Restricting email to the Internet on a per user AND per domain basis

Published Jan 18 2010 12:39 PM

You requested it... and we delivered it in Exchange 2010!

One of the most requested items in Exchange 2007 was something like this...

...we have 5-12 external domains that we need to allow some users to send to, but prevent sending to all other domains...

Or like this...

...we need a way to allow everyone to send to the internet but restrict members of 'contract workers group' to just certain domains. 

This blog post is meant to show how easy it now is to accomplish this oft-heard request in Exchange 2010. Transport rules, introduced with Exchange 2007, provided a lot of new options for mail administration, which in turn generated even more requests for additional functionality. The rules now have new predicates and actions that extend what can be done.

In particular, the predicates for address matching that were previously only available on the Edge role are now available for Hub role as well!

For more information about the new predicates and actions, see the following links:

Exchange 2010 Transport Rule Predicates:

Exchange 2010 Transport Rule Actions:

I will use the second "request" above to demonstrate how to create a rule in Exchange 2010 that accomplishes it.

For our example, the rule will restrict Active Directory mail-enabled users whose 'Department' attribute is set to 'Temp Employees' from sending mail to the Internet, except that they must still be allowed to send to two external domains, '' and ''. Additionally, to reduce Helpdesk calls, you want the sender to receive an NDR when they violate the rule. For demonstration purposes I will use two conditions, one action and one exception.

Creating a new rule

1. Conditions

a. First condition:

"Sent to users that are inside or outside the Organization, or partners"

In Screenshot #1 above, set the dropdown to the 'Outside the Organization' option.

b. Second condition:

"When the sender's properties match text patterns".

Note the new options for this predicate in the third screenshot below, which allow you to select Active Directory properties on the user object.

Here we use the 'Department' property, per the scenario above, to match the rule to a sender (any of the listed attributes, such as 'Title', can be used the same way).

2. Actions

"Send rejection message to sender with enhanced status code". The text you add here is displayed in the "Diagnostic information for administrators:" section of the NDR and can say whatever you wish. Originally I started out with "You may only send internet mail to and".

While the NDR carries that information, it is somewhat 'hidden' from a typical user, so I will create a customized DSN whose text appears in the body of the NDR. At this point, all we need to do in the rule is specify the rejection text and the enhanced status code for our administrators. The new text will be "Diagnostic information for System Administrators", and we specified a specific and unique error code, 5.7.122, that is easy for administrators to associate with this rule should troubleshooting be necessary. The code you choose must not be one Exchange already uses, and the custom DSN must be created with exactly the same code, because that code is what associates the DSN text with the rule.

3. Exceptions

"Except when a recipient's address matches text patterns". This is where we add the domains that these senders are allowed to send mail to, on the "Specify text patterns" dialog box. Keep in mind that these are regular-expression patterns matched against the full recipient address, so anchor each one so that it only matches the end of the address (the '@' before the domain and a trailing '$' after it); a bare domain name would also match any address that merely contains that string, which turns the exception into a bypass.
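The same rule built from the Exchange Management Shell on an Exchange 2010 Hub Transport server, as an added example that is not part of the original post. The post does not name the two allowed domains, the rule name or the DSN wording, so 'partner1.example', 'partner2.example' and the text strings below are assumptions; the enhanced status code 5.7.122 is the one the post uses.

```powershell
# Added example (not from the original post): the transport rule described above,
# created from the Exchange Management Shell instead of the console.
# Assumed values: the two allowed domains, the rule name, and the rejection/DSN wording.

$AllowedDomains = @('partner1.example', 'partner2.example')   # assumed; the post does not name them

# The exception patterns are regular expressions evaluated against each recipient
# address. Escape the dots and anchor on '@...$' so that 'partner1.example' cannot be
# matched by 'user@partner1.example.attacker.test' or 'user@notpartner1.example'.
$AllowedPatterns = $AllowedDomains | ForEach-Object { '@' + [regex]::Escape($_) + '$' }

# Condition 1: recipient is outside the organization
# Condition 2: the sender's AD 'Department' attribute is exactly 'Temp Employees'
# Exception:   recipient address is in one of the allowed domains
# Action:      reject with a reason text and our unique enhanced status code
New-TransportRule -Name 'Temp Employees - restrict Internet mail' `
    -Comments 'Temp Employees may only send outside the organization to approved partner domains' `
    -SentToScope NotInOrganization `
    -SenderADAttributeMatchesPatterns 'Department:^Temp Employees$' `
    -ExceptIfRecipientAddressMatchesPatterns $AllowedPatterns `
    -RejectMessageEnhancedStatusCode '5.7.122' `
    -RejectMessageReasonText ('Temp Employees may only send Internet mail to: ' + ($AllowedDomains -join ', ')) `
    -Enabled $true

# Custom DSN text shown in the body of the NDR. -Internal $true because the senders
# this rule targets are inside the organization. The DsnCode must be identical to the
# RejectMessageEnhancedStatusCode above; that is what ties this text to the rule.
New-SystemMessage -DsnCode 5.7.122 -Language En -Internal $true `
    -Text ('Your message was not delivered. Members of the Temp Employees department may only send Internet mail to: ' `
           + ($AllowedDomains -join ', ') + '. Contact the Helpdesk if another domain needs to be approved.')

# Verify what was created: the rule's conditions, exceptions and action, and the DSN text.
Get-TransportRule -Identity 'Temp Employees - restrict Internet mail' |
    Format-List Name, Priority, State, Conditions, Exceptions, Actions
Get-SystemMessage -Identity 'En\Internal\5.7.122' | Format-List DsnCode, Internal, Language, Text
```

Review the output of `Get-TransportRule` for the escaped, anchored patterns before enabling the rule in production, and keep in mind that the rule only evaluates mail that passes through the Hub Transport role; it does not constrain any other path a user might have to the Internet.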

And finally, this is the customized NDR that senders receive when they violate the rule we created. This test message was sent to two recipients, one in an allowed domain and one, mthomas@e2k3.dom, in a domain that is not allowed.

Notice how the NDR was only generated for the rejected recipient.  All other recipients were allowed through.

For more information:

- Understanding Transport Rules

- Understanding How Transport Rules Are Applied

- Create a Custom DSN

- Associating a DSN Message with a Transport Rule

- Dave Forrest (contributions by Scott Landry, Stephen Gilbert and Steve Clagg)
