Ajcody-How-To-Setup-sendAs-Right-And-Persona-For-Internal-Users

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0


How To Setup A sendAs Right and Persona For Internal Users


The following How-to only applies to ZCS 8 and greater

Actual How To Setup A sendAs Right and Persona For Internal Users Home Page

Please see: Ajcody-How-To-Setup-sendAs-Right-And-Persona-For-Internal-Users

Changes In ZCS8+ For zimbraAllowFromAddress and Persona's


Prior to ZCS 8, one would use the zimbraAllowFromAddress variable to allow one user the means to send as another user. This variable in ZCS 8+ only applies when setting the variable for external users now, it no longer allows internal users or distribution lists [DL's]. If you try to add an internal user or DL to zimbraAllowFromAddress, you'll see an error like:

 zmprov ma 11@test.com zimbraAllowFromAddress 12@test.com
ERROR: service.INVALID_REQUEST (invalid request: zimbraAllowFromAddress may not contain an internal account: 12@test.com)

With ZCS 8.0 and above, there is an upgrade script that will migrate internal users and DL's that are set in zimbraAllowFromAddress to become sendAs rights and also within the zimbraPrefAllowAddressForDelegatedSender variables. This is mentioned in the Release Notes and in the following bug:

  • "zimbraAllowFromAddress pref should exclude internal accounts"
    • http://bugzilla.zimbra.com/show_bug.cgi?id=66387
      • Please see Release Notes about doing this upgrade via the command : zmldapupgrade -b 66387
      • Any internal account or distribution list address listed in zimbraAllowFromAddress attribute is converted to a grant of sendAs (for account) or sendAsDistList (for DL) right from the named account or DL. The address is added to the zimbraPrefAllowAddressForDelegatedSender attribute of the granting account/DL.

Warning - Must Reload Browsers To See Changes When Changing Rights


When you make changes that effects the rights the account has, they will not automatically show up in the user's ZWC session. You must reload the browser session - either by doing a logout/login or by "refreshing" the browser. Refreshing the browser might require it's "Refresh" that it offers or by clicking in the URL field and hitting enter.

Left

Creating Initial Test Accounts


Login as the zimbra user:

su - zimbra

Create Three Test Accounts. Note, not all of these test account might be used for this particular wiki how-to :

[zimbra@]$ zmprov ca 1-sendas@test.com STRONG_PASSWORD
55a3d686-bd61-4608-a4a3-0027f5aee6ff

[zimbra@]$ zmprov ca 2-sendas@test.com STRONG_PASSWORD
fb316632-35c7-4038-9b78-56f2ed8e9823

[zimbra@]$ zmprov ca 3-sendOnBehalfOf@test.com STRONG_PASSWORD
deceeb15-ca0c-4868-9a6f-2f208ac36708

Create An Alias For The Account 1-sendas@


Create An Alias For One Of Our Users:

[zimbra@]$ zmprov aaa 1-sendas@test.com 1-sendas-alias@test.com

Configuring The Primary User Account - 1-sendas@ - To Use The Alias - 1-sendas-alias@ - Setup A Persona


Note: To set up persona's from the cli, see :

zmprov help command| grep -i identit
createIdentity(cid) {name@domain} {identity-name} [attr1 value1 [attr2 value2...]]
deleteIdentity(did) {name@domain|id} {identity-name}
getIdentities(gid) {name@domain|id} [arg1 [arg...]]
modifyIdentity(mid) {name@domain|id} {identity-name} [attr1 value1 [attr2 value2...]]

Login to ZWC as the user [1-sendas@test.com] either directly or by the admin consoles "View Mail" option. You should notice that the alias is not available as an option to select in the From field and that you don't have a drop down to change the From field. This is because the alias was just setup to be used for email redirection when we did it above. To allow the user to send email also as the alias, you can setup a Persona to show this option in the From field.

  • Click Add Persona
  • Persona Name = 1-sendas-alias
  • From: set to 1-sendas-alias@test.com
  • Reply-to: set to 1-sendas-alias@test.com
  • Use this persona: When replying or forwarding messages sent to: 1-sendas-alias@test.com
  • Click the Save button at the upper left.


Left


Now reload/refresh the browse to see changes. When you compose a new message now, you should see the alias as an option from the drop down box that's offered from the From field.


Left


If the option is not there, log out of ZWC and log back in.

Granting The SendAs Right To 2-sendas@ For The 1-sendas@ Account


This section will grant 2-sendas@ to send messages as 1-sendas@ .

