Managing Active Directory can get complicated. Often, the native tools for managing AD are just not up to the task. The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.
Solved
Block External Users sending to Internal Distribution List
Posted on 2016-10-02
Hi Experts,
I have set our Exchange 2010 SP3 to prevent external users to send to our internal Distribution List. In fact, the default is to Require that all senders are authenticated under Message Delivery Restrictions. However, this isn't working at the moment. I also have tried to create Transport Rules with the condition for messages outside the organization destined to members of a certain DL forward to a moderator. This works fine if the email is emailed directly to the DL email address itself but if the email is sent directly to the email address of an individual user it will be quarantined for approval which is not really what we want. Any ideas what's causing this?
I have set our Exchange 2010 SP3 to prevent external users to send to our internal Distribution List. In fact, the default is to Require that all senders are authenticated under Message Delivery Restrictions. However, this isn't working at the moment. I also have tried to create Transport Rules with the condition for messages outside the organization destined to members of a certain DL forward to a moderator. This works fine if the email is emailed directly to the DL email address itself but if the email is sent directly to the email address of an individual user it will be quarantined for approval which is not really what we want. Any ideas what's causing this?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
11
9
20 Comments
Active today
what are you trying to accomplish exactly ? it seems to me that everything is working fine
1) you send from outside to the email address of the DL the email gets rejects (that's what should happen)
2) you created a transport rule to ask for moderation if an email is sent from outside the org to a user in a specific DL and this is what is happening no ?
" Require that all senders are authenticated" means that emails sent TO THE DL will not get accepted and not to its members . if you want no one to send an email to the members change your transport rule to
1) email sender is form outside the organization
2) recipient is member of specific DL
3) Reject the message with the enhanced status code
that should cover you
1) you send from outside to the email address of the DL the email gets rejects (that's what should happen)
2) you created a transport rule to ask for moderation if an email is sent from outside the org to a user in a specific DL and this is what is happening no ?
" Require that all senders are authenticated" means that emails sent TO THE DL will not get accepted and not to its members . if you want no one to send an email to the members change your transport rule to
1) email sender is form outside the organization
2) recipient is member of specific DL
3) Reject the message with the enhanced status code
that should cover you
Active 1 day ago
The "Require that all senders are authenticated" isn't working which means external emails are getting through if an external user sends to the DL itself.
Setting up a transport rule it seems that it is working fine like you've oveserved BUT just would like to block the DL@test.com and not on the user level email address i.e. user1@test.com
Setting up a transport rule it seems that it is working fine like you've oveserved BUT just would like to block the DL@test.com and not on the user level email address i.e. user1@test.com
Active today
when you say "external emails" you means emails sent from external users like hotmail.com right ?
Active 1 day ago
Hi Akhater, Yes external users such as Hotmail, yahoo etc.
The "Require that all senders......" should just do the job by blocking incoming emails directly destined to the DL email address but still allows emails send individually to internal emails.
The "Require that all senders......" should just do the job by blocking incoming emails directly destined to the DL email address but still allows emails send individually to internal emails.
Active today
Can you test with a new dl? Create a brand new dl don't change anything in it's config, add to it a couple of users and email the dl from Hotmail / yahoo
Active today
Oh well then please check your receive connectors is it configured with "externally secured"?
Active 1 day ago
I have tried that setting as well to no avail. Weird that it just doesn't want to work!
Active 1 day ago
I should have indicated that on my Default connector I don't have that (Externally Secured) selected as I don't want my server to become a relay.
Looking at the connectors it allows incoming emails alright but the behaviour of not allowing unauthenticated (external) users to send to internal DL isn't working which is really the problem.
Looking at the connectors it allows incoming emails alright but the behaviour of not allowing unauthenticated (external) users to send to internal DL isn't working which is really the problem.
Active 1 day ago
Name : Default XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Name : Client XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Name : Application Relay
AuthMechanism : Tls, ExternalAuthoritative
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Name : Client XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Name : Application Relay
AuthMechanism : Tls, ExternalAuthoritative
Active today
OK so we have "Application Relay" that has "ExternalAuthoritative" enabled
how do you receive emails from outside ?
you have an anti-spam / relay that delivers emails to Exchange ?
Get-ReceiveConnector "Application Relay" | fl name,*authmec*,RemoteIPRan
what is the output of that ?
how do you receive emails from outside ?
you have an anti-spam / relay that delivers emails to Exchange ?
Get-ReceiveConnector "Application Relay" | fl name,*authmec*,RemoteIPRan
what is the output of that ?
Active 1 day ago
The application relay only allows internal network to relay to our exchange - this is mainly outgoing. So this is not the issue.
We do have Sophos Virtual Email Filter. Spoken to the guys but was advised that it's got nothing to do with the filter.
We do have Sophos Virtual Email Filter. Spoken to the guys but was advised that it's got nothing to do with the filter.
Active today
Get-ReceiveConnector "Application Relay" | fl name,*authmec*,RemoteIPRan
please run this and make sure that the SoPhos ip address is not in the RemoteIPRanges
please run this and make sure that the SoPhos ip address is not in the RemoteIPRanges
Active today
ok can I ask you to create a new Receive connector with just the IP of sophos keep everything default just allow Anonymous on it and test again ?
Featured Post
![[Webinar] Lessons on Recovering from Petya](https://filedb.experts-exchange.com/files/public/2017/7/11/dcb3272a-62a8-4274-a34e-d1771610ec3b.png)
Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article will help to fix the below error for MS Exchange server 2010
I. Out Of office not working
II. Certificate error "name on the security certificate is invalid or does not match the name of the site"
III. Make Internal URLs and External…
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA).
For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651
If you want to manage em…
Suggested Courses
Course of the Month11 days, 1 hour left to enroll
719 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.