An often heard requirement is that of preventing one or a few users from sending/receiving internet mail.
Outbound internet mail: On Exchange Server 2003/2000, this was accomplished using Delivery Restrictions on SMTP Connector(s) for address space *.
Exchange Server 2007 doesn't have a similar way of implementing Delivery Restrictions, but it provides the convenience of inspecting messages in the transport pipeline and taking actions on those, using Transport Rules. To create a Transport Rule that prevents users from sending internet mail:
Create a Distribution Group - let's call it "DG-NoInternetMail". Add the recipients you want to prevent from sending internet email as members of the group.
Create a Transport Rule [Flash demo]
1) Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule
2) Enter a name for the rule - e.g. Rule-NoInternetMail
3) On the Conditions page, select "From a member of a distribution list"
4) In the rule description, click the link for distribution list (underlined)
5) Click Add | Select the distribution list "DG-NoInternetMail"
6) Under Conditions, select a second condition "Sent to users inside or outside the organization"
7) In the rule description, click Inside (underlined) | change scope to Outside
8) Click Next
9) On the Actions page, select "send bounce message to sender with enhanced status code"
10) If you want to modify the text of the bounced message (optional): In the description, click "Delivery not authorized, message refused" | enter new message text
11) Click Next | verify the rule conditions and action in the summary
12) Click New | click Finish
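The same rule built from the Exchange Management Shell instead of the console wizard, as an added example that is not part of the original post. The predicate names FromMemberOf and SentToScope, the action RejectMessage and their property names are assumed from the Exchange 2007 cmdlets; confirm them on your server with Get-TransportRulePredicate and Get-TransportRuleAction before relying on the script.

```powershell
# Added example: shell equivalent of the 12-step wizard above (Exchange Server 2007).
# Assumption: predicate/action names and properties are as listed by
# Get-TransportRulePredicate and Get-TransportRuleAction on an Exchange 2007 Hub Transport server.

$groupName = "DG-NoInternetMail"
$ruleName  = "Rule-NoInternetMail"

# Condition 1: the sender is a member of the distribution group
$fromMember = Get-TransportRulePredicate -Name FromMemberOf
$fromMember.Addresses = @(Get-DistributionGroup -Identity $groupName)

# Condition 2: the message is addressed to recipients outside the organization
# (this is the "Inside -> Outside" scope change from step 7)
$toOutside = Get-TransportRulePredicate -Name SentToScope
$toOutside.Scope = "NotInOrganization"

# Action: bounce the message to the sender with an enhanced status code (step 9/10)
$reject = Get-TransportRuleAction -Name RejectMessage
$reject.RejectReason = "Delivery not authorized, message refused"
$reject.EnhancedStatusCode = "5.7.1"

# Both conditions must match for the action to fire
New-TransportRule -Name $ruleName -Conditions @($fromMember, $toOutside) -Actions @($reject)

# Verify the rule as the Hub Transport servers will see it
Get-TransportRule -Identity $ruleName | Format-List Name, Conditions, Actions, Enabled
```

Membership changes to the group are only seen by the rule once each Hub Transport server's recipient cache refreshes, so test with a user who was already a member when the rule was created.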
Inbound internet mail: In Exchange Server 2003/2000, you can prevent a recipient from receiving internet mail by requiring authentication to be able to send to the recipient. Internet senders are not authenticated. There are other ways to prevent inbound mail for certain users - like using Recipient Filtering, or generating an invalid email address from a non-existent domain, e.g. foo@nonexistentdomain.corp.
Exchange Server 2007 recipients can be set up to require sender authentication to receive email.
Using the Exchange console:
- Recipient Configuration -> select recipient -> recipient properties | Mail Flow Settings tab | Message Delivery Restrictions | Properties
- check "require that senders are authenticated"
Using the shell:
Set-Mailbox "Foo User" -RequireSenderAuthenticationEnabled $true
Additionally, either of the other 2 alternatives mentioned above for Exchange Server 2003/2000 can be used to prevent users from receiving internet email.
Setting delivery restriction based on group membership: Rather than setting up each recipient to receive inbound mail from authenticated senders only, you can get membership of the above distribution group and pipe it into the Set-Mailbox command:
Get-DistributionGroupMember "DG-NoInternetMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true
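A bulk version of that command, as an added example that is not part of the original post. It expands the group with Get-DistributionGroupMember (piping the group object itself into Set-Mailbox fails, because a distribution group is not a mailbox), skips members that are not mailboxes, and then checks that the flag was actually set on each one. The group name is the one assumed throughout the post.

```powershell
# Added example: apply the inbound restriction to every mailbox in the group, then verify.
# Assumption: the group "DG-NoInternetMail" exists; contacts or nested groups among its
# members are skipped because Set-Mailbox can only act on mailbox-enabled users.

$groupName = "DG-NoInternetMail"

# Expand membership and keep only user mailboxes
$members = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -eq "UserMailbox" }

# Require authenticated senders for each of them
$members | Set-Mailbox -RequireSenderAuthenticationEnabled $true

# Re-read each mailbox and warn about any where the restriction did not stick
$members | ForEach-Object {
    $mbx = Get-Mailbox -Identity $_.Identity
    if (-not $mbx.RequireSenderAuthenticationEnabled) {
        Write-Warning ("Restriction not applied to " + $mbx.PrimarySmtpAddress)
    }
}

# Summary of how many mailboxes in the group now reject unauthenticated senders
$count = @($members | Get-Mailbox | Where-Object { $_.RequireSenderAuthenticationEnabled }).Count
Write-Host ("Mailboxes in " + $groupName + " requiring sender authentication: " + $count)
```

A mailbox with this flag set still receives mail from other authenticated mailboxes in the organization; it only drops anonymous (internet) senders.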
Use OWA/Outlook to test sending internet mail from a user who is a member of the distribution group.
Labels: Administration, Exchange Server 2007, Exchange Shell, Mailbox

5 Comments:
This is just what I have been looking to implement. Thanks for the great post!
I am trying to restrict internet mail for about 5000 students. Do you foresee any problems with having that many people in a DG in this particular application?
The assumption is it'll be way better performance-wise than doing the same thing on Exchange Server 2003 using Delivery Restrictions.
From what I've heard: the initial loading may take a few seconds, but after that you shouldn't see any issues.
The best way to find out would be to first try this in a test environment if you can.
This tripped me up....
Also note:
Understanding How Transport Rules Are Applied in an Exchange 2007 Organization
http://technet.microsoft.com/en-us/library/bb124703.aspx
At the end of this document, note the following explanation:
"Each Hub Transport server maintains a recipient cache that is used to look up recipient and distribution list information. The recipient cache reduces the number of requests that each Hub Transport server must make to an Active Directory domain controller. The recipient cache updates every four hours. The recipient cache update interval can't be modified. As a result, changes to transport rule recipients, such as the addition or removal of distribution list members, may not be applied to transport rules until the recipient cache is updated. To force an immediate update of the recipient cache, you must stop and start the MSExchangeTransport service. This must be done for each Hub Transport server where you want to forcibly update the recipient cache."
So basically:
1. Addition or removal of distribution list members is NOT applied to transport rules until the recipient cache is updated
2. The recipient cache is updated every 4 hours
3. The update interval cannot be modified
4. To force an immediate update, we need to restart the MSExchangeTransport service
Great newspost.
I only have one problem with it.
I want to block incoming mails for the members of DistributionGroup DG_NoExternalEmail, but when I use the command in the newspost:
Get-DistributionGroup "DG_NoExternalMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true
and the DG is created in Exchange and visible in AD, I receive the error:
[PS] C:\Documents and Settings\ADMINISTRATOR.HOOFDKANTOOR\Desktop>Get-DistributionGroup "DG_NoExternalMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true
Set-Mailbox : The operation could not be performed because object 'CN=DG_NoExternealMail,CN=Users,DC=Hoofdkantoor,DC=local' could not be found on domain controller 'dc01.Hoofdkantoor.local'.
At line:1 char:57
+ Get-DistributionGroup "DG_GeenExterneMail" | Set-Mailbox <<<< -RequireSenderAuthenticationEnabled $true
This is good information, I just have a question under the same token. How can I limit a group of users to receive email from a specific domain and block every other domain? ex: DG_XXDomain able to send and receive just from yyy.com domain (a Sales Partner). I'm using Exchange 2003 SP2
Thank You