First, grant the right to 2-sendas@ for the 1-sendas@ account [option 1]:

[zimbra@]$ zmmailbox -z -m 1-sendas@test.com grr account 2-sendas@test.com sendAs
  granted: 
    account 2-sendas@test.com sendAs

Or you can grant the right to 2-sendas@ for the 1-sendas@ account [option 2]:

[zimbra@]$ zmprov grr account 1-sendas@test.com usr 2-sendas@test.com sendAs

To confirm the grants that 1-sendas@ has allowed, do:

[zimbra@zcs804 ~]$ zmprov gg -t account 1-sendas@test.com
target type  target id                            target name        grantee type grantee id                           grantee name       right
------------ ------------------------------------ -----------------  ------------ ------------------------------------ -----------------  ------
account      55a3d686-bd61-4608-a4a3-0027f5aee6ff 1-sendas@test.com  usr          fb316632-35c7-4038-9b78-56f2ed8e9823 2-sendas@test.com  sendAs

To confirm 2-sendas@ can send as 1-sendas@ , log into ZWC with the 2-sendas@ account or reload the browser session if you were already logged in as 2-sendas@. You should now see the following when you compose a new message:

Left

You should also be able to setup a persona under 2-sendas@ for the 1-sendas@test.com email address.

1-sendas@ User Giving And Viewing Of The SendAs Right To 2-sendas@ For The 1-sendas@ Account In 1-sendas@ ZWC Preferences

You can see the sendAs rights that an account have given or been set for in the users Preferences > Accounts - "The following users have delegated authority to this account" area in ZWC. The user can also add the sendAs rights here, it is listed under the Primary Account selection :

Left

View Of The SendAs Right To 2-sendas@ For The 1-sendas@ Account In The Admin Console

A screen shot of the admin console of the changes we made above via the CLI

Left

Granting The SendAs Right To 2-sendas@ For The 1-sendas@ Account's Alias 1-sendas-alias@ Address


If an account has multiple addresses it needs to share out, these additional steps are necessary for the accounts that are NOT its primary email address - for example, an alias.

First, when adding these additional accounts, you DO NOT set the grant like you did to the primary email address of the account. Attempting to use the alias, for example, will not work.

[zimbra@]$ zmmailbox -z -m 1-sendas-alias@test.com grr account 2-sendas@test.com sendAs
  granted no right

No right was granted above because grants are actually set to the primary account, not the alias.

Another key point to remember when an account needs to grant any of the sendAs rights for multiple email addresses it manages [aliases for example], it must also set ALL of its sendAs addresses in the zimbraPrefAllowAddressForDelegatedSender variable. If an account is only granting the sendAs rights to its primary email address, then this variable will be blank by default and can be left blank. Example of the value prior to setting the sendAs grant will look like:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com

Remember, we have already granted 2-sendas@test.com sendAs rights to 1-sendas@test.com in our prior steps and confirm 2-sendas@ can send emails as 1-sendas@ .

To include the additional email address that 1-sendas@ has for 2-sendas@ to send messages as, do the following.

Set the primary email address in the zimbraPrefAllowAddressForDelegatedSender value:

zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas@test.com

Now add the alias also:

zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas-alias@test.com

Confirm the changes:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas-alias@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas@test.com

Reload the browser session for 2-sendas@ and you'll now see:

Left

Only Seeing The Alias 1-sendas-alias@ For 1-sendas@ As An Option For 2-sendas@

If you did not include the primary email address of the account in the zimbraPrefAllowAddressForDelegatedSender but later added another email address it has, an alias for example, the accounts that were granted the sendAs right will only then see the alias email address when they try to sendAs that user. For example, if you did:

[zimbra@]$ zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas-alias@test.com

And the current value then showed:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas-alias@test.com

The only option the 2-sendas@ account you get would be for 1-sendas-alias@test.com . For example:

Left

To correct this, you will need to add the primary address to the zimbraPrefAllowAddressForDelegatedSender and the 2-sendas@ users would need to reload the browser to then see both 1-sendas@test.com and 1-sendas-alias@test.com .

[zimbra@]$ zmprov ma 1-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender 1-sendas@test.com

Confirm the change:

[zimbra@]$ zmprov ga 1-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# name 1-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas-alias@test.com
zimbraPrefAllowAddressForDelegatedSender: 1-sendas@test.com

Reload the browser session for 2-sendas@ and you'll now see:

Left



Jump to: navigation, search