Many organizations want to restrict certain sets of users from sending or receiving Internet mail. “How do you prevent a user from sending or receiving Internet mail?” is a frequently asked question. Here’s how to accomplish this in Exchange 2010, Exchange 2007 and Exchange 2003.
Restricting outbound Internet mail for some users
On Exchange Server 2003/2000, you can prevent users from sending outbound Internet email by using Delivery Restrictions on SMTP Connector(s) for address space *.
Exchange Server 2010/2007 don’t have a similar way of implementing Delivery Restrictions, but they provide something much more convenient – Transport Rules. Transport Rules allow you to inspect messages in the transport pipeline and take actions such as blocking, rejecting or dropping messages that match the conditions you define in the rule.
To create a Transport Rule to prevent users from sending Internet mail:
Create a Distribution Group
Let’s call it DG-NoInternetMail. Add the recipients you want to prevent from sending internet email as members of the group.
Create a Transport Rule
1) Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule
2) Enter a name for the rule – e.g. Rule-NoInternetMail
3) On the Conditions page, select “From a member of a distribution list“
4) In the rule description, click the link for distribution list (underlined)
5) Click Add | Select the distribution list “DG-NoInternetMail”
6) Under Conditions, select a second condition “Sent to users inside or outside the organization“
7) In the rule description, click Inside (underlined) | change scope to Outside
8) Click Next
9) On the Actions page, select “send bounce message to sender with enhanced status code“
10) If you want to modify the text of the bounced message (optional): In the description, click “Delivery not authorized, message refused” | enter new message text
11) Click Next | verify the rule conditions and action in the summary
12) Click New | click Finish
Restricting inbound Internet mail for some users
In Exchange Server 2003/2000, you can prevent a recipient from receiving Internet mail by requiring authentication to be able to send to the recipient. Internet senders are not authenticated. There are other ways to prevent inbound mail for certain users – like using Recipient Filtering, or generating an invalid email address from a non-existent domain, e.g. firstname.lastname@example.org.
Configure Exchange 2010/2007 recipients to require sender authentication
In Exchange 2010/2007, you can configure recipients to require sender authentication to receive email. This prevents unauthenticated senders from sending mail to them.
Using the Exchange console:
- Expand Recipient Configuration -> select recipient -> recipient Properties | Mail Flow Settings page | Message Delivery Restrictions | Properties
- Select “require that senders are authenticated“
Using the Shell:
Set-Mailbox "Foo User" -RequireSenderAuthenticationEnabled $true
Additionally, either of the two other alternatives mentioned above for Exchange Server 2003/2000 can also be used to prevent users from receiving Internet email.
Setting delivery restriction based on group membership: Rather than setting up each recipient to receive inbound mail from authenticated senders only, you can get membership of the above distribution group and pipe it into the Set-Mailbox command:
Get-DistributionGroupMember "DG-NoInternetMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true
Use OWA/Outlook to test sending Internet mail from a user who is a member of the distribution group.
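The outbound Transport Rule and the group-based inbound restriction described above can also be applied and audited from the Exchange Management Shell. The script below is an added example, not part of the original article; it assumes Exchange 2010 parameter syntax for New-TransportRule (Exchange 2007 builds rules from predicate and action objects instead) and assumes 5.7.1 as the enhanced status code.

```powershell
# Added example: run in the Exchange 2010 Management Shell.
$group = 'DG-NoInternetMail'    # distribution group name used in the article
$rule  = 'Rule-NoInternetMail'  # transport rule name used in the article

# Outbound: reject mail from group members to recipients outside the organization.
# Skip creation if a rule with this name already exists.
if (-not (Get-TransportRule -Identity $rule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $rule `
        -FromMemberOf $group `
        -SentToScope NotInOrganization `
        -RejectMessageReasonText 'Delivery not authorized, message refused' `
        -RejectMessageEnhancedStatusCode '5.7.1'   # assumed status code
}

# Inbound: require sender authentication for every mailbox in the group.
# Contacts and nested groups are filtered out because Set-Mailbox only
# accepts mailboxes.
$members = Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

foreach ($m in $members) {
    Set-Mailbox -Identity $m.Identity -RequireSenderAuthenticationEnabled $true
}

# Audit 1: confirm the rule is enabled and scoped as intended.
Get-TransportRule -Identity $rule |
    Format-List Name, State, FromMemberOf, SentToScope

# Audit 2: list group members that still accept mail from unauthenticated
# senders. An empty result means the inbound restriction covers everyone.
$members |
    ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress
```

The transport rule evaluates group membership each time a message is processed, but the Set-Mailbox step is a one-time snapshot, so rerun the inbound step and the second audit whenever members are added to the group. Get-DistributionGroupMember does not expand nested groups, so mailboxes that belong only through a nested group need to be handled separately.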