How to Restrict a Distribution List in Exchange Server 2010

Exchange Server 2010 allows you to restrict who can send to distribution groups. You can do this in different ways, but it is important to understand the pros and cons of each type of distribution group protection so that you choose the correct one for your situation.

Each of these methods can be implemented from any workstation or server you’ve installed the Exchange 2010 management tools on.

Preventing External Email to Exchange 2010 Distribution Lists

If you want to prevent any external sender from being able to send email to a distribution group, you can simply enable the authentication requirement for that group. This is found in the Properties of the distribution group, in the Mail Flow Settings tab under Message Delivery Restrictions.

Requiring authentication for senders to Exchange 2010 distribution groups

This option is enabled by default for distribution groups created in Exchange Server 2010, but may have to be manually enabled for groups that existed before your Exchange 2010 migration occurred.

This will prevent external, unauthenticated senders from being able to send to the distribution group but may also prevent senders such as network devices or applications from sending to the list if the device or application can’t perform SMTP authentication.
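The same setting can be applied and audited from the Exchange Management Shell. The following is an added example, not code from the original article; the group name "All Staff" is a placeholder, and it uses only the standard Get-DistributionGroup and Set-DistributionGroup cmdlets:

```powershell
# Added example: enforce the sender-authentication requirement from the
# Exchange Management Shell. "All Staff" is a placeholder group name.

# Report every distribution group that still accepts unauthenticated senders.
# Groups that pre-date the Exchange 2010 migration are the usual suspects.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled

# Turn the requirement on for a single group. This is the same setting as the
# checkbox on the Mail Flow Settings tab under Message Delivery Restrictions.
Set-DistributionGroup -Identity "All Staff" -RequireSenderAuthenticationEnabled $true

# Or fix every group found above in one pass. Run with -WhatIf first so the
# list of groups that would change is visible before anything is committed.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Set-DistributionGroup -RequireSenderAuthenticationEnabled $true -WhatIf
```

Remove -WhatIf to apply the change. Before doing so, a search of the message tracking log with Get-MessageTrackingLog -Recipients for the affected groups shows which senders have been submitting to them, which is the quickest way to find the network devices or applications that will be rejected once authentication is required.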

Restricting an Exchange 2010 Distribution List to Specific Senders

Requiring authentication for an Exchange 2010 distribution group won't prevent any authenticated senders from sending to it; for example, all of the mailbox users in your organization will still be able to send. In some organizations it is desirable to restrict certain distribution groups to only certain senders.

This can be done by configuring the Accept Messages From setting under Message Delivery Restrictions and specifying the mail-enabled groups that are allowed to send to the list.

Outlook 2010 and OWA users will see a warning if they compose an email to a group they are restricted from sending to.

If the sender persists and sends the email anyway they will receive a non-delivery report.

#550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized ##

Restricting distribution groups in this way gets the job done, but it is an all-or-nothing approach: there is no scope to allow some messages from other senders through to the distribution list.
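The sender restriction can also be set and, more usefully, reported on from the shell. This is an added example rather than code from the article; the group, sender and domain names are placeholders, and the audit at the end produces a CSV of every restricted group with its allowed senders so the restrictions can be reviewed without opening each group's properties:

```powershell
# Added example: restrict a distribution group to specific senders and report
# the resulting allow lists. Group, sender and domain names are placeholders.

# Allow only members of the "HR Announcers" mail-enabled group (plus one
# individual mailbox) to send to "All Staff". Everyone else receives the
# 550 5.7.1 RESOLVER.RST.NotAuthorized NDR.
Set-DistributionGroup -Identity "All Staff" `
    -AcceptMessagesOnlyFromSendersOrMembers "HR Announcers", "ceo@contoso.example"

# Add a further sender later without retyping the whole list.
Set-DistributionGroup -Identity "All Staff" `
    -AcceptMessagesOnlyFromSendersOrMembers @{Add="helpdesk@contoso.example"}

# Audit: every group that has an allow list, with the allowed senders
# flattened into one column, exported to CSV for review.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.AcceptMessagesOnlyFromSendersOrMembers.Count -gt 0 } |
    Select-Object Name, PrimarySmtpAddress,
        @{Name="AllowedSenders"; Expression={
            ($_.AcceptMessagesOnlyFromSendersOrMembers | ForEach-Object { $_.Name }) -join "; " }} |
    Export-Csv -Path ".\RestrictedGroups.csv" -NoTypeInformation
```

The allow list is a multi-valued property, so assigning it without the @{Add=...} syntax replaces the whole list; the audit export is worth re-running after any change to confirm no group was accidentally opened up or emptied.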

Moderating Exchange Server 2010 Distribution Lists

When you have a distribution group that you want everyone to be able to send to, but you want to be able to approve or reject messages on a case-by-case basis, you can use moderation. Moderation allows you to specify one or more mailbox users who can approve or reject emails sent to a distribution group. This is found in the Properties of the distribution group, in the Mail Flow Settings tab under Message Moderation.

Outlook 2010 or OWA users will see a warning when they are composing a mail to send to moderated groups.

The moderators will then receive an Approve/Reject email in their inbox.

Moderation can lead to delivery delays while messages are approved.  You can optionally configure a moderated group so that specific senders bypass the moderation requirement, so that frequent or trusted senders can send messages without any delays.
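Moderation, the moderators and the bypass list can be configured together in one shell command. This is an added example, not the article's own code; the group and mailbox names are placeholders:

```powershell
# Added example: enable moderation on a group, name the moderators, and let
# trusted senders bypass moderation. All names are placeholders.

Set-DistributionGroup -Identity "All Staff" `
    -ModerationEnabled $true `
    -ModeratedBy "hr.manager@contoso.example", "comms.lead@contoso.example" `
    -BypassModerationFromSendersOrMembers "Executive Team" `
    -SendModerationNotifications Always

# Review the moderation configuration of every moderated group, including
# whether nested groups are re-moderated and who is told about rejections.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ModerationEnabled } |
    Format-List Name, ModeratedBy, BypassModerationFromSendersOrMembers,
        BypassNestedModerationEnabled, SendModerationNotifications
```

-SendModerationNotifications controls whether senders are told when a moderator rejects their message; Always notifies every sender, Internal limits the notices to senders inside the organization, and Never sends none. Keeping at least two moderators avoids the delivery delays the text warns about when a single moderator is away.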

As you can see, each of these methods of restricting who can send to distribution groups has its pros and cons. There is no one-size-fits-all approach, but you should be able to find a method that works best for your specific scenario.

Comments

  1. Patrick Dufourq says

    Good Day,
    How can you restrict a distribution list in Exchange 2007?

    I would like 3 specific users to be able to send an email using a list to, let's say, 10 external users (not in the same domain).
    Thank you for your help.
    Kind Regards

    • says

      You can use the second method, “Restricting an Exchange 2010 Distribution List to Specific Senders”. The only difference being that Exchange 2007 users won’t see the warning if they are composing an email to a list they can’t send to, they’ll just get the NDR after they send it.

  2. Kirstin says

    How do I prevent E2010 from enabling the “Require that all senders are authenticated” for every new d-list?

  3. Liz says

    Hi, is there a way to view a list of who is authorized to send to a distribution list once you have restricted it?

    We have a good number of distribution lists within our company that are restricted and need a way to report on who is authorized to send without having to scroll and make screen shots every time HR wants to review them.

    Thank you in advance for your assistance.

    Liz

  4. Brian Johansen says

    Hi Poul
    We have a big problem with sending mails to distribution groups in Exchange 2010. We have just upgraded from Exchange 2007 to 2010, but the problem started in 2007, around May. We have spent several hours investigating without any luck. Maybe it has something to do with an update?

    The problem occurs only with some groups and we never get any feedback. Sometimes it works with a group, sometimes not. It looks like it maybe works if I create a new group. My colleague thinks it has something to do with cache and offline files.

    I’m not quite sure whether we have fixed the problem or not.

    After the upgrade we have had a problem expanding groups; sometimes it works, sometimes it works after 1-2 attempts.

    Thank you for your help.
    Brian

      • Brian Johansen says

        No, that’s just another thing that came up after upgrading, sometimes we can’t expand groups and see the members. Sometimes it works if we try 1-2 times to click the + sign.

        The main problem is that we couldn't send to some groups earlier and I'm not sure if we have solved it. The worst thing was that you didn't get any response, so we didn't know whether the mails got through or not. But it seems like the new group works and maybe also the fix with removing cached mode and deleting the .OST file. I haven't heard from my users in the last weeks during the summer holiday time, I hope that's good.

        I just wondered if you had experienced something like that before and had some input. My Exchange colleague is back in business next week and we will sit down and evaluate.

        I appreciate your quick answer.

        Brian

      • Brian Johansen says

        Yes, we have changed most of our groups to Universal, before they were Global. If it’s Global we can’t look up the AD groups in Exchange. Is it necessary to use Universal when we have Exchange 2010?

      • says

        Yes they should be Universal. Having them Global would be a likely explanation for the non-delivery. When you created new ones they would be Universal and I’d expect them to work fine.

  5. Brian Johansen says

    I see. I learned some years ago to use Global groups, unless we have more than 1 domain, and I can't remember more :-)

    But, I don’t think that was the reason why we many times didn’t receive the mails sent to the groups. Sometimes they worked and sometimes not. It was very strange.

    • Brian Johansen says

      You are probably right regarding Universal; we have made some tests and it seems like we can expand all Universal groups and not always the old Global ones. It might also have fixed the problem with receiving mails. I haven't heard of one single problem with the Universal groups in weeks, but yesterday I had a colleague who sent a mail and nobody received it, but it was one of our Global groups. I will now change the rest of the groups to Universal. I'm just concerned about one thing: what about if the Global group is a security group, is it possible to change it to Universal and keep the security settings/members?

      Brian

  6. Lanny Evans says

    What I am trying to do is restrict who can send an email to certain email accounts. We have email accounts for physicians that certain people need to be able to see and send email to. Everyone else in the organization needs to be restricted from sending email to those email boxes and hopefully not even seeing them in their GAL. Is there a way to accomplish that? Thanks,

    • says

      Hi Lanny, you can hide mailboxes from the GAL (it is a checkbox in the mailbox properties) and mailboxes also have similar delivery restrictions settings as groups do (also available in the mailbox properties).

  7. Nathan says

    Hello,
    I host email for nearly all the school districts in a geographic region. Some schools run their own mail servers. We have mail contacts setup for those districts so they can receive mail from distribution lists.

    Is there any way to authenticate a mail contact to send to the distribution list without allowing the whole world to be able to send to that list? We also have to allow sending for any user inside exchange as well.

    Thanks for your help,
    -Nathan

  8. Peter says

    I have setup the distribution group as stated above and it was all working. Now all of a sudden if a user tries to send to the DG it says they do not have permission and just below it it states that it is going to send it to the members (Sending to 402 for example). If I create a brand new DG the permissions are enforced and the user cannot send at all. It would appear something has happened to the DG that I created a few months ago.

      • Peter says

        I did that this weekend. It would appear all of the new ones are staying the same except 4 of them, which then reverted back to being the same thing I stated above. The rest appear to be holding up and rejecting emails as expected.

        I think I have gremlins in my Exchange environment and I may need to call Ghostbusters, or I mean Microsoft. ;)

  9. says

    Hi Paul,

    I have for several months had a distribution list that had external contacts blocked from sending emails to that list. The list is actually a Contact Us distribution list and we have potentially lost many emails of people trying to contact us. I wonder if there is a place where these emails are stored or can be seen?

    Thanks for the help,

    Ignacio

  10. Dave says

    Hi Paul,

    I am not able to choose a group to allow access to send to distribution groups. I can see all of the users in the AD but no groups… I obviously do not wish to add individual users as this would prove to be a nightmare!

    Do you have any ideas?

    Thanks

  11. Rolf says

    Hello Paul

    My problem is that though my distribution groups are configured to require authentication for senders to the Exchange 2010 system, still that protection does not work. I thought that maybe some trust between the mail gateway from the Internet and the Exchange HUB server was the problem. But even if you just connect with telnet to port 25 on the HUB server you can address the mail to a distribution group!

    Is there maybe something in the receive connector that can make all incoming mail as if it was sent by an authenticated sender?

    Thank You for Your help!
    Please accept to have a very Happy 2012!

    /Rolf

  12. Ally Laurente says

    Hi Paul,

    We have lots of restricted DGs, but users are just clicking the + sign and it will expand and they can send to the members. Is there a way to restrict the expansion of the restricted DG?

    Thanks,
    Ally

    • says

      Not that I’m aware of.

      Perhaps you can mask them using contacts that point to hidden DLs? Might get a bit complicated to administer though.

      If they are large DLs you could look at limiting the max recipients that people can send to.

  13. Oscar Pedroza says

    Paul,
    I hope you are well. Do you know a way to moderate the number of recipients per mail? I have been looking for this for a long time and I don't get any way to do this. I hope that you can give me an idea.

    Best regards,
    Oscar

  14. zohaib says

    Well, I want to distribute the list in such a way that a single person can mail both male and female users, but male and female can't send mail to each other, though they can send mail to the same gender. If you know how to do it, please help me.

  15. Kristina says

    Hi Paul,

    Is there a way to restrict access for a group of people from sending to groups in such a way that they do not have to be explicitly denied access (or left out of the people granted access) to each group when it is created ?

    What I want to do is set up a group which will have people who should not be able to email any distribution groups, wondering if the security on the Exchange Distribution groups could perhaps be used to do this ?

    Your thoughts would be very welcome :-)

  16. ONP says

    I wanted to enquire whether we can restrict the users from creating their own local distribution list in MS Outlook 2007?

  17. Tom Bedell says

    Hi Paul. Thanks for your help. I appreciate it.

    Are there any tricks or gotchas with regards to setting delivery restrictions on an Exchange 2010 object in a user account/resource account organization? I know I need to link the permission to the user account and not on the disabled account in the resource forest, but I'm wondering what the cmdlet would use for the -User parameter. Thanks for any insight you can provide.

    Regards,

    Tom Bedell

  18. says

    Paul:

    We are running exchange 2007 and have rules set up for who can send to a couple of DG. The problem is that any user can expand the list and send an email to all of the individuals in that DG. Is there any way to shut this option off?

    Thank you,

    Elliot B

  19. Roy P says

    Is there a way within ex 2010 to allow people to create a new email and send to a DL
    BUT
    Prevent people who receive that email from doing the annoying reply to all.

    I can't really disable their reply to all option as that's not workable.
    Teaching them to NOT use reply to all and only reply to the person who sent the original email doesn't work with some of them either.

    So we end up with a swathe of emails going back and forth to everyone in the distribution list.

  20. Roy P says

    No, believe it or not Paul, it is actually an All Staff DL which goes out to the entire company, but the directors are very laid back about everyone having access to this and the constant reply to alls going to everyone. However, as I.T we get moaned at about all these replies going back and forth from people who simply do not wish to see them, and I can appreciate their point. It is quite embarrassing as well, some of the comments they put in knowing the MDs see these and don't seem to mind.
    I did put in the Outlook 2010 mailtips with the ignore option to ignore the threads from filling your mailbox with the constant back and forth, but wondered if there is a discreet way of preventing them from simply replying to all on this All Users DL.
    You could say if the MDs are not bothered then why bother, but from a professional I.T perspective it is embarrassing as some of these threads turn to jokes etc. that all members of staff see and go on and on. Basically just trying to discreetly keep the peace.
    I saw your thread here and have followed your tips over the last 10 yrs or so on various ex projects and thought if one of the Exc MVPs doesn't know then it can't be done from a technical stance, so we will just live with it.
    If it can't be done, that's fair enough.

    • says

      Ok, so you’re looking for a technology solution to solve a human behavior problem :)

      You’ve got a few options, none of which will be perfect.

      The first would be to restrict who can send to the DL. It seems like that won’t fly though, based on your comment above.

      The second would be to use moderation so that messages to the DL need to be manually approved. This will stifle responses quite a bit and may stop people abusing the list, but means anything urgent may get delayed, depending on how you configure it (moderation allows you to also specify users who are not subject to moderation).

      Another option may be to use a Transport Rule to detect any message with a subject starting with “Re:” that is going to that DL, and send it to a moderation queue. I imagine users will quickly work out how to get around this though :)

      Tough situation you’re in, especially if the bosses don’t care.

  21. Bhushan says

    1. How can the sender get a notification if a message is approved by the moderators?

    2. What if a message is ignored by the moderators, i.e. it is not approved and not rejected?

  22. Abhishek says

    Hi All,

    I am a little confused over one thing here and I don’t have a test environment to test this.

    A user has permission to send emails to a particular Distribution List (DL)- A , that distribution list has quite a few distribution lists as its members ( DLs B C and D are member of A) for which the user doesn’t have permission to send to.

    So, will he be able to send emails to “A” DL without getting a bounce back message ?

    Please let me know

    Thanks,
    Abhishek

  23. Aussupport says

    HI Paul,

    Is there way to allow from trusted domains?

    I have set the "only allow messages from authenticated users" option.

    Now network devices or applications cannot send to the list. Also some of our other domains?

    AS

  24. says

    Hello,

    I used your method to enable moderation on our distribution groups.
    When emails are sent from external addresses, they are moderated.
    But for emails sent from internal addresses, moderation does not work and the emails are delivered directly.

    Showing the moderation parameters we have for distribution groups:
    BypassNestedModerationEnabled: False
    BypassModerationFromSendersOrMembers: {}
    ModerationEnabled: True
    SendModerationNotifications: Always

    Thank you for your help.

    Regards.

  25. Anil says

    hi Paul,

    we have an urgent request here:
    1. Needs to block an external email address coming to our Hybrid Exchange environment (On-premises and O365)
    2. However with an exception to allow the external email address to talk to only one person within our organisation.

    Please advise how to go about it

    Thanks
    Anil

  26. Jon W says

    Is there a way to allow external users to send to a distribution group but restrict internal users who can send to the group? I had the Require that all senders are authenticated NOT checked. I also added a list of users who could send to the group. As it turned out, only those internal users I specified could send to it. External users were not able to get to it.

      • Jon W says

        I created transport rule on the HTP server that says:
        Apply rule to message
        sent to a member of ‘DistGroup@ourdomain.com’
        Delete the message without notifying anyone
        except when the message is from ‘me@ourdomain.com’ or ‘2nduser@ourdomain.com’
        or except when the message is from users that are ‘Outside the organization’.

        When I send a message to the group as me or 2nduser, it works. However, when I send from outside the organization from a Mindspring or Yahoo account, it never arrives. No NDR gets sent back either.

        Any suggestions?

        • says

          You chose “Delete the message without notifying anyone” so naturally there will be no NDR.

          Remove or change that action to notify the sender while you test your rule. You can also use message tracking log searches to try and work out what happened to the test emails.

  27. Jon W says

    I found one problem with the Transport Rule I set up. The “sent to a member of the group” and “delete the message except when the message is from” really came back to bite me. What ended up happening was that the members of the groups and external users could e-mail to the members of those groups. All other internal members had their e-mails deleted with no NDR. So, we ended up missing two days of mail without realizing it since we could e-mail each other. BEWARE!!!! Read those transport rules through. They are VERY literal.

  28. Graeme C says

    Hi Paul, I’ve set up moderation for a test group, and the mechanism works. The only thing I don’t see is the user warning in OWA and Outlook 2010 that the group is moderated. Have you seen this before? Is there anything I should check?

  29. Sahin Boluk says

    Hi Paul,

    After you restrict a DL to only a few people, anyone that adds the DL to an email can expand the list and send to those users. Is there a way to restrict the expansion of certain DLs?

  30. Jeremy Steger says

    Paul, We have email that goes through an antispam service and is then delivered to our network load balancer which is then delivered to our Exchange servers. We have the NLB set to TLS and externally secured in the hub transport.
    My thought is that since the NLB is delivering the mail and it’s considered an “authenticated” device that Exchange is processing the message as being from an “authenticated sender” and the mail is delivered to the DL.
    Have you experienced this anywhere? Your thoughts?
    I need to reject all senders if they are not internal. Moving forward we will only use the “domain.local” for the smtp only but I have hundreds of “domain.com” email addresses that are in use.
    thanks
    Jeremy

    • says

      Yes that is what is happening and it is a common mistake when people use the same load balancer VIP for inbound SMTP as well as SMTP relay for internal apps/systems.

      Do you have enough public IPs so that you could NAT both your Transport servers, and have the antispam service configured with two equal-cost inbound routes (one to each public IP)? That would bypass the load balancer while still providing HA for inbound email.

      • Jeremy Steger says

        Thanks for the quick reply Paul. I’ve asked our Network team if they can do anything about the F5 in this situation.

  31. Andy Bigsby says

    Hi Paul,

    Have you ever seen a restricted distribution group still get an email from a non-authorized person? I just had this happen yesterday and cannot figure out how it got through. I did message tracking on it and the logs show it failed, however the 223 recipients in the restricted distribution group still received the email.

  32. Gary says

    Hi Paul,
    I have one user who is able to receive emails sent to an All Staff distribution group but they are not able to send to it (they get the "don't have permission to send" message when composing an email).

    Any ideas?
    Thanks

  33. Azeez says

    Thanks a lot,
    I tried to add a user to those that can send mail to all staff from message delivery restriction.
    Then I selected to receive mail only from the sender list and it works.
    I am grateful.

  34. Girish says

    Hi,

    I have a DL. While sending mail to the DL, the sender, who is a member of the DL, should not receive the email. Is this possible to achieve?

    Thanks
    Girish

  35. Girish says

    Hi,

    I have a DL. While sending mail to the DL, the sender, who is a member of the DL, should not receive the email. Is it possible to achieve this scenario?

    Thanks
    Girish
