Restricting email to the Internet on a per user AND per domain basis


You requested it... and we delivered it in Exchange 2010!

One of the most requested items in Exchange 2007 was something like this...

...we have 5-12 external domains that we need to allow some users to send to, but prevent sending to all other domains...

Or like this...

...we need a way to allow everyone to send to the internet but restrict members of 'contract workers group' to just certain domains. 

This blog post is meant to show how easy it now is to accomplish this oft-heard request in Exchange 2010. Transport rules, introduced with Exchange 2007, provided a lot of new options for the administration of mail, which in turn resulted in even more requests for additional functionality. The rules now have new predicates and actions that extend what can be done.

In particular, the predicates for address matching that were previously only available on the Edge role are now available for Hub role as well!

For more information about the new predicates and actions, see the following links:

Exchange 2010 Transport Rule Predicates:
http://technet.microsoft.com/en-us/library/dd638183.aspx

Exchange 2010 Transport Rule Actions:
http://technet.microsoft.com/en-us/library/aa998315.aspx

So I will use the 2nd "request" above to demonstrate how to create a rule in Exchange 2010 that accomplishes it.

For our example, the rule will restrict Active Directory mail-enabled users whose 'Department' attribute is defined as 'Temp Employees' from sending mail to the Internet, while still allowing them to send to two external domains: 'partnerdomain.com' and 'fourthcoffee.com'. Additionally, to reduce Helpdesk calls, you want to send an NDR when they violate the rule. For demonstration purposes I will use two conditions, one action and one exception.

Creating a new rule

1. Conditions

a. First condition:

"Sent to users that are inside or outside the Organization, or partners"

In Screenshot #1 above, set the dropdown to the Outside the Organization option.

b. Second condition:

"When the sender's properties match text patterns".

Now note the new options for this condition in the 3rd screenshot below, which allow selecting Active Directory properties of the user object!

Here we will be using the 'Title' property to match the rule to a sender.

2. Actions

"Send rejection message to sender with enhanced status code". The text you add here is displayed in the "Diagnostic information for administrators:" section of the NDR and can say whatever you wish. Originally I started out with "You may only send internet mail to @fourthcoffee.com and partnerdomain.com".

While the NDR provides the information, it is too 'hidden' to be practical for your typical user, so I will create a customized DSN. At this point, all we need to do is specify the text and enhanced status code for our administrators. The new text will be "Diagnostic information for System Administrators", and we specified a specific and unique error code, 5.7.122, that is easy for administrators to associate with this rule should troubleshooting be necessary.

3. Exceptions

"Except when a recipient's address matches text patterns". This is where we add the domains that these senders are allowed to send mail to, in the "Specify text patterns" dialog box.

And finally, this is the customized NDR that senders receive when violating the rule we created. This test message was sent to two recipients: one at an allowed domain, Janer@fourthcoffee.com, and one at a domain that is not allowed, mthomas@e2k3.dom.

Notice that the NDR was generated only for the rejected recipient. All other recipients were allowed through.
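The same rule, built from the Exchange Management Shell instead of the console, as an added example that is not part of the original post. It assumes the simplified New-TransportRule parameter set introduced with Exchange 2010 SP1 (RTM uses -Conditions/-Actions/-Exceptions with predicate objects from Get-TransportRulePredicate), and it assumes the "Attribute:Pattern" form for -SenderADAttributeMatchesPatterns; check Get-Help New-TransportRule -Full on your server before relying on either.

```powershell
# Added example; not the post's own code. Assumes Exchange 2010 SP1 shell syntax.
# Domain names, department value and DSN code 5.7.122 are the post's sample values.

# 1. Custom DSN text that the sender actually reads in the NDR, instead of the
#    text buried under "Diagnostic information for administrators".
New-SystemMessage -DsnCode 5.7.122 -Internal $true -Language En `
    -Text "Your department may only send Internet mail to partnerdomain.com and fourthcoffee.com."

# 2. The rule: two conditions, one action, one exception.
#    Text patterns are regular expressions, so the dot is escaped and the
#    pattern is anchored at the end of the address. Without the anchor,
#    "fourthcoffee.com" would also match an address at fourthcoffee.com.attacker.example.
New-TransportRule -Name "Restrict Temp Employees to partner domains" `
    -SentToScope NotInOrganization `
    -SenderADAttributeMatchesPatterns "Department:^Temp Employees$" `
    -ExceptIfRecipientAddressMatchesPatterns "@partnerdomain\.com$", "@fourthcoffee\.com$" `
    -RejectMessageReasonText "You may only send Internet mail to partnerdomain.com and fourthcoffee.com" `
    -RejectMessageEnhancedStatusCode 5.7.122 `
    -Enabled $true

# 3. Confirm the rule and its priority relative to the other transport rules.
Get-TransportRule "Restrict Temp Employees to partner domains" |
    Format-List Name, Priority, State, SentToScope, SenderADAttributeMatchesPatterns,
                ExceptIfRecipientAddressMatchesPatterns, RejectMessageEnhancedStatusCode
```

Rules are evaluated in priority order, so use Set-TransportRule -Priority if an earlier rule should take precedence; the rejection applies per recipient, which is why the test above produced an NDR only for the mthomas@e2k3.dom recipient.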

For more information:

- Understanding Transport Rules
http://technet.microsoft.com/en-us/library/dd351127.aspx

- Understanding How Transport Rules Are Applied
http://technet.microsoft.com/en-us/library/bb124703(EXCHG.140).aspx

- Create a Custom DSN
http://technet.microsoft.com/en-us/library/aa996803.aspx

- Associating a DSN Message with a Transport Rule
http://technet.microsoft.com/en-us/library/bb123506(EXCHG.80).aspx

- Dave Forrest (Contributions by Scott Landry, Stephen Gilbert and Steve Clagg)


Comments (7)
  1. Serkan says:

    Finally :)

    We are using a custom Transport Rule right now for this in 2007 but it will be a great feature for us in 2010

    Thanks for the great work…

  2. shawn says:

    Great stuff!  Does Exchange 2010 provide a mechanism for rate restriction (limit the number of messages a user can send over a given period of time)?  This would be a helpful feature for us.

  3. Dave says:

    Shawn – Thanks. Client Throttling, http://technet.microsoft.com/en-us/library/bb232205.aspx, would come the closest to a ‘rate restriction’ and can be applied via a custom policy on a per mailbox basis.  Steven Griffin also has an interesting post on this at http://blogs.msdn.com/stephen_griffin/archive/2010/01/07/throttling-exchange-2010.aspx

  4. Pete K. says:

    I’m looking for the same thing Shawn is.  While this stuff is great I’m thinking of limits in a given time frame, say 60 minutes, that would give us a fighting chance for accounts that have been compromised through phishing attacks.  Once an account has been phished the only recourse I can see is to throttle the number of messages that can be sent to limit damage.

  5. Scott Landry (MSFT) says:

    Pete/Shawn… take a look at the link Dave passed on, as well as http://technet.microsoft.com/en-us/library/dd298094.aspx.  Specifically "RecipientRateLimit"… does this meet your need?

  6. shawn says:

    Yes! Thanks for the help. It looks like I'll have to create a policy using RecipientRateLimit and apply it to users. This will be of some help in dealing with compromised accounts used to send spam (as Pete alluded to). However, it would be even more helpful if the time period was configurable. Maybe something to put on the wish list?

  7. sachin says:

    How can I have the per-domain functionality in Exchange 2007?
