restrict access to external emails in the multi functional printers

I've been tasked to restrict access from our multi functional printers to send external emails.  Can anyone tell me how I can accomplish this?  

WE have exchange 2007 Sp3.

Thanks
LVL 1
annayegAsked:
Who is Participating?
 
MikeyLLBConnect With a Mentor Commented:
My apologies, that's for Exchange 2000/2003.

For 2007 I'll give you the correct instructions!

Create a Distribution Group – call it “NoInternetMail”. Add the recipients you want to prevent from sending internet email as members of the group.

Create a Transport Rule
1) Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule
2) Enter a name for the rule – e.g. NoInternetMail
3) On the Conditions page, select “From a member of a distribution list“
4) In the rule description, click the link for distribution list (underlined)
5) Click Add | Select the distribution list “NoInternetMail”
6) Under Conditions, select a second condition “Sent to users inside or outside the organization“
7) In the rule description, click Inside (underlined) | change scope to Outside
8) Click Next
9) On the Actions page select "Silently Drop the Message"
10) Click Next | verify the rule conditions and action in the summary
11) Click New | click Finish
0
 
MikeyLLBCommented:
What make of printer(s) and models are you using?
0
 
annayegAuthor Commented:
HP laserjet m3035 mfp
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
MikeyLLBCommented:
If you use a dedicated exchange account for the printer (and you should) you can try the following:

In EMC:

Open SMTP Connector->properties->Delivery Restrictions

Click Add under Reject Message from and add the account used by the printer you don't want to send external mail.

The printer itself CANNOT be configured to only send to certain e-mail addresses.
0
 
annayegAuthor Commented:
I have Exchange 2007 sp3, I don't see delivery Restrictions when I go to the properties of my receive connectors.
0
 
MikeyLLBCommented:
you want the send connector, not the receive. What you are doing is telling the outgoing "send" connector, to refuse to send e-mail (externally) from a certain exchange account.
0
 
annayegAuthor Commented:
Where would I see the Delivery Restrictions for the SMTP connector?
0
 
annayegAuthor Commented:
Thank you so much for the information.
Where do you specify the distribution list on the MFP?
0
 
MikeyLLBCommented:
you don't. Create an account for the MFP to use to send it's e-mail, add that account to the Distribution Group and have the MFP use the account/authentication to send it's e-mail.
0
 
annayegAuthor Commented:
I created the dl, created an email address, created the hub transport rule and changed the email settings of the MFP to reflect the new username that I created.  Is there a step that I am missing?   When I try to scan a document to an external address it goes through?
0
 
MikeyLLBCommented:
So to confirm:

You have a distribution group, with the MFP's account as a member.

You have set the MFP to use authentication (on certain devices just entering the username/password may not force the device to use authentication)

You have the hub transport rule set.

If you're willing to post a screenshot of the MFP's e-mail settings screen.
0
 
annayegAuthor Commented:
Does it take awhile for the hub transport rule to kick in?
0
 
MikeyLLBCommented:
http://technet.microsoft.com/en-us/library/bb124703.aspx

Each Hub Transport server maintains a recipient cache that is used to look up recipient and distribution list information. The recipient cache reduces the number of requests that each Hub Transport server must make to an Active Directory domain controller. The recipient cache updates every four hours. You can't modify the recipient cache update interval. Therefore, changes to transport rule recipients, such as the addition or removal of distribution list members, may not be applied to transport rules until the recipient cache is updated. To force an immediate update of the recipient cache, you must stop and start the Microsoft Exchange Transport service. You must do this for each Hub Transport server where you want to forcibly update the recipient cache.

You can re-start the "Microsoft Exchange Transport Service" to force the change.
0
 
annayegAuthor Commented:
"Microsoft Exchange Transport Service" can be restarted any time?  it doesn't hurt anything?
0
 
annayegAuthor Commented:
Email settings:

Send e-mail..
directly from the device
Device's SMTP Gateway:
99.99.99.99
Port:
25
Enable SMTP authentication is not selected

Default from Address
Email address
username (created earlier and placed in the noninternetmail dl)
Prevent Device user from changing the default from address  is checked.
0
 
MikeyLLBCommented:
It will interrupt your e-mail/outlook connections when you restart the service.

You'll may want to use authentication with port 465
0
 
annayegAuthor Commented:
I think I know what the problem was:  My exception rule was incorrect, instead of when the message is sent to users inside the organization, i had it  when the mssage is from users inside the organization.
0
 
MikeyLLBCommented:
Ah, there will still be the 4 hour delay if you change it.

And you want it for messages sent to users outside the organisation.
0
 
annayegAuthor Commented:
basically, I want to block MFP devices from being able to send to outside organization.
0
 
MikeyLLBCommented:
Yeah, this guide will do that for you.
0
 
MikeyLLBCommented:
1) Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule
2) Enter a name for the rule – e.g. NoInternetMail
3) On the Conditions page, select “From a member of a distribution list
4) In the rule description, click the link for distribution list (underlined)
5) Click Add | Select the distribution list “NoInternetMail
6) Under Conditions, select a second condition “Sent to users inside or outside the organization
7) In the rule description, click Inside (underlined) | change scope to Outside
8) Click Next
9) On the Actions page select "Silently Drop the Message"
10) Click Next | verify the rule conditions and action in the summary
11) Click New | click Finish
0
 
annayegAuthor Commented:
My last question: to change the email settings of the MFP is there a fast and easy way of doing it?  We have 200-300 devices all over.
0
 
MikeyLLBCommented:
I'm not certain, we use RICOH printers and they provide a utility for this. It is possible that you manufacturer may provide something similar. It's worth asking their customer support.
0
All Courses

From novice to tech pro — start learning today.