Forum Discussion
Distribution Group External Senders Restriction
I have a distribution group under Exchange Server 2016 which should not receive mail from external users. I checked the option "Only senders internal to my organization" (see screenshot attached). But Gmail accounts still manage to send mail to the distribution group.
Can you help me understand why this is?
- Deleted
What we need to confirm first is:
- Are the emails from specific external GMAIL users or from all GMAIL users?
- Does the email expand to all members of the Distribution Group or to specific members?
- Can we confirm if this has been working before or is a new setting?
By design, external members should not be able to email a distribution group after checking the "Only allow messages from people inside my organization".
If peradventure external members are still getting emails sent to a distribution group after checking the "Only allow messages from people inside my organization" option, it could be due to a delay in the replication of the changes made to the distribution group settings if it has just been saved. It usually takes about 60 minutes for distribution groups to be fully created and ready for management.
However, if it has been working before and stopped working, you may need to uncheck the Only allow messages from people inside my organization option, save the settings, and refresh the browser. Go back to the DG management again, check the Only allow messages from people inside my organization option >> save the settings >> refresh the browser again and try reproducing the issue.
Check if the emails deliver to specific users; we need to check if these users have not added the external users as safe senders in their Outlook.
In conclusion, if all the above has been tested and the issue is not resolved, we may be considering exporting members of the distribution group, deleting the distribution group and recreating a new one. If that still does not assist, then we would be looking at creating a Transport rule to block external emails from sending emails to the Distribution Group.
If I have answered your question, please mark your post as Solved
If you like my response, please give it a Like
Appreciate your Kudos! Proud to contribute! 🙂
- mlaminedouba, Copper Contributor
Hello Deleted,
Thank you for your detailed answer.
In answer to your questions 1 & 2, the email is delivered to all users if sent by any GMAIL user.
In fact we were able to solve the problem by choosing the option "Add users authorized to send mail to this distribution group".
But our great wish is to understand why, if we tick "Only users internal to the organization", the members of the group continue to receive emails from GMAIL.
We will test the different suggestions you have given and get back to you.
Thanking you more,
Best regards.
- Deleted
Thank you for your prompt response. What you have done is to specify who can message the Distribution Group. This is not actually a fix though but rather a workaround. Just like I mentioned in my previous email, by default, when you have the setting "only senders inside your organization" checked, external senders should not and cannot be able to send messages to a distribution group. But I think there are some additional settings we need to take a look at which might be taking precedence over the settings we have there. I have not been able to reproduce the issue after making the changes. Yours might still be different though.
Please proceed to check the value of RequireSenderAuthenticationEnabled
In the Exchange Server 2016, run the below PowerShell
Get-DistributionGroup -identity "email address removed for privacy reasons" | fl RequireSenderAuthenticationEnabled
The function of this value:
RequireSenderAuthenticationEnabled: The RequireSenderAuthenticationEnabled parameter specifies to accept messages only from authenticated (internal) senders. Valid values are:
- $true: Messages are accepted only from authenticated (internal) senders. Messages from authenticated (external) senders are rejected
- $false: Messages are accepted from authenticated (internal) and unauthenticated (external) senders.
So if, for the affected group, the value for RequireSenderAuthenticationEnabled is $false, then we would be considering setting it to $true using the PowerShell command below.
Get-DistributionGroup -identity "email address removed for privacy reasons" | Set-DistributionGroup -RequireSenderAuthenticationEnabled $true
One last thing I would need to confirm: is it only receiving emails from GMAIL or from every other external email?
- MrNyman, Copper Contributor
Hi, so we had a similar problem.
External contacts were able to send emails to our internal distribution groups, even though we had the -RequireSenderAuthenticationEnabled $True.
So what we found out was that in our Exchange 2016, under Mailflow / Receiving connectors, our spamfilter server was allowed to use port 25 as an external anonymous relay.
We removed it from the allowed list, and now the emails are denied from external contacts towards our internal distribution groups, as intended.
The reason (for our sake) was that our Exchange server saw everything received from the spamfilter as an authenticated user, because of the above setting.
I hope this helps you.
BR
Martin
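
A read-only audit for the situation described in the last reply, added here as an example and not code posted by anyone in the thread: it shows the group's sender restriction, lists Receive connectors that classify their remote hosts as authenticated, and pulls recent external-sender deliveries to the group from message tracking. It assumes the relay connector was configured as externally secured (the post does not say which relay option was used), and `$Group` is a placeholder address.

```powershell
# Added example: read-only checks, run in the Exchange Management Shell (Exchange 2016).
$Group = 'all-staff@contoso.example'   # placeholder address (assumption, not from the thread)

# 1. The group-level setting discussed in the thread.
Get-DistributionGroup -Identity $Group |
    Format-List Name, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromSendersOrMembers

# 2. How each Receive connector classifies the hosts that submit to it.
#    ExternalAuthoritative ("externally secured") makes Exchange treat mail
#    from the connector's RemoteIPRanges as authenticated, so the group's
#    RequireSenderAuthenticationEnabled check no longer rejects it.
$connectors = foreach ($c in Get-ReceiveConnector) {
    [pscustomobject]@{
        Connector         = [string]$c.Identity
        ExternallySecured = ([string]$c.AuthMechanism) -match 'ExternalAuthoritative'
        AllowsAnonymous   = ([string]$c.PermissionGroups) -match 'AnonymousUsers'
        RemoteIPRanges    = ($c.RemoteIPRanges -join ', ')
    }
}
$connectors | Sort-Object ExternallySecured -Descending |
    Format-Table -AutoSize -Wrap

# 3. Recent SMTP deliveries to the group whose sender domain is not an
#    accepted domain. Wildcard accepted domains are not expanded here.
$internal = Get-AcceptedDomain |
    ForEach-Object { ([string]$_.DomainName).ToLower() }

$hits = Get-TransportService |
    Get-MessageTrackingLog -Recipients $Group -EventId RECEIVE `
        -Start (Get-Date).AddDays(-7) -ResultSize Unlimited |
    Where-Object {
        $_.Source -eq 'SMTP' -and $_.Sender -match '@' -and
        $internal -notcontains ($_.Sender.Split('@')[-1].ToLower())
    }

# 4. Compare ClientIp / OriginalClientIp with the RemoteIPRanges of any
#    connector flagged ExternallySecured in step 2 (for example a spam
#    filter appliance that relays inbound mail).
$hits | Sort-Object Timestamp -Descending |
    Select-Object Timestamp, Sender, ClientIp, OriginalClientIp, ConnectorId |
    Format-Table -AutoSize -Wrap
```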