Distribution Group External Senders Restriction

Copper Contributor

I have a distribution group under Exchange Server 2016 which should not receive mail from external users. I checked the option "Only senders internal to my organization"(see screenshot attached). But Gmail accounts still manage to send mail to distribution group

Can you help me understand why this?

Distribution group restriction

7 Replies

@mlaminedouba 

What we need to confirm first is

  1. Are the emails from specific external GMAIL users or from all GMAIL users
  2. Does the email expands to all members of the Distribution Group or to specific members
  3. Can we confirm if this has been working before or a new settings

By design, external members should not be able to email a distribution group after checking the "Only allow messages from people inside my organization".

 

If per adventure, external members are still getting emails sent to a distribution group after checking the “Only allow messages from people inside my organization” option, it could be due to a delay in the replication of the changes made to the distribution group settings if it has just been saved. It usually takes about 60 minutes for distribution groups to be fully created and ready for management. 

 

However, if it has been working before an stopped working, you may need to uncheck the Only allow messages from people inside my organization, save the settings, refresh the browser. Go back to the DG management again, check the Only allow messages from people inside my organization >> save the settings >> refresh the browser again and try reproducing the issue. 

 

Check if the emails does delivers to specific users, we need to check if these users has not added the external users as safe senders in their outlook.

 

In conclusion, if all the above has been tested and the issue is not resolved, we may be considering exporting members of the distribution group, deleting the distribution group and recreating a new one. If that still does not assist, then we would be looking at creating a Transport rule to block external emails from sending emails to the Distribution Group.

 

If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like :smile:

Appreciate your Kudos! Proud to contribute! 🙂

 

Hello @Deleted,
Thank you for your detailed answer.

In answer to your questions 1 & 2, the email is delivered to all users if sent by any GMAIL user.
In fact we were able to solve the problem by choosing the option "Add users authorized to send mail to this distribution group".
But. Our great wish is to understand why if we tick "Only users internal to the organization" the members of the group continue to receive emails from GMAIL.

we will test the different suggestions you have given and get back to you.
Thanking you more,
Best regards.

@mlaminedouba 

 

Thank you for your prompt response. What you have done is to specify who can message the Distribution Group. This is not actually a fix though but rather a work around. Just like I mentioned in my previous email that by default, when you have the settings "only senders inside your organization" checked, external senders should not and cannot be able to send message to a distribution group. But I think there are some additional settings we nee to take a look at which might be taking precedence over the settings we have there. I have not been able to reproduce the issue after making the changes. Yours might still be different though. 

 

Please proceed to check the value of RequireSenderAuthenticationEnabled

 

In the Exchange Server 2016, run the below PowerShell

 

Get-DistributionGroup -identity "email address removed for privacy reasons" | fl RequireSenderAuthenticationEnabled

 

The function of this value

Spoiler
-RequireSenderAuthenticationEnabled

 

The RequireSenderAuthenticationEnabled parameter specifies to accept messages only from authenticated (internal) senders. Valid values are:

  • $true: Messages are accepted only from authenticated (internal) senders. Messages from authenticated (external) senders are rejected
  • $false: Messages are accepted from authenticated (internal) and unauthenticated (external) senders.

So if for the affected group, the value for the requiredsenderauthenticationenabled is $false, then we would be considering setting it to $true using the PowerShell command below.

 

RecepGencaslan_0-1679905115675.png

 

Get-DistributionGroup -identity "email address removed for privacy reasons" | Set-DistributionGroup -RequireSenderAuthenticationEnabled $true

 

One more last thing I would need to confirm, is it only receiving emails from GMAILs or from every other external emails. 

If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like :smile:

Appreciate your Kudos! Proud to contribute! 🙂

 

The email @Deleted 

Thank you again, 

The email is delivered to all users if sent by any GMAIL user.

The value of -RequireSenderAuthenticationEnabled is true.

 

Capture d’écran 2023-03-28 095311.png

We have created a new Distribution group but this distribution group has the same problem.

 

Cordialement.

@mlaminedouba

 

If you have the RequireSenderAuthenticationEnabled set to true, meanwhile, emails that delivers to the Distribution Group are only GMAIL and do you mean that after creating a new Distribution Group, issue still persists?

 

Then you might be looking at analyzing the message header to see what is making the email past the server. 

 

Before then, you can confirm if there are any transport rules set to allow emails from domain Gmail to deliver. 

If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like :smile:

Appreciate your Kudos! Proud to contribute! 🙂

 

@Deleted 

Hello, we have constated that are now receving email from alls external users event if the parameter requireSenderAuthenticationEnabled is set to True,

We really need a help.

@mlaminedouba 

 

Hi, so we had a similar problem.

External contacts were able to send emails, to our internal distribution groups, even though we had the  -RequireSenderAuthenticationEnabled $True. 

 

So what we found out, was that in our exchange 2016, Under Mailflow / Receiving connectors. Our spamfilter server, was allowed to use port 25 as an external anonymous relay. 

 

We removed it from the allowed list, and now the emails are denied from external contacts towards out internal distribution groups, as intended.

 

The reason (for our sake) was that our exchange server, saw everything received from the spamfilter, as an authenticated user, because of the above setting. 

 

I hope this helps you.

 

BR

Martin