Block certain emails from being sent

Question

  • Hi,

    I need help blocking certain emails from our test server. That test server is using Exchange 2010 (separate server) for sending out messages without authentication. What I want to do is to block messages to all outside domains except one internal domain, but only from that test server. Is that possible?

    Friday, November 27, 2015 9:02 AM

All replies

  • Hi,

    Configure the server to use SMTP authentication (set up a mailbox and then use these credentials in the SMTP settings for the server) then set up two transport rules. One rule to block emails sent to outside the organization and another rule to block emails sent to all domains apart from the domain you wish to email. 

    For more information about transport rules and how to set them up, see below:

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010, MCTS SQL 2012, MCTS SharePoint 2007, VCP4, VCP5, CCNA

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Friday, November 27, 2015 10:03 AM
  • Setting SMTP authentication is not an option since a lot of services are using the SMTP anonymously, and it would require a lot of change in the code of our web apps.
    Friday, November 27, 2015 10:17 AM
  • Hi Vlado84,

    As already suggested by Mark, how about using Transport Rules?

    Can you clarify what you meant by this? Maybe an example.

    "What I want to do is to block messages to all outside domains except one internal domain, but only from that test server."

    Is it something like this:

    if (sending server = TestServer)
        {Allow all emails}
    elseif (recipient = oneInternaldomain.com)
        {Allow mails}
    else  # not the test server and recipient is an outside domain
        {Block}

    Sample Transport Rule:

    Name: BlockExternal
    
    If the message...
    Is sent to 'Outside the organization'
    
    
    Do the following...
    reject the message and include the explanation 'You are not authorized to send external emails' with the status code: '5.7.1'
    
    Except if...
    sender ip addresses belong to one of these ranges: '192.168.10.100'
    
    Additional properties
    Sender address matches: Header or envelope
    


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by Satyajit321 Friday, November 27, 2015 10:31 AM
    Friday, November 27, 2015 10:25 AM
  • Hi Satyajit,

    No, it should be like this:

    if (sending server = TestServer)
        {Block all emails}
    elseif (recipient = oneInternaldomain.com)
        {Allow mails}
    else  # not the test server and recipient is an outside domain
        {Allow}

    Friday, November 27, 2015 11:03 AM
  • Hi,

    I've tested transport rules based on sender IP but this doesn't seem to work.

    You can configure the receive connector that is used by the servers so that it prevents anonymous relay to external domains. To do this, run this command:

    Get-ReceiveConnector "Device Notifications" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

    The servers will still be able to relay email to all internal addresses.

    Thanks.


    Mark Gossa

    Friday, November 27, 2015 12:11 PM
  • Hi Mark,

    Nope, can't do that either, since we use it like that to send mail to external domains. Would need some other solution if possible.

    Friday, November 27, 2015 12:29 PM
  • Hi,

    In this case, for the servers that you need to limit, create a new receive connector and add the server IPs to it. Exchange will use the most restrictive connector. See below for the command to create a new receive connector:

    New-ReceiveConnector -Name "Device Notifications" -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.0.1-192.168.0.8,192.168.0.100 -PermissionGroups AnonymousUsers -TransportRole FrontendTransport
    

    This connector will only allow relay to internal domains. Other servers will continue to use their original connector so will be able to relay to external and internal domains. 

    Thanks.


    Mark Gossa

    Friday, November 27, 2015 2:34 PM
  • Hi Mark,

    Thanks for your answer. Just to clarify something, -Bindings would be the address of the server I want to limit, or -RemoteIPRange should be that?

    Friday, November 27, 2015 3:26 PM
  • Hi,

    RemoteIPRanges are the IPs of the servers you need to allow relay for. In the example script, 192.168.0.1-192.168.0.8,192.168.0.100 are a list of servers that you want to force to use this connector (and prevent relaying to the external domains).

    Thanks.


    Mark Gossa

    Friday, November 27, 2015 3:40 PM
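Mark's advice above relies on two things: for a given source IP, Exchange hands the session to the receive connector whose RemoteIPRanges match it most specifically, and the connector chosen must not grant ms-Exch-SMTP-Accept-Any-Recipient to anonymous senders. As an added example (not code from the thread, from Mark, or from Microsoft), the following Exchange Management Shell script lists every receive connector on a server, flags the ones that let anonymous hosts relay to external domains, and shows which range on each connector would capture a given source address. The range parsing is written here from the documented RemoteIPRanges string forms (single address, low-high, CIDR) and handles IPv4 only; the server name via $env:COMPUTERNAME and the 192.168.0.100 test address from the thread are assumptions.

```powershell
# Added example, not from the thread: audit receive connectors for anonymous
# external relay and show which connector a given source IP falls into.
# Assumptions: runs in the Exchange Management Shell; IPv4 ranges only.

function ConvertTo-UInt32 ([string]$ip) {
    # Dotted-quad to an integer so ranges can be compared numerically.
    $bytes = ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()
    [array]::Reverse($bytes)                       # network order -> host order
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-IPv4RangeBounds ([string]$range) {
    # Accepts the three string forms RemoteIPRanges uses: "a.b.c.d",
    # "a.b.c.d-e.f.g.h" and "a.b.c.d/n". Returns $null for anything else
    # (including IPv6), which the caller treats as "no match".
    if ($range -match '^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$') {
        $lo = ConvertTo-UInt32 $Matches[1]; $hi = ConvertTo-UInt32 $Matches[2]
    } elseif ($range -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') {
        $bits = [int]$Matches[2]
        # 0xFFFFFFFF is written in decimal: a hex literal with the top bit set parses as -1.
        $mask = if ($bits -eq 0) { 0L } else { (4294967295L -shl (32 - $bits)) -band 4294967295L }
        $lo = (ConvertTo-UInt32 $Matches[1]) -band $mask
        $hi = $lo -bor ((-bnot $mask) -band 4294967295L)
    } elseif ($range -match '^\d+\.\d+\.\d+\.\d+$') {
        $lo = ConvertTo-UInt32 $range; $hi = $lo
    } else {
        return $null
    }
    [pscustomobject]@{ Text = $range; Low = $lo; High = $hi; Size = $hi - $lo + 1 }
}

function Get-ReceiveConnectorRelayAudit ([string]$Server, [string]$SourceIP) {
    $src = ConvertTo-UInt32 $SourceIP
    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        # Anonymous relay to external domains is exactly the
        # ms-Exch-SMTP-Accept-Any-Recipient right held by ANONYMOUS LOGON.
        $anonRelay = $rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { -not $_.Deny -and
                (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains "ms-Exch-SMTP-Accept-Any-Recipient") }

        # Find the narrowest range on this connector that contains the source IP.
        $best = $null
        foreach ($r in $rc.RemoteIPRanges) {
            $b = Get-IPv4RangeBounds $r.ToString()
            if ($b -and $src -ge $b.Low -and $src -le $b.High -and
                (-not $best -or $b.Size -lt $best.Size)) { $best = $b }
        }
        $matchedRange = if ($best) { $best.Text } else { "" }
        $matchSize    = if ($best) { $best.Size } else { $null }

        [pscustomobject]@{
            Connector      = $rc.Name
            AnonymousGroup = ($rc.PermissionGroups.ToString() -match 'AnonymousUsers')
            AnonymousRelay = [bool]$anonRelay
            MatchesSource  = [bool]$best
            MatchedRange   = $matchedRange
            MatchSize      = $matchSize
        }
    }
}

# Exchange gives the session to the connector with the most specific (smallest)
# matching range, so after sorting the first row is the one 192.168.0.100 would
# actually use. A connector with AnonymousRelay = True on a broad range is an
# open-relay exposure for every host in that range and deserves a second look.
Get-ReceiveConnectorRelayAudit -Server $env:COMPUTERNAME -SourceIP "192.168.0.100" |
    Where-Object MatchesSource |
    Sort-Object MatchSize |
    Format-Table Connector, MatchedRange, MatchSize, AnonymousGroup, AnonymousRelay -AutoSize
```

Run it once before creating the restricted connector and once after: the new "Device Notifications" connector should appear first for the test server's address with AnonymousRelay = False, while the original connector, which the other application servers keep using, still shows the relay right it had before.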
  • Hi Satyajit,

    No, it should be like this:

    if (sending server = TestServer)
        {Block all emails}
    elseif (recipient = oneInternaldomain.com)
        {Allow mails}
    else  # not the test server and recipient is an outside domain
        {Allow}

    Your logic appears to be messy. Not sure if I have understood. Let me frame it again.

    You have a TestServer from which emails should be only delivered to @oneinternaldomain.com, all other emails should be dropped.

    or

    What I want to do is to block messages to all inside\outside domains except one internal domain, from that test server.

    All emails from anywhere else go as usual.


    Basically, do you want to filter only the TestServer emails, or other internal senders as well?

    Another question: what is the sender email address you are using? Is it fixed as Payroll@oneinternaldomain.com or something? It will be easier to make an email-based rule than an IP-based one as Mark suggested.

    If your TestServer is capable of Authentication, then you should create a new receive connector and use it.


    Regards,

    Satyajit

    Sunday, November 29, 2015 2:54 PM
  • Hi Mark,

    Thanks again. What about bindings, which IP address should I put there?

    Monday, November 30, 2015 8:30 AM
  • Hi,


    For the bindings, leave it as 0.0.0.0:25 as per the above command. This means that Exchange will listen on all its IPs for connections from these servers. Generally you should only have a single IP on Exchange, but the default is to listen on all IPs, which is useful in case you ever need to change the Exchange server IP.

    Let me know how it goes. 

    Thanks.


    Mark Gossa

    Monday, November 30, 2015 11:23 AM
  • I get this error when running the script: 

    A positional parameter cannot be found that accepts argument '-TransportRole'.


    Monday, November 30, 2015 1:49 PM
  • Hi,

    You've posted in the Exchange 2013 forum but it seems like you're using Exchange 2010. For Exchange 2010, run this command instead:

    New-ReceiveConnector -Name "Device Notifications" -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.0.1-192.168.0.8,192.168.0.100 -PermissionGroups AnonymousUsers

    It's the same command but without the -TransportRole parameter.

    Thanks.


    Mark Gossa

    • Marked as answer by Vlado84 Monday, November 30, 2015 2:36 PM
    Monday, November 30, 2015 1:54 PM
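The error and the accepted answer above come down to one parameter: New-ReceiveConnector needs -TransportRole on Exchange 2013 and rejects it on Exchange 2010. As an added example (not code from the thread, from Mark, or from Microsoft), the following Exchange Management Shell script builds the parameter set once, adds -TransportRole only when the local server's version calls for it, and then checks what anonymous senders are actually granted on the new connector instead of trusting the parameter name. The connector name and IP list are the ones used in the thread; looking up the local server through $env:COMPUTERNAME is an assumption.

```powershell
# Added example, not from the thread: create the restricted relay connector
# on either Exchange 2010 (major version 14) or Exchange 2013 (major version 15),
# adding -TransportRole only where the cmdlet accepts it.
# Assumptions: runs in the Exchange Management Shell on the target server; the
# connector name and IP list are the ones from the thread.

$connectorName = "Device Notifications"
$testServerIPs = "192.168.0.1-192.168.0.8", "192.168.0.100"   # relay sources to restrict

# Build the parameter set once and splat it, so the two versions differ only
# in the presence of -TransportRole.
$params = @{
    Name             = $connectorName
    Usage            = "Custom"
    Bindings         = "0.0.0.0:25"          # listen on all local IPs, as in the thread
    RemoteIPRanges   = $testServerIPs
    PermissionGroups = "AnonymousUsers"
}

$version = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion
if ($version.Major -ge 15) {
    # Exchange 2013 and later: a receive connector must be bound to a transport role.
    $params["TransportRole"] = "FrontendTransport"
}

$connector = New-ReceiveConnector @params

# Verify the effect rather than the intent. The AnonymousUsers permission group
# grants ms-Exch-SMTP-Submit, ms-Exch-SMTP-Accept-Any-Sender,
# ms-Exch-SMTP-Accept-Authoritative-Domain-Sender and ms-Exch-Accept-Headers-Routing,
# but not ms-Exch-SMTP-Accept-Any-Recipient, so hosts on this connector can
# submit to internal recipients only.
$anonRights = Get-ReceiveConnector -Identity $connector.Identity |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny } |
    ForEach-Object { $_.ExtendedRights } |
    ForEach-Object { $_.ToString() }

if ($anonRights -contains "ms-Exch-SMTP-Accept-Any-Recipient") {
    Write-Warning "$connectorName allows anonymous relay to external domains, which is not what this connector is for."
} else {
    Write-Output "$connectorName grants anonymous hosts: $($anonRights -join ', ')"
    Write-Output "External relay from $($testServerIPs -join ', ') will be refused on this connector."
}
```

The check at the end is the same one the thread uses in reverse: where Mark removes ms-Exch-SMTP-Accept-Any-Recipient from an existing connector, this script confirms the new connector never had it, so the test server's messages to external domains are rejected at the connector while its internal mail still flows.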
  • Yes, it seemed to work. Thank you very much!
    Monday, November 30, 2015 2:36 PM
  • Hi,

    That's great. All the best!

    Thanks.


    Mark Gossa

    Monday, November 30, 2015 2:48 PM