Exchange Team Blog

How to block all inbound Internet mail to specific users or distribution groups in Exchange 2003

Jun 28, 2004

Very often you may find that you want to prohibit certain users from receiving mail from the internet. In the past, the solution would have been to give the users that are prohibited from receiving internet mail non-resolvable SMTP domain addresses. Exchange 2003 now provides a feature that will NDR mail originating from the internet to users or distribution groups if the mail was submitted anonymously. Anonymous submission is the typical case for mail originating from the internet.

To set the feature to require authentication to send to a distribution group, follow these steps:
 
1. Click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Users and Computers".

2. Right-click the distribution group, and then click "Properties".

3. Click the "Exchange General" tab.

4. Under "Message restrictions", click to select the "From authenticated users only" check box.


To set the feature to require authentication to send to a specific user, follow these steps:

1. Click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Users and Computers".

2. Right-click the user account, and then click "Properties".

3. Click the "Exchange General" tab.

4. Click "Delivery Restrictions".

5. Under "Message restrictions", click to select the "From authenticated users only" check box.


After this change, mail from the internet should effectively be rejected for the configured users as long as the submission was not authenticated.
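The GUI check box above writes a single Active Directory attribute on the recipient object, msExchRequireAuthToSendTo. The following PowerShell script, added here as an example and not part of the original post or of any Microsoft tool, audits which mail-enabled objects already carry the restriction and applies it to a user or group by distinguished name through ADSI. It assumes it runs on a domain-joined machine against a forest with the Exchange 2003 schema and that the caller has write access to the target objects; the distinguished names in the usage lines at the bottom are placeholders.

```powershell
# Added example (not from the original post): audit and set the
# "From authenticated users only" delivery restriction via its
# underlying AD attribute, msExchRequireAuthToSendTo.
# Assumes: domain-joined host, Exchange 2003 schema, rights to write the object.

function Get-AuthOnlyRecipients {
    # Returns every mail-enabled object that already has the restriction set,
    # so you can verify the change took and spot unexpected recipients.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # LDAP booleans are stored as TRUE/FALSE; mail=* limits results to mail-enabled objects.
    $searcher.Filter = "(&(mail=*)(msExchRequireAuthToSendTo=TRUE))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("mail")
    [void]$searcher.PropertiesToLoad.Add("objectClass")
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DistinguishedName = $result.Properties["distinguishedname"][0]
            Mail              = $result.Properties["mail"][0]
            # Last objectClass value is the most specific one (user or group).
            ObjectClass       = $result.Properties["objectclass"][$result.Properties["objectclass"].Count - 1]
        }
    }
}

function Set-AuthOnlyRestriction {
    # Sets (or clears) the restriction on one user or distribution group.
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [bool]$Enabled = $true
    )
    $object = [ADSI]("LDAP://" + $DistinguishedName)
    # The restriction is meaningless on an object that cannot receive mail;
    # refuse rather than silently writing an attribute that does nothing.
    if (-not $object.Properties["mail"].Value) {
        throw "$DistinguishedName is not mail-enabled; nothing to restrict."
    }
    $object.Put("msExchRequireAuthToSendTo", $Enabled)
    $object.SetInfo()
    # Re-read from the directory so the caller sees the committed value.
    $object.RefreshCache()
    return [bool]$object.Properties["msExchRequireAuthToSendTo"].Value
}

# Usage (placeholder DNs; replace with your own objects):
# Set-AuthOnlyRestriction -DistinguishedName "CN=Finance Alerts,OU=Groups,DC=example,DC=com"
# Set-AuthOnlyRestriction -DistinguishedName "CN=J Doe,OU=Users,DC=example,DC=com"
# Get-AuthOnlyRecipients | Format-Table Mail, ObjectClass, DistinguishedName -AutoSize
```

Run Get-AuthOnlyRecipients before and after the change: the audit is the quickest way to confirm the restriction landed on the right objects and to notice if it was ever set on a recipient that is supposed to accept internet mail. The attribute only governs whether the submitting session was authenticated; it does not change the relay restrictions on the SMTP virtual server, so internal clients that submit anonymously are treated exactly like the internet.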

- Ade Famoti

  • This sounds feasible; however, would it also not deny mail from internal POP/IMAP users who do not authenticate to send?
  • The default send settings (send denoting relay settings) on the SMTP virtual server are by default "only the list below" and "allow all users and computers that successfully authenticate to relay".

    In essence, your POP/IMAP users are relay users when they send using SMTP and are expected to authenticate. When they do, mail will not be denied from them.

    However, if your internal POP/IMAP users are not authenticating to send mail, their mail will be denied, i.e. result in a 5.7.1 NDR. Most importantly, it poses a security issue because SMTP relay is then anonymous (open to any client).

    If you would prefer to deviate from the default settings on the SMTP virtual server relay config, then you can choose specific users (security principals) that have the right to relay mail. This would be your internal POP/IMAP users in your case.
  • It is strongly recommended that, for inbound internet mail to honor this configuration, the internet-facing (or first) server in the organization to receive the message should be an Exchange 2003 server.