Ajcody-How-To-Setup-sendAsDistList-Right-And-Persona-For-A-Distribution-List

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0


How To Setup A sendAsDistList Right and Persona For Internal Users


The following How-to only applies to ZCS 8 and greater

Actual How To Setup A sendAsDistList Right and Persona For A Distribution List Home Page

Please see: Ajcody-How-To-Setup-sendAsDistList-Right-And-Persona-For-A-Distribution-List

Bug - Can't Configure Domain Admins To Grant Rights

Please see:

What should work, but doesn't currently [Apr 28, 2015] is:

  1. Create a user and give it Delegated administrator permissions and default admin views.
  2. Create a Distribution List.
  3. Give the newly created user the following rights:
    • adminConsoleDLACLTabRights
    • setAdminConsoleDLMembersTab
    • viewAdminConsoleDLACLTab
    • setAdminConsoleDLACLTab
  4. Save
  5. Login as the user and try and edit the ACLs.

Work around is described in bug, though it might not be accessible since it's overly permissive.

Changes In ZCS8+ For zimbraAllowFromAddress and Persona's


Prior to ZCS 8, one would use the zimbraAllowFromAddress variable to allow one user the means to send as another user. This variable in ZCS 8+ only applies when setting the variable for external users now, it no longer allows internal users or distribution lists [DL's]. If you try to add an internal user or DL to zimbraAllowFromAddress, you'll see an error like:

 zmprov ma 11@test.com zimbraAllowFromAddress 12@test.com
ERROR: service.INVALID_REQUEST (invalid request: zimbraAllowFromAddress may not contain an internal account: 12@test.com)

With ZCS 8.0 and above, there is an upgrade script that will migrate internal users and DL's that are set in zimbraAllowFromAddress to become sendAs rights and also within the zimbraPrefAllowAddressForDelegatedSender variables. This is mentioned in the Release Notes and in the following bug:

  • "zimbraAllowFromAddress pref should exclude internal accounts"
    • http://bugzilla.zimbra.com/show_bug.cgi?id=66387
      • Please see Release Notes about doing this upgrade via the command : zmldapupgrade -b 66387
      • Any internal account or distribution list address listed in zimbraAllowFromAddress attribute is converted to a grant of sendAs (for account) or sendAsDistList (for DL) right from the named account or DL. The address is added to the zimbraPrefAllowAddressForDelegatedSender attribute of the granting account/DL.

Warning - Must Reload Browsers To See Changes When Changing Rights


When you make changes that effects the rights the account has, they will not automatically show up in the user's ZWC session. You must reload the browser session - either by doing a logout/login or by "refreshing" the browser. Refreshing the browser might require it's "Refresh" that it offers or by clicking in the URL field and hitting enter.

Left

Creating Initial Test Accounts


Login as the zimbra user:

su - zimbra

Create Three Test Accounts. Note, not all of these test account might be used for this particular wiki how-to :

[zimbra@]$ zmprov ca 1-sendas@test.com STRONG_PASSWORD
55a3d686-bd61-4608-a4a3-0027f5aee6ff

[zimbra@]$ zmprov ca 2-sendas@test.com STRONG_PASSWORD
fb316632-35c7-4038-9b78-56f2ed8e9823

[zimbra@]$ zmprov ca 3-sendOnBehalfOf@test.com STRONG_PASSWORD
deceeb15-ca0c-4868-9a6f-2f208ac36708

Create Initial Distribution List [DL] For sendAs Testing


Create A DL:

[zimbra@]$ zmprov cdl dl-sendas@test.com
52ff50a5-12f6-4093-93ce-88f6f9c20153

Add Our Three Test Users To the DL:

[zimbra@]$ zmprov adlm dl-sendas@test.com 1-sendas@test.com 2-sendas@test.com 3-sendonbehalfof@test.com

Review the current DL configuration:

