HOW TO: Prevent a user from sending and receiving internet mail

by Bharat Suneja

Many organizations want to restrict certain sets of users from sending or receiving Internet mail. “How do you prevent a user from sending or receiving Internet mail?” is a frequently asked question. Here’s how to accomplish this in Exchange 2010, Exchange 2007 and Exchange 2003.

Restricting outbound Internet mail for some users

On Exchange Server 2003/2000, you can prevent users from sending outbound Internet email by using Delivery Restrictions on the SMTP Connector(s) for address space *.

Exchange Server 2010/2007 don’t have a similar way of implementing Delivery Restrictions, but they provide something much more convenient – Transport Rules. Transport Rules allow you to inspect messages in the transport pipeline and take actions such as blocking, rejecting or dropping messages that match the conditions you define in the rule.

To create a Transport Rule to prevent users from sending internet mail:

Create a Distribution Group

Let’s call it DG-NoInternetMail. Add the recipients you want to prevent from sending internet email as members of the group.

Create a Transport Rule

1) Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule
2) Enter a name for the rule – e.g. Rule-NoInternetMail
3) On the Conditions page, select “From a member of a distribution list”
4) In the rule description, click the link for distribution list (underlined)
5) Click Add | Select the distribution list “DG-NoInternetMail”
6) Under Conditions, select a second condition “Sent to users inside or outside the organization”
7) In the rule description, click Inside (underlined) | change scope to Outside
8) Click Next
9) On the Actions page, select “send bounce message to sender with enhanced status code”
10) If you want to modify the text of the bounced message (optional): In the description, click “Delivery not authorized, message refused” | enter new message text
11) Click Next | verify the rule conditions and action in the summary
12) Click New | click Finish

Restricting inbound Internet mail for some users

In Exchange Server 2003/2000, you can prevent a recipient from receiving Internet mail by requiring authentication to be able to send to the recipient. Internet senders are not authenticated. There are other ways to prevent inbound mail for certain users – like using Recipient Filtering, or generating an invalid email address from a non-existent domain, e.g. [email protected].

Configure Exchange 2010/2007 recipients to require sender authentication

In Exchange 2010/2007, you can configure recipients to require sender authentication to receive email. This prevents unauthenticated senders from sending mail to them.

Using the Exchange console:

  1. Expand Recipient Configuration -> select recipient -> recipient Properties | Mail Flow Settings page | Message Delivery Restrictions | Properties
  2. Select “require that senders are authenticated”

Using the Shell:

Set-Mailbox "Foo User" -RequireSenderAuthenticationEnabled $true

Additionally, either of the two other alternatives mentioned above for Exchange Server 2003/2000 can also be used to prevent users from receiving Internet email.

Setting delivery restriction based on group membership: Rather than setting up each recipient individually to receive inbound mail from authenticated senders only, you can get the membership of the above distribution group and pipe it into the Set-Mailbox command:

Get-DistributionGroupMember "DG-NoInternetMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true
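The console steps above and the group-based Set-Mailbox pipe, combined into one Exchange Management Shell script. This is an added example, not part of the original post; it assumes the Exchange 2010 New-TransportRule parameters (-FromMemberOf, -SentToScope, -RejectMessageEnhancedStatusCode, -RejectMessageReasonText), and the member aliases are constructed sample values.

```powershell
# Added example (not from the original post): shell equivalent of the
# console procedure for Exchange 2010. Group and rule names come from the
# post; the member aliases below are constructed sample values.

$groupName = "DG-NoInternetMail"
$ruleName  = "Rule-NoInternetMail"
$members   = @("alice", "bob")   # constructed sample aliases

# 1. Create the distribution group (skip if it already exists) and add members.
if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Type Distribution | Out-Null
}
foreach ($m in $members) {
    Add-DistributionGroupMember -Identity $groupName -Member $m -ErrorAction SilentlyContinue
}

# 2. Outbound block (console steps 1-12): mail from a group member to any
#    recipient outside the organization is rejected with an NDR.
New-TransportRule -Name $ruleName `
    -FromMemberOf $groupName `
    -SentToScope NotInOrganization `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Delivery not authorized, message refused"

# 3. Inbound block driven by the same group: each member's mailbox accepts
#    mail from authenticated senders only (Internet senders are not authenticated).
#    Use Get-DistributionGroupMember, not Get-DistributionGroup: piping the group
#    object itself into Set-Mailbox fails with "could not be found", as reported
#    in the comments. The filter keeps non-mailbox members (e.g. mail users) out
#    of Set-Mailbox, which would otherwise error on them.
Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.RecipientType -like "*Mailbox*" } |
    Set-Mailbox -RequireSenderAuthenticationEnabled $true

# 4. Verify: the rule is present and enabled, and every member requires
#    sender authentication.
Get-TransportRule -Identity $ruleName | Format-List Name, State, FromMemberOf, SentToScope
Get-DistributionGroupMember -Identity $groupName |
    Get-Mailbox |
    Format-Table Name, RequireSenderAuthenticationEnabled

# Transport rules resolve group membership from the Hub Transport recipient
# cache, which refreshes every four hours and cannot be tuned. To apply a
# membership change at once, restart the transport service on each Hub
# Transport server:
#   Restart-Service MSExchangeTransport
```

Step 3 takes effect as soon as Set-Mailbox completes; only the transport rule in step 2 is subject to the recipient-cache delay.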

Test it!

Use OWA/Outlook to test sending Internet mail from a user who is a member of the distribution group.


Anonymous July 12, 2007 at 12:47 pm

This is just what I have been looking to implement. Thanks for the great post!

I am trying to restrict internet mail for about 5000 students. Do you foresee any problems with having that many people in a DG in this particular application?


Bharat Suneja July 12, 2007 at 5:52 pm

The assumption is it’ll be way better performance-wise than doing the same thing on Exchange Server 2003 using Delivery Restrictions.

From what I’ve heard: the initial loading may take a few seconds, but after that you shouldn’t see any issues.

The best way to find out would be to first try this in a test environment if you can.


Melissa Stowe August 15, 2007 at 9:39 am

This tripped me up….

Also note:

Understanding How Transport Rules Are Applied in an Exchange 2007 Organization

http://technet.microsoft.com/en-us/library/bb124703.aspx

At the end of this document, note the following explanation:

“Each Hub Transport server maintains a recipient cache that is used to look up recipient and distribution list information. The recipient cache reduces the number of requests that each Hub Transport server must make to an Active Directory domain controller. The recipient cache updates every four hours. The recipient cache update interval can’t be modified. As a result, changes to transport rule recipients, such as the addition or removal of distribution list members, may not be applied to transport rules until the recipient cache is updated. To force an immediate update of the recipient cache, you must stop and start the MSExchangeTransport service. This must be done for each Hub Transport server where you want to forcibly update the recipient cache.”

So basically:

1. Addition or removal of distribution list members is NOT applied to transport rules until the recipient cache is updated

2. The recipient cache is updated every 4 hours

3. The update interval cannot be modified

4. To enforce an immediate update, we need to restart MSExchangeTransport service


Peter van Welt October 10, 2007 at 4:12 am

Great newspost.

I only have one problem with it.
I want to block incoming mails for the members of DistributionGroup DG_NoExternalEmail, but when I use the command in the newspost:

Get-DistributionGroup "DG_NoExternalMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true

and the DG is created in Exchange and visible in the AD, I receive the error:

[PS] C:\Documents and Settings\ADMINISTRATOR.HOOFDKANTOOR\Desktop>Get-DistributionGroup “DG_NoExternalMail” | Set-Mailbox -RequireSenderAuthenticationEnabled $true
Set-Mailbox : The operation could not be performed because object ‘CN=DG_NoExternealMail,CN=Users,DC=Hoofdkantoor,DC=local’ could not be found on domain controller ‘dc01.Hoofdkantoor.local’.
At line:1 char:57
+ Get-DistributionGroup “DG_GeenExterneMail” | Set-Mailbox <<<< -RequireSenderAuthenticationEnabled $true


Carlos April 15, 2008 at 1:25 pm

This is good information; I just have a question along the same lines. How can I limit a group of users to receive email from a specific domain and block every other domain? E.g. DG_XXDomain able to send and receive just from the yyy.com domain (a Sales Partner). I’m using Exchange 2003 SP2.

Thank You


Sam January 20, 2009 at 12:18 pm

I agree with Peter, the command does not work, but this one does:

Get-DistributionGroupMember -Identity "DG-NoInternetMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true


Bryce June 11, 2012 at 11:03 am

This does not appear to work if the DG-NoInternetMail distribution group is marked to “hide group from Exchange address lists”. Anyone else have this problem?


Mohammad Mustafa August 23, 2012 at 12:34 am

Dear:

1st-
When I send email to a group, I don’t want these users to view the group members by expanding it in the To: field.

2nd
I want some users to send mails for specific user (AD) or mails


René Tana March 7, 2014 at 3:35 am

Thanks is working…


Julian Blue July 2, 2015 at 6:02 am

Using the RequireSenderAuthenticationEnabled for blocking inbound internet mail is ok,
but requires a new command each time you want to restrict a new user.

Why not create a second Transport Rule with inverted filters,
i.e. “From NotInOrganization” to members of “DG-NoInternetMail”?
This way you just have to add new restricted users to the Group.


Bharat Suneja January 27, 2016 at 5:44 pm

Thanks for the feedback. Believe this had to do with the transport rule predicates available in Exchange 2007/2010 when the post was written.


Mr. Greg January 27, 2016 at 1:17 pm

Julian,

Good suggestion; it works in reverse also. Using the transport rule allows turning off the NDR response option, whereas using the Require Sender Authentication Enabled (check box) option would send an NDR.

Bharat – Thanks for the write-up how-to :)


Paul Brown December 23, 2022 at 6:59 pm

I’ve been using a flash blocker extension for years, in chrome and firefox. When I used to do IT support in a small company I would install the blocker extensions before handing over a computer to a new member of staff, it reduced my work load not having to reinstall computers due to web infections, and staff complaints about laggy internet when they were using mobile data.
Paul Brown
