Exchange - Distribution List - Restrict Sending

Hi Guys,

We have an existing Distribution List setup in Exchange 2010 and have been requested:

(i) To restrict sending to it from an individual mailbox.
(ii) Set "require that all senders are authenticated" option in the DL

We've had a test user send in a test email from the mailbox set in the Message Delivery Restrictions for the Distribution List, however they get the following error:

"Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery."

Looking at the response from the server, there is a user who has CC'd themselves in the test email that was sent out - Would that cause an issue?
khanfe Asked:

Zacharia Kurian, Administrator - Data Center & Network, Commented:
Look at the below article which details many ways to restrict a distribution group;

http://exchangeserverpro.com/restrict-distribution-group-exchange-server-2010/

Zac.
Amit Kumar Commented:
The correct thing is happening in your case. The simple thing is that you restricted the user to send e-mail to a DL, where the test user is getting the message "Your message wasn't delivered due to a permission or security issue"; this is all you need, actually.

As for who has been CC'd, mail will be sent out to the users who are individually added; it is working as expected.

"require that all senders are authenticated" is an option to restrict your DL where any external user won't be able to send e-mail to that DL. Only users from the same/trusted Exchange org will be able to send mail to this DL.
khanfe (Author) Commented:
The configuration and understanding that we have is no different to the article posted.  This is the message seen - obviously actual IPs and addresses have been obfuscated:

Delivery has failed to these recipients or groups:

allteststaff@systems.com

Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.

Diagnostic information for administrators:
Generating server: MAILHC02.ORG.NET
allteststaff@uk.lnk.net
#< #5.7.1 smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required> #SMTP#
Original message headers:
Received: from dc005.lnk.net (10.104.52.32) by
 MAILHC02.ORG.NET (172.35.76.34) with Microsoft SMTP Server id
 12.6.138.2; Wed, 9 Sep 2015 11:18:35 +0300
To: "allteststaff@systems.com" <allteststaff@systems.com>
X-IronPort-AV: E=Sophos;i="5.17,495,1437433200";
   d="gif'147?png'147,150?scan'147,150,208,217,147,150";a="115445651"
Received: from gl0005v.lnk.net ([10.106.8.39])  by
 dc005.lnk.net with ESMTP; 09 Sep 2015 09:18:33 +0100
Received: from GL0004V.LNK.net ([168.254.2.186]) by
 GL0005V.LNK.net ([10.106.8.39]) with mapi id 14.03.0248.002; Wed, 9
 Sep 2015 09:18:33 +0100
From: "Corporate Communications"
        <corporate.communications@systems.com>
CC: "Smith, Jane" <jane.smith@systems.com>
Subject: Test DL
Thread-Topic: Test DL
Thread-Index: AdDq2Bc0XUCrpSH2Tje/uinLM66ZLQ==
Date: Wed, 9 Sep 2015 08:18:32 +0000
Message-ID: <A8094A4D69667441BF586496197C7D6C82CCCE89@GLKXM0004V.LNK.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [11.102.76.5]
Content-Type: multipart/related;
        boundary="_009_A8094A4D69667441BF586496197C7D6C82CCCE89GLKXM0004VBLUE_";
        type="multipart/alternative"
MIME-Version: 1.0
Return-Path: corporate.communications@systems.com

Amit Kumar Commented:
This is working as expected. The message delivery failure is for the DL only, not for the CC'd user.
Zacharia Kurian, Administrator - Data Center & Network, Commented:
I agree with @Amit. This is the expected result. Do you have any other requirement with this setting other than the expected result?


Zac.
khanfe (Author) Commented:
Okay, would anyone happen to know why the mailbox set up in the Message Delivery Restrictions to send emails to the DL is getting this error?

I've checked through articles online about security and permissions, however I have not found an answer to help.
Exchange1.jpg
Amit Kumar Commented:
It is your and management's choice if you want to restrict your DL. If anyone asks a question, tell them the same.
khanfe (Author) Commented:
Apologies for the confusion.

The point I wish to make is that the emails are not coming through to members of the DL from the mailbox specified in the Message Delivery Restrictions.  The senders are receiving the above error and members in the DL are not receiving the emails.
Zacharia Kurian, Administrator - Data Center & Network, Commented:
OK. Have you added the "users who are supposed to receive the email" as members of the DL in ADUC? If not, in ADUC, right-click on the DL, then in the properties, select "members" and add the desired users to it.

Zac.
Zacharia Kurian, Administrator - Data Center & Network, Commented:
As per your attached screenshot, it sounds like you have added a Group in "receive only from".

So make sure that the "users who are supposed to receive the email" are not included in the Groups you have added.

Do it this way:

Try adding only user names instead of the Groups in "receive only from" and test.

Zac.
khanfe (Author) Commented:
Yes, users have already been added as members of the DL to receive emails.

The image is showing a mailbox of a user and not defined as a group here.
Zacharia Kurian, Administrator - Data Center & Network, Commented:
Is it a new Exchange server or a migrated one? If it is a migrated one, would it be a big deal to delete and recreate the DL again? Or could you try creating another new DL and have it properly configured and test it?

Do you have any anti-spam software installed in your Exchange?

Zac.
khanfe (Author) Commented:
These tests are being run on a test DL we've created. We wanted to determine if the changes would work, before making changes to the actual DL.

I'm new to messaging, so excuse the lack of knowledge, but I believe they are using a product called Ironport.
Zacharia Kurian, Administrator - Data Center & Network, Commented:
Wait a minute,
The diagnostic information which you posted is now a bit confusing with your requirement.
Please clarify the below:
The DL you have created in your domain is allteststaff@systems.com?
Then you are receiving email from an external recipient called corporate.communications@systems.com?

If this is the case, then setting "Requires all senders are authenticated" will not allow the emails to pass through.

Zac.

Amit Kumar Commented:
Wait wait...

If I am not understanding wrong... you mentioned that:

"The point I wish to make is that the emails are not coming through to members of the DL from the mailbox specified in the Message Delivery Restrictions. The senders are receiving the above error and members in the DL are not receiving the emails."

If this is the case, when you restricted a member to send e-mail to that subject DL and the sender is receiving an NDR, then why should mail be delivered to members of the DL? It is the same as expected behavior.
Zacharia Kurian, Administrator - Data Center & Network, Commented:
@Amit,

Yes, he had 2 contradictory things in his question.

1. The diagnostic information
2. The point he wished to make.

So he has to clarify his question for a final answer.

Zac.
khanfe (Author) Commented:
@Zac,

I think you've hit the nail on the head.

It seems we may need to disable the setting "Requires all senders are authenticated" for this to work. We are waiting on our test user to send in a test email. It turns out that there are two Exchange servers communicating over two sites and addresses use aliases as well.
khanfe (Author) Commented:
As per Zac's recommendation, disabling the "Requires all senders are authenticated" has resolved the issue.
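
Added example (not part of the original thread): the NDR quoted above carries the resolver code `RESOLVER.RST.AuthRequired`, which points at the "require that all senders are authenticated" setting rather than the allowed-senders list. The script below maps that code to the responsible group setting and then lists the relevant properties of the DL. `Get-DlRejectionCause` is a hypothetical helper name, and the `NotAuthorized` code does not appear in the thread; it is the code Exchange returns when a sender is not on the allowed-senders list.

```powershell
# Added example, not from the thread. Get-DlRejectionCause is a hypothetical helper.
function Get-DlRejectionCause {
    param([Parameter(Mandatory = $true)][string]$NdrText)

    # Both restrictions are reported as 550 5.7.1; only the RESOLVER.RST token differs.
    $settings = @{
        'AuthRequired'  = 'RequireSenderAuthenticationEnabled'
        'NotAuthorized' = 'AcceptMessagesOnlyFrom* / RejectMessagesFrom* lists'
    }

    # Returns nothing when the text carries no recipient-restriction code.
    if ($NdrText -match '(?<status>\d\.\d+\.\d+)\s+RESOLVER\.RST\.(?<code>\w+)') {
        $code = $Matches['code']
        $setting = 'unknown restriction'
        if ($settings.ContainsKey($code)) { $setting = $settings[$code] }

        New-Object PSObject -Property @{
            Status  = $Matches['status']
            Code    = $code
            Setting = $setting
        }
    }
}

# Diagnostic line copied from the NDR quoted in the thread.
$ndr = '#< #5.7.1 smtp;550 5.7.1 RESOLVER.RST.AuthRequired; authentication required> #SMTP#'
Get-DlRejectionCause -NdrText $ndr | Format-List Status, Code, Setting

# Exchange Management Shell only: show the settings that can produce either code.
$group = 'allteststaff@systems.com'   # test DL address from the thread
if (Get-Command Get-DistributionGroup -ErrorAction SilentlyContinue) {
    Get-DistributionGroup -Identity $group |
        Format-List Name, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom,
            AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers

    # The change that resolved the thread. With authentication no longer required,
    # the AcceptMessagesOnlyFrom* lists are the only sender restriction left.
    # Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $false
}
```

After making the change, confirm that the allowed-senders list is still populated, since an empty list with authentication disabled leaves the group open to any sender.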