I frequently see questions such as this one about how to restrict users on the network from being able to send emails to external recipients.
I actually wrote an article on the subject about four years ago. It deals with one specific scenario, “deny most, allow some”, and although it was written when Exchange Server 2007 was the latest version, it still demonstrates how Transport Rules can be used to apply various restrictions on what email senders can do.
In this article I will specifically answer the question of how to restrict a small number of specific users from being able to send emails to recipients outside of the organization.
The first step in this method is to create a distribution group. The members of this group will be the users who are restricted from sending external emails. It does not need to be a security group, but it does need to be universal in scope.

Next, create a new Transport Rule with the following configuration.
Conditions:
- From a member of a distribution list (and choose the distribution group you created above)
- Sent to users that are inside or outside of the organization, or partners (and choose “Outside”)
Actions:
- Send rejection message to sender with enhanced status code (I set the status code to 5.7.1 and configure a message such as “You are not authorized to send email to recipients outside of this organization”)
Exceptions: (optional)
- Except when a recipient’s address matches text patterns (and add any domain names or email addresses they should still be allowed to send to)

After the new rule has taken effect, the members of that distribution group will not be able to send to external recipients, whether they use the To, CC, or BCC fields to do so. They will still be able to send to the domains or email addresses you configure as exceptions to the rule; even if a message also includes other recipients that get blocked, the permitted recipients will still receive the email.
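The same configuration built from the Exchange Management Shell, as an added example that is not part of the original article. The group name, rule name, mailbox aliases and the allowed partner domain are assumptions; the exception pattern is also the “only one external domain” case raised in the comments, since a single allowed domain is just a rule with one pattern.

```powershell
# Added example (not from the original article): Exchange Management Shell
# commands that build the rule the article describes. Group and rule names,
# the aliases "alice" and "bob", "contoso.com" and "partner.example.com" are
# assumptions; replace them with your own values.

# 1. A universal distribution group holding the restricted senders.
#    New-DistributionGroup always creates universal groups; -Type Distribution
#    makes it a plain distribution group rather than a security group.
New-DistributionGroup -Name "No External Email" `
    -Alias "noexternalemail" `
    -Type Distribution

# 2. Add the restricted users. As the comments on the article note,
#    membership changes can take a few hours before the rule honours them.
Add-DistributionGroupMember -Identity "No External Email" -Member "alice"
Add-DistributionGroupMember -Identity "No External Email" -Member "bob"

# 3. The transport rule: condition = from a member of the group and sent to
#    recipients outside the organization; action = reject with 5.7.1;
#    exception = recipient address matches a text pattern. The pattern is a
#    regular expression, so "@" and "." are escaped and it is anchored to the
#    end of the address so that "partner.example.com.attacker.test" does not
#    match. Restricting a sender to one external domain is the same rule with
#    that single domain as the only exception pattern.
New-TransportRule -Name "Block external email for restricted senders" `
    -FromMemberOf "No External Email" `
    -SentToScope NotInOrganization `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "You are not authorized to send email to recipients outside of this organization" `
    -ExceptIfRecipientAddressMatchesPatterns "@partner\.example\.com$" `
    -Enabled $true

# 4. Read back what was stored before trusting the rule in production.
Get-TransportRule -Identity "Block external email for restricted senders" |
    Format-List Name, State, Priority, FromMemberOf, SentToScope,
        RejectMessageEnhancedStatusCode, RejectMessageReasonText,
        ExceptIfRecipientAddressMatchesPatterns

# 5. After sending a test message from a restricted user, confirm the
#    rejection in message tracking; the rejected delivery is recorded as a
#    FAIL event for that sender (assumed sender address shown).
Get-MessageTrackingLog -EventId FAIL -Sender "alice@contoso.com" `
    -Start (Get-Date).AddHours(-1) |
    Format-Table Timestamp, Sender, Recipients, RecipientStatus -AutoSize
```

Test the rule with a restricted user sending to an external address, to the allowed partner domain, and to both in one message, so that the CC/BCC and mixed-recipient behaviour described above is confirmed rather than assumed.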

Paul
Great article. I only wanted a specific user to be able to send internal emails. I followed your instructions to the T and they worked perfectly; however, I have now removed the specific user from the distribution group (the only user in the group) but it still blocks any outgoing emails. I have logged the user off and on again, restarted the PC, re-added a dummy account to the distribution group, logged the user off and on again and waited for a couple of hours, and it’s still being blocked.
Is there a period of time for how long it takes to update all the settings in Exchange 2010 SP2 and 2008 R2 AD when removing users from distribution groups?
Also, for another user, is it possible to block specific email addresses and domains?
Thanks
Trevor
Yes, there is a delay, I believe up to 4 hours, for changes like this to kick in. Hopefully by now your change has worked.
Thanks for the reply, and yes, all is working as normal after the 4 hrs. Not sure if it’s possible to lower the refresh time from 4 hrs to 5 mins.
Thanks
Trevor
Hi Paul,
How can I configure it in 2007? The “Except when a recipient’s address matches text patterns” option is not available in Exchange 2007. Is there any option to add this in Exchange 2007?
Because the same users are able to send mail to the external world if they put it in CC or BCC.
Hi Paul,
Is it possible to limit the “Maximum number of recipients” only on outgoing mail, but not for internal mail?
Thank you
Jörg
Forgive my denseness, but is there a way to set a user up so that they can only send emails to one specific external domain?
We have students from an external organisation who need to send timesheets back to their host employer. I have currently got one of our email address for them to use but I don’t want them to be able to send anywhere else other than anyone at “blah.com”.
Is there an easy way to do this?
Transport rules should allow you to do this. Each rule has a criteria, action, and exceptions. So the criteria would be “From user X” (or a group), action would be “Reject” or similar, and exceptions would be “Unless recipient is in domain Y”.
I’m only vaguely describing it there, but if you explore the New Transport Rule wizard and do some testing you’ll see what I mean.
Hi Paul,
I have the rule and want to add 200 members to restrict sending emails to the internet. Instead of adding users, I am planning to add one security group and merge it into the existing group which is being used by the transport rule for external email blocking.
Please suggest what happens if we add groups to the TR instead of users. Will the TR take time to process the action?
I’m just new here.
I want my DL of Exchange users to send only to specified domains.
e.g. I want some DLs to allow “*@abc.com” and “*@123.com”.
With my regards,
T.Han
Paul
That was very useful as I am now able to configure and edit the transport hub effectively.
But I am now looking to configure the relay to restrict/allow mail from my code, but I am getting the following error.
I get this error message: ‘Mailbox unavailable. The server response was: 5.7.1 Unable to relay’
Brent
Hey Paul,
Is it possible to get the PowerShell command for that? We want to deny one user in one specified org from sending emails.
Greetings Oliver
Thanks for sharing this, Paul. Any links or pointers that you can share, to add custom rules via C# or something, would be helpful. I am looking to create a new custom rule that looks for specific patterns in the To and From email addresses.
Thanks
VC