Exchange Server Compatibility Information

Exchange Server Version    Compatibility
5.5                        No
2000                       Yes
2003                       Yes
2007                       Maybe

Restrict Users from Sending and Receiving Internet Email

Author: Simon Butler, Exchange MVP, MCSE
Last Page Review: 26/06/2007

Being able to restrict whether a user can send or receive email from the Internet can be very valuable. If someone is leaving the company, it can ensure that they don't send anything out by email. If the email system is being abused by staff, you can restrict what they are able to do. You may also simply want to restrict who can send email out on the company's behalf.

Sending Internet Email

This process involves using an SMTP Connector. If you already have an SMTP Connector, you should use that one; otherwise your email flow could be disrupted.

  1. Create the SMTP Connector in the usual way. (Instructions here)
    If this is your first SMTP Connector, then set it to use DNS for delivery. Do not set an invalid smart host or IP address. All email will use this SMTP Connector, so it should be tested before you apply any restrictions.
  2. Click on the "Delivery Restrictions" tab and add the users who should be restricted from being able to send email.
    Hint - use a group instead of users.
    1. Create a mail-enabled group in the usual way, with a name that makes its purpose obvious, such as "Restricted Internet Email".
    2. Add the users to it.
    3. Check the following KB articles, as you may need to make a registry change before this group works correctly for this particular task: http://support.microsoft.com/default.aspx?kbid=277872 or http://support.microsoft.com/default.aspx?kbid=279813
  3. Once the restrictions have been placed, apply/ok out of the connector properties.

Restricting users to sending to specific domains

If you want to restrict the domains that users (or a subset of users) can send to, then you need to create two SMTP connectors.

Connector number one is the list of the domains that the users can send to. The cost on each domain needs to be 1, so that it is tried first.
Connector number two is the connector for restricting access. This is created as above - but the cost on the Address Space tab is set to 2, so that it is tried second.

Ensure that you review the KB articles above to check whether you need to make the registry change or not.

Restricting users from sending to a specific email address

You can also stop users from sending to a specific email address.

  1. Create an email enabled contact for the email address that you want to block, using Active Directory Users and Computers on the Exchange server.
  2. After creating the contact, click on the tab "Exchange Advanced" and enable the option to hide the user from the Address Lists.
  3. Click on the tab "Exchange General" and adjust the Message Restrictions. Change the setting to "From Everyone Except" and set it to your equivalent of an "All Staff" list.

Receiving Internet Email

Receiving internet email is a little more involved.

On Exchange 2000, simply remove the user's external email address. However, for the mailbox to operate correctly, all accounts need to have an SMTP address. If you have a local address that isn't valid on the internet, then you should use that.
Otherwise, create a new recipient policy using a non-valid domain, for example company.local. If you don't set any filter on the recipient policy, you can then add it to the users as required. You could also set a filter and use the group created in the Sending Internet Email procedure above.
The only drawback with this process is that internal people cannot send to those restricted users by entering a public SMTP address, as they don't have one. They will need to select the users from the GAL.

For Exchange 2003, things are much easier. While you can use the process outlined above for Exchange 2000, you don't have to live with the restriction on the email addresses. With this version, Microsoft introduced a new setting on the user account. Open the Properties of the user in Active Directory Users and Computers, click on the tab "Exchange General", and then click the button "Delivery Restrictions".
In there you can restrict who can deliver to the user. At a minimum, enable "From Authenticated Users Only". You could also use your equivalent of "All Staff".

Note, before deploying this kind of restriction, ensure that it fits with your business processes, particularly if you have automated email messages delivered to users, for example from web sites or databases. 
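
Once restrictions are in place, it is worth confirming which recipients actually carry them. The following is an added example, not part of the original article: a read-only PowerShell audit that lists every mail-enabled object with a delivery restriction, including the hidden contact from the "specific email address" procedure. The attribute names are the Exchange 2000/2003 Active Directory schema attributes behind the "Delivery Restrictions" dialog; the script assumes a domain-joined machine and an account that can read them.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Assumes a domain-joined machine and an account allowed to read these attributes.

# Exchange 2000/2003 directory attributes behind the "Delivery Restrictions" dialog
$attrs = @(
    'displayName', 'mail', 'objectClass',
    'msExchRequireAuthToSendTo',      # "From authenticated users only"
    'authOrig', 'dLMemSubmitPerms',   # "Only from" (users / groups)
    'unauthOrig', 'dLMemRejectPerms', # "From everyone except" (users / groups)
    'msExchHideFromAddressLists'      # hidden from the address lists
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 500   # page through large directories
# Mail-enabled objects that carry at least one delivery restriction
$searcher.Filter = '(&(mailNickname=*)(|(msExchRequireAuthToSendTo=TRUE)' +
    '(authOrig=*)(dLMemSubmitPerms=*)(unauthOrig=*)(dLMemRejectPerms=*)))'
$searcher.PropertiesToLoad.AddRange([string[]]$attrs)

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        # Result property names are stored in lower case, so index them that way
        $p = $r.Properties
        $onlyFrom  = @($p['authorig'])   + @($p['dlmemsubmitperms'])
        $allExcept = @($p['unauthorig']) + @($p['dlmemrejectperms'])
        New-Object PSObject -Property @{
            Name      = [string]($p['displayname'] | Select-Object -First 1)
            # Last objectClass value is the most specific (user, contact, group)
            Type      = [string]($p['objectclass'] | Select-Object -Last 1)
            Mail      = [string]($p['mail'] | Select-Object -First 1)
            AuthOnly  = (@($p['msexchrequireauthtosendto']) -contains $true)
            Hidden    = (@($p['msexchhidefromaddresslists']) -contains $true)
            OnlyFrom  = $onlyFrom -join '; '
            AllExcept = $allExcept -join '; '
        }
    }
} finally {
    $results.Dispose()   # release the underlying directory search handle
}

$report | Sort-Object Type, Name |
    Format-List Name, Type, Mail, AuthOnly, Hidden, OnlyFrom, AllExcept
```

A user who should not receive Internet email but shows AuthOnly as False with empty OnlyFrom and AllExcept lists has not had the restriction applied.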

Last Page Update: 26/06/2007

© Amset IT Solutions Ltd. 1998 - 2008. All rights reserved. Reproduction of any content on this web site is prohibited without express written consent. Use of this web site is subject to our terms and conditions. All trademarks and registered trademarks are property of their respective owners. This site is not endorsed or recommended by any company or organisation mentioned on this site. This site is to provide guidance only and as such we cannot be held responsible for any consequences of following the advice given.