that domain.

Have set permissions on the xyz.com all users list to allow xyzuser to send to all users. So this "should" give him the right to send to that list which includes the contact which forwards the mail to the dist. list on the other side.

On the abc.com domain, I have set the user xyzuser to have permissions to send to the allusers list using a domain local group.

However, user gets a 5.7.1 error of you do not have permissions when sending to abc.com all users list. His mail does get to the all users on the xyz.com domain though.

I appreciate this sounds confusing at first, so if you need any more info, please let me know.

Thanks in advance,
John

 

[TechyMcSe2k]

try this, it may work. It sounds like the DL in abc.com is locked down from anyone else sending to it. If so, try the option from everyone except and then put in abc.com\domain users and also hide group from the exchange address lists.

this will prevent abc.com users from emailing that DL; but still receive emails..say from xyz.com. Make the DL in abc.com unique so that any outsiders have a hard time figuring it out(prevent public users from emailing it)

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[syncreon]

Thanks for the reply.

As you suggested, that works. By using the "everyone except" option, the mail works. However, this is no good for us, as we cannot allow anybody from the other domain to send. It has to be a pre-approved list of people.

 

[TechyMcSe2k]

in the XYZ.com domain:
create your DL and add only approved users
then create a user account and within that account restrict who can email to that user account by adding only the above DL you created. Then Forward To: that user account email to the DL in ABC.COM and do not save copy in both mailboxes.

in the ABC.COM domain:
The DL in ABC.com that you have made UNIQUE(not easy to guess) and HIDDEN and do the "everyone except" as we talked about above.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[syncreon]

Thanks for this tip, but again, it doesnt work. Still getting the 5.7.1 You do not have permission to send to this recipient bounceback.

 

[TechyMcSe2k]

since it is a fully trusted Forest, try creating a domain local dist. group in xyz.com add the allowed users, then in ABC.com try allowing only that domain local group to email it. If I remember correctly, that is the way to see groups in other forests is by using domain local groups.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[TechyMcSe2k]

OK, this is tricky, but I got it to work in my test environment.

in XYZ.com:
create a mail enabled security group to be used in the contact Exchange General to lock down who can email the contact we are about to build...then
create a contact and point it to the smtp address of the DL in abc.com.
Then create a security group that this contact can be a member of and add it.

In ABC.COM:
create a new DL. Add the XYZ.COM\Group as its only member.
Then go to your DL that needs to be locked down and add the new DL into the security for sending to it.

I may have missed something or misworded, but this will get you going.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[syncreon]

hey, thanks so much for all your efforts. Its greatly appreciated and giving me lots of things to try.

Can I ask that you add some example names of lists and users into your last suggestion to make the process clearer?

i.e. user xyz.com\test1 and dl xyz.com\group1 etc

 

[TechyMcSe2k]

in XYZ.com:

create a DL in xyz.com such as (name)=allowedDLsendersforABC-DL which will end up having an email address of allowedDLsendersforABC-DL@XYZ.COM
ADD USERs from XYZ.COM that you want to be able to send to the contact you create next.

create a contact (name)=dltoabc.com and give it an smtp address to point to myDLnameinABCdomain@ABC.COM
Then make it a member of allowedDLsendersforABC-DL@XYZ.COM

then in the contact dltoabc.com, go to the Exchange General Tab and set the Message Restrictions to Only From: and add the above DL allowedDLsendersforABC-DL@XYZ.COM

In ABC.COM:
Create a new DL (name)=XYZtoABC-DL-Lockdown

Then add the XYZ.COM Distribution List XYZ.COM\securityDLtoABC.COM from above to the Members Tab of XYZtoABC-DL-Lockdown

Then go to the Exchange General Tab for myDLnameinABCdomain@ABC.COM (the one you originally needed locked down in the beginning of this post) and set the Message Restrictions to Only From: XYZtoABC-DL-Lockdown

I hope this is a little clearer...I caught myself getting lost...LOL

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[TechyMcSe2k]

CORRECTION:
Then add the XYZ.COM Distribution List XYZ.COM\securityDLtoABC.COM from above to the Members Tab of XYZtoABC-DL-Lockdown

Should be:
Then add the XYZ.COM Distribution List XYZ.COM\allowedDLsendersforAB-DL@XYZ.COM to the Members Tab of XYZtoABC-DL-Lockdown

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[syncreon]

Thank you very much once again!

I just have one more small annoyance for you... the DLs you created, what are they? security group - global, security group - local, distribution group - global etc?

 

[TechyMcSe2k]

distribution group - doamin local should be fine. I tried Universal and global and did not see a difference or issue.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[syncreon]

The only difference I am aware of is that if I am on a DL on abc.com, I cannot add members of xyz.com unless the DL is a distribution group - local.

When I go into add members, it only shows me the abc.com domain to choose users from. If it is a dist group - local then it allows me to choose from either.

I also sometimes get a violation constraint trying to add cross domain users unless they are inside a domain local group.