A recent Exchange 2003 fix, described in KB895949, is expected to cause some administrative headaches. The fix changes the rights a user requires to send emails from another user's mailbox.
Before the fix, having the "Full Mailbox Access" permission was enough for users to send emails from a mailbox. As explained by the KB article, the permission allowed a user to log on and send messages from other users' mailboxes. This worked even if the "Send as" permission was explicitly denied.
This ability is often necessary for central mailboxes manned by more than one user. Some Exchange-integrated applications also require this level of mailbox access. Indeed, the latter case is the one expected to cause the most problems.
Because the "Full Mailbox Access" permission has worked well so far, application vendors came to believe that this was the expected behavior. Now that the fix is available, their applications risk being blocked.
It is important to note that not all Exchange-integrated applications require these permissions. Many applications only require the ability to send emails via SMTP. The issue becomes relevant when a user (or application) performs an Exchange mailbox logon and sends emails on behalf of the mailbox owner. In this case the user is accessing the mailbox resources, which triggers permission enforcement.
Clearly, the type of email access adopted depends on the level of functionality required. For example, an application generating automatic replies for emails arriving in the inbox is likely to be affected. On the other hand, many mailing list applications only require sending emails via SMTP.
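The following added example (not from the KB article or any vendor) models the permission change described above and lists the delegates that can send today but will be blocked once the fix is applied. The entry format, the mailbox and account names, and the rule that a patched server requires an allowed "Send As" with no explicit deny are assumptions of this simplified model; the mailbox owner's own account is not modelled.

```python
from collections import namedtuple

# One access-control entry on a mailbox: who, which right, allow or deny.
Ace = namedtuple("Ace", "mailbox trustee right allow")

FULL_ACCESS = "Full Mailbox Access"
SEND_AS = "Send As"

def _state(aces, mailbox, trustee, right):
    """Return 'deny', 'allow' or None; an explicit deny beats an allow."""
    matches = [a.allow for a in aces
               if (a.mailbox, a.trustee, a.right) == (mailbox, trustee, right)]
    if False in matches:
        return "deny"
    return "allow" if True in matches else None

def can_send_as(aces, mailbox, trustee, patched):
    """Simplified model of the send check before and after the fix."""
    send_as = _state(aces, mailbox, trustee, SEND_AS) == "allow"
    if patched:
        return send_as  # assumption: only an allowed Send As counts
    # Pre-fix behaviour: Full Mailbox Access alone was enough,
    # even when Send As was explicitly denied.
    return send_as or _state(aces, mailbox, trustee, FULL_ACCESS) == "allow"

def affected_by_fix(aces):
    """Return (mailbox, trustee, reason) for delegates the fix will block."""
    findings = []
    for mailbox, trustee in sorted({(a.mailbox, a.trustee) for a in aces}):
        before = can_send_as(aces, mailbox, trustee, patched=False)
        after = can_send_as(aces, mailbox, trustee, patched=True)
        if before and not after:
            denied = _state(aces, mailbox, trustee, SEND_AS) == "deny"
            findings.append((mailbox, trustee,
                             "Send As denied" if denied else "Send As missing"))
    return findings

# Constructed sample data (hypothetical mailbox and account names).
SAMPLE_ACES = [
    Ace("support", "CORP\\alice", FULL_ACCESS, True),
    Ace("support", "CORP\\alice", SEND_AS, True),
    Ace("support", "CORP\\svc-autoreply", FULL_ACCESS, True),
    Ace("sales", "CORP\\bob", FULL_ACCESS, True),
    Ace("sales", "CORP\\bob", SEND_AS, False),
    Ace("sales", "CORP\\carol", SEND_AS, True),
]

if __name__ == "__main__":
    for mailbox, trustee, reason in affected_by_fix(SAMPLE_ACES):
        print(f"{mailbox}: {trustee} can no longer send ({reason})")
```

Entries reported as "Send As denied" deserve a second look before any right is granted, since the deny may have been deliberate and was simply not enforced before the fix.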
Troubleshooting Exchange integrated applications may be a bit tricky in this case. Here are some reasons:
Most applications will automatically set up mailbox access permissions during installation. This makes the setup a lot more user-friendly but may hide the permission requirements from administrators.
Access right problems are notoriously sneaky. Depending on how the application handles error conditions, the administrator's view of the problem may vary considerably.
The KB article was released last November and all vendors affected by this issue are likely to already have updates or articles explaining how to resolve the problem.
The Exchange blog recently highlighted solutions for BlackBerry and GoodLink users. See the links in the references for this post. A step-by-step procedure on how to manually configure the necessary rights is also included.
References
KB895949 - A delegate user who has "Full mailbox access" permissions for another user's mailbox can send e-mail messages as the mailbox owner in Exchange Server 2003
KB912918 - Error message when an application tries to send a message as another user by using Exchange Server 2003: "Access denied"
You Had Me At EHLO - BlackBerry and GoodLink users may be unable to send messages after applying latest Exchange 2003 store hotfixes
You Had Me At EHLO - Minimum permissions necessary to access mailbox data