Configuring Sun Java System Messaging Server MTA

Overview of This Technical Note

Currently, products such as Microsoft Exchange and other groupware systems allow permissions to be set so that one user can send email on behalf of another. For example, just as managers might have assistants who help manage their paper mail, managers can use Microsoft Exchange to give another person access to their email. In Microsoft Exchange, the process of granting someone permission to open folders, read and create items, and respond to requests on behalf of another person is called Delegate Access.

This means that customers who are considering migrating their email infrastructure from Exchange to Messaging Server will most likely require similar Delegate Access functionality in Sun Java System Messaging Server. This document describes how to configure the LDAP directory and the Messaging Server MTA to provide functionality analogous to that of Microsoft Exchange.

Any email or groupware system that takes actions based on the identity of the sending user must know who the actual sender of that email is. Typically, when an email originates from “inside” (in MTA configuration terms, the sender’s IP address matches the INTERNAL_IP mapping), submission of the message is allowed regardless of its destination and claimed sender. This is the MTA’s default configuration. To apply mail submission delegation successfully, however, you need to control who is sending email even when that mail comes from inside. This requires enforcing authentication for these internal messages as well.

Using the sender’s address, whether the envelope address or the header address, is not suitable. Envelope and header addresses can easily be forged. Because these addresses are easily forged, organizations should not rely upon them, especially when they want their users to be able to send sensitive email, often on behalf of company managers.

Checking the associated authentication information is usually the most feasible way of being certain who the actual sender of a particular email message is. Such information is available only if the sender of that message authenticates (with a password or another authentication mechanism) upon message submission. This document describes a way to make decisions based on authentication information by enforcing authentication of all email in the environment. The only exceptions are email arriving from the Internet and some email that is sent automatically and can therefore be easily recognized. In this document, authenticating all email in an organization’s environment means all email that users send to one another within the organization, as well as all email that users send outside the organization.
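The decision logic this note argues for, written out as an added illustration rather than Messaging Server code: the verdict on an internal submission rests on the SMTP AUTH identity, never on the envelope or header sender alone, with the two exceptions named above. The network list, the delegation table (standing in for data the later sections place in LDAP) and the automated-sender set are constructed sample values, not configuration from the note.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the INTERNAL_IP mapping: sources treated as "inside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed delegation table: mailbox -> identities allowed to send as it.
# In the real deployment this relationship lives in the LDAP directory.
DELEGATES = {"manager@example.com": {"assistant@example.com"}}

# Constructed set of automated senders that may submit without authenticating;
# they are recognizable by a fixed address and an internal source.
AUTOMATED = {"noreply@example.com"}


@dataclass
class Submission:
    source_ip: str
    auth_user: Optional[str]   # SASL-authenticated identity, None if no AUTH
    env_from: str              # envelope MAIL FROM address (forgeable)
    hdr_from: str              # header From: address (forgeable)


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def decide(s: Submission) -> str:
    """Return the verdict for one submission attempt."""
    if not is_internal(s.source_ip):
        # Mail arriving from the Internet is outside this note's sender policy.
        return "accept-inbound"
    if s.auth_user is None:
        # Unauthenticated inside mail is accepted only from a known automated sender.
        if s.env_from.lower() in AUTOMATED and s.hdr_from.lower() in AUTOMATED:
            return "accept-automated"
        return "reject-auth-required"
    user = s.auth_user.lower()
    for claimed in (s.env_from.lower(), s.hdr_from.lower()):
        # Each claimed sender must be the authenticated user or a mailbox that
        # has delegated sending rights to that user.
        if claimed != user and user not in DELEGATES.get(claimed, set()):
            return "reject-not-delegate"
    return "accept-authenticated"
```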