Prevent a user from sending and receiving internet mail in Exchange

1. Create a Distribution Group – let’s call it “DG-NoInternetMail”. Add the recipients you want to prevent from sending internet email as members of the group.

2. Create a Transport Rule

  1. Fire up Exchange console | Organization Configuration | Hub Transport| Transport Rules tab | click New Transport Rule
  2. Enter a name for the rule – e.g. Rule-NoInternetMail
  3. On the Conditions page, select “From a member of a distribution list”
  4. In the rule description, click the link for distribution list (underlined)
  5. Click Add | Select the distribution list “DG-NoInternetMail”
  6. Under Conditions, select a second condition “Sent to users inside or outside the organization”
  7. In the rule description, click Inside (underlined) | change scope to Outside
  8. Click Next
  9. On the Actions page, select “send bounce message to sender with enhanced status code”
  10. If you want to modify the text of the bounced message (optional): In the description, click “Delivery not authorized, message refused” | enter new message text
  11. Click Next | verify the rule conditions and action in the summary
  12. Click New | click Finish

Inbound internet mail: In Exchange Server 2003/2000, you can prevent a recipient from receiving internet mail by requiring sender authentication for delivery to that recipient; internet senders are never authenticated, so their mail is rejected. There are other ways to prevent inbound mail for certain users, such as Recipient Filtering, or assigning the recipient an address in a non-existent domain, e.g. foo@nonexistentdomain.corp.

3. Exchange Server 2007 recipients can be set up to require sender authentication to receive email.

Using the Exchange console:
– Recipient Configuration -> select recipient -> recipient properties | Mail Flow Settings tab | Message Delivery Restrictions | Properties
– check “require that senders are authenticated”

Using the shell:

Set-Mailbox "Foo User" -RequireSenderAuthenticationEnabled $true

Additionally, either of the two alternatives mentioned above for Exchange Server 2003/2000 (Recipient Filtering or a non-existent address domain) can also be used to prevent users from receiving internet email.

Setting delivery restriction based on group membership: Rather than configuring each recipient individually to accept mail from authenticated senders only, you can retrieve the membership of the distribution group created above and pipe it into Set-Mailbox:

Get-DistributionGroupMember "DG-NoInternetMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true

4. Use OWA/Outlook to test sending internet mail from a user who is a member of the distribution group.
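The whole procedure (steps 2 and 3) as a single Exchange Management Shell script, added here as an example and not part of the original post. It uses the group and rule names from the page; the predicate/action object syntax is the Exchange 2007 form of New-TransportRule, and the reject text and 5.7.1 status code mirror the console defaults.

```powershell
# Added example: shell equivalent of the console steps above (Exchange 2007 syntax).
$groupName = "DG-NoInternetMail"
$ruleName  = "Rule-NoInternetMail"

# Outbound: reject mail from group members that is addressed outside the organization.
$fromGroup = Get-TransportRulePredicate FromMemberOf
$fromGroup.Addresses = @((Get-DistributionGroup $groupName))

$toOutside = Get-TransportRulePredicate SentToScope
$toOutside.Scope = "NotInOrganization"

$reject = Get-TransportRuleAction RejectMessage
$reject.RejectReason       = "Delivery not authorized, message refused"
$reject.EnhancedStatusCode = "5.7.1"

New-TransportRule -Name $ruleName -Conditions @($fromGroup, $toOutside) -Actions @($reject)

# Inbound: require authenticated senders for every mailbox in the group.
# Get-DistributionGroupMember does not expand nested groups and may return
# contacts or groups, which Set-Mailbox cannot process, so keep only mailboxes.
$members = Get-DistributionGroupMember $groupName |
    Where-Object { $_.RecipientType -eq "UserMailbox" }

$members | Set-Mailbox -RequireSenderAuthenticationEnabled $true

# Verify: the rule exists and is enabled ...
Get-TransportRule $ruleName | Format-List Name, State, Conditions, Actions

# ... and no group mailbox is still reachable by unauthenticated (internet) senders.
$stillOpen = $members |
    ForEach-Object { Get-Mailbox $_.Identity } |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled }

if ($stillOpen) {
    $stillOpen | Format-Table Name, RequireSenderAuthenticationEnabled
} else {
    Write-Host "All mailboxes in $groupName require sender authentication."
}
```

Re-run the inbound section whenever group membership changes, since RequireSenderAuthenticationEnabled is a per-mailbox setting and is not applied automatically to new members.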