I need a better way to control email delivery restrictions for limited employee accounts

At our bank, we have two domains; one is hosted through Office 365 and we utilize Exchange Online as part of the package.  However, on our other domain, we have an on-premises Exchange Server 2010 running on Server 2008 Standard.  This server will be retired by the new year, and the domain/Exchange accounts will then also be migrated to 365.  In the meantime, however, I have a confusing/cumbersome configuration question, and my query is only concerning the old on-premises Exchange 2010 server.

As part of our job requirements and under stringent compliance rules (being a bank that handles large cash transactions), we have a good amount of the workforce that has email, but is *ONLY ALLOWED* to receive email from all internal users on our domain, and a specific list of external domains (for health insurance emails, payroll and benefits companies, outside card processors etc.)  - and aside from all internal users, and this specific list of external email addresses, they are not allowed to receive any other email.  This is not by my design, but is relegated by requirements set forth by the board of directors at this bank.  I am not happy lol...

This affects a large number of mailboxes.  When I select the typical "all senders must be authenticated", this allows all internal email naturally, however no external addresses of any kind.  I should also mention, that I created an Exchange mail contact entry for each of these external senders.  Even then, those external emails never show up.

So far, the only way I have managed to get this to work, is under each of the mailboxes, I set up delivery restrictions by selecting "only senders in the following list", and then in the provided selection box, I select all of the email entries, as well as the external mail contact entries.  This does work, but the list is extensive (several hundred), and is somewhat problematic whenever we add new email addresses, etc.

There has to be an easier way?  Again - I only need a stopgap fix to last until the end of the year.  But I have tried "thinking outside the box" in a variety of scenarios and tried different methods, only to have to come back to this cumbersome, slow method.  More than anything, I am looking for a more "efficient" way of handling this strange setup...

Any ideas/input are greatly appreciated - thank you!
Michael Campellone, Sr. Vice President, Info Technology, asked:
timgreen7077, Exchange Engineer, commented:
I would suggest you remove the "senders must be authenticated" setting and use a transport rule like the example below:

Outside Emails Test
If the message...
Is received from 'Outside the organization'
Do the following...
Delete the message without notifying the recipient or sender
Except if...
Is received from 'postmaster@domain.com' or 'Jobs@domain.com' or 'health@domains.com'


This will drop all emails from external senders other than what you specify, and when you have to add a sender you can easily go back to the rule and just add the address; that way you don't have to bother with the user mailbox, because Exchange will stop it before it gets there. This will not affect internal to internal, it will only affect external to internal. Remove the authenticated sender requirement from the mailboxes though.
Alex Green, Project Systems Engineer, commented:
I was going to recommend the transport rule way, but in addition to that there is more than likely a way in PowerShell.
Michael Campellone, Sr. Vice President, Info Technology (author), commented:
The transport rule is a great idea - I do have about 30-40% users who do receive unrestricted email access, so can I apply this rule to specific boxes only?
William Fulks, Systems Analyst & Webmaster, commented:
You might want to look at getting Barracuda email filtering. You could then use it to whitelist only the domains you want to allow and block everything else. It costs money, but that may be a better way of managing things.
timgreen7077, Exchange Engineer, commented:
You will have to add an additional exception for those internal recipients that have no restrictions, something like the following:

If the message...
Is received from 'Outside the organization'
Do the following...
Delete the message without notifying the recipient or sender
Except if...
Is received from 'postmaster@domain.com' or 'Jobs@domain.com' or 'health@domains.com'
or Is sent to a member of group 'Unrestricted Group'

So you will need to create a distribution group and add those users that have no restrictions to that group, and that way you can easily add or remove users as you need to without needing to modify the rule every time you need to make a change to those users.
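The rule and group described above, and the PowerShell route Alex Green mentions, as an added Exchange 2010 Management Shell example that is not part of the thread or from any participant. The group name and rule name are taken from the rule text, while the allowed sender addresses and the sample group member are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Placeholders: the sender addresses, "jane.doe@domain.com" and the group name.

# 1. Group for the 30-40% of users who may receive unrestricted mail.
#    Membership changes here never require touching the rule itself.
New-DistributionGroup -Name "Unrestricted Group" -Type Distribution
Add-DistributionGroupMember -Identity "Unrestricted Group" -Member "jane.doe@domain.com"

# 2. External senders the restricted users are still allowed to hear from.
#    The exception keys on the sender address the message carries, so it only
#    holds up if the mail gateway already rejects spoofed senders (SPF etc.).
$allowedSenders = @("postmaster@domain.com", "Jobs@domain.com", "health@domains.com")

# 3. Org-wide rule: drop mail from outside the organization unless it comes
#    from an allowed sender or is addressed to an unrestricted-group member.
#    Created disabled so it can be reviewed before it silently deletes mail.
New-TransportRule -Name "Outside Emails Test" `
    -FromScope NotInOrganization `
    -DeleteMessage $true `
    -ExceptIfFrom $allowedSenders `
    -ExceptIfSentToMemberOf "Unrestricted Group" `
    -Enabled $false

# 4. Remove the per-mailbox restrictions that block the same external mail
#    at the recipient; otherwise the rule's exceptions never reach the user.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RequireSenderAuthenticationEnabled $false -AcceptMessagesOnlyFrom $null

# 5. Read the rule back, then enable it once conditions and exceptions look right.
Get-TransportRule -Identity "Outside Emails Test" | Format-List Conditions, Exceptions, Actions
Enable-TransportRule -Identity "Outside Emails Test"
```

Adding a new permitted sender later is a single `Set-TransportRule "Outside Emails Test" -ExceptIfFrom (<current list plus the new address>)`, since the parameter replaces the whole list rather than appending to it.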
Michael Campellone, Sr. Vice President, Info Technology (author), commented:
This is an excellent solution.  Thank you for that input!
timgreen7077, Exchange Engineer, commented:
Sure thing.
Michael Campellone, Sr. Vice President, Info Technology (author), commented:
All of you gave excellent options in ways to approach this somewhat unconventional situation - and I appreciate it very much!
Michael Campellone, Sr. Vice President, Info Technology (author), commented:
Overall, the solutions provided were great, and everyone was so expedient in getting back to me!  I'm impressed! :)