Exchange 2016 envelope sender rewriting when redirecting e-mails


The situation: some months ago we put all Exchange 2010 servers out of operation (quite late, I know), which were forwarding external messages to our Exchange 2016 farm (on premises) so far. We do not have an Exchange server with the Edge server role - this role is provided by our Proofpoint gateways.

Now we recently observed a general issue with incoming (external) e-mails addressing distribution groups where some members have an Exchange forwarding to an external recipient configured: the SMTP envelope ("P1") sender is not rewritten to the internal SMTP address anymore, leading to spoofing alerts at the forwarding destination (external SMTP server). Surprisingly this is not true for traffic NOT involving a DG (that is, a message from an external sender sent directly to an internal recipient, who in turn has set up a redirect to another external recipient). I found for most of the DGs that I could avoid the spoofing alert by setting the DG to ReportToManagerEnabled:$true which sets the DG manager as P1 sender address. But doing this for every DG would be a cumbersome and somehow problematic solution from my point of view (thousands of DGs, not every one having a manager, etc.).

I tried to find any hint about a behavioural change with Exchange 2013/2016 which could give an explanation here. It looks like this is now provided by the Edge server role only (resp. SRS with Exchange Online), but I am still convinced that Exchange 2010 already started to automatically rewrite sender addresses when redirecting in a proper way. For both, mailbox recipients and DGs.

I compared the transport agents for Ex 2010/2016 and tried different settings with no success (besides changing ReportToManagerEnabled).

Can anybody give a hint or explanation about what might have caused the change? Why does Exchange 2016 rewrite the sender for a mailbox recipient, but not for a distribution group anymore? Is changing ReportToManagerEnabled my only way to achieve a change here?

Thank you in advance.

Jörn

0 Replies
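
Added example, not part of the original post: a way to scope which distribution groups are affected before touching ReportToManagerEnabled on thousands of them. It assumes the on-premises Exchange Management Shell, treats any forwarding target whose domain is not an accepted domain as external, and does not expand nested groups; the function name `Get-ExternalForwardTarget` is hypothetical.

```powershell
# Added example: list DGs that have at least one member mailbox forwarding
# outside the organization, with the DG's manager / ReportToManagerEnabled state.

# Accepted domains as lowercase strings (wildcard entries are compared literally).
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Get-ExternalForwardTarget {
    param([Parameter(Mandatory)] $Mailbox)
    $target = $null
    if ($Mailbox.ForwardingSmtpAddress) {
        # Stored as "smtp:user@example.org"
        $target = "$($Mailbox.ForwardingSmtpAddress)" -replace '^smtp:', ''
    }
    elseif ($Mailbox.ForwardingAddress) {
        # Forwarding to a directory object, typically a mail contact
        $r = Get-Recipient -Identity "$($Mailbox.ForwardingAddress)" -ErrorAction SilentlyContinue
        if ($r -and $r.ExternalEmailAddress) {
            $target = "$($r.ExternalEmailAddress)" -replace '^smtp:', ''
        }
    }
    # Return the address only when its domain is not one of ours
    if ($target -and ($internal -notcontains $target.Split('@')[-1].ToLower())) {
        return $target
    }
}

$report = foreach ($dg in Get-DistributionGroup -ResultSize Unlimited) {
    $members = Get-DistributionGroupMember -Identity $dg.DistinguishedName -ResultSize Unlimited
    $targets = foreach ($m in $members) {
        if ($m.RecipientType -eq 'UserMailbox') {
            Get-ExternalForwardTarget -Mailbox (Get-Mailbox -Identity $m.DistinguishedName)
        }
    }
    if ($targets) {
        [pscustomobject]@{
            Group                  = $dg.PrimarySmtpAddress
            ReportToManagerEnabled = $dg.ReportToManagerEnabled
            HasManager             = @($dg.ManagedBy).Count -gt 0
            ExternalForwardTargets = @($targets) -join '; '
        }
    }
}

# Groups without a manager sort first: the workaround cannot be applied to them as-is
$report | Sort-Object HasManager, Group | Format-Table -AutoSize
```

Rows with `HasManager` false are the groups where the ReportToManagerEnabled workaround described in the post has no manager address to use as the P1 sender.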