bgarrabrant asked:
Security Groups in 2003 SMTP Connector Delivery Restrictions?

We are installing and configuring a new Exchange 2003 server on the Server 2003 platform.  My goal is to be able to enable sending and receiving of internet email based on Security group membership.  I have been pulling information from this article to help me do so:

http://www.msexchange.org/tutorials/MF009.html

The recipient policy was successfully enacted and tested regarding the receipt of internet-based email.  However....

Upon creating an SMTP connector to try to restrict the sending of internet email, I find that the Delivery Restrictions tab will not pull Security Groups into its lookup for adding exceptions to it.  My available objects are "Users" and "Other Objects," and  the Check Name will not bring up any group names.  The Advanced Find will similarly only bring users into the result.

I don't want to have to add users individually to this connector to enable their internet mail.  A distinguished Name for the group was required to get the recipient policy to work for receiving mail, however that policy applied a filter.  Delivery restrictions simply gives me the option to add objects to the rule and will not bring security groups into its self-limited selection of objects.  Big points for the urgency of this issue.  Help us out!  
ASKER CERTIFIED SOLUTION by Vahik:
bgarrabrant (asker):
Okay.  But I thought if I mail-enabled a security group that it created an email address for the group, which I don't want, and then the delivery restrictions will apply only to that group email address.  If I mail-enable the group so it shows up in my delivery restrictions tab on my SMTP connector, will Exchange expand that group and apply the delivery restriction to all members of the group?
Vahik:

sure it will...that is the idea behind a group in an Exchange environment....
create a group...add users to the group..and apply restrictions to the group...
if you don't want outside folks to send email to the group from the internet just apply a .local
to the email address of the group....if you don't want inside folks to send an email to the group
just hide it (well if folks know the email address they can still send even if you hide it)...
or apply restrictions on the group's properties page designating who can or can't send
to that group....this restriction won't affect internet email delivery...
you have tons of options to work with.....
bgarrabrant (asker):

Sorry Vahik.  No DICE.  I already have an internal domain suffix (.lan) as default for all addresses unless they are added to the "NetMail Users" group, in which case a recipient policy assigns them a .com address.  Restrictions for RECEIVING internet email are in place and tested and functional.  Restriction for SENDING internet email is my current goal.

So I followed your advice and mail-enabled the AD security group of "NetMail Users."  I made the registry change required to enable the connector's delivery restrictions as outlined here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277872

Then I created the connector as outlined in the original article link I posted, setting its delivery restrictions to reject all by default, and to accept those from the freshly mail-enabled group ("NetMail Users").  This was all done last night and the server was restarted after these steps, so propagation delay of my settings is not the issue.

Then I sent an internet email from a user who is not a member of "NetMail Users" and it shot right through without a problem.

Failing that, I tried another method.  I applied a Sender Filter on the SMTP Virtual Server and in my Global Settings-->Message Delivery created a sender filter for all addresses with the .lan suffix for my domain.  Then I sent an external email from a .lan address and it shot right through.

So now that my SMTP connector has failed to restrict delivery my question becomes more generic:

How do I configure Exchange 2003 to restrict internet email for everyone who is not a member of the "NetMail Users" group?
Vahik:

BG that is the only way...and it has to work and it does work...give it one more try
this way:
you click "By default all messages are accepted from everyone" (that is the default)
then in the "reject messages from" (in the bottom section) add the users that are supposed to be banned from sending.....restart the server again before you try.....
just trust me and try....you have to create another group called Banned or whatever
and add users to it....
bgarrabrant (asker):

I can't default reject all messages and accept the ones from the "NetMail Users" group?
Vahik:

that is a very good question...never tried it your way..but the default connector behaviour is set
to accept messages from everyone ...and in order to get what you want it may require
another reg hack....to set the default to reject all messages....i am sure it can be done
but i don't know where in the registry to make that change....

well try it the way microsoft suggested to see if restrictions do indeed work for your
exchange server first....
bgarrabrant (asker):

Okay Vahik, it worked for me.  I gotta note, though, for any other readers, that it worked only in the configuration we arrived at above.  When I set up an SMTP connector the same way, and set it to, by default, reject all messages, it let every message sail through with no impediment.

But by accepting all and rejecting those from a mail-enabled internal-only security group, I was able to apply this limitation as intended.