2

We are using Exchange 2013 for multi-tenant email hosting and I am trying to create a policy that will always show remote content from a specific sender domain (or single sender is fine too) in OWA.

We send out weekly reminders in an HTML email that reference external images and these images are always blocked.

Things I have tried:

  • Manually adding an email address to the safe sender list under "block or allow"
  • Set-MailboxJunkEmailConfiguration to add our email address to the TrustedSendersAndDomains
  • Creating a mail flow rule to bypass spam filtering for our domain
  • Set-ContentFilterConfig -BypassedSenderDomains *.ourdomain.com to bypass content filter for our domain

No matter what, OWA still prompts for the remote content to be downloaded with each sign-in.

The goal is to have a configuration that would automatically download remote content for ALL Exchange users when the sender is a specific email address or domain. Is this possible with Exchange 2013 & OWA?

Here is an image showing what I would like to bypass:

enter image description here

Ideally, a rule or setting can be changed so user@domain.com is exempt from having content blocked in OWA. If not, then a command that could be run periodically or when we add new mailboxes to apply the setting to each mailbox is fine too.

Thanks

drew010
  • 226
  • 6
  • 16

3 Answers

2

You can't by specific domain but you can unlock that globally.

Start by checking your OWA policy (Get-OwaMailboxPolicy)

Use Set-OwaMailboxPolicy and set it as you need it.

Example: Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes ".jpeg", ".pdf"

The error comes up because the server blocks certain MIME types in HTML-formatted email.

yagmoth555
  • 16,758
  • 4
  • 29
  • 50
  • Hi thanks for your answer. I just tried this on one user mailbox, and then sent them an HTML formatted email with an external JPG image and it still did not load by default. – drew010 May 14 '15 at 22:50
  • Actually it may have worked, apparently trusted senders are case-sensitive...will post back after a bit more testing. – drew010 May 14 '15 at 23:04
1

My thought was to check OWAMailboxPolicy (get-owamailboxpolicy), but there don't seem to be settings here. There is a bit about MIME types and FRAME and IFRAME allowance, but if you can successfully view external content, I don't think that's the cause.

Just to confirm, you DO see the domain/sender in question when you run:

(Get-MailboxJunkEmailConfiguration -Identity <mailboxid>).TrustedSendersAndDomains

...right?

blaughw
  • 2,267
  • 1
  • 11
  • 17
  • When I run that command on the mailbox I am testing with, I do see two senders I am attempting to send mail from. However, when I send an HTML message with remote images in it from one of the TrustedSendersAndDomains accounts, both of the security prompts circled in my OP show up. – drew010 May 06 '15 at 19:44
  • Ok let's take a step back. Are you a Service Provider delivering Exchange to customers? If that's the case, can you help explain about your Exchange architecture and how different organizations (customers) fit in there? – blaughw May 07 '15 at 16:09
  • We are an MSP and hosted Exchange email is one service we provide to our clients. For each company, an OU is created on the DC and each user is added as an account to that OU. Each account then has a mailbox in Exchange 2013. The reason we want to disable this setting is because we send out weekly reminders and other notifications about maintenance or updates and we want the emails to just work. For the customers who use Outlook, we have group policies or local scripts that make the exceptions, but for those who use OWA we haven't figured out how to enable remote content automatically. – drew010 May 07 '15 at 18:28
  • Technically this was correct so I awarded the bounty and accepted since it would have worked. I posted an answer to show why it didn't originally work. – drew010 May 15 '15 at 19:27
1

With the recommendations of @blaughw and @yagmoth555 I was able to get this working. This really turned out to be simple but due to a couple of caveats with the trusted senders and domains there was some confusion created about how to do what I wanted.

Here are the two issues that prevented this from working initially:

  • TrustedSendersAndDomains appears to be cAsE-sEnSiTiVe
    • Initially, the trusted sender was user@domain.com but the email was being sent from User@domain.com (note the capital U on User)
    • Once I removed the lowercase trusted sender and re-added with the proper case coming from our system, images loaded automatically
  • Adding a domain to the trusted senders list didn't allow content to load automatically
    • I tried adding domain.com to the Trusted senders, but sending from person@domain.com didn't result in images loading. I had to explicitly add Person@domain.com for images to load automatically.

Our OwaMailboxPolicy default AllowedFileTypes was already set to .rpmsg .xlsx .xlsm .xlsb .vstx .vstm .vssx .vssm .vsdx .vsdm .tiff .pptx .pptm .ppsx .ppsm .docx .docm .zip .xls .wmv .wma .wav .vtx .vsx .vst .vss .vsd .vdx .txt .tif .rtf .pub .ppt .png .pdf .one .mp3 .jpg .gif .doc .bmp .avi, which included JPG images, so I didn't need to modify that policy at all.

Simply adding the properly cased email address to each user's TrustedSendersAndDomains on the MailboxJunkEmailConfiguration did the trick.

For reference, here is the script I came up with to add this to ALL mailboxes on the system. I'll either have this run once a night or when we add new companies/users to the Exchange system.

It can be called from command prompt like powershell.exe -File AddTrustedUsers.ps1

# Connect to Exchange
. 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto -ClientApplication:ManagementShell

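# Get all mailboxes (Get-Mailbox returns only the first 1000 unless -ResultSize Unlimited is given)
$mailboxes = Get-Mailbox -ResultSize Unlimited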

# Loop over each mailbox, print email address and call Set-MailboxJunkEmailConfiguration
$mailboxes | foreach {
    $_.EmailAddresses.SmtpAddress | Format-List;
    $_.alias | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Add='User@domain.com', 'Other.User@domain.com'}
}
drew010
  • 226
  • 6
  • 16
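An added example, not part of the original answer: an idempotent variant of the nightly job that compares TrustedSendersAndDomains case-sensitively, replaces wrongly cased copies of a sender, and reports what changed, so the trust list stays limited to the exact addresses intended. The sender addresses are placeholders, and the script assumes it runs in the Exchange Management Shell.

```powershell
# Added example (not the original poster's script). Run in the Exchange Management Shell.
# Placeholder senders: use the exact case your mail system puts in the From address.
$trusted = @('User@domain.com', 'Other.User@domain.com')

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $mbx.Identity -ErrorAction SilentlyContinue
    if (-not $cfg) { continue }   # skip mailboxes whose junk e-mail configuration cannot be read

    $current = @($cfg.TrustedSendersAndDomains)

    foreach ($addr in $trusted) {
        # -ccontains is case-sensitive, matching the behaviour described in the answer
        $exact = $current -ccontains $addr

        # Same address stored in a different case: listed, but images stay blocked
        $variants = @($current | Where-Object { $_ -ieq $addr -and $_ -cne $addr })

        if ($variants.Count -gt 0) {
            # Remove the wrongly cased copies first, as the answer did by hand
            Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity `
                -TrustedSendersAndDomains @{Remove = $variants}
        }
        if (-not $exact) {
            Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity `
                -TrustedSendersAndDomains @{Add = $addr}
        }

        [pscustomobject]@{
            Mailbox   = $mbx.PrimarySmtpAddress
            Sender    = $addr
            Added     = -not $exact
            WrongCase = ($variants -join ', ')
        }
    }
}

# List only the mailboxes that were changed on this run
$report | Where-Object { $_.Added -or $_.WrongCase } | Format-Table -AutoSize
```

Set-MailboxJunkEmailConfiguration accepts -WhatIf, so both calls can be previewed before the job is scheduled.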