Ajcody-How-To-Setup-sendAs-Right-And-Persona-For-Internal-Users

Revision as of 18:48, 23 November 2013 by Ajcody (talk | contribs) (Created page with "{{Article Infobox|{{admin}}|{{ZCS 8.0}}||}} ===How To Setup A sendAs Right and Persona For Internal Users Or DL's=== ---- '''The following How-to only applies to ZCS 8 and ...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0


How To Setup A sendAs Right and Persona For Internal Users Or DL's


The following How-to only applies to ZCS 8 and greater


Changes In ZCS8+ For zimbraAllowFromAddress and Persona's


Prior to ZCS 8, one would use the zimbraAllowFromAddress variable to allow one user the means to send as another user. This variable in ZCS 8+ only applies when setting the variable for external users now, it no longer allows internal users or distribution lists [DL's]. If you try to add an internal user or DL to zimbraAllowFromAddress, you'll see an error like:

 zmprov ma 11@test.com zimbraAllowFromAddress 12@test.com
ERROR: service.INVALID_REQUEST (invalid request: zimbraAllowFromAddress may not contain an internal account: 12@test.com)

With ZCS 8.0 and above, there is an upgrade script that will migrate internal users and DL's that are set in zimbraAllowFromAddress to become sendAs rights and also within the zimbraPrefAllowAddressForDelegatedSender variables. This is mentioned in the Release Notes and in the following bug:

  • "zimbraAllowFromAddress pref should exclude internal accounts"
    • http://bugzilla.zimbra.com/show_bug.cgi?id=66387
      • Please see Release Notes about doing this upgrade via the command : zmldapupgrade -b 66387
      • Any internal account or distribution list address listed in zimbraAllowFromAddress attribute is converted to a grant of sendAs (for account) or sendAsDistList (for DL) right from the named account or DL. The address is added to the zimbraPrefAllowAddressForDelegatedSender attribute of the granting account/DL.

Warning - Must Reload Browsers To See Changes When Changing Rights


When you make changes that effects the rights the account has, they will not automatically show up in the user's ZWC session. You must reload the browser session - either by doing a logout/login or by "refreshing" the browser. Refreshing the browser might require it's "Refresh" that it offers or by clicking in the URL field and hitting enter.

Left

Creating Initial Test Accounts


Login as the zimbra user:

su - zimbra

Create Two Test Accounts :

[zimbra@]$ zmprov ca 1-sendas@test.com STRONG_PASSWORD
9c16e165-09f0-4155-92e6-59df3a9f4609

[zimbra@]$ zmprov ca 2-sendas@test.com STRONG_PASSWORD
8690ce69-d2e0-4ab0-83e8-040f88c290c3

Create Initial Distribution List [DL]


Create A DL:

[zimbra@]$ zmprov cdl dl-sendas@test.com
8f337d75-74d0-4491-bb53-8e4a2c220423

Add Our Two Test Users To the DL:

[zimbra@]$ zmprov adlm dl-sendas@test.com 1-sendas@test.com

[zimbra@]$ zmprov adlm dl-sendas@test.com 2-sendas@test.com

Review the current DL configuration:

[zimbra@zcs804 ~]$ zmprov gdl dl-sendas@test.com
# distributionList dl-sendas@test.com memberCount=2
mail: dl-sendas@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-sendas
zimbraCreateTimestamp: 20131123155642Z
zimbraId: 52ff50a5-12f6-4093-93ce-88f6f9c20153
zimbraMailAlias: dl-sendas@test.com
zimbraMailForwardingAddress: 1-sendas@test.com
zimbraMailForwardingAddress: 2-sendas@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: enabled

members
1-sendas@test.com
2-sendas@test.com

Granting The SendAs Right For One User To SendAs Its Alias Account


Create An Alias For One Of Our Users:

[zimbra@]$ zmprov aaa 1-sendas@test.com 1-sendas-alias@test.com

Configuring The Primary User Account To Use The Alias As A Persona


Login to ZWC as the user [1-sendas@test.com] either directly or by the admin consoles "View Mail" option. You should notice that the alias is not available as an option to select in the From field and that you don't have a drop down to change the From field. This is because the alias was just setup to be used for email redirection when we did it above. To allow the user to send email also as the alias, you can setup a Persona to show this option in the From field.

  • Click Add Persona
  • Persona Name = 1-sendas-alias
  • From: set to 1-sendas-alias@test.com
  • Reply-to: set to 1-sendas-alias@test.com
  • Use this persona: When replying or forwarding messages sent to: 1-sendas-alias@test.com
  • Click the Save button at the upper left.


Left


Now reload/refresh the browse to see changes. When you compose a new message now, you should see the alias as an option from the drop down box that's offered from the From field.


Left


If the option is not there, log out of ZWC and log back in.