[zimbra@zcs804 ~]$ zmprov gdl dl-sendas@test.com
# distributionList dl-sendas@test.com memberCount=2
mail: dl-sendas@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-sendas
zimbraCreateTimestamp: 20131123155642Z
zimbraId: 52ff50a5-12f6-4093-93ce-88f6f9c20153
zimbraMailAlias: dl-sendas@test.com
zimbraMailForwardingAddress: 1-sendas@test.com
zimbraMailForwardingAddress: 2-sendas@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: enabled

members
1-sendas@test.com
2-sendas@test.com
3-sendonbehalfof@test.com

Create Initial Distribution List [DL] For A Group To Add To The First DL For Testing And Three Group User Accounts


Create A DL but include the options at the end, " zimbraMailStatus disabled", since we are just using this DL for group management and not as an email DL:

[zimbra@]$ zmprov cdl dl-group@test.com zimbraMailStatus disabled
c8223902-b6a8-46e6-8056-0c89b7a146b5

Let's create three user accounts that are just used for this DL group for our examples where we are using the object type of group:

[zimbra@zcs804 ~]$ zmprov ca dl-group-user1@test.com STRONG_PASSWORD
808f0133-7f11-4f40-8eed-23f4a6e74e37

[zimbra@zcs804 ~]$ zmprov ca dl-group-user2@test.com STRONG_PASSWORD
057e1d0c-8898-47a7-a2e6-1f8d73fd923a

[zimbra@zcs804 ~]$ zmprov ca dl-group-user3@test.com STRONG_PASSWORD
7ff80bcc-7b8b-4db4-a906-f0a85ff9da9b

Add Our Three Test Users To the DL:

[zimbra@]$ zmprov adlm dl-group@test.com dl-group-user1@test.com dl-group-user2@test.com dl-group-user3@test.com

Review the current DL configuration:

[zimbra@zcs804 ~]$ zmprov gdl dl-group@test.com
# distributionList dl-group@test.com memberCount=3
mail: dl-group@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-group
zimbraCreateTimestamp: 20131123225736Z
zimbraId: c8223902-b6a8-46e6-8056-0c89b7a146b5
zimbraMailAlias: dl-group@test.com
zimbraMailForwardingAddress: dl-group-user1@test.com
zimbraMailForwardingAddress: dl-group-user2@test.com
zimbraMailForwardingAddress: dl-group-user3@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: disabled

members
dl-group-user1@test.com
dl-group-user2@test.com
dl-group-user3@test.com

Granting The sendAsDistList Right Can Be A User, Group, Domain, All Users, Or All Users Both Internal And External To Send As The DL Account

This how-to can also be done for different objects besides a single user, the usr variable used throughout. He is brief examples using all the various variable options:

  • Granting for individual user - usr:
    • [zimbra@]$ zmprov grr dl dl-sendas@test.com usr 1-sendas@test.com sendAsDistList
  • Granting for a group - grp :
    • [zimbra@]$ zmprov grr dl dl-sendas@test.com grp dl-group@test.com sendAsDistList
  • Granting for a domain - dom :
    • [zimbra@]$ zmprov grr dl dl-sendas@test.com dom test.com sendAsDistList
  • Granting for all users [internal] - all :
    • [zimbra@]$ zmprov grr dl dl-sendas@test.com all sendAsDistList
  • Granting for all users [both internal and external] - pub :
    • [zimbra@]$ zmprov grr dl dl-sendas@test.com pub sendAsDistList

Granting The sendAsDistList Right For One User To Send As The DL Account


To grant a user [1-sendas@test.com] to send an email where the To field will be the DL email address [dl-sendas@test.com]:

[zimbra@]$ zmprov grr dl dl-sendas@test.com usr 1-sendas@test.com sendAsDistList

Review the DL configuration to confirm:

[zimbra@]$ zmprov gdl dl-sendas@test.com
# distributionList dl-sendas@test.com memberCount=2
mail: dl-sendas@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-sendas
zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
zimbraCreateTimestamp: 20131123155642Z
zimbraId: 52ff50a5-12f6-4093-93ce-88f6f9c20153
zimbraMailAlias: dl-sendas@test.com
zimbraMailForwardingAddress: 1-sendas@test.com
zimbraMailForwardingAddress: 2-sendas@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: enabled

members
1-sendas@test.com
2-sendas@test.com

Notice that there is now a zibraACE line that wasn't there when you initially setup the DL. The zimbraACE uses the zimbraId of the user being granted the right - in this case, the sendAsDistList right. You can confirm the zimbraId matches the user email that we granted the right to by doing:

[zimbra@]$ zmprov ga 55a3d686-bd61-4608-a4a3-0027f5aee6ff mail
# name 1-sendas@test.com
mail: 1-sendas@test.com
mail: 1-sendas-alias@test.com

And after reloading the ZWC browser session of the user [1-sendas@test.com] you should see the option for the DL [dl-sendas@test.com] in the From drop down when you compose a new email.

