I need a better way to control email delivery restrictions for limited employee accounts

Michael Campellone
At our bank, we have two domains; one is hosted through Office 365 and we utilize Exchange Online as part of the package.  However, on our other domain, we have an on-premises Exchange Server 2010 running on Server 2008 Standard.  This server will be retired by the new year, and the domain/Exchange accounts will then also be migrated to 365.  In the meantime, however, I have a confusing/cumbersome configuration question, and my query is only concerning the old on-premises Exchange 2010 server.

As part of our job requirements and under stringent compliance rules (being a bank that handles large cash transactions), we have a good amount of the workforce that has email, but is *ONLY ALLOWED* to receive email from all internal users on our domain, and a specific list of external domains (for health insurance emails, payroll and benefits companies, outside card processors etc.)  - and aside from all internal users, and this specific list of external email addresses, they are not allowed to receive any other email.  This is not by my design, but is relegated by requirements set forth by the board of directors at this bank.  I am not happy lol...

This affects a large number of mailboxes.  When I select the typical "all senders must be authenticated", this allows all internal email naturally, however no external addresses of any kind.  I should also mention that I created an Exchange mail contact entry for each of these external senders.  Even then, those external emails never show up.

So far, the only way I have managed to get this to work, is under each of the mailboxes, I set up delivery restrictions by selecting "only senders in the following list", and then in the provided selection box, I select all of the email entries, as well as the external mail contact entries.  This does work, but the list is extensive (several hundred), and is somewhat problematic whenever we add new email addresses, etc.

There has to be an easier way?  Again - I only need a stopgap fix to last until the end of the year.  But I have tried "thinking outside the box" in a variety of scenarios and tried different methods, only to have to come back to this cumbersome, slow method.  More than anything, I am looking for a more "efficient" way of handling this strange setup...

Any ideas/input are greatly appreciated - thank you!
Exchange Engineer
Distinguished Expert 2018
Commented:
I would suggest you remove the senders must be authenticated and use Transport rule like the below example

Outside Emails Test
If the message...
Is received from 'Outside the organization'
Do the following...
Delete the message without notifying the recipient or sender
Except if...
Is received from 'postmaster@domain.com' or 'Jobs@domain.com' or 'health@domains.com'


This will drop all emails from external senders other than what you specify, and when you have to add a sender you can easily go back to the rule and just add the address; that way you don't have to bother the user mailbox because Exchange will stop it before it gets there. This will not affect internal to internal, it will only affect external to internal. Remove the authenticated sender requirement from the mailboxes though.
Alex, Senior Infrastructure Analyst

Commented:
I was going to recommend the transport rule way, but in addition to that there is more than likely a way in PowerShell.
Michael Campellone, Sr. Vice President, Info Technology

Author

Commented:
The transport rule is a great idea - I do have about 30-40% users who do receive unrestricted email access, so can I apply this rule to specific boxes only?
William Fulks, Systems Analyst & Webmaster

Commented:
You might want to look at getting Barracuda email filtering. You could then use it to whitelist only the domains you want to allow and block everything else. It costs money, but that may be a better way of managing things.
timgreen7077, Exchange Engineer
Distinguished Expert 2018
Commented:
You will have to add an additional exception for those internal recipients that have no restrictions, something like the following:

If the message...
Is received from 'Outside the organization'
Do the following...
Delete the message without notifying the recipient or sender
Except if...
Is received from 'postmaster@domain.com' or 'Jobs@domain.com' or 'health@domains.com'
or Is sent to a member of group 'Unrestricted Group'

So you will need to create a distribution group and add those users that have no restrictions to that group, and that way you can easily add or remove users as you need to without needing to modify the rule every time you need to make a change to those users.
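The rule described above, plus the PowerShell route Alex mentions and the per-mailbox cleanup the first answer asks for, as an added Exchange 2010 Management Shell example that is not from any of the posters. The sender addresses are the thread's placeholders; the group name, the member alias and the mailbox filter attribute are assumptions.

```powershell
# Added example, not code from the thread. Exchange 2010 Management Shell.
# Assumed values: group "Unrestricted Group", member alias "jdoe", and
# CustomAttribute1 = 'RestrictedInbound' as the marker for restricted mailboxes.

# 1. Distribution group holding the users who may receive unrestricted external mail.
#    Membership changes here never require touching the rule itself.
New-DistributionGroup -Name "Unrestricted Group" -Type Distribution
Add-DistributionGroupMember -Identity "Unrestricted Group" -Member "jdoe"

# 2. Allow-listed external senders (placeholder addresses from the thread).
#    These resolve against the mail contacts the asker already created.
$allowedSenders = @("postmaster@domain.com", "Jobs@domain.com", "health@domains.com")

# 3. The transport rule: drop anything received from outside the organization
#    unless it comes from an allowed sender or is addressed to a group member.
New-TransportRule -Name "Outside Emails Test" `
    -FromScope NotInOrganization `
    -DeleteMessage $true `
    -ExceptIfFrom $allowedSenders `
    -ExceptIfSentToMemberOf "Unrestricted Group" `
    -Comments "Board-mandated external sender allow-list. Add senders via the exception list."

# 4. Remove the per-mailbox restrictions the rule now replaces, so the
#    allow-listed external senders are no longer blocked at the mailbox.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'RestrictedInbound'" |
    Set-Mailbox -RequireSenderAuthenticationEnabled $false -AcceptMessagesOnlyFrom $null

# 5. Confirm the rule is enabled and its conditions read as intended.
Get-TransportRule "Outside Emails Test" |
    Format-List Name, State, FromScope, DeleteMessage, ExceptIfFrom, ExceptIfSentToMemberOf
```

Because the action deletes silently, the message tracking log (Get-MessageTrackingLog) is the only record that a message was caught, so check it when a user reports missing mail. The sender-address exception only matches on the address the message claims, so it is as strong as the anti-spoofing checks in front of the server.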
Michael Campellone, Sr. Vice President, Info Technology

Author

Commented:
This is an excellent solution.  Thank you for that input!
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
Sure thing.
Michael Campellone, Sr. Vice President, Info Technology

Author

Commented:
All of you gave excellent options in ways to approach this somewhat unconventional situation - and I appreciate it very much!
Michael Campellone, Sr. Vice President, Info Technology

Author

Commented:
Overall, the solutions provided were great, and everyone was so expedient in getting back to me!  I'm impressed! :)