Avatar of Bogart Bogart
Bogart Bogart
 asked on

Block External Users sending to Internal Distribution List

Hi Experts,

I have set our Exchange 2010 SP3 to prevent external users to send to our internal Distribution List. In fact, the default is to Require that all senders are authenticated under Message Delivery Restrictions. However, this isn't working at the moment. I also have tried to create Transport Rules with the condition for messages outside the organization destined to members of a certain DL forward to a moderator. This works fine if the email is emailed directly to the DL email address itself but if the email is sent directly to the email address of an individual user it will be quarantined for approval which is not really what we want. Any ideas what's causing this?
ExchangeOutlook

Avatar of undefined
Last Comment
Bogart Bogart

8/22/2022 - Mon
Akhater

what are you trying to accomplish exactly ? it seems to me that everything is working fine

1) you send from outside to the email address of the DL the email gets rejects (that's what should happen)

2) you created a transport rule to ask for moderation if an email is sent from outside the org to a user in a specific DL and this is what is happening no ?


" Require that all senders are authenticated" means that emails sent TO THE DL will not get accepted and not to its members . if you want no one to send an email to the members change your transport rule to

1) email sender is form outside the organization
2) recipient is member of specific DL
3) Reject the message with the enhanced status code


that should cover you
Bogart Bogart

ASKER
The "Require that all senders are authenticated" isn't working which means external emails are getting through if an external user sends to the DL itself.

Setting up a transport rule it seems that it is working fine like you've oveserved BUT just would like to block the DL@test.com and not on the user level email address i.e. user1@test.com
Akhater

when you say "external emails" you means emails sent from external users like hotmail.com right ?
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Bogart Bogart

ASKER
Hi Akhater, Yes external users such as Hotmail, yahoo etc.

The "Require that all senders......" should just do the job by blocking incoming emails directly destined to the DL email address but still allows emails send individually to internal emails.
Akhater

Can you test with a new dl? Create a brand new dl don't change anything in it's config, add to it a couple of users and email the dl from Hotmail / yahoo
Bogart Bogart

ASKER
Hi Akhater, I have done this already and the same is happening.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Akhater

Oh well then please check your receive connectors is it configured with "externally secured"?
Bogart Bogart

ASKER
I have tried that setting as well to no avail. Weird that it just doesn't want to work!
Akhater

Which setting? No you should NOT have externally secured on your receive connector
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Bogart Bogart

ASKER
I don't have it.
Bogart Bogart

ASKER
I should have indicated that on my Default connector I don't have that (Externally Secured) selected as I don't want my server to become a relay.

Looking at the connectors it allows incoming emails alright but the behaviour of not allowing unauthenticated (external) users to send to internal DL isn't working which is really the problem.
Akhater

Can you share the output of

Get-ReceiveConnector | fl name,*authmec*
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Bogart Bogart

ASKER
Name          : Default XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer

Name          : Client XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS

Name          : Application Relay
AuthMechanism : Tls, ExternalAuthoritative
ASKER CERTIFIED SOLUTION
Akhater

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Bogart Bogart

ASKER
The application relay only allows internal network to relay to our exchange - this is mainly outgoing. So this is not the issue.

We do have Sophos Virtual Email Filter. Spoken to the guys but was advised that it's got nothing to do with the filter.
Akhater

Get-ReceiveConnector "Application Relay" | fl name,*authmec*,RemoteIPRanges
please run this and make sure that the SoPhos ip address is not in the RemoteIPRanges
Your help has saved me hundreds of hours of internet surfing.
fblack61
Bogart Bogart

ASKER
I can confirm that Sophos isn't part of the list.
Akhater

ok can I ask you to create a new Receive connector with just the IP of sophos keep everything default just allow Anonymous on it and test again ?
Bogart Bogart

ASKER
Hi Akhater,

I am tempted to restart the server at this stage before proceeding. I will provide update on any improvements - hopefully.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Bogart Bogart

ASKER
In Exchange 2007 and 2010 having your filter as trusted will bypass authentication.