Answer
New in GFI MailEssentials 20, the Information Store Protection feature allows the Microsoft Exchange 2013 Information Store in the Mailbox Role to be scanned via Microsoft Exchange Web Services (EWS).
This was implemented to address the discontinuation of VSAPI in Microsoft Exchange 2013. EWS requires the credentials of a specific user in order to perform this action. This user must have the ability to impersonate domain users so as to access the users' mailboxes.
The same user account is required for the Move to Exchange Subfolder action when GFI MailEssentials is running on Microsoft Exchange 2010 and later.
The possible options are:
- Use an existing account and instruct GFI MailEssentials to set the Full Mailbox Rights to it.
- Instruct GFI MailEssentials to create a new account already with Full Mailbox Rights set.
To set up impersonation rights to a user, a management scope needs to be created, which would define the scope of the rights for all Microsoft Exchange mailboxes, followed by a management role assignment, which would assign impersonation rights over the management scope to the assigned user.
In GFI MailEssentials, the user with impersonation rights can be configured either after finishing the installation in the post installation wizard or from GFI MailEssentials Switchboard > Exchange Account tab.
How to automatically create the user with the necessary rights
GFI MailEssentials provides the ability to automatically create a user specific only to this functionality. When using this option, the following are automatically created and configured:
- A user named GFIME_MOVEEXCH_USER
- A management scope named GFI_MA_UMP
- A management role assignment named GFI_MRA_UMP
Note: It's strongly suggested to set the newly created user account with "password never expires" in Active Directory.
How to manually set impersonation rights for an existing user
When you select to use an existing user account, you can click the Set access rights button to have the wizard automatically configure the management scope and management role assignment as described above.
Alternatively, you can use the following steps to manually create and configure the user account, management scope and management role assignment required to move spam emails to sub-folders in the users' mailboxes.
1. Create a user without administrative privileges and give it a complex password.
2. Open the Microsoft Exchange Management Shell.
3. Create a new management scope which groups all recipients that have a mailbox:
New-ManagementScope -name <scope name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
The <scope name> text should be replaced with the name given to the scope for all user mailboxes. Ex: user_mailboxes
4. Create a new management role assignment which gives a particular user impersonation rights on the management scope:
New-ManagementRoleAssignment -name <role name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope name>
- The <role name> text should be replaced with the name given to the role assignment. Ex: impersonate_role.
- The <impersonator> text should be replaced with the email address of the user created in step 1.
- The <scope name> text should be replaced with the name of the scope specified in step 3. Ex: user_mailboxes
Notes:
If a management scope already exists with a scope covering all Microsoft Exchange mailboxes, another similar scope cannot be created. In this case, you need to either make use of the existing scope or use the Get-ManagementScope and Remove-ManagementScope commands to identify and remove the current scope before creating a new one.
If the password of the user having impersonation rights is modified, it will also need to be updated in the GFI MailEssentials configuration. If the new password is not updated in GFI MailEssentials, the action to move spam to Microsoft Exchange mailboxes will fail. In GFI MailEssentials 2012 and 2014, the impersonation user and password can be changed from the switchboard in the Move To Exchange tab (Start > All Programs > GFI MailEssentials > Switchboard > Move To Exchange Tab > Specify User Account).
In GFI MailEssentials 2016 the path is Start > All Programs > GFI MailEssentials > Switchboard > Exchange Account Tab > Specify User Account.
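The manual steps above and the note about an already existing scope, as an added example for the Exchange Management Shell (this is not GFI's own code): it reuses a scope that already filters on UserMailbox instead of failing, creates the role assignment only once, and then lists every ApplicationImpersonation assignment so the result can be checked. The scope name, role name and service account are placeholders.

```powershell
# Added example, not part of GFI MailEssentials. Placeholders to adjust:
$ScopeName    = "user_mailboxes"             # <scope name>
$RoleName     = "impersonate_role"           # <role name>
$Impersonator = "svc_gfime@example.local"    # <impersonator>, the non-admin user from step 1

# Step 3: a second scope covering all user mailboxes cannot be created,
# so reuse one that already carries the UserMailbox recipient filter.
$scope = Get-ManagementScope |
    Where-Object { $_.RecipientFilter -like '*RecipientType*UserMailbox*' } |
    Select-Object -First 1
if ($null -eq $scope) {
    $scope = New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }
    Write-Host "Created management scope '$($scope.Name)'"
} else {
    Write-Host "Reusing existing management scope '$($scope.Name)'"
}

# Step 4: grant ApplicationImpersonation to the service user, limited to that scope.
if (-not (Get-ManagementRoleAssignment -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $RoleName -Role ApplicationImpersonation `
        -User $Impersonator -CustomRecipientWriteScope $scope.Name
    Write-Host "Created role assignment '$RoleName'"
}

# Check: the new assignment should show the custom scope in CustomRecipientWriteScope.
# Any other ApplicationImpersonation assignment with an organization-wide
# RecipientWriteScope is worth reviewing, since it can read every mailbox.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope, RecipientWriteScope -AutoSize
```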
How to add permissions to the public folders to allow GFI MailEssentials to scan for malware
Permissions for each public folder that is to be scanned by GFI MailEssentials need to be set. In Exchange 2010 and later this can be done from within the Public Folder Management Console UI. In Exchange 2007 it is necessary to add these rights manually for each folder and sub-folder via the Exchange Management Shell.
Note: Sub-folder permissions are not inherited; each sub-folder must have the permissions set in the Exchange Management Shell.
For example:
- Add-PublicFolderClientPermission -Identity "\public folder 1" -user "mark@pelli3.local" -AccessRights PublishingEditor
- Add-PublicFolderClientPermission -Identity "\public folder 1\public folder 1.1" -user "mark@pelli3.local" -AccessRights PublishingEditor
- Add-PublicFolderClientPermission -Identity "\public folder 1\public folder 1.1.1" -user "mark@pelli3.local" -AccessRights PublishingEditor
- Add-PublicFolderClientPermission -Identity "\public folder 1\public folder 1.1.2" -user "mark@pelli3.local" -AccessRights PublishingEditor
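Because sub-folder permissions are not inherited, typing one Add-PublicFolderClientPermission line per folder does not scale. The following is an added example (not GFI's own code) that walks a public folder tree with Get-PublicFolder -Recurse, grants the scanning account PublishingEditor on every folder, and then prints the resulting permissions so the tree can be checked. The root folder and user are taken from the page's example and are placeholders.

```powershell
# Added example, not part of GFI MailEssentials. Placeholders to adjust:
$Root = "\public folder 1"          # top of the tree to be scanned
$User = "mark@pelli3.local"         # account used by GFI MailEssentials

# Get-PublicFolder -Recurse returns the root folder and every folder beneath it,
# which is exactly the set that needs an explicit (non-inherited) permission entry.
$folders = Get-PublicFolder -Identity $Root -Recurse

foreach ($folder in $folders) {
    try {
        Add-PublicFolderClientPermission -Identity $folder.Identity `
            -User $User -AccessRights PublishingEditor -ErrorAction Stop
        Write-Host "Granted PublishingEditor on $($folder.Identity)"
    } catch {
        # An entry for this user already exists on the folder, or the folder
        # could not be updated; report it rather than silently moving on.
        Write-Warning "Skipped $($folder.Identity): $($_.Exception.Message)"
    }
}

# Check: every folder in the tree should list the account with PublishingEditor.
foreach ($folder in $folders) {
    Get-PublicFolderClientPermission -Identity $folder.Identity |
        Select-Object @{n='Folder'; e={ $folder.Identity }}, User, AccessRights
} | Format-Table -AutoSize
```

Re-running the script is safe: folders that already carry the entry are reported as skipped, and the final listing shows any folder where the grant is still missing.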