
Sophos Virtual Email Appliance - Update how appliances handle default email address changes

We have a pair of Sophos Virtual Email Appliances, clustered, and we use Directory Services to connect to Active Directory and synchronize our customer mailbox accounts.  We recently had a customer want to change the format of their email addresses from having an underscore (j_doe@domain.com) to not having an underscore (jdoe@domain.com), so we fulfilled their request.  Later we found out that because the end user allow / block lists AND the end user login (connected to Active Directory / using Directory Services) are tied to the default email address on a mailbox, when that address changes, the end user allow/block lists are essentially lost to the user, since they can no longer log in with their old email address so they can access their lists / quarantine, and because those allow/block lists are no longer applying to their mailbox, because they are tied to the old email address.

This is something that the appliances should be able to handle better.  The appliances are already aware of all the aliases on a mailbox (we are using the map aliases feature), so why could the appliance not also automatically associate the new default email address (and all additional email aliases on the mailbox) so that when the default address on a mailbox changes, the users don't lose their settings, AND so all of their email addresses are protected by their allow/block lists?  Also, the user should not lose their quarantined items just because their default address changed.

I was able to 'work around'  this issue in a way, because I was able to take a backup of the configuration and then drill down into the files and search by their domain to find the files for the users that did have individual allow / block lists.  However, all I could do with that was forward the files to the customer and let them distribute the files to their users so they can log in and add the addresses back manually if they want.  It seems like quite an inconvenience to the end users.  I couldn't do anything about the fact that they also lost access to their quarantined messages, if they had any.

Thank you for your time. :)

 

Tara D.



  • Hi Tara,

    The best way would be to actually create an alias in AD rather than changing the SMTP mail address.  By changing the SMTP address the appliance sees that as a new user.  But when you just create an alias the appliance will just magically accept new mail for JDoe.

  • Thanks for your response.

    There are a couple reasons why that 'solution' is not plausible / feasible, however.

    1. Sometimes, customers decide to change their default email domain, and so they want to be able to log in with the new email address (to our system, etc), AND, they want that email address to be their new default (NOT just an alias).

    2. Sometimes, users' actual NAMES change (i.e. Jane Doe to Jane Smith), and of course they want to log in with their correct 'new' email address and have that as the default as well.

    Either way though, the bottom line is that we shouldn't have to change the way we handle users/email addresses in AD / Exchange just to accommodate this apparent shortcoming of the appliances.  The appliances should be able to handle this extremely common type of situation.  Users shouldn't be 'stuck' with whatever their email address was 'originally'.

    What I'm saying is that a user's allow/block lists should apply to all of a user's aliases (in other words, if an email address is whitelisted under the user's 'main/default' email address of JDoe@domain.com, it should also be whitelisted for JDoe_alias1@domain.com or even JDoe@domain2.com, AND, if that user's default email address changed from JDoe@domain.com to JDoe@domain2.com, the user should still be able to log into the EUWI on the appliances, AND, their allow/block lists should 'move' to (i.e. be accessible from) when they log in with their new default address (instead of effectively being 'lost' since the user can no longer log in to edit them since their email address/login name changed)).

    Hopefully that makes sense.

    Thanks!

  • Hi Tara,

    Yes, I totally understand and value your concerns.  Unfortunately that functionality is currently not a part of the appliance.

    The only real options are the alias as mentioned, or you could manually create a user account with password for the user to log in, but ultimately this will not allow them to manage their white/black lists as you seek.

    I have added my votes and your comments to the request; they can be found here:

    http://feature.astaro.com/forums/143206-sophos-email-security/suggestions/2744717-edit-end-user-whitelists-blacklists-via-admin-gui

  • Thank you!  I intended for this to be a feature request. :)

    Unfortunately, when I follow the link you provided, I just get a message that says I don't have access to that forum, so I'm unable to look at it.