...
If we replace the Mail Relays with Exchange Online, then the previous step doesn’t happen. We change the original MX record for “yale.edu” to point to “connect-yale-edu.mail.protection.outlook.com” and we take the teas and dump them in Boston harbor (we can have a party to celebrate the success of the project, but dressing up as native Americans is no longer appropriate because it is “cultural appropriation”).
Exchange Online will behave the same whether mail is sent to it directly or comes through the Mail Relays. So any mail that Exchange already processes correctly will work the same and we do not need to make changes.
The largest block of mail that will be processed differently are the student Eliapps accounts. Previously they would be sent from the Mail Relay to Google directly. Now the mail goes to Exchange. Because Exchange believes that it is “@yale.edu”, it initially expects that mail addressed to a user named “john.doe@yale.edu” is a personal O365 mailbox or a group object named “gravitywaveastronomy@yale.edu” is a shared mailbox or distribution list. However, it will find that the Azure AD User object for “john.doe@yale.edu” has no O365 account and will find no configured DL named “gravitywaveastronomy@yale.edu”.
It has always been possible to add configurations to Exchange and AD for mail accounts that belong to a university or company but which are hosted on another mail system. Originally Microsoft designed this when each department in a company had its own departmental mail server, but it works with any kind of server.
We already have the information we need in the Alias Table. Just as the current system uses the Alias Table to generate configuration for the Mail Relays, we can generate configuration in AD that Exchange will recognize as a pointer to a Yale University mail account on an external server. There has to be an AD object. The AD object cannot be a User with an O365 account (or the mail would be delivered to that mailbox). The object must be have a TargetAddress property.
The value of TargetAddress is essentially the MAILBOX column value in the Alias Table.
The AD Object can be a User or a Contact. Since every student with an Eliapps account already has an AD User object (and Yale Policy is that Eliapps mail users don’t also have an O365 mailbox), we have adopted the simplifying rule to put a TargetAddress in the existing User object for these students, but create a Contact for shared mailbox groups and everyone else.
The ALIAS_NAME must match one entry in the ProxyAddresses list property for the AD Object.
If we do this, then Exchange Online has the information it needs to forward mail for every Alias in the Alias Table that does not have an “@connect.yale.edu” MAILBOX, and therefore it can replace the existing Mail Relay function.
Exchange does not care how many objects you scatter into the AD, but it would certainly be a bad idea to create extra objects for the secondary Aliases of a student Eliapps account. So the student’s AD User object should contain ProxyAddresses for both the Primary Alias name and all secondary Alias names that point to the same “bulldogs” MAILBOX account.
We propose to also group Contact objects by MAILBOX value. More that one Alias can point to the same MAILBOX value, but if we group by MAILBOX value, we can then generate one Contact object for that value and add a ProxyAddresses entry for every ALIAS_NAME in the table with that MAILBOX.
Alias names change if a person chooses to change their First or Last name or if they enable and disable privacy. This is an IAM function.
Currently the old AD Daily Updater generates ProxyAddresses from Primary and Secondary Aliases of Exchange (@connect.yale.edu) MAILBOX values, although the old code gets confused unless the Netid owning the Alias is also the netid in the “netid@connect.yale.edu” value (which isn’t always true). The replacement code in IIQ (which has been written and tested but has not gone into production) fixes the incorrect assumptions by ignoring alias ownership, and it also generates the correct ProxyAddresses entries for primary and secondary Eliapps accounts (@bulldogs.yale.edu).
However, to address the “Canvas Contact” problem we have created ProxyAddresses and TargetAddress fields in the AD and Azure AD User objects of current students with Eliapps accounts. This is done only when the mailbox is created, so if a student generates Secondary Aliases or changes the Primary Alias, the ProxyAddresses list would have to be changed manually.
Done: Populate the ProxyAddresses list of student Eliapps users with any Secondary Aliases that have a MAILBOX that points to their Eliapps account.
Done: There may be Eliapps accounts that are the Primary Email Alias of people who are not current students and were not configured as part of the student class distribution list fix. Their Primary and Secondary aliases should be configured in their User objects if possible, or in a Contact if they also have an O365 account occupying the User object.
