Send As and OWA Bug (Full Version)

s.loquet -> Send As and OWA Bug (20.Oct.2006 8:29:52 AM)

Hello, I use Exchange 2003 SP2.
Patches:
912442 Security Update
916803 Security Update
911829 HotFix
895949 IE patch

I have to give rights, but there's a bug.

I create 2 fresh new users: user1 and user2.

I give user1 "FullMailBox access" to user2 and nothing else.

I connect to Outlook with the client using user1
I have added user2 mailbox

If I send an email and I change the "From:" field, there's nothing wrong.
The email is received => user2 on behalf of user1
So that's OK.

Now, if I do the same but using OWA:
http://exchange/echange
First I connect, and then I add /user2
I send the email... and it is received as coming from user2 (no mention of user1)
So fake identity.

You can look at KB912918 and how to solve it... it doesn't work, because I can send an email without having the "send as" ... within OWA.

Security hole???

I still have no answer.




joshh385 -> RE: Send As and OWA Bug (20.Oct.2006 5:33:20 PM)

This is expected behavior. OWA doesn't provide a send on behalf of feature natively. Because you've given the second user full access to the mailbox, they are allowed to log on to the mailbox of the other user via OWA. When you open the first mailbox as an additional mailbox in Outlook, it is smart enough to know that you are sending on behalf of the user. If all you're looking for is send on behalf of permissions, I would suggest granting them via the Exchange General tab on the user account in AD vs. granting full mailbox access.




jchong -> RE: Send As and OWA Bug (22.Oct.2006 2:12:45 PM)

Send As through OWA is not available; you would need a third-party tool.

http://www.ivasoft.biz/choosefromowa.shtml




s.loquet -> RE: Send As and OWA Bug (23.Oct.2006 4:16:52 AM)

Wrong... the bug is that I can "send as" in OWA by having only the "full mailbox access" on a user...




joshh385 -> RE: Send As and OWA Bug (25.Oct.2006 5:42:14 PM)

No, that's not a bug. Full access is full access; you get it all.
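
Added example, not part of the thread and not written by any of the posters: a small audit that scans IIS W3C logs for OWA requests where the authenticated account is not the owner of the mailbox named in the `/exchange/<mailbox>` URL, which is the access pattern discussed above. The sample log lines are constructed, the function names are hypothetical, and it assumes the mailbox alias in the URL equals the account's logon name.

```python
import re

# Constructed IIS W3C log sample; accounts, domain and paths are illustrative.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username sc-status
2006-10-20 08:10:01 GET /exchange/user1/Inbox/ CORP\\user1 200
2006-10-20 08:12:44 GET /exchange/user2/ CORP\\user1 200
2006-10-20 08:13:09 POST /exchange/user2/Drafts/ CORP\\user1 200
2006-10-20 08:15:30 GET /exchange/user2/Inbox/ user2@corp.example 200
2006-10-20 08:16:02 GET /exchweb/img/logo.gif CORP\\user1 200
"""

# First path segment after the /exchange virtual directory names the mailbox.
MAILBOX_RE = re.compile(r"^/exchange/([^/]+)", re.IGNORECASE)


def account_name(cs_username):
    """Reduce DOMAIN\\user or user@domain to the bare logon name."""
    return cs_username.split("\\")[-1].split("@")[0].lower()


def cross_mailbox_hits(log_text):
    """Return (date, time, account, mailbox, method) for each request where
    the authenticated account is not the owner of the mailbox in the URL.
    Assumption: mailbox alias equals the logon name."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change per log file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        match = MAILBOX_RE.match(row.get("cs-uri-stem", ""))
        user = row.get("cs-username", "-")
        if not match or user == "-":  # not a mailbox URL, or anonymous
            continue
        account, mailbox = account_name(user), match.group(1).lower()
        if account != mailbox:
            hits.append((row.get("date"), row.get("time"), account,
                         mailbox, row.get("cs-method")))
    return hits


if __name__ == "__main__":
    for hit in cross_mailbox_hits(SAMPLE_LOG):
        print("%s %s  %s opened mailbox %s (%s)" % hit)
```

Each hit is a session in which mail sent from OWA would show only the mailbox owner as sender, so the list is worth comparing against the Full Mailbox Access grants you actually intended.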



