Configuring User Impersonation Rights to Run Personal Filter List Migration Tool

Overview

  • This article explains how to configure user impersonation rights so that the Personal Filter List Migration Tool can be run after upgrading VIPRE Email Security to GFI MailEssentials.

  • The Personal Filter List Migration Tool imports the allowed and blocked email addresses that users defined in their respective mailboxes.

  • Since the tool needs to access the mailboxes on the Microsoft Exchange server, specific permissions are required.

  • These user permissions allow the tool to access all mailboxes.
  • Important Note: If you are unsure about securely performing the steps mentioned in this article, always make a backup before making any changes or reach out to support for more help.

 

Environment

  • GFI MailEssentials 2012 Service Release 3
  • Upgrades from VIPRE Email Security 

 

Information

Please follow the steps below depending on the version of Microsoft Exchange installed:

 

Microsoft Exchange 2007 or 2010

  • The user that was configured with impersonation rights in the VIPRE Email Security configuration can be used to run the Personal Filter List Migration Tool.

  • If this user has been deleted or needs to be re-created, please follow the instructions below:
    1. Create a new user without administrative privileges.
    2. Set a complex password for strong security.
    3. Open the Microsoft Exchange Management Shell.
    4. Create a new management scope, as shown below, that groups all recipients that have a mailbox:
      New-ManagementScope -name <scope name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
    5. Replace <scope name> with the name of the scope given for all user mailboxes, e.g., user_mailboxes.
    6. Create a new management role assignment that gives a particular user impersonation rights on a management scope:
      New-ManagementRoleAssignment -name <role name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope name>
    7. Replace <role name> with the name given to the role being assigned, e.g., impersonate_role.
    8. Replace <impersonator> with the email address of the user created in step 1.
    9. Replace <scope name> with the name of the scope specified in step 4.
    10. When the user has been assigned the necessary rights, specify the user in the In Exchange mailbox subfolder action configuration, through the Actions tab.

  • Important Note: If a management scope already exists that covers all Microsoft Exchange mailboxes, another similar scope cannot be created.

  • In this case, you need to either make use of the existing scope or else use the following commands to identify and remove the current scope before creating a new one:
    • Get-ManagementScope 
    • Remove-ManagementScope
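
Steps 4 to 9 and the existing-scope note above, combined into one Exchange Management Shell script. This is an added example, not GFI's own code: the scope name, role name and impersonator address are placeholders, and the filter match used to find an existing scope is an assumption about how the filter text is stored, so review the scope it selects before relying on it.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholder values (assumptions, replace with your own):
$ScopeName    = 'user_mailboxes'
$RoleName     = 'impersonate_role'
$Impersonator = 'pfl-migration@example.com'   # constructed address of the user from step 1

# Step 4, handling the case from the Important Note: if a scope covering
# all user mailboxes already exists, reuse it rather than creating a duplicate.
# Assumption: the stored filter text contains RecipientType -eq 'UserMailbox'.
$scope = Get-ManagementScope |
    Where-Object { $_.RecipientFilter -match "RecipientType -eq .UserMailbox." } |
    Select-Object -First 1

if ($scope) {
    Write-Host "Reusing existing scope '$($scope.Name)'"
} else {
    $scope = New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }
}

# Step 6: assign ApplicationImpersonation to the user, limited to that scope.
# Skipped when an assignment with this name is already present.
$existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { $_.Name -eq $RoleName }

if (-not $existing) {
    New-ManagementRoleAssignment -Name $RoleName `
        -Role ApplicationImpersonation `
        -User $Impersonator `
        -CustomRecipientWriteScope $scope.Name
}

# Check the result: list every ApplicationImpersonation assignment with its
# write scope. The new assignment should show the custom scope name in
# CustomRecipientWriteScope, not a RecipientWriteScope of 'Organization'.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```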


Microsoft Exchange 2003

Follow these instructions to create a new user with necessary impersonation rights:

  1. Create a new domain user or use an existing domain user which has administrative rights. This user should have a mailbox set.
  2. From the Microsoft Exchange System Manager, right-click the Mailbox Store which is found under Servers > [SERVER NAME] > [STORAGE GROUP NAME].
  3. Select Properties.
  4. Open the Security tab and add the user created in Step 1 to the list. The user should have all the rights set to Allow.
  5. On the same tab, click the Advanced button.
  6. In the Permissions tab, double-click an entry which has the user added in Step 4 in the Name column.
  7. In the next dialog, scroll to the bottom of the list and set Receive As and Send As to Allow.
  8. Press OK on all open dialogs to save the settings.

Posted by Priyanka Bhotika