Left

Granting The sendAsDistList Right For The Group DL dl-group@ To The Email DL Account dl-sendas@

Grant the group DL we made, dl-group@test.com, the sendAsDistList right to the dl-sendas@test.com DL we made and will use as a mailing list.:

[zimbra@]$ zmprov grr dl dl-sendas@test.com grp dl-group@test.com sendAsDistList

You'll see the following set for the dl-sendas@test.com DL now [assuming you also set this right for the 1-sendas@test.com earlier]:

$ zmprov gdl dl-sendas@test.com | grep sendAsDistList
zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
zimbraACE: c8223902-b6a8-46e6-8056-0c89b7a146b5 grp sendAsDistList

zimbraACE uses the zimbraId of the account/object. This should match the zimbraId for 1-sendas@test.com and dl-group@test.com when you created them.

Checking And Confirming Our Group DL Grant To sendAsDistList For Our Email DL

If you have been doing the example setups so far, you should be able to confirm that your grants are correct by doing:

[zimbra@]$ zmprov ckr dl dl-sendas@test.com dl-group-user1@test.com sendAsDistList
ALLOWED
Via:
    target type  : dl
    target       : dl-sendas@test.com
    grantee type : grp
    grantee      : dl-group@test.com
    right        : sendAsDistList

To confirm those not in the group, use an email below that you have not granted the sendAsDistList for:

[zimbra@]$ zmprov ckr dl dl-sendas@test.com admin@test.com sendAsDistList
DENIED
View Of The sendAsDistList Right To dl-group@ For The dl-sendas@ DL Account In The Admin Console


A screen shot of the admin console of the changes we made above via the CLI

Left

To Remove Our Group DL Grant Of sendAsDistList For Our Email DL

If you have been doing the example setups so far, you should be able to do the following to remove the sendAsDistList grant:

[zimbra@]$ zmprov rvr dl dl-sendas@test.com grp dl-group@test.com sendAsDistList

To confirm we removed the granted of sendAsDistList for dl-group@test.com and the users that are in that group:

[zimbra@]$ zmprov ckr dl dl-sendas@test.com dl-group-user1@test.com sendAsDistList
DENIED

[zimbra@]$ zmprov ckr dl dl-sendas@test.com dl-group@test.com sendAsDistList
DENIED


Configuring The Primary User Account To Use The DL As A Persona


One can setup a Persona for the DL now also like you would for a user alias.

Note: To set up persona's from the cli, see :

zmprov help command| grep -i identit
createIdentity(cid) {name@domain} {identity-name} [attr1 value1 [attr2 value2...]]
deleteIdentity(did) {name@domain|id} {identity-name}
getIdentities(gid) {name@domain|id} [arg1 [arg...]]
modifyIdentity(mid) {name@domain|id} {identity-name} [attr1 value1 [attr2 value2...]]


Possible Bug - Note, you might not have the option to adjust the Reply-To option to be the DL. This bug was true even after reloading the browser and also including the DL address in its zimbraPrefAllowAddressForDelegatedSender variable. The issue exposed here might just be that we don't populate the Reply-To drop down options with DL choices.

Set zimbraPrefAllowAddressForDelegatedSender in the DL configuration to include the DL address explicitly:

[zimbra@]$ zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas@test.com

Confirm the zimbraPrefAllowAddressForDelegatedSender was set:

[zimbra@]$ $ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com

members
1-sendas@test.com
2-sendas@test.com


Left


Notice in the above screen shot I did not have the DL as an option from the drop down in the Reply-To section but I was able to manually type in the address there and it stayed when I saved the persona.