Done: All remaining Email Aliases (excluding aliases pointing to some sort of Exchange account or a Primary Eliapps account) get turned into Contacts. We do not create or look for User objects for them. A new Contact is created in some new OU, and the MAILBOX becomes its TargetAddress and all the ALIAS_NAMEs with that MAILBOX value become entries in its ProxyAddresses list.
Decision Point: The personal O365 and Eliapps accounts are plausibly related to IAM, although we are not in the business of creating Secondary Aliases. It may be decided that it is useful to continue to audit the Alias Table and the ProxyAddresses list to see if somehow personal Alias changes slipped in without generating the required ProxyAddress changes. However, the creation and modification of shared mailboxes and departmental accounts is not an IAM function and because these objects have no information in Identity tables, we are not in a position to audit them properly. We should consider this a one time conversion of Alias information into AD objects and properties that configure Exchange Online. Going forward, all scripts, tools, and procedures used to generate departmental accounts and create their aliases should also manage their Contacts with the mail routing information.
Cleanup: If tools are created or converted to manage non-personal mail accounts, then we should consider establishing some proper rules and converting existing entries to match these rules. In particular, the practice of creating an Email Alias and a Dependent Netid and assigning ownership of the Alias to the person who owns the dependent Netid causes serious problems. People leave the university without transferring both the alias and the Dependent Netid to someone else. Then when their personal mail gets deprovisioned, the Secondary Alias for the group account remains attached to the inactive AD User object. The correct thing to do is the assign ownership of the Alias to the Dependent Netid that represents the shared mail account. The account can then stand alone, and if the owner fails to transfer the Dependent Netid to someone else, well the Dependent Netid is still active even if the former owner is inactive. This fix is not technically part of the Mail Relay project, but if we are fixing all the tools for this type of account we should fix this at the same time.
People with an Eliapps Primary Alias and O365 Secondary Alias
receive the original address in the mail without any translation through the Alias table. This means that Exchange has to understand “howard.gilbert@yale.edu”, while if the Mail Relays had preprocessed this alias they would have forwarded it as “gilbert@connect.yale.edu”.
In practice, this means that every Alias name has to be mapped to a Recipient (as explained above). In the past, some Aliases were not recognized by Exchange, so it would forward that message to the Mail Relays who in turn would translate the alias to a MAILBOX value and send it back. To get rid of the Mail Relays, Exchange has to recognize every alias immediately.
Done: Populate the ProxyAddresses list of student Eliapps users with any Secondary Aliases that have a MAILBOX that points to their Eliapps account.
Done: There may be Eliapps accounts that are the Primary Email Alias of people who are not current students and were not configured as part of the student class distribution list fix. Their Primary and Secondary aliases should be configured in their User objects if possible, or in a Contact if they also have an O365 account occupying the User object.
Done: All remaining Email Aliases (excluding aliases pointing to some sort of Exchange account or a Primary Eliapps account) get turned into Contacts. We do not create or look for User objects for them. A new Contact is created in some new OU, and the MAILBOX becomes its TargetAddress and all the ALIAS_NAMEs with that MAILBOX value become entries in its ProxyAddresses list.
ToDo: The Legacy ADDailyUpdater is deleting Secondary Email Aliases from the ProxyAddresses list. This must be fixed.
Decision Point: The personal O365 and Eliapps accounts are plausibly related to IAM, although we are not in the business of creating Secondary Aliases. It may be decided that it is useful to continue to audit the Alias Table and the ProxyAddresses list to see if somehow personal Alias changes slipped in without generating the required ProxyAddress changes. However, the creation and modification of shared mailboxes and departmental accounts is not an IAM function and because these objects have no information in Identity tables, we are not in a position to audit them properly. We should consider this a one time conversion of Alias information into AD objects and properties that configure Exchange Online. Going forward, all scripts, tools, and procedures used to generate departmental accounts and create their aliases should also manage their Contacts with the mail routing information.
