Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » Possible nasty bug or am I just not getting it?
  •  
willmatthews

Messages: 5
Karma: 0
Send a private message to this user
I came across something that *I* found to be a really nasty bug, however, I'm wondering if maybe I just don't understand the nature of the "feature". Basically, I have a domain with about 200 accounts, none of them have any restrictions as to sending/receiving emails to/from other domains. Everything works peachy.

Last night I created a new group email address, and put about 5 addresses in that group. Because it was for internal use only, I turned on the feature to restrict sending/receiving mail to/from other domains. I didn't want spam and unnecessary email going to this group. Applied the changes, tested it out, all looked good, my internal emails were getting through to the group address, and the external emails were not. I slept soundly.

Came in this morning, I have a bunch of people complaining as I walk in the door that everyone has been calling each of them claiming they can't send emails through to them. It actually worked out to be 5 people, the same 5 that were in that group. Luckily I caught in the logs what was going on. I verified that each of those people's individual accounts had the domain restriction turned off, only the group that they were in had the feature turned on. Yet, emails that were sent directly to their personal addresses were rejected if they came from an external domain! So now I've turned off that feature in the group and all is well in the universe again. However, if I had included people that didn't have customers to complain to them and alert them of the problem, how many emails would we have lost to this?

But I ask you, is this a nasty bug, or do I just not get how these groups work? Are they meant more to be groups for permissions purposes than for group emails? If so, what's the best way to set up a group email without burning an account from the license?

Incidentally, I'm running KMS 6.4.0 on Red Hat, if that's significant.

Will

  •  
zwaugh

Messages: 5
Karma: 0
Send a private message to this user
I ran into the same thing. I wanted to create groups for internal use, but didn't want to use a global distribution list in the public contacts. After I enabled it for about 20 users, no one could send or receive any external email. Whether it's a bug or "feature", I think it should be changed so the setting only affects the group as a whole and not propagate to the members of the group.
  •  
ccjwells

Messages: 192
Karma: 0
Send a private message to this user
This is pure conjecture, but I imagine that users inherit the properties of the group much like they would in an AD situation.
  •  
microalps

Messages: 168
Karma: 0
Send a private message to this user
I believe that is a restriction placed on the group and all members of the group (like mentioned above). Groups can't send out emails, so obviously it doesn't apply to group<_a.t_>domain.com. As an alternative, you can use mailing lists which provides the ability to control who can send to the list. I will note though that each mailing list will cost you one license seat.
  •  
willmatthews

Messages: 5
Karma: 0
Send a private message to this user
Hi microalps, thanks for the feedback. I'm not quite sure I follow though.

I can confirm that it's a restriction placed on the group and members--my concern is that it's not made clear in the group settings that whatever restrictions made to the group are inherited by the members. In this case, if you were to check the user profiles of each member, it would not indicate that those restrictions are turned on for them. Consider trying to track down this setting for one particular user if you have many groups and many users. There's no way to track this setting back to the group that has it turned on. That's why I'm at least somewhat dubious that this is meant to be an inherited restriction.

Further, you can both send emails from and receive emails to a group email address, so I don't see why this domain restriction rule could not apply to group(at)domain(dot)com.

I had considered both the mailing lists approach, as well as the forwarding user account approach, but again both of these will use up licenses.

I'm not trying to be stubborn -certainly not on a Friday, that's more of a Monday thing - but it just doesn't seem like it adds up right to me.

W

  •  
microalps

Messages: 168
Karma: 0
Send a private message to this user
From the KMS Manual:

Quote:

Specific access rights can be assigned to a group of users. These rights complement rights of individual users.


Translate as you see fit, but I think that's pretty straight forward. And, you say you can send mail from a user group. I am not aware of such a feature, so kindly explain.
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
Yes, the right given to groups do not apply to the group, but to it's members. It's simply a simple way to set certain rights for a bunch of people. This works the same in, say, MS AD or Novell NDS.

Basically: groups are for applying rights. That it can also serve as distribution list, is a 'side matter'.

If you want to limit who can send to a group email address, don't use a group, use a mailing list. It has more advanced features. Downside: each mailing lists takes one license.
  •  
zwaugh

Messages: 5
Karma: 0
Send a private message to this user
There was a part left out from the previous quote from the manual

Quote:

User accounts within each domain can be sorted into groups. The main reasons for creating user groups are as followed:
* Group addresses can be created for certain groups of users with aliases (see chapter 15.3 Aliases) — mail sent to this address will be delivered to all members of the group.
* Specific access rights can be assigned to a group of users. These rights complement rights of individual users.


So how you look at it depends on what your reason is for creating it. Regardless, if they leave it how it is, they should add another option that says "Group email address can only receive email from its own domain" or something to that effect, then you can use it either way. Or to keep the comparison to AD, have an option when you create a group to use it for "Security" or "Distribution".
Previous Topic: wildcards (* or ?) in custom rules SPAM filter?
Next Topic: Not able to add entire contact information- OSX Tiger
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Fri Nov 24 03:10:56 CET 2017

Total time taken to generate the page: 0.00438 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.