
Block users from sending and receiving external emails?

Nov 14, 2001
Hi

I have a requirement to prevent some of our users from sending and receiving emails to and from external recipients. We are using Exchange 2000.

Any Ideas ?

Cheers

Craig
 
Modify their SMTP address to a fake one such as fake1@yourdomain.local , fake2....

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
To stop them sending:
Create a distribution group containing the restricted users.
In the Exchange System Manager, navigate to the connector Properties, Delivery Restrictions, Reject Messages From. Add the distribution group.

To restrict receiving:
Create a distribution group containing all staff.
In ADU&C navigate to each user’s Properties, Exchange General, Delivery Restrictions, Accept Messages, Only From. Add the name of the group.

This works for us and we also prevent some users from mailing each other by omitting them from the second group.
 
To extend tnai's excellent post, you can't deny permissions to users with SMTP virtual servers. Since, by default, Exchange is installed without SMTP connectors, you may have to create them and routing groups to go with them.
 
What's the implications of creating the SMTP connectors and routing groups ?

Is there any other ways of doing this ?

Cheers
Craig
 
Yes, like my first post

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
Will that stop them sending though ? I thought that would only stop inbound email

Cheers

Craig
 
They will not be able to send from a fake user and domain.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
I'm trying to apply this using a recipient policy. Has anybody else done this ?

I have created a security group which contains the people that I want to block from receiving and sending external emails. I have created a recipient policy that filters on this security group and sets the email domain to @no.external.email to block the users.

How long does the policy take to work ? I guess it's not instant ?

Cheers again

Craig
 
Why don't you want to do it by giving them a non-existent SMTP address?

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
To stop them from SENDING, you would put the SMTP connector in place and put a restriction on the connector. To stop them from RECEIVING use .local addressing internally. Don't accept delivery for .local. For those users that will receive external email, add a secondary SMTP address for which you do accept delivery.

If you have very many users, DO NOT use a group added to the restriction of each mailbox unless you plan on using MASSIVE GC servers with HUGE network bandwidth between exchange and the GC.

One hotsite issue I was on involved a 45,000 seat organization that used restrictions as in tnai's post above to restrict a 1000 member group. Prior to the restrictions, the morning corporate spam message to all employees took 5 minutes to deliver. After the restrictions it took 2 days.

If you turned up categorizer logging, all you saw was 6004 retryable errors. A one minute netmon trace was over 1GB of ldap lookups. A 30 second regtrace was over 8GB.

When you send a message to a group, the categorizer enumerates the membership of the group and looks up each member. For our 45,000 member group that's 45,000 LDAP lookups. When you add a 1,000 member group to the restrictions of each mailbox, after looking up each member that categorizer checks the restrictions and expands the restricted group; looking up each member of the restricted group each time. That's 45,000 X 1,000 or 45,000,000 LDAP lookups. Your network will crawl to a stop. Keep any restriction on the connector if at all possible. That's a best practice.
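As an added illustration of the design in this post (connector-level Reject-From for outbound, .local-only addressing for inbound, and the per-mailbox lookup blow-up), here is a small constructed model; it is not Exchange code or anything from the thread, and every name, domain and group membership in it is sample data:

```python
"""Constructed model of the Exchange 2000 scheme described in this thread.

Outbound mail from restricted users is rejected by a Reject-From group on the
SMTP connector; inbound mail never reaches them because their only SMTP address
is in a domain (.local) the server does not accept delivery for. All names,
domains and group memberships below are constructed sample data.
"""

# Domains the server accepts inbound delivery for (assumed sample value).
ACCEPTED_DOMAINS = {"example.com"}

# Distribution group placed in the connector's Delivery Restrictions / Reject From.
RESTRICTED_GROUP = {"alice"}

# Proxy addresses per mailbox (constructed directory).
DIRECTORY = {
    "alice": ["alice@corp.local"],                   # internal-only: .local address only
    "bob": ["bob@corp.local", "bob@example.com"],    # secondary address in an accepted domain
}


def outbound_allowed(sender, restricted=RESTRICTED_GROUP):
    """Connector rule: messages from members of the restricted group are rejected."""
    return sender not in restricted


def inbound_recipient(address, directory=DIRECTORY, accepted=ACCEPTED_DOMAINS):
    """Resolve an externally submitted recipient address to a mailbox.

    Returns None (an NDR in practice) when the domain is not one the server
    accepts delivery for, or when no mailbox carries that proxy address.
    """
    _, sep, domain = address.rpartition("@")
    if not sep or domain.lower() not in accepted:
        return None
    wanted = address.lower()
    for mailbox, proxies in directory.items():
        if wanted in (p.lower() for p in proxies):
            return mailbox
    return None


def per_mailbox_restriction_lookups(recipients, restricted_group_size):
    """Extra LDAP lookups the post attributes to a per-mailbox restriction:
    the restricted group is expanded once per recipient (assumed model)."""
    return recipients * restricted_group_size


if __name__ == "__main__":
    print(outbound_allowed("alice"), inbound_recipient("bob@example.com"))
    print(per_mailbox_restriction_lookups(45_000, 1_000))  # 45,000,000 as in the post
```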




 
"lander215 (IS/IT--Manageme) Jan 21, 2004
Why don't you want to do it by giving them a non-existent SMTP address?"


I do, but I want to do it using a recipient policy to make it easy for the other "administrators" to use without them going anywhere near the Exchange server and breaking it.

Now I know what I want to do, I just need to get it to work! I'm giving the users a fake SMTP address but need advice on getting this to work with a recipient policy that's tied to a security group.

I want to put blocked users in the security group. I want members of this group to have the fake SMTP recipient policy applied to them and the correct SMTP address removed.

Is this possible, and how do I do it if it is?

Cheers Again

Craig
 
The SMTP address(s) are modified through ADUC, so the other "administrators" won't have to go anywhere near the Exchange server and risk "breaking" it.

If you can't trust your admins to modify an SMTP address, I'd think twice about giving them admin rights to begin with.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
hey,
thought i would piggy-back on this thread...

just a quick question for lander215 and marcs41,

so I have changed some users' SMTP addressing to bogus values. now inbound is returned but outbound is still going, well, out... am I being hasty here? do I need to wait for the RUS or some other process to run?

thanks,
scottie
 
you need to set the delivery restrictions on the SMTP to reject the .local stuff too.

<signature for rent>
 
Any trick here? I can't get this one to work. I'm trying to do the same thing. My test user can still send out. I created 2 test users and a distribution group. I created an SMTP connector in Exchange. Under Delivery Restrictions, I added the distribution group to Reject From:.

Now the only thing I didn't do was change the email address to a fake one. The above should work.

do you need to restart any service?
 
I have done all of the above, and restarted the Exchange routing service, the SMTP and the Information Store. Still when I look at users' SMTP address it has not changed to the fake one, and they can still send.

I don't know if they would be able to receive yet because I am waiting for my ISP to change the MX records to point to the public IP on my Exchange server, but meanwhile I'd like to know that when that happens it's not going to be a free for all.

Why is the SMTP address not changing? It's been hours now; it can't just be taking time to replicate.
 
I hate saying this, but it may be worth a try to restart the entire server.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all.
Free Tip: The F1 Key does NOT destroy your PC!
 