Exchange 2010 Block Internet Email, with exceptions



We are in the process of our Exchange2003 to Exchange 2010 migration (SBS2003 to Win2008/Exchange2010). All the mailboxes have been transferred to the Exchange 2010 server, but we are still using the SMTP Connector of Exchange 2003 to send external emails.

The company has a policy that not all users are allowed to send/receive External emails. This 'rule' has been applied to the Exchange 2003 SMTP connector a couple of years by from this article: "Restricting Users from Sending Internet Based Email".

A quick overview: Basically create an AD security group called "No Internet Email" and assign this group to the Connector's Delivery Restrictions – Reject Message From field. All one now has to do is to add all the users to the "No Internet Email" security group in order to block those users from sending emails.

The problem:
I've been instructed to keep the email restrictions for the "No Internet Emails" group in place, but I must allow the restricted users to be able to send/receive internet emails to/from a select view domains, i.e. certain customers, etc.

How would I go about doing this? If I need to change the way the users are blocked from sending/receiving emails on Exchange 2010 instead of using the Connector route as described in the above mentioned article, then so be it.

Any help would be greatly appreciated

Best Answer

This shouldn't be too difficult using transport rules.

Am on Exchange 2007 but process is extremely similar...

Restricting outbound internet mail for some users

Create a Distribution Group and add the recipients you want to prevent from sending internet email as members of the group.

Create a Transport Rule

1) Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule

2) Enter a name for the rule – e.g. Rule-NoInternetMail

3) On the Conditions page, select “From a member of a distribution list“

4) In the rule description, click the link for distribution list (underlined)

5) Click Add | Select the distribution list “DG-NoInternetMail”

6) Under Conditions, select a second condition “Sent to users inside or outside the organization“

7) In the rule description, click Inside (underlined) | change scope to Outside

8) Click Next

9) On the Actions page, select “send bounce message to sender with enhanced status code“

10) If you want to modify the text of the bounced message (optional): In the description, click “Delivery not authorized, message refused” | enter new message text

11) Click Next | verify the rule conditions and action in the summary

12) Click New | click Finish

Restricting inbound internet mail for some users

Using the Exchange console:

Expand Recipient Configuration > select recipient > recipient Properties | Mail Flow Settings page | Message Delivery Restrictions | Properties
Select “require that senders are authenticated“