Left


I sent two messages to see the behavior of this Reply-To situation and the difference between using the DL persona and if we just sent a message with the non-persona DL from the drop down box of the From field.

Screenshot of the received message sending via the persona DL, the message I sent also has a screen shot of the compose window of the message.


Left


Screenshot of the received message sending via the non-persona DL via the From drop down box, the message I sent also has a screen shot of the compose window of the message.


Left


Even if this is a bug, it doesn't seem to effect the functionality though. For the non-persona DL message I sent, a reply to that message still goes back to the DL [dl-sendas@test.com].

Granting The sendAsDistList Right To 1-sendas@ For An Alias Of A Distribution List - dl-sendas-alias@test.com


Create a DL alias:

[zimbra@]$ zmprov adla dl-sendas@test.com dl-sendas-alias@test.com

Our current DL's properties so far in our how-to here will show:

[zimbra@zcs804 ~]$ zmprov gdl dl-sendas@test.com
# distributionList dl-sendas@test.com memberCount=2
mail: dl-sendas@test.com
mail: dl-sendas-alias@test.com
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
uid: dl-sendas
zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
zimbraCreateTimestamp: 20131123155642Z
zimbraId: 52ff50a5-12f6-4093-93ce-88f6f9c20153
zimbraMailAlias: dl-sendas@test.com
zimbraMailAlias: dl-sendas-alias@test.com
zimbraMailForwardingAddress: 1-sendas@test.com
zimbraMailForwardingAddress: 2-sendas@test.com
zimbraMailHost: zcs804.DOMAIN.com
zimbraMailStatus: enabled
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com

members
1-sendas@test.com
2-sendas@test.com

You'll notice the alias added in the line: mail: dl-sendas-alias@test.com .

Note also, that our prior steps in this how-to already :

  • Added 1-sendas@ to have sendAsDistList right for the DL.
    • zmprov grr dl dl-sendas@test.com usr 1-sendas@test.com sendAsDistList
    • This shows the zimbraId of the 1-sendas@ user:
      • zimbraACE: 55a3d686-bd61-4608-a4a3-0027f5aee6ff usr sendAsDistList
  • Added the zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com value
  • zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas@test.com

Let's add the DL alias to the zimbraPrefAllowAddressForDelegatedSender variable:

[zimbra@]$ zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas-alias@test.com

Let's confirm both dl-sendas@test.com and dl-sendas-alias@test.com are true for zimbraPrefAllowAddressForDelegatedSender :

[zimbra@]$ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: dl-sendas-alias@test.com

members
1-sendas@test.com
2-sendas@test.com

Login to ZWC with the 1-sendas@test.com account or reload its current browser session and confirm you can use both dl-sendas@test.com and dl-sendas-alias@test.com.

Left

Note - in the screenshot above we had already setup a persona also for the DL use, it's the extra line there in the screen shot.

Only Seeing The Alias dl-sendas-alias@ For dl-sendas@ As An Option For 1-sendas@

Then you didn't not include all the addresses needed for the zimbraPrefAllowAddressForDelegatedSender value in the DL properties. You probably see something like:

[zimbra@]$ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas-alias@test.com

members
1-sendas@test.com
2-sendas@test.com

And in the primary address for the DL to the zimbraPrefAllowAddressForDelegatedSender value. Remember to use the + sign.

[zimbra@]$ zmprov mdl dl-sendas@test.com +zimbraPrefAllowAddressForDelegatedSender dl-sendas@test.com

Let's confirm both dl-sendas@test.com and dl-sendas-alias@test.com are true for zimbraPrefAllowAddressForDelegatedSender :

[zimbra@]$ zmprov gdl dl-sendas@test.com zimbraPrefAllowAddressForDelegatedSender
# distributionList dl-sendas@test.com memberCount=2
zimbraPrefAllowAddressForDelegatedSender: dl-sendas@test.com
zimbraPrefAllowAddressForDelegatedSender: dl-sendas-alias@test.com

members
1-sendas@test.com
2-sendas@test.com

Login to ZWC with the 1-sendas@test.com account or reload its current browser session and confirm you can use both dl-sendas@test.com and dl-sendas-alias@test.com.



Jump to: navigation, search