Cleanup: If tools are created or converted to manage non-personal mail accounts, then we should consider establishing some proper rules and converting existing entries to match these rules. In particular, the practice of creating an Email Alias and a Dependent Netid and assigning ownership of the Alias to the person who owns the dependent Netid causes serious problems. People leave the university without transferring both the alias and the Dependent Netid to someone else. Then when their personal mail gets deprovisioned, the Secondary Alias for the group account remains attached to the inactive AD User object. The correct thing to do is the assign ownership of the Alias to the Dependent Netid that represents the shared mail account. The account can then stand alone, and if the owner fails to transfer the Dependent Netid to someone else, well the Dependent Netid is still active even if the former owner is inactive. This fix is not technically part of the Mail Relay project, but if we are fixing all the tools for this type of account we should fix this at the same time.
People with an Eliapps Primary Alias and O365 Secondary Alias
The following people violate Yale policy by having an O365 account as a “secondary” rather than a primary account. Currently mail sent to “morrow.long@yale.edu” from any O365 user goes to his O365 inbox, while mail from outside Yale or from Eliapps goes to his Eliapps mailbox. When the Mail Relays go away, all mail will be delivered to O365. These users should be notified of the change.
| Code Block |
|---|
ALIAS_NAME TYPE MAILBOX NETID
---------- ---- ------- -----
morrow.long person morrow.long@bulldogs.yale.edu long
jason.ignatius person jason.ignatius@bulldogs.yale.edu jsi3
kcm.campbell person kcm.campbell@bulldogs.yale.edu cjc243
stuart.teal person stuart.teal@bulldogs.yale.edu sbt3
yanick-noelle.aigbedion person yanick-noelle.aigbedion@bulldogs.yale.edu yoa4
samira.ataei person samira.ataei@bulldogs.yale.edu fa292
jeff.mandell person jeff.mandell@bulldogs.yale.edu jm3353
sam.seiff person sam.seiff@bulldogs.yale.edu sbs79
bernardo.eilerttrevisan person bernardo.eilerttrevisan@bulldogs.yale.edu be244
elena.adasheva-klein person elena.adasheva-klein@bulldogs.yale.edu ea479
georgios.vasilopoulos person georgios.vasilopoulos@bulldogs.yale.edu vg284 |
...
person georgios.vasilopoulos@bulldogs.yale.edu vg284 |
People with Eliapps Primary Alias, No O365 Secondary Alias, but are “UserMailbox” Recipents (have a mailbox) in Exchange
The following people appear to have an O365 mailbox but no Email Alias points to it. Unless mail is sent directly to “netid@connect.yale.edu” they cannot get mail. If they login to their O365 account they can run Outlook, but they should not actually be able to receive mail. It appears the O365 mail account is left behind by some process. For example, some people change from O365 to Eliapps, and if the account is not deleted at the end, you end up with this situation. The problem here is that the unusable O365 account occupies the AD User object, so their Eliapps account has to be represented by a Contact object. This does not cause any problem and need not be fixed in order to retire the Mail Relays.
