The Exchange 2007 Wiki

Permissions

Permissions are granted through Access Control Lists (ACLs). An ACL specifies, per user or computer, what is allowed and what is not. The Transport ACLs only specify what is allowed, since by default nothing is. Every object in the Directory (AD or ADAM) has an ACL stored in an attribute called the ‘ntSecurityIdentifier’. SMTP Receive and SMTP Send connectors are also stored in the Directory, and that same attribute defines their Transport permissions. The get-adpermission task can be used to see the permissions on AD objects. Windows provides a mechanism to define your own extended permissions, which is what Exchange2007 Transport did. To see all the extended permissions on, for instance, an SMTP Receive Connector:

get-adpermission <id of the Receive Connector> | ft User,ExtendedRights

For more information on Transport Permissions see: http://technet.microsoft.com/en-us/library/aa997170.aspx

Example:

[MSH] D:\>get-adpermission 'Default EDGEA73' | ft User,ExtendedRights

User                                    ExtendedRights
----                                    --------------
NT AUTHORITY\Authenticated Users        {ms-Exch-SMTP-Submit}
NT AUTHORITY\Authenticated Users        {ms-Exch-SMTP-Accept-Any-Recipient}
NT AUTHORITY\Authenticated Users        {ms-Exch-Bypass-Anti-Spam}
MYHUB\Exchange Servers                  {ms-Exch-SMTP-Accept-Exch50}
MYHUB\Exchange Servers                  {ms-Exch-Accept-Headers-Routing}
MYHUB\Exchange Servers                  {ms-Exch-Accept-Headers-Forest}
...

The following table provides the list of all the (extended) permissions defined by Transport:

Permission                                         Display name
-------------------------------------------------  ----------------------------------
ms-Exch-SMTP-Submit                                Submit Messages to Server
ms-Exch-SMTP-Accept-Any-Recipient                  Submit Messages to any Recipient
ms-Exch-SMTP-Accept-Any-Sender                     Accept any Sender
ms-Exch-SMTP-Accept-Authoritative-Domain-Sender    Accept Authoritative Domain Sender
ms-Exch-SMTP-Accept-Authentication-Flag            Accept Authentication Flag
ms-Exch-Accept-Headers-Routing                     Accept Routing Headers
ms-Exch-Accept-Headers-Organization                Accept Organization Headers
ms-Exch-Accept-Headers-Forest                      Accept Forest Headers
ms-Exch-SMTP-Accept-Exch50                         Accept Exch50
ms-Exch-SMTP-Send-Exch50                           Send Exch50
ms-Exch-Send-Headers-Routing                       Send Routing Headers
ms-Exch-Send-Headers-Organization                  Send Organization Headers
ms-Exch-Send-Headers-Forest                        Send Forest Headers
ms-Exch-Bypass-Message-Size-Limit                  Bypass Message Size Limit
ms-Exch-Bypass-Anti-Spam                           Bypass Anti-Spam

The Display Name provides a ‘hint’ as to what the permission is about. The list below provides more information on each of them.

ms-Exch-SMTP-Submit

If the SMTP receive session does not have this permission, it cannot submit messages: both the “MAIL FROM” and the “AUTH” command fail. “AUTH” fails even when the credentials are correct, because the authenticated user or computer would have no way to do anything useful with the session.

ms-Exch-SMTP-Accept-Any-Recipient

If the SMTP receive session does not have this permission, the server will reject the “RCPT TO” command if the recipient domain does not match any accepted domain. You could also call this the Relay permission.

ms-Exch-SMTP-Accept-Any-Sender

If the SMTP receive session does not have this permission, the server will check for sender address spoofing. If the spoofing check fails, the message gets rejected at either “MAIL FROM” or EOD (End Of Data), depending on which sender (envelope or message/header) was found to be spoofed.

ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

If the SMTP receive session does not have this permission, the server will reject “MAIL FROM” if the specified address is at an authoritative domain. (An authoritative domain is an administrative domain with at least one mail server responsible for the final delivery of messages addressed to that domain.)

ms-Exch-SMTP-Accept-Authentication-Flag

If the SMTP receive session does not have this permission, the server will ignore the AUTH= option that was specified on the “MAIL FROM” command. (Internally, Exchange Servers transfer anonymous messages using “AUTH=<>”.)

ms-Exch-Accept-Headers-Routing

If the SMTP receive session does not have this permission, the server will strip all “Received:” headers.

Note: This should only happen for client message submissions over SMTP, which is why by default ExchangeUsers do not get this permission. (See RFC 2476.)

ms-Exch-Accept-Headers-Organization

If the SMTP receive session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-“.

ms-Exch-Accept-Headers-Forest

If the SMTP receive session does not have this permission, the server will strip all forest headers. Those headers all start with “X-MS-Exchange-Forest-“.

ms-Exch-SMTP-Accept-Exch50

If the SMTP receive session does not have this permission, the server will not accept the “XEXCH50” command.

Note: This command is necessary for interoperability with Exchange2000 and Exchange2003. In an environment with only Exchange2007 servers, the “XEXCH50” command won’t be used once disabled.

ms-Exch-SMTP-Send-Exch50

If the SMTP send session does not have this permission, the server will not send the “XEXCH50” command.

ms-Exch-Send-Headers-Routing

If the SMTP send session does not have this permission, the server will strip all “Received:” headers.

For details on how to strip all internal routing information from outbound messages see this article:
http://exchangeshare.wordpress.com/2008/05/26/how-to-remove-header-from-outgoing-mails-in-exchange-2007/

ms-Exch-Send-Headers-Organization

If the SMTP send session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-“.

ms-Exch-Send-Headers-Forest

If the SMTP send session does not have this permission, the server will strip all forest headers. Those headers all start with “X-MS-Exchange-Forest-“.

ms-Exch-Bypass-Message-Size-Limit

If the SMTP receive session has this permission, the server will skip message size restrictions at the protocol level.

ms-Exch-Bypass-Anti-Spam

If the SMTP receive session has this permission, the server passes this permission on to the anti-spam agents so that they skip the anti-spam checks for the message.

Looking once more at the sample output of the get-adpermission task and considering the permissions granted to ‘NT AUTHORITY\Authenticated Users’, this SMTP Receive connector allows authenticated users:

1) to submit messages (ms-Exch-SMTP-Submit)
2) to send messages to any domain (ms-Exch-SMTP-Accept-Any-Recipient)
3) to have their messages skip anti-spam scanning (ms-Exch-Bypass-Anti-Spam)
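The get-adpermission check shown at the top of the page can be turned into a review of every Receive connector at once. The script below is an added example, not part of the wiki or of Exchange itself: it runs in an Exchange 2007 Management Shell session and reports which broad trustees (the trustee list is an assumption; adjust it to your environment) hold the relay, anti-spam bypass and size-limit bypass rights discussed above.

```powershell
# Added example (not from the wiki): audit Receive connectors for broad grants of
# the three rights the wiki calls out. Assumes an Exchange 2007 Management Shell
# session; the trustee list is an assumption and should match your environment.

$riskyRights = @(
    "ms-Exch-SMTP-Accept-Any-Recipient",   # relay to domains that are not accepted domains
    "ms-Exch-Bypass-Anti-Spam",            # anti-spam agents skip the message
    "ms-Exch-Bypass-Message-Size-Limit"    # protocol-level size limits are skipped
)
$broadTrustees = @(
    "NT AUTHORITY\ANONYMOUS LOGON",
    "NT AUTHORITY\Authenticated Users",
    "Everyone"
)

$findings = @()
foreach ($connector in (Get-ReceiveConnector)) {
    # Only Allow ACEs grant anything; a Deny ACE for the same right restricts it.
    $aces = $connector | Get-ADPermission | Where-Object { -not $_.Deny }
    foreach ($ace in $aces) {
        $trustee = [string]$ace.User
        if ($broadTrustees -notcontains $trustee) { continue }
        if ($ace.ExtendedRights -eq $null) { continue }   # plain AD rights, no extended right
        foreach ($right in $ace.ExtendedRights) {
            if ($riskyRights -contains [string]$right) {
                $finding = "" | Select-Object Connector, Trustee, Right, Inherited
                $finding.Connector = [string]$connector.Identity
                $finding.Trustee   = $trustee
                $finding.Right     = [string]$right
                $finding.Inherited = $ace.IsInherited
                $findings += $finding
            }
        }
    }
}

if ($findings.Count -eq 0) {
    "No broad grants of relay, anti-spam bypass or size-limit bypass found."
} else {
    $findings | Sort-Object Connector, Trustee | Format-Table -AutoSize
}

# Remediation for a grant that should not exist (run per connector, after review):
# Get-ReceiveConnector "Default EDGEA73" |
#     Remove-ADPermission -User "NT AUTHORITY\Authenticated Users" `
#                         -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
```

A finding is not automatically a misconfiguration: an internal connector may legitimately let authenticated users relay, so review each row against the purpose of that connector before removing anything.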


Last Modified 8/25/08 10:33 AM