Microsoft Exchange and Blackberry Server Specialists

Restrict Users from Sending and Receiving Internet Email

Having the ability to restrict whether a user can send or receive email from the Internet can be very valuable. If someone is leaving the company it ensures that they cannot send anything out by email. If the email system is being abused by staff, you can restrict the users concerned. You may also simply want to control who is allowed to send email out on the company's behalf.

Sending Internet Email

This process involves using an SMTP Connector. If you already have an SMTP Connector, you should use that, otherwise your email flow could be disrupted.

  1. Create the SMTP Connector in the usual way. (Instructions here)
    If this is your first SMTP Connector, set it to use DNS for delivery. Do not set an invalid smart host or IP address. All outbound email will use this SMTP Connector, so test it before you apply any restrictions.
  2. Click on the "Delivery Restrictions" tab and add the users who should be restricted from being able to send email.
    Hint - use a group instead of users.
    1. Create a mail-enabled group in the usual way, with a name that makes its purpose obvious, for example "Restricted Internet Email".
    2. Add the users to it.
    3. Check the following KB article as you may need to make a registry change before this group works correctly for this particular task: http://support.microsoft.com/kb/277872 or http://support.microsoft.com/kb/279813
  3. Once the restrictions have been set, click Apply and OK to close the connector properties.
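The steps under the hint above, scripted with ADSI rather than clicked through in ADUC. This is an added example and not code from the original page: it creates the "Restricted Internet Email" group, adds the leavers to it and sets the registry value that KB 277872 describes so that the connector's Delivery Restrictions tab is actually enforced. The OU path, the user DNs and the choice of a universal security group are placeholders for your own forest, and the CheckConnectorRestrictions value name is given as I recall it from the KB article; verify it against the article before relying on it. Run it on the Exchange server as an Exchange Full Administrator.

```powershell
# Added example (not from the original page). Placeholders: OU path, DNs, group scope.
$groupOu    = "LDAP://OU=Groups,DC=example,DC=local"     # placeholder OU for the group
$groupName  = "Restricted Internet Email"
$groupAlias = "RestrictedInternetEmail"
$restricted = @(                                          # placeholder DNs of the leavers
    "CN=Leaver One,OU=Users,DC=example,DC=local",
    "CN=Leaver Two,OU=Users,DC=example,DC=local"
)

# groupType 0x80000008: universal, security-enabled (assumed scope, adjust if needed)
$ADS_GROUP_UNIVERSAL_SECURITY = -2147483640

function New-RestrictedGroup {
    param([string]$OuPath, [string]$Name, [string]$Alias)
    $ou    = [ADSI]$OuPath
    $group = $ou.Create("group", "CN=$Name")
    $group.Put("sAMAccountName", $Alias)
    $group.Put("groupType", $ADS_GROUP_UNIVERSAL_SECURITY)
    # mailNickname is what mail-enables the object: the Recipient Update Service
    # then stamps proxyAddresses and the other Exchange attributes from the
    # recipient policy, just as ADUC does when you create an Exchange address.
    $group.Put("mailNickname", $Alias)
    # Nobody should be picking this group from the GAL, so hide it.
    $group.Put("msExchHideFromAddressLists", $true)
    $group.SetInfo()
    return $group
}

function Add-RestrictedUsers {
    param($Group, [string[]]$UserDns)
    foreach ($dn in $UserDns) {
        # IADsGroup::Add takes an ADsPath, not a bare DN, and commits immediately.
        $Group.Add("LDAP://$dn")
    }
}

function Get-GroupMemberDns {
    # Read the membership back so the change can be checked before the connector is touched.
    param([string]$GroupDn)
    $g = [ADSI]"LDAP://$GroupDn"
    return @($g.Properties["member"] | ForEach-Object { $_ })
}

function Enable-ConnectorRestrictionCheck {
    # KB 277872, as I recall it: without this DWORD the routing engine does not
    # evaluate the connector's Delivery Restrictions. Verify the name against the KB.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\RESvc\Parameters"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name "CheckConnectorRestrictions" -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # The routing engine (RESvc) must be restarted to pick the value up.
    Restart-Service -Name RESvc -Force
}

$group = New-RestrictedGroup -OuPath $groupOu -Name $groupName -Alias $groupAlias
Add-RestrictedUsers -Group $group -UserDns $restricted
Get-GroupMemberDns -GroupDn "CN=$groupName,OU=Groups,DC=example,DC=local"
Enable-ConnectorRestrictionCheck
# Next: add the group on the connector's Delivery Restrictions tab (step 2 above),
# then send a test message from one of the members. It should come back as a
# non-delivery report rather than leave the organisation.
```

Wait for the Recipient Update Service to stamp the group before adding it to the connector; until it has an SMTP address the group is not selectable in the Delivery Restrictions picker.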

Restricting users to sending to specific domains

If you want to restrict the domains that users (or a subset of users) can send to, then you need to create two SMTP connectors.

Connector number one carries the list of domains that the users are allowed to send to, one address space per domain. The cost on each domain needs to be 1, so that it is tried first.
Connector number two is the restricted connector created above, with its catch-all address space. The cost on its Address Space tab is set to 2, so that it is tried second. A restricted user therefore reaches the allowed domains through connector one and is rejected by connector two for everything else.

Ensure that you review the KB articles above to check whether you need to make the registry change or not.

Restricting users from sending to a specific email address

You can also stop users from sending to a specific email address.

  1. Create a mail-enabled contact for the email address that you want to block, using Active Directory Users and Computers on the Exchange server.
  2. After creating the contact, click on the tab "Exchange Advanced" and enable the option to hide the contact from the address lists.
  3. Click on the tab "Exchange General" and adjust the Message Restrictions. Change it to "From everyone except" and select your equivalent of the "All Staff" list. Only members of that list are blocked; anyone who is not in it can still send to the address, so make sure the list really covers everyone.

Receiving Internet Email

Restricting what a user can receive is a little more involved.

On Exchange 2000, simply remove the user's external email address. However, for the mailbox to operate correctly every account needs at least one SMTP address. If you have a local address that isn't valid on the Internet, use that.
Otherwise, create a new recipient policy using a domain that is not valid on the Internet, for example company.local. If you don't set a filter on the recipient policy you can then apply it to users as required. You could also set a filter and use the group created in the Sending Internet Email procedure above.
The only drawback with this process is that internal people cannot send to those restricted users by typing a public SMTP address, as the users no longer have one. They will need to select the users from the GAL.

For Exchange 2003, things are much easier. While you can still use the process outlined above for Exchange 2000, you don't have to live with the restriction on the email addresses. With this version Microsoft introduced a new setting on the user account. Open the Properties of the user in Active Directory Users and Computers, click on the tab "Exchange General", then the button "Delivery Restrictions".
In there you can restrict who can deliver to the user. At a minimum, select "From authenticated users only". You can also narrow it further to your equivalent of "All Staff".
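The two ADUC procedures above (the hidden contact that all staff are blocked from mailing, and the Exchange 2003 Delivery Restrictions on a user), done with ADSI so they can be repeated and read back. This is an added example, not code from the original page. The attribute names are the ones the ADUC property pages write: msExchHideFromAddressLists for "Hide from Exchange address lists", unauthOrig for "From everyone except", authOrig for "Only from" and msExchRequireAuthToSendTo for "From authenticated users only". The OU path, the "All Staff" group DN, the user DN and the blocked address are placeholders for your own environment.

```powershell
# Added example (not from the original page). Placeholders: OU path, DNs, blocked address.
$ADS_PROPERTY_APPEND = 3                                   # IADs::PutEx control code

$contactOu   = "LDAP://OU=Contacts,DC=example,DC=local"   # placeholder OU
$allStaffDn  = "CN=All Staff,OU=Groups,DC=example,DC=local" # placeholder group DN
$userDn      = "CN=Jane Doe,OU=Users,DC=example,DC=local"   # placeholder user DN
$blockedAddr = "someone@blocked.example"                    # placeholder address

function New-BlockedContact {
    # Contact procedure: mail-enabled contact, hidden from the GAL, that rejects
    # everyone in the "All Staff" list ("From everyone except").
    param([string]$OuPath, [string]$Address, [string]$RejectFromDn)
    $ou = [ADSI]$OuPath
    $c  = $ou.Create("contact", "CN=Blocked - $Address")
    $c.Put("mail", $Address)
    $c.Put("targetAddress", "SMTP:$Address")                    # where mail would be forwarded
    $c.Put("mailNickname", ($Address -replace '[^A-Za-z0-9]', ''))
    $c.Put("msExchHideFromAddressLists", $true)                 # Exchange Advanced tab
    $c.SetInfo()
    # Exchange General > Message Restrictions > "From everyone except"
    $c.PutEx($ADS_PROPERTY_APPEND, "unauthOrig", @($RejectFromDn))
    $c.SetInfo()
    return $c
}

function Set-InternalOnlyDelivery {
    # Exchange 2003 procedure: Delivery Restrictions on the user. "From authenticated
    # users only" at a minimum; optionally narrow to a single group ("Only from").
    param([string]$UserDn, [string]$AcceptOnlyFromDn)
    $u = [ADSI]"LDAP://$UserDn"
    $u.Put("msExchRequireAuthToSendTo", $true)
    if ($AcceptOnlyFromDn) {
        $u.PutEx($ADS_PROPERTY_APPEND, "authOrig", @($AcceptOnlyFromDn))
    }
    $u.SetInfo()
}

function Get-DeliveryRestrictions {
    # Read the restrictions back from any recipient so the change can be audited.
    param([string]$Dn)
    $p = ([ADSI]"LDAP://$Dn").Properties
    New-Object PSObject -Property @{
        DistinguishedName = $Dn
        AuthenticatedOnly = [bool]$p["msExchRequireAuthToSendTo"].Value
        AcceptOnlyFrom    = @($p["authOrig"]   | ForEach-Object { $_ })
        RejectFrom        = @($p["unauthOrig"] | ForEach-Object { $_ })
        HiddenFromGAL     = [bool]$p["msExchHideFromAddressLists"].Value
    }
}

$contact = New-BlockedContact -OuPath $contactOu -Address $blockedAddr -RejectFromDn $allStaffDn
Set-InternalOnlyDelivery -UserDn $userDn -AcceptOnlyFromDn $allStaffDn

Get-DeliveryRestrictions -Dn $contact.distinguishedName
Get-DeliveryRestrictions -Dn $userDn
```

"From authenticated users only" is enforced at SMTP submission, so anything that delivers anonymously, including internal web servers and database jobs that relay through the Exchange server without authenticating, will be refused for that user; check the output of Get-DeliveryRestrictions against the business processes mentioned below before rolling this out widely.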

Note, before deploying this kind of restriction, ensure that it fits with your business processes, particularly if you have automated email messages delivered to users, for example from web sites or databases.