Overview
When GFI MailEssentials is installed on the Microsoft® Exchange Server, spam emails can be saved in a user’s mailbox folder. For more information refer to Configuring MailEssentials Spam Actions.
The next section describes how to move spam email to user's subfolders in Exchange.
Solution
When blocking spam, one of the actions which can be performed is that of moving spam emails to sub-folders within mailboxes in Microsoft Exchange Server. In the case of Microsoft Exchange 2010 and later, this is performed through the use of Exchange Web Services, which requires the credentials of a specific user in order to perform this action. This user must have the ability to impersonate domain users, so as to access the users' mailboxes.
To set up impersonation rights to a user, a management scope needs to be created, which would define the scope of the rights for all Microsoft Exchange mailboxes, followed by a management role assignment, which would assign impersonation rights over the management scope to the assigned user.
In GFI MailEssentials, the user with impersonation rights can be configured either after finishing the installation in the Post-installation Wizard or else in the configuration of the In Exchange mailbox subfolder action.
As shown in the screenshot below, the creation of the user, including the management scope and management role assignment can be done either automatically or manually.
How to automatically create a user and set impersonation rights
GFI MailEssentials provides the ability to automatically create a user specific only to the functionality required for moving spam to Microsoft Exchange mailboxes. When using this option, the following are automatically created and configured:
- A user named GFIME_MOVEEXCH_USER
- A management scope which named GFI_MA_UMP
- A management role assignment named GFI_MRA_UMP
How to manually set impersonation rights for a user
When you select to use an existing user account, you can click the Set access rights button to have the wizard automatically configure the management scope and management assignment role as per the above.
Alternatively, you can use the following steps to manually create and configure the user account, management scope, and management assignment role required to move spam emails to sub-folders in the users' mailboxes:
- Create a user without administrative privileges which would have a complex password.
- Open the Microsoft Exchange Management Shell
- Create a new management scope which groups all recipients that have a mailbox:
New-ManagementScope -name <scope name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
The <scope name> text should be replaced with the name of the scope given for all user mailboxes.
Ex: user_mailboxes - Create a new management role which allows a particular user to have impersonation rights on a management scope:
New-ManagementRoleAssignment -name <role name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope name>
- The <role name> text should be replaced with the name given to the role being assigned. Ex: impersonate_role.
- The <impersonator> text should be replaced with the email address of the user created in step 1.
- The <scope name> text should be replaced with the name of the scope specified in STEP 3. Ex: user_mailboxes
When the user has been assigned the necessary rights, the user should be specified in the In Exchange mailbox subfolder action configuration, which can be accessed through the Actions tab.
Important notes:
- In Microsoft Exchange 2010 and newer, moving spam to the Exchange subfolders can be achieved by creating a transport rule that forwards tagged emails to the user’s Junk E-mail mailbox folder.
- If a management scope already exists with a scope covering all Microsoft Exchange mailboxes, another similar scope cannot be created. In this case, you need to either make use of the existing scope or else use the Get-ManagementScope & Remove-ManagementScope commands to identify and remove the current scope before creating a new one.
- If the password of the user having impersonation rights is modified, this will also need to be modified in the GFI MailEssentials configuration. If the new password is not updated in GFI MailEssentials, the action to move spam to Microsoft Exchange mailboxes will fail. To modify the new password in MailEssentials 2012 and later, the Impersonation user can be changed by going to the switchboard and adjusting the settings in the Move To Exchange tab.
(Start > All Programs > GFI MailEssentials > Switchboard > Move To Exchange Tab > Specify User Account)
Confirmation
Spam emails should be successfully moved to the recipients' junk sub-folder in the Exchange mailbox.