| Code Block |
|---|
ALIAS_NAME TYPE MAILBOX NETID ---------- ---- ------- ----- travis.zadeh person travis.zadeh@bulldogs.yale.edu tz237 thomas.langford person thomas.langford@bulldogs.yale.edu tl397 ben.kiernan person ben.kiernan@bulldogs.yale.edu magpie carol.hwang person carol.hwang@bulldogs.yale.edu chwang cynthia.farrar person cynthia.farrar@bulldogs.yale.edu cfarrar albert.laguna person albert.laguna@bulldogs.yale.edu al757 wayne.zhang person wayne.zhang@bulldogs.yale.edu wwz3 mark.gerstein person mark.gerstein@bulldogs.yale.edu mg269 richard.lalli person richard.lalli@bulldogs.yale.edu rl3 ivan.szelenyi person ivan.szelenyi@bulldogs.yale.edu is66 kusal.samarasinghe person kusal.samarasinghe@bulldogs.yale.edu kts34 victoria.misenti person victoria.misenti@bulldogs.yale.edu vlg8 william.hawkins person william.hawkins@bulldogs.yale.edu wbh24 richard.walser person richard.walser@bulldogs.yale.edu rwalser keith.corbino person keith.corbino@bulldogs.yale.edu kac64 jesus.yanez person jesus.yanez@bulldogs.yale.edu jy384 yong.xiong person yong.xiong@bulldogs.yale.edu yx44 wasim.sayyad person wasim.sayyad@bulldogs.yale.edu was35 rohan.gurram person rohan.gurram@bulldogs.yale.edu rkg33 nirag.kadakia person nirag.kadakia@bulldogs.yale.edu nk479 aman.khanuja person aman.khanuja@bulldogs.yale.edu ak2385 nicholas.ryan person nicholas.ryan@bulldogs.yale.edu njr33 j.zhang person j.zhang@bulldogs.yale.edu jz435 claudia.villano person claudia.villano@bulldogs.yale.edu cav7 kyle.vanderwerf person kyle.vanderwerf@bulldogs.yale.edu krv8 paul.wolfram person paul.wolfram@bulldogs.yale.edu pw379 kas.tebbetts person kas.tebbetts@bulldogs.yale.edu kt522 soumya.james person soumya.james@bulldogs.yale.edu sj484 megan.eckerle person megan.eckerle@bulldogs.yale.edu mme28 ronald.tricoche person ronald.tricoche@bulldogs.yale.edu rt347 craig.luekens person craig.luekens@bulldogs.yale.edu cal65 andrea.darif person andrea.darif@bulldogs.yale.edu ad566 saul.jaime-figueroa person saul.jaime-figueroa@bulldogs.yale.edu sj396 omer.mano person omer.mano@bulldogs.yale.edu om55 xinglin.lu person xinglin.lu@bulldogs.yale.edu xl294 mahmut.demir person mahmut.demir@bulldogs.yale.edu md762 andrew.currie person andrew.currie@bulldogs.yale.edu ajc82 libby.didomizio person libby.didomizio@bulldogs.yale.edu eed37 nathan.chang person nathan.chang@bulldogs.yale.edu nac53 ting.zhou person ting.zhou@bulldogs.yale.edu tz232 debra.houle person debra.houle@bulldogs.yale.edu dh462 daifeng.wang person daifeng.wang@bulldogs.yale.edu dw396 yotam.hadar person yotam.hadar@bulldogs.yale.edu ymh4 paul.berkowitz person paul.berkowitz@bulldogs.yale.edu phb8 fatih.celikbas person fatih.celikbas@bulldogs.yale.edu fc359 luyao.jiang person luyao.jiang@bulldogs.yale.edu lj275 michelle.yuen person michelle.yuen@bulldogs.yale.edu mcy6 jonathan.warrell person jonathan.warrell@bulldogs.yale.edu jw2394 timur.galeev person timur.galeev@bulldogs.yale.edu tg397 sara.smith person sara.smith@bulldogs.yale.edu sks25 melissa.lu person melissa.lu@bulldogs.yale.edu ml2453 jaeeun.song person jaeeun.song@bulldogs.yale.edu js2894 vishal.patel person vishal.patel@bulldogs.yale.edu vp276 wenjun.hu person wenjun.hu@bulldogs.yale.edu wh288 j.zhuang person j.zhuang@bulldogs.yale.edu jz472 tianliuyun.gao person tianliuyun.gao@bulldogs.yale.edu tg344 nat.irwin person nat.irwin@bulldogs.yale.edu nsi4 declan.clarke person declan.clarke@bulldogs.yale.edu dc547 arthur.lau person