Solved

Block External Users sending to Internal Distribution List

Posted on 2016-10-02
20
103 Views
Last Modified: 2016-10-07
Hi Experts,

I have set our Exchange 2010 SP3 to prevent external users to send to our internal Distribution List. In fact, the default is to Require that all senders are authenticated under Message Delivery Restrictions. However, this isn't working at the moment. I also have tried to create Transport Rules with the condition for messages outside the organization destined to members of a certain DL forward to a moderator. This works fine if the email is emailed directly to the DL email address itself but if the email is sent directly to the email address of an individual user it will be quarantined for approval which is not really what we want. Any ideas what's causing this?
0
Comment
Question by:Bogart Bogart
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 9
20 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 41825918
what are you trying to accomplish exactly ? it seems to me that everything is working fine

1) you send from outside to the email address of the DL the email gets rejects (that's what should happen)

2) you created a transport rule to ask for moderation if an email is sent from outside the org to a user in a specific DL and this is what is happening no ?


" Require that all senders are authenticated" means that emails sent TO THE DL will not get accepted and not to its members . if you want no one to send an email to the members change your transport rule to

1) email sender is form outside the organization
2) recipient is member of specific DL
3) Reject the message with the enhanced status code


that should cover you
0
 

Author Comment

by:Bogart Bogart
ID: 41825924
The "Require that all senders are authenticated" isn't working which means external emails are getting through if an external user sends to the DL itself.

Setting up a transport rule it seems that it is working fine like you've oveserved BUT just would like to block the DL@test.com and not on the user level email address i.e. user1@test.com
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41826083
when you say "external emails" you means emails sent from external users like hotmail.com right ?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Bogart Bogart
ID: 41827209
Hi Akhater, Yes external users such as Hotmail, yahoo etc.

The "Require that all senders......" should just do the job by blocking incoming emails directly destined to the DL email address but still allows emails send individually to internal emails.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41827444
Can you test with a new dl? Create a brand new dl don't change anything in it's config, add to it a couple of users and email the dl from Hotmail / yahoo
0
 

Author Comment

by:Bogart Bogart
ID: 41827449
Hi Akhater, I have done this already and the same is happening.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41827488
Oh well then please check your receive connectors is it configured with "externally secured"?
0
 

Author Comment

by:Bogart Bogart
ID: 41827510
I have tried that setting as well to no avail. Weird that it just doesn't want to work!
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41827512
Which setting? No you should NOT have externally secured on your receive connector
0
 

Author Comment

by:Bogart Bogart
ID: 41827516
I don't have it.
0
 

Author Comment

by:Bogart Bogart
ID: 41828905
I should have indicated that on my Default connector I don't have that (Externally Secured) selected as I don't want my server to become a relay.

Looking at the connectors it allows incoming emails alright but the behaviour of not allowing unauthenticated (external) users to send to internal DL isn't working which is really the problem.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41829316
Can you share the output of

Get-ReceiveConnector | fl name,*authmec*
0
 

Author Comment

by:Bogart Bogart
ID: 41829323
Name          : Default XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer

Name          : Client XXXXXXXXXXXXXX
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS

Name          : Application Relay
AuthMechanism : Tls, ExternalAuthoritative
0
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 41829327
OK so we have "Application Relay" that has "ExternalAuthoritative" enabled

how do you receive emails from outside ?
you have an anti-spam / relay that delivers emails to Exchange ?


Get-ReceiveConnector "Application Relay" | fl name,*authmec*,RemoteIPRanges

what is the output of that ?
0
 

Author Comment

by:Bogart Bogart
ID: 41829331
The application relay only allows internal network to relay to our exchange - this is mainly outgoing. So this is not the issue.

We do have Sophos Virtual Email Filter. Spoken to the guys but was advised that it's got nothing to do with the filter.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41829338
Get-ReceiveConnector "Application Relay" | fl name,*authmec*,RemoteIPRanges
please run this and make sure that the SoPhos ip address is not in the RemoteIPRanges
0
 

Author Comment

by:Bogart Bogart
ID: 41829360
I can confirm that Sophos isn't part of the list.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41829369
ok can I ask you to create a new Receive connector with just the IP of sophos keep everything default just allow Anonymous on it and test again ?
0
 

Author Comment

by:Bogart Bogart
ID: 41830997
Hi Akhater,

I am tempted to restart the server at this stage before proceeding. I will provide update on any improvements - hopefully.
0
 

Author Closing Comment

by:Bogart Bogart
ID: 41834481
In Exchange 2007 and 2010 having your filter as trusted will bypass authentication.
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video discusses moving either the default database or any database to a new volume.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question