Exchange Team Blog

How to block all inbound Internet mail to specific users or distribution groups in Exchange 2003

Very often you may find that you want to prohibit certain users from receiving mail from the internet. In the past, the solution would have been to give the users who are prohibited from receiving internet mail non-resolvable SMTP domain addresses. Exchange 2003 now provides a feature that will NDR mail originating from the internet to users or distribution groups if the mail was submitted anonymously. Anonymous submission (no SMTP authentication) is the typical case for mail originating from the internet.

To set the feature to require authentication to send to a distribution group, follow these steps:
 
1. Click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Users and Computers".

2. Right-click the distribution group, and then click "Properties".

3. Click the "Exchange General" tab.

4. Under "Message restrictions", click to select the "From authenticated users only" check box.


To set the feature to require authentication to send to a specific user, follow these steps:

1. Click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Users and Computers".

2. Right-click the user account, and then click "Properties".

3. Click the "Exchange General" tab.

4. Click "Delivery Restrictions".

5. Under "Message restrictions", click to select the "From authenticated users only" check box.


After this change, mail from the internet to the configured users or groups is rejected as long as the sending session did not authenticate.
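The two click-through procedures above both toggle one attribute on the mail-enabled Active Directory object. The following PowerShell script is an added example, not part of the original post and not Microsoft code: it sets the same restriction through ADSI and then audits which mail-enabled users and groups still accept anonymous (internet) mail, so you can verify the change took effect and spot recipients you forgot. It assumes that the "From authenticated users only" check box maps to the msExchRequireAuthToSendTo attribute, that it runs on a domain-joined machine with rights to modify the objects, and the distinguished names and domain (contoso.com) are placeholders.

```powershell
# Added example (not from the original post). Writes and audits the
# "From authenticated users only" delivery restriction via ADSI.
# Assumption: the check box maps to the msExchRequireAuthToSendTo attribute.

function Set-RequireAuthToSendTo {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [bool] $Enabled = $true
    )
    $obj = [ADSI]"LDAP://$DistinguishedName"
    # Same flag the "From authenticated users only" check box toggles (assumption)
    $obj.Put("msExchRequireAuthToSendTo", $Enabled)
    $obj.SetInfo()
    # Re-read from the directory so the caller sees the committed value
    $obj.RefreshCache()
    return [bool]$obj.Get("msExchRequireAuthToSendTo")
}

function Get-RequireAuthToSendToReport {
    param(
        [string] $SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Mail-enabled users and groups only: anything with a mail attribute
    $searcher.Filter = "(&(mail=*)(|(objectCategory=person)(objectCategory=group)))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        @("distinguishedName", "mail", "msExchRequireAuthToSendTo"))
    foreach ($r in $searcher.FindAll()) {
        # An absent attribute means the restriction was never set, i.e. anonymous mail is accepted
        $flag = $false
        if ($r.Properties["msexchrequireauthtosendto"].Count -gt 0) {
            $flag = [bool]$r.Properties["msexchrequireauthtosendto"][0]
        }
        [pscustomobject]@{
            DistinguishedName   = $r.Properties["distinguishedname"][0]
            Mail                = $r.Properties["mail"][0]
            RequireAuthToSendTo = $flag
        }
    }
}

# Apply the two procedures from the post (placeholder DNs):
Set-RequireAuthToSendTo -DistinguishedName "CN=Finance DL,OU=Groups,DC=contoso,DC=com"
Set-RequireAuthToSendTo -DistinguishedName "CN=Jane Doe,OU=Users,DC=contoso,DC=com"

# Verify, and list every mail-enabled recipient still open to anonymous senders:
Get-RequireAuthToSendToReport |
    Where-Object { -not $_.RequireAuthToSendTo } |
    Format-Table -AutoSize
```

Run the report before and after the change: the objects you restricted should drop out of the "still open" list, and anything left in it is a recipient that internet senders can still reach without authenticating. Passing `-Enabled $false` to Set-RequireAuthToSendTo reverses the restriction, which is the same as clearing the check box.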

- Ade Famoti

Published Monday, June 28, 2004 9:41 AM by Exchange

Comments

 

A Peaceful Exchange said:

June 29, 2004 1:43 AM
 

adam fazio said:

This sounds feasible; however, would it also not deny mail from internal POP/IMAP users who do not authenticate to send?
July 8, 2004 11:32 AM
 

Ade Famoti [MSFT] said:

The default send settings (send denoting relay settings) on the SMTP virtual server are by default "only the list below" and "allow all users and computers that successfully authenticate to relay".

In essence, your POP/IMAP users are relay users when they send using SMTP and are expected to authenticate. When they do, mail will not be denied from them.

However, if your internal POP/IMAP users are not authenticating to send mail, their mail will be denied, i.e. result in a 5.7.1 NDR. Most importantly, it poses a security issue because SMTP relay is then anonymous (open to any client).

If you would prefer to deviate from the default settings in the SMTP virtual server relay config, then you can choose specific users (security principals) that have the right to relay mail. In your case, this would be your internal POP/IMAP users.
July 8, 2004 12:05 PM
 

Ade Famoti [MSFT] said:

It is strongly recommended that, for inbound internet mail to honor this configuration, the internet-facing (or first) server in the organization to receive the message should be an Exchange 2003 server.
July 8, 2004 12:08 PM