arthur.lau@bulldogs.yale.edu ajl74 kevin.lopez person kevin.lopez@bulldogs.yale.edu kl533 raymond.simpson person raymond.simpson@bulldogs.yale.edu rgs45 roger.desravines person roger.desravines@bulldogs.yale.edu rd557 rachel.renne person rachel.renne@bulldogs.yale.edu rr687 claudia.valeggia person claudia.valeggia@bulldogs.yale.edu crv7 eduardo.fernandez-duque person eduardo.fernandez-duque@bulldogs.yale.edu ef344 farren.isaacs person farren.isaacs@bulldogs.yale.edu fji2 sahand.negahban person sahand.negahban@bulldogs.yale.edu snn7 karihenkelmann.keyl person karihenkelmann.keyl@bulldogs.yale.edu kk544 john.henderson person john.henderson@bulldogs.yale.edu jh925 antonio.fonseca person antonio.fonseca@bulldogs.yale.edu ahf38 xing.wu person xing.wu@bulldogs.yale.edu xw358 tianxiao.li person tianxiao.li@bulldogs.yale.edu tl444 clinton.wang person clinton.wang@bulldogs.yale.edu cjw46 hatice.erten person hatice.erten@bulldogs.yale.edu hne2 lewis.golove person lewis.golove@bulldogs.yale.edu lg432 laurel.german person laurel.german@bulldogs.yale.edu lag48 mela.toro person mela.toro@bulldogs.yale.edu at549 andres.munozrojas person andres.munozrojas@bulldogs.yale.edu arm92 alberto.urcia person alberto.urcia@bulldogs.yale.edu au45 clare.staib-kaufman person clare.staib-kaufman@bulldogs.yale.edu cs2528 damon.clark person damon.clark@bulldogs.yale.edu dac77 jennifer.wu person jennifer.wu@bulldogs.yale.edu jw2282 jennifer.raab person jennifer.raab@bulldogs.yale.edu jcr42 marcus.alexander person marcus.alexander@bulldogs.yale.edu mam96 noah.planavsky person noah.planavsky@bulldogs.yale.edu np363 dhanusha.nalawansha person dhanusha.nalawansha@bulldogs.yale.edu dan44 leonidas.salichos person leonidas.salichos@bulldogs.yale.edu ls926 isaac.nakhimovsky person isaac.nakhimovsky@bulldogs.yale.edu isn2 chitra.ramalingam person chitra.ramalingam@bulldogs.yale.edu cr537 robyn.creswell person robyn.creswell@bulldogs.yale.edu rc698 basile.njei person basile.njei@bulldogs.yale.edu bn72 jacqueline.kisa person jacqueline.kisa@bulldogs.yale.edu jkk35 benjamin.schwartz person benjamin.schwartz@bulldogs.yale.edu bs843 shaoke.lou person shaoke.lou@bulldogs.yale.edu sl2373 steven.chou person steven.chou@bulldogs.yale.edu sc2493 sarah.luckart person sarah.luckart@bulldogs.yale.edu srl54 jacob.e.miller person jacob.e.miller@bulldogs.yale.edu jem263 joseph.goode person joseph.goode@bulldogs.yale.edu jbg66 ran.gu person ran.gu@bulldogs.yale.edu rg684 marilyn.mossien person marilyn.mossien@bulldogs.yale.edu mrm95 nikhil.malvankar person nikhil.malvankar@bulldogs.yale.edu nm563 terence.renaud person terence.renaud@bulldogs.yale.edu tr369 test2.infoed.ti7 person test2.infoed.ti7@bulldogs.yale.edu ti7 david.breslow person david.breslow@bulldogs.yale.edu dkb27 yannick.jacob person yannick.jacob@bulldogs.yale.edu yj242 susan.choi person susan.choi@bulldogs.yale.edu sc385 alyssa.dechiaro person alyssa.dechiaro@bulldogs.yale.edu ad949 imad.rizvi person ir99@bulldogs.yale.edu ir99 yat.wong person yat.wong@bulldogs.yale.edu yw629 xinyi.zhang.xz476 person xinyi.zhang.xz476@bulldogs.yale.edu xz476 rachael.roettenbacher person rachael.roettenbacher@bulldogs.yale.edu rmr79 killian.mcloughlin person killian.mcloughlin@bulldogs.yale.edu km2345 jennifer.nulsen person jennifer.nulsen@bulldogs.yale.edu jn535 a.scott person a.scott@bulldogs.yale.edu aas228 chenziyi.mi person chenziyi.mi@bulldogs.yale.edu cm2523 sebastian.lordadumont person sebastian.lordadumont@bulldogs.yale.edu