• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 912
  • Last Modified:

Security Groups in 2003 SMTP Connector Delivery Restrictions?

We are installing and configuring a new Exchange 2003 server on the Server 2003 platform.  My goal is to be able to enable sending and receiving of internet email based on Security group memebership.  I have been pulling information from this article to help me do so:

http://www.msexchange.org/tutorials/MF009.html

The recipient policy was successfully enacted and testing regarding the receipt of internet based email.  However....

Upon creating an SMTP connector to try to restrict the sending of internet email, I find that the Delivery Restrictions tab will not pull Security Groups into its lookup for adding exceptions to it.  My available objects are "Users" and "Other Objects," and  the Check Name will not bring up any group names.  The Advanced Find will similarly only bring users into the result.

I don't want to have to add users individually to this connector to enable their internet mail.  A distinguished Name for the group was required to get the recipient policy to work for receiving mail, however that policy applied a filter.  Delivery restrictions simply gives me the option to add objects to the rule and will not bring security groups into its self-limited selection of objects.  Big points for the urgency of this issue.  Help us out!  
0
bgarrabrant
Asked:
bgarrabrant
  • 4
  • 4
1 Solution
 
VahikCommented:
mail enable security groups and they will appear....orelse they wont...
when u open" select recipient" page  all u have to do is click on advanced and then
click on find now and all the mail enabled objects will appear in ur search result....as simple as that....but the key word is if they are mail enabled....this is exchange that u are working with not ur active directory....well u could argue otherwise
0
 
bgarrabrantAuthor Commented:
Okay.  But I thought if I mail-enabled a security group that it created an email address for the group, which I do.n't want, and then the delivery restrictions will apply only to that group email address.  If I mail-enable the group so it shows up in my delivery restrictions tab on my SMTP connector, will exchange expand that group and apply the delivery restriction to all members of the group?
0
 
VahikCommented:
sure it will...that is the ides behind a group in exchnage enviroment....
create a group...add users to the group..and apply restrictions to the group...
if u dont want outside folks send email to the group from internet just apply a .local
to the email address of group....if u dont want inside folks send an email to the group
just hide it(well if folks know the email address they can still send even if u hide it)...
or apply restrictions on the groups properties page designating who can or cant send
to that group....this restriction wont affect internet email delivery...
u have tons of options to work with.....
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
bgarrabrantAuthor Commented:
Sorry Vahik.  No DICE.  I already have an internal domain suffix (.lan) as default for all addresses unless they are added to the "NetMail Users" group, in which case a recipient policy assigns them a .com address.  Restriction for RECEIVING internet email are in place and tested and functional.  Restriction for SENDING internet email is my current goal.

So I followed your advice and mail-enabled the AD security group of "NetMail Users."  I made the registry change required to enable the connector's delivery restrictions as outlined here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277872

Then I created the connector as outlined in the original article link I posted, setting its delivery restrictions to reject all by default, and to accept those from the freshly mail-enabled group ("NetMail Users").  This was all done last night and the server was restarted after these steps so propogation delay of my settings is not the issue.

Then I sent an internet email from a user who is not a member of "NetMail Users" and it shot right through without a problem.

Failing that I tried another method.  I Applied Sender Filter on the SMTP Virtual Server and in my Global Settings-->Message Delivery created a sender filter for all addresses with the .lan suffix for my domain.  Then I sent an external email from a .lan address and it shot right through.

So now that my SMTP connector has failed to restrict delivery my question becomes more generic:

How do I configure Exchange 2003 to restrict internet email for everyone who is not a member of the "NetMail Users" group?
0
 
VahikCommented:
BG that is the only way...and it has to work and it does work...give it one more try
this way
u click By deafult all messsages are accepted from everyone(that is the default)
the in the reject messages from(in the bottom section) add the users that are suppose to be banned from sending.....restart server again before u try.....
just trust me and try....u have to create another group called Banned or whatever
and add users to it....
0
 
bgarrabrantAuthor Commented:
I can't default reject all messages and accept the ones from the "NetMail Users" group?
0
 
VahikCommented:
that is very good question...never tried it ur way..but deafult connector behaviour is set
to accept messages from everyone ...and inorder to get what u want it may require
another reg hack....to set the deafult to reject all messages....i am sure it can be done
but i dont know where in the registry to make that change....

well try it the way microsoft suggested to see if restrictions do indeed work for ur
exchange server first....
0
 
bgarrabrantAuthor Commented:
Okay Vahik it worked for me.  I gotta note, though, for any other readers, that it worked only in the configuration we arrived at above.  When I set up an SMTP connector the same way, and set it to, by default, reject all messages, it let every message sail through with no impediment.

But by accepting all and rejecting those from a mail-enabled internal-only security group, I was able to apply this limitation as intended.
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now