Granting The SendAs Right For One User To SendAs The DL Account


To grant a user [1-sendas@test.com] to send an email where the To field will be the DL email address [dl-sendas@test.com]:

[zimbra@]$ zmprov grr dl dl-sendas@test.com usr 1-sendas@test.com sendAsDistList

Review the DL configuration to confirm:

[zimbra@]$ zmprov gdl dl-sendas@test.com
# distributionList dl-sendas@test.com memberCount=2
mail: dl-sendas@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-sendas
zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
zimbraCreateTimestamp: 20131123155642Z
zimbraId: 52ff50a5-12f6-4093-93ce-88f6f9c20153
zimbraMailAlias: dl-sendas@test.com
zimbraMailForwardingAddress: 1-sendas@test.com
zimbraMailForwardingAddress: 2-sendas@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: enabled

members
1-sendas@test.com
2-sendas@test.com

Notice that there is now a zibraACE line that wasn't there when you initially setup the DL. The zimbraACE uses the zimbraId of the user being granted the right - in this case, the sendAsDistList right. You can confirm the zimbraId matches the user email that we granted the right to by doing:

[zimbra@]$ zmprov ga 55a3d686-bd61-4608-a4a3-0027f5aee6ff mail
# name 1-sendas@test.com
mail: 1-sendas@test.com
mail: 1-sendas-alias@test.com

And after reloading the ZWC browser session of the user [1-sendas@test.com] you should see the option for the DL [dl-sendas@test.com] in the From drop down when you compose a new email.

Left

Configuring The Primary User Account To Use The DL As A Persona


One can setup a Persona for the DL now also like you did for the user alias.

Possible Bug - Note, you might not have the option to adjust the Reply-To option to be the DL. This bug was true even after reloading the browser and also including the DL address in its zimbraPrefAllowAddressForDelegatedSender variable. The issue exposed here might just be that we don't populate the Reply-To drop down options with DL choices.

Set zimbraPrefAllowAddressForDelegatedSender in the DL configuration to include the DL address explicitly:

[zimbra@]$ zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas@test.com

Confirm the zimbraPrefAllowAddressForDelegatedSender was set:

[zimbra@]$ $ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com

members
1-sendas@test.com
2-sendas@test.com


Left

Notice in the above screen shot I did not have the DL as an option from the drop down in the Reply-To section but I was able to manually type in the address there and it stayed when I saved the persona.

Left

I sent two messages to see the behavior of this and the different between using the DL persona and if we just sent a message with the non-persona DL from the drop down box of the From field.

Screenshot of the received message sending via the persona DL, the message I sent also has a screen shot of the compose window of the message.

Left

Screenshot of the received message sending via the non-persona DL via the From drop down box, the message I sent also has a screen shot of the compose window of the message.

Left

Even if this is a bug, it doesn't seem to effect the functionality though. For the non-persona DL message I sent, a reply to that message still goes back to the DL [dl-sendas@test.com].

Granting The SendAs Right To 2-sendas@ For The 1-sendas@ Account


This section will grant 2-sendas@ to send messages as 1-sendas@ .

First, grant the right to 2-sendas@ for the 1-sendas@ account [option 1]:

[zimbra@]$ zmmailbox -z -m 1-sendas@test.com grr account 2-sendas@test.com sendAs
  granted: 
    account 2-sendas@test.com sendAs

Or you can grant the right to 2-sendas@ for the 1-sendas@ account [option 2]:

[zimbra@]$ zmprov grr account 1-sendas@test.com usr 2-sendas@test.com sendAs

To confirm the grants that 1-sendas@ has allowed, do:

[zimbra@zcs804 ~]$ zmprov gg -t account 1-sendas@test.com
target type  target id                            target name        grantee type grantee id                           grantee name       right
------------ ------------------------------------ -----------------  ------------ ------------------------------------ -----------------  ------
account      55a3d686-bd61-4608-a4a3-0027f5aee6ff 1-sendas@test.com  usr          fb316632-35c7-4038-9b78-56f2ed8e9823 2-sendas@test.com  sendAs

To confirm 2-sendas@ can send as 1-sendas@ , log into ZWC with the 2-sendas@ account or reload the browser session if you were already logged in as 2-sendas@. You should now see the following when you compose a new message:

Left

You should also be able to setup a persona under 2-sendas@ for the 1-sendas@test.com email address.

Granting The SendAs Right To 2-sendas@ For The 1-sendas@ Account's Alias 1-sendas-alias@ Address


If an account has multiple addresses it needs to share out, these additional steps are necessary for the accounts that are NOT its primary email address - for example, an alias.

First, when adding these additional accounts, you DO NOT set the grant like you did to the primary email address of the account. Attempting to use the alias, for example, will not work.

[zimbra@]$ zmmailbox -z -m 1-sendas-alias@test.com grr account 2-sendas@test.com sendAs
  granted no right

No right was granted above because grants are actually set to the primary account, not the alias.

