Microsoft Exchange Server Page Last Reviewed: 15/02/2009
Exchange Server Compatibility Information

| Exchange Server Version | Compatibility |
| --- | --- |
| 5.5 | No |
| 2000 | Yes |
| 2003 | Yes |
| 2007 | Yes |
Restrict Users from Sending and Receiving Internet Email
Author: Simon Butler, Exchange MVP, MCSE
Being able to restrict whether a user can send or receive email from the Internet can be very valuable. If someone is leaving the company, it can ensure that they don't send anything out by email. If the email system is being abused by staff, you can restrict those users. You may also simply want to restrict who can send email out on the company's behalf.
Sending Internet Email
Exchange 2007
For Exchange 2007, you can restrict users from sending email using transport rules. These can be found in the Exchange Management Console, under Organization Configuration, Hub Transport, Transport Rules.
Exchange 2003
This process involves using an SMTP Connector. If you already have an SMTP Connector, you should use that, otherwise your email flow could be disrupted.
- Create the SMTP Connector in the usual way. (Instructions here)
If this is your first SMTP Connector, then set it to use DNS for delivery. Do not set an invalid smart host or IP address. All email will use this SMTP Connector, so it should be tested before you apply any restrictions.
- Click on the "Delivery Restrictions" tab and add the users who should be restricted from being able to send email.
Hint - use a group instead of users.
- Create a mail enabled group in the usual way, with a name that makes its purpose obvious, such as "Restricted Internet Email".
- Add the users to it.
- Check the following KB articles, as you may need to make a registry change before this group works correctly for this particular task: http://support.microsoft.com/default.aspx?kbid=277872 or http://support.microsoft.com/default.aspx?kbid=279813
- Once the restrictions have been placed, apply/ok out of the connector properties.
Restricting users to sending to specific domains
If you want to restrict the domains that users (or a subset of users) can send to, then you need to create two SMTP connectors.
Connector number one is the list of the domains that the users can send to. The cost on each domain needs to be 1, so that it is tried first. Connector number two is the connector for restricting access. This is created as above - but the cost on the Address Space tab is set to 2, so that it is tried second.
Ensure that you review the KB articles above to check whether you need to make the registry change or not.
Restricting users from sending to a specific email address
You can also stop users from sending to a specific email address.
- Create an email enabled contact for the email address that you want to block, using Active Directory Users and Computers on the Exchange server.
- After creating the contact, click on the tab "Exchange Advanced" and enable the option to hide the user from the Address Lists.
- Click on the tab "Exchange General" and adjust the Message Restrictions. Change to "From Everyone Except" and set to your equivalent of your "All Staff" list.
Receiving Internet Email
Receiving internet email is a little more involved.
On Exchange 2000, simply remove the user's external email address. However, for the mailbox to operate correctly, all accounts need to have an SMTP address. If you have a local address that isn't valid on the internet, then you should use that. Otherwise, create a new recipient policy using a non-valid domain, for example company.local. If you don't set any filter on the recipient policy, you can then add it to the users as required. You could also set a filter and use the group created in the Sending Internet Email procedure above. The only drawback with this process is that internal people cannot send to those restricted users by entering a public SMTP address, as they don't have one. They will need to select the users from the GAL.
For Exchange 2003, things are much easier. While you can use the process outlined above for Exchange 2000, you don't have to live with the restriction on the email addresses. With this version Microsoft introduced a new setting on the user account. Open the Properties of the user in Active Directory Users and Computers and click on the tab "Exchange General", then the button "Delivery Restrictions". In there you can restrict who can deliver to the user. At a minimum, set "From Authenticated Users Only". You could also use your equivalent of "All Staff".
Exchange 2007 brings significant enhancements. As with sending email, use transport rules to control inbound email as well.
Note: before deploying this kind of restriction, ensure that it fits with your business processes, particularly if you have automated email messages delivered to users, for example from web sites or databases.
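The Exchange 2007 transport rules mentioned in both the sending and receiving sections can also be created from the Exchange Management Shell. The following is an added example, not part of the original article: it reuses the "Restricted Internet Email" group name suggested above, while the rule names and rejection text are constructed for illustration.

```powershell
# Added example: run in the Exchange 2007 Management Shell on a Hub Transport server.
# "Restricted Internet Email" is the group name suggested in this article;
# the rule names and rejection messages below are constructed placeholders.
$group = Get-DistributionGroup "Restricted Internet Email"

# --- Outbound: sender is in the restricted group AND recipient is outside the organisation
$fromGroup = Get-TransportRulePredicate FromMemberOf
$fromGroup.Addresses = @($group)

$toExternal = Get-TransportRulePredicate SentToScope
$toExternal.Scope = "NotInOrganization"

$rejectOut = Get-TransportRuleAction RejectMessage
$rejectOut.RejectReason = "Your account is not permitted to send Internet email."

New-TransportRule -Name "Restricted group - block outbound Internet email" `
    -Conditions @($fromGroup, $toExternal) `
    -Actions @($rejectOut)

# --- Inbound: sender is outside the organisation AND recipient is in the restricted group
$fromExternal = Get-TransportRulePredicate FromScope
$fromExternal.Scope = "NotInOrganization"

$toGroup = Get-TransportRulePredicate SentToMemberOf
$toGroup.Addresses = @($group)

$rejectIn = Get-TransportRuleAction RejectMessage
$rejectIn.RejectReason = "This recipient does not accept Internet email."

New-TransportRule -Name "Restricted group - block inbound Internet email" `
    -Conditions @($fromExternal, $toGroup) `
    -Actions @($rejectIn)

# Review the resulting rules, including their conditions and actions
Get-TransportRule | Format-List
```

Internal mail between staff and the restricted users is unaffected, because both rules require one side of the message to be outside the organisation. Test with a single pilot user in the group before adding others.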