ssl57 haoran.cao person haoran.cao@bulldogs.yale.edu hc685 jack.berry person jack.berry@bulldogs.yale.edu jrb248 mark.lisi person mark.lisi@bulldogs.yale.edu ml2622 brian.koopman person brian.koopman@bulldogs.yale.edu bjk49 avi.cohen person avi.cohen@bulldogs.yale.edu ajc259 ishan.negi person ishan.negi@bulldogs.yale.edu in49 yinan.chen person yinan.chen@bulldogs.yale.edu yc778 pranavateja.surukuchi person pranavateja.surukuchi@bulldogs.yale.edu ps938 yue.hu person yue.hu@bulldogs.yale.edu yh567 gabe.petrov person gabe.petrov@bulldogs.yale.edu gpp8 haven.herrin person haven.herrin@bulldogs.yale.edu hmh47 yixuan.tan person yixuan.tan@bulldogs.yale.edu yt355 yakun.zhou person yakun.zhou@bulldogs.yale.edu yz883 jacques.saarbach person jacques.saarbach@bulldogs.yale.edu js3973 emma.mckinney person emma.mckinney@bulldogs.yale.edu em873 michael.rader person michael.rader@bulldogs.yale.edu mr2542 ashley.arthur person ashley.arthur@bulldogs.yale.edu ala72 andy.knauer person ajk83@bulldogs.yale.edu ajk83 xiangyu.zhang person xiangyu.zhang@bulldogs.yale.edu xz527 ben.crair person ben.crair@bulldogs.yale.edu bec32 nicolas.maffey person nicolas.maffey@bulldogs.yale.edu nam87 charalampos.papamanthou person charalampos.papamanthou@bulldogs.yale.edu cp936 xuqiang.qin person xuqiang.qin@bulldogs.yale.edu xq43 sunny.yang person sunny.yang@bulldogs.yale.edu gy88 alison.sweeney person alison.sweeney@bulldogs.yale.edu as3822 chungsuk.choi person chungsuk.choi@bulldogs.yale.edu cc2858 makenna.hamilton person makenna.hamilton@bulldogs.yale.edu mh2539 chaofan.xu person chaofan.xu@bulldogs.yale.edu cx78 david.goerger person david.goerger@bulldogs.yale.edu deg38 ruifeng.sun person ruifeng.sun@bulldogs.yale.edu rs2623 juan.gambetta person juan.gambetta@bulldogs.yale.edu jpg68 caroline.chen person caroline.chen@bulldogs.yale.edu cc2766 junqi.wang person junqi.wang@bulldogs.yale.edu jw2675 fl428 person fl428@bulldogs.yale.edu fl428 ar2483 person ar2483@bulldogs.yale.edu ar2483 |
AD Daily Updater Bug Entries
There are around 1700 users who have only Eliapps Email aliases and who are regarded by Exchange Online as only MailUsers (that is, they are not UserMailbox entries and therefore have no Exchange mail account). The Legacy AD Daily Updater may have added incorrect smtp:netid@connect.yale.edu and smtp:first.last@connect.yale.edu proxyaddresses and values for msexchversion and three other msexch* fields. These should be removed, although they create no problems for the Mail Relay retirement project and are just incorrect data that should be cleaned up when the Legacy AD Daily Updater is retriedThe Legacy ADDailyUpdater code adds “netid@connect.yale.edu” and “first.last@connect.yale.edu” to some Eliapps User objects. These entries are misleading to a person, but they do not confuse Exchange Online. These AD User objects are MailUsers with an ExternalEmailAddress (called a TargetAddress in AD). They do not have an O365 Mailbox and Exchange knows that even though there are “connect.yale.edu” entries in the ProxyAddresses list. Again, this is not something that has to be fixed to retire the Mail Relays, but after the ADDailyUpdater is replaced by the IIQ AD Updater function, these incorrect entries should be deleted. Also, any msExchVersion number or other msExchxxxx fields incorrectly set by Legacy ADDailyUpdater should be cleared. This will be a one time Powershell cleanup done after we stop running ADDailyUpdater.