Another key point to remember when an account needs to grant any of the sendAs rights for multiple email addresses it manages [aliases for example], it must also set ALL of its sendAs addresses in the zimbraPrefAllowAddressForDelegatedSender variable. If an account is only granting the sendAs rights to its primary email address, then this variable will be blank by default and can be left blank. Example of the value prior to setting the sendAs grant will look like:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com

Remember, we have already granted 2-sendas@test.com sendAs rights to 1-sendas@test.com in our prior steps and confirm 2-sendas@ can send emails as 1-sendas@ .

To include the additional email address that 1-sendas@ has for 2-sendas@ to send messages as, do the following.

Set the primary email address in the zimbraPrefAllowAddressForDelegatedSender value:

zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas@test.com

Now add the alias also:

zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas-alias@test.com

Confirm the changes:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas-alias@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas@test.com

Reload the browser session for 2-sendas@ and you'll now see:

Left

Only Seeing The Alias 1-sendas-alias@ For 1-sendas@ As An Option For 2-sendas@

If you did not include the primary email address of the account in the zimbraPrefAllowAddressForDelegatedSender but later added another email address it has, an alias for example, the accounts that were granted the sendAs right will only then see the alias email address when they try to sendAs that user. For example, if you did:

[zimbra@]$ zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas-alias@test.com

And the current value then showed:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas-alias@test.com

The only option the 2-sendas@ account you get would be for 1-sendas-alias@test.com . For example:

Left

To correct this, you will need to add the primary address to the zimbraPrefAllowAddressForDelegatedSender and the 2-sendas@ users would need to reload the browser to then see both 1-sendas@test.com and 1-sendas-alias@test.com .

[zimbra@]$ zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas@test.com

Confirm the change:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas-alias@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas@test.com

Reload the browser session for 2-sendas@ and you'll now see:

Left

Granting The SendAs Right To 1-sendas@ For An Alias Of A Distribution List - dl-sendas-alias@test.com


Create a DL alias:

[zimbra@]$ zmprov adla dl-sendas@test.com dl-sendas-alias@test.com

Our current DL's properties so far in our how-to here will show:

[zimbra@zcs804 ~]$ zmprov gdl dl-sendas@test.com
# distributionList dl-sendas@test.com memberCount=2
mail: dl-sendas@test.com
mail: dl-sendas-alias@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-sendas
zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
zimbraCreateTimestamp: 20131123155642Z
zimbraId: 52ff50a5-12f6-4093-93ce-88f6f9c20153
zimbraMailAlias: dl-sendas@test.com
zimbraMailAlias: dl-sendas-alias@test.com
zimbraMailForwardingAddress: 1-sendas@test.com
zimbraMailForwardingAddress: 2-sendas@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: enabled
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com

members
1-sendas@test.com
2-sendas@test.com

You'll notice the alias added in the line: mail: dl-sendas-alias@test.com .

Note also, that our prior steps in this how-to add already :

  • Added 1-sendas@ to have sendAs right for the DL.
    • zmprov grr dl dl-sendas@test.com usr 1-sendas@test.com sendAsDistList
    • This shows the zimbraId of the 1-sendas@ user:
      • zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
  • Added the zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com value
  • zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas@test.com

Let's add the DL alias to the zimbraPrefAllowAddressForDelegatedSender variable:

[zimbra@]$ zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas-alias@test.com

Let's confirm both dl-sendas@test.com and dl-sendas-alias@test.com are true for zimbraPrefAllowAddressForDelegatedSender :

[zimbra@]$ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: dl-sendas-alias@test.com

members
1-sendas@test.com
2-sendas@test.com

Login to ZWC with the 1-sendas@test.com account or reload its current browser session and confirm you can use both dl-sendas@test.com and dl-sendas-alias@test.com.

Left

Note - in the screenshot above we had already setup a persona also for the DL use, it's the extra line there in the screen shot.

Only Seeing The Alias dl-sendas-alias@ For dl-sendas@ As An Option For 1-sendas@

Then you didn't not include all the addresses needed for the zimbraPrefAllowAddressForDelegatedSender value in the DL properties. You probably see something like:

[zimbra@]$ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas-alias@test.com

members
1-sendas@test.com
2-sendas@test.com

And in the primary address for the DL to the zimbraPrefAllowAddressForDelegatedSender value. Remember to use the + sign.

[zimbra@]$ zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas@test.com

Let's confirm both dl-sendas@test.com and dl-sendas-alias@test.com are true for zimbraPrefAllowAddressForDelegatedSender :

[zimbra@]$ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: dl-sendas-alias@test.com

members
1-sendas@test.com
2-sendas@test.com

Login to ZWC with the 1-sendas@test.com account or reload its current browser session and confirm you can use both dl-sendas@test.com and dl-sendas-alias@test.com.

Jump to: navigation, search