Thursday, May 18, 2006

Exchange fix breaks Blackberry and Goodlink clients

Microsoft has released a new security update for Exchange 2003, described in KB 895949: "Send As" permissions behavior change in Exchange 2003. I had kind of ignored this fix for the past few weeks, but had to get on top of it when it was about to affect one of my customers.

Before this update, the "Send As" permission was implicitly included in the "Full Mailbox Access" permission. If a group was delegated Full Control on the organization or on an administrative group (without the "Send As" and "Receive As" permissions being explicitly denied), the group members got full mailbox access, which also let them send mail as any mailbox in that scope. Client-proxy servers such as the RIM BlackBerry Enterprise Server and the Goodlink server (which gives Treo users access to their Exchange mailboxes) rely on exactly this for their service accounts.

After the update, there are only 3 exceptions that still receive "Send As" implicitly:
  • The owner of the mailbox
  • The associated external account for a mailbox
  • A delegate of the mailbox owner
Once the fix is applied, the BlackBerry Enterprise Server will log errors such as these (0x80070005 is E_ACCESSDENIED; the message submission is being refused because the service account no longer has "Send As"):

[40700] (12/13 15:38:10):{0xFF0} {} Receiving packet from device, size=111, TransactionId=-2099843783, Tag=147, content type=CMIME, cmd=0x3
[30112] (12/13 15:38:10):{0xFF0} {} Receiving message from device, RefId=1607656887, Tag=147, TransactionId=-2099843783
[20265] (12/13 15:38:10):{0xFF0} {} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed
[20265] (12/13 15:38:10):{0xFF0} {} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed
[20000] (12/13 15:38:10):{0xFF0} {} Send() failed: SUCCESS, Tag=147
[40277] (12/13 15:38:10):{0xFF0} {} Sending message error to device for message 1607656887
[40583] (12/13 15:38:10):{0xFF0} {} Sending packet to device, Size=46, Tag=222, TransactionId=-1012978472

You need to explicitly delegate the "Send As" permission to the BlackBerry or Goodlink service account in Active Directory, on the necessary mailbox, on an OU, or on the entire domain. Prefer the narrowest scope that covers your mobile users: "Send As" on the domain root lets that one service account send mail as anybody, which is precisely the exposure this update was meant to close. See Microsoft KB 912918: Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003 for information on how to do this for a single mailbox or an entire domain.
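The following is an added example (not code from the original post, nor from KB 912918) of how to grant that right at OU scope and then read the ACL back to confirm it landed. It assumes a domain CONTOSO, a service account svcBES, and an OU called "Mobile Users"; change those to match your environment. It uses the well-known GUID of the Send-As extended right and the schema GUID of the user class so the ACE only applies to user objects under the OU.

```powershell
# Added example, not part of the original post. Grants the BES/Goodlink service
# account the "Send As" extended right on every user object beneath one OU, then
# verifies the ACE is present. Assumed names: CONTOSO\svcBES and OU "Mobile Users".
$ouDN    = "OU=Mobile Users,DC=contoso,DC=com"
$account = New-Object System.Security.Principal.NTAccount("CONTOSO", "svcBES")

# Well-known GUIDs: the Send-As extended right and the schema GUID of the user class.
$sendAsRight = [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b"
$userClass   = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$ou = [ADSI]"LDAP://$ouDN"

# Allow ACE: ExtendedRight = Send As, inherited by descendant user objects only.
# Scoping to an OU (rather than the domain root) limits which mailboxes the
# service account can impersonate if it is ever compromised.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $account,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $sendAsRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# psbase is used so the same lines work in PowerShell v1 as well as later versions.
$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# Verify: list every Allow ACE for Send As on the OU and who holds it.
$ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $sendAsRight -and $_.AccessControlType -eq "Allow" } |
    Select-Object IdentityReference, InheritanceType, InheritedObjectType
```

Run it as an account that can modify the OU's security descriptor. To grant the right on a single mailbox instead, bind to that user object's DN and build the rule with inheritance set to None and no inherited object class. If the verification output shows only inherited entries from a parent container, double-check that "Send As" is not also explicitly denied higher up, since a Deny ACE wins over this Allow.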

Thanks to Steve Head for reminding me that there is another article that also discusses this change and on which platforms it may cause problems. See KB 916803 (security bulletin MS06-019): Vulnerability in Microsoft Exchange Server could allow remote code execution.


At 5:19 PM, Blogger Steve Head said...


Were you aware of this follow-on article? KB 916803


At 5:52 PM, Blogger Jim McBee said...

Hi Steve, yep, I should have included the reference to the fix in the article. This posting was making it difficult to be concise. :-)

