Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Controlling mail-flow with Message Classifications and Transport Rules in Exchange 2010

Glen KnightLead Techical Consultant


Exchange 2010 brings us the ability to add different message classifications to outlook and outlook web app (OWA).  This in turn allows us to determine how messages that are given these classifications are handled by Exchange.

A perfect example of this would be the CEO has emailed a confidential document to all staff regarding an imminent take over.  This is not public knowledge yet and any leaks to the press could cause the whole deal to fall through but you want to keep your staff informed so it’s not a surprise to them when they find out.

You therefore put as much detail as you are able to into a global staff email and of it goes.  Of course there is always one disgruntled employee who remembers the day 25 years ago when you walked past and didn’t say “Hello” so they forward the email you have sent onto

Well, with Message Classifications and Transport rules in Exchange 2010 we can now prevent this email from leaving the organisation, and below I will show you how.

Exchange Server Configuration

The first thing we need to do is create the message classification on the Exchange Server.  Using the Exchange Management Shell we need to execute the New-MessageClassification commandlet.

An example command for creating a message classification with the following settings:
Identity: InternalConfidential
Display Name: Internal Only Confidential
Sender Description: This classification is for Internal Only Confidential Messages
 New-MessageClassification -Name InternalConfidential -DisplayName "Internal Only Confidential" 
                      -SenderDescription "This classification is for Internal Only Confidential Messages"

Open in new window

Please note the above code should be on a single line but for the purposes of display on this article I have had to place it on 2 lines.

Whilst we are using the Exchange Management Shell we also need to create a custom NDR message called a DSNCode.  To do this run the following command:
 New-SystemMessage -DSNCode 5.7.100 -Text "The message you have 
                      just forwarded is restricted for internal confidential use only." -Internal $True -Language EN

Open in new window

Please note the above code should be on a single line but for the purposes of display on this article I have had to place it on 2 lines.

This will create an NDR with an error code of 5.7.100 and a text of “The message you have just forwarded is restricted for internal confidential use only” this will be the code and text that is returned to the end user in the form of an NDR message.

Once we have done this we then need to create the Transport Rule.  To do this using the Exchange Management Console navigate to Organisation Configuration > Hub Transport and select New Transport Rule.  This will start the transport rule wizard (see image below).  On the opening screen give the transport rule a name, it doesn’t matter what you call the rule but I like to give them names that makes them easily identifiable.
 Transport-Rule-01.jpgOnce you have given your rule a name click Next.  On the conditions screen select the sent to users inside or outside the organisation or partners and the marked with classification option.  Once done using the hyperlinks in the lower section of the dialogue box click the inside the organisation and from the drop down box select Outside the organisation and click OK.  Then  click the Classification and select the classification created earlier (see image below).
 Transport-Rule-02.jpgOnce these selections have been made click Next.  From the Actions screen put a check in the send rejection message to sender with enhanced status code.  Then in the lower section of the screen click the hyperlink for rejection message and enter text for the NDR message to be sent back to the user.  Click the enhanced status code and enter the 5.7.100 code that was used to create the DSNCode earlier (see image below).
 Transport-Rule-03.jpgOnce this has been completed click Next, if you want to add exceptions to this rule then do so on the Exceptions screen and click Next.  And then click New to create the rule.

Outlook Configuration

We can use message classifications in Outlook 2007/2010 and Outlook Web App.  With Outlook Web App there is no further configuration required.

From within Outlook Web App, open the new message window.  From within this window select the permissions button (shown below) and chose the Internal Only Confidential option.
 Transport-Rule-04.jpgEnter an external email address and a subject and click Send.

You will then receive the following message back from the Exchange Server and your e-mail will be dropped.
 Transport-Rule-05.jpgThe same thing would happen if you were sent this message from an internal user and then tried to forward it to an external recipient.

Getting this to work with the full outlook the first thing that is needed is to export the classifications from Exchange.  Using the Exchange Management Shell navigate to C:\Program Files\Microsoft\Exchange Server\V1\Scripts and execute the following command:
”./Export-OutlookClassification.ps1 > C:\Classifications.xml”

Open in new window

This XML file then needs to be copied to the client machine, you can store the XML file on a network location for centralised management, however Microsoft do recommend against it.

Once the file has been copied to the client machine.  Launch regedit, navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\x-version\Common\ if using Outlook 2007 then replace x-version with 12.0 if using Outlook 2010 then replace it with 14.0

Create a new key called Policy
Then under here create a new String Value with the following configuration:
Name: AdminClassificationPath
Value: C:\Classifications.xml”
This assumes the XML you exported from the Exchange Server has been copied to the C:\ on the client machine.

You also need to create 2 DWORD Values as follows:
Name: EnableClassifications
Value: 1
Name: TrustClassifications
Value: 1
Once you have completed these tasks restart Outlook if you have it open and then open the new message windows.  Under Options click the permissions button and your new message classification should appear.

Of course if we need to make these changes en masse then there are a number of deployment methods available to us, including the use of login scripts & Group Policy Preferences.  Some of these methods are discussed here:

Further Reading

Managing Message Classifications:
Glen KnightLead Techical Consultant

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.