none
Unable to get rule to trigger for mail sent to distribution group

    Question

  • I have a distribution group in Exchange 2013 CU17, we want to restrict email to that group to a select group of external domains.  So the rule should go something like this..

    "Apply this rule if the recipient is/matches/includes 'group name'"

    "Do the following: 'reject the message with the explanation....'"

    Except if 'the sender domain is....'

    So I have created a test group to test out this rule before applying it to the production group and so far none of the ways I have setup this rule are triggering the rule.  I have tried multiple different conditions for the recipient (ie. recipient includes, recipient matches, recipient properties include/match, etc) with RegEx statements and without, with no luck.  Now if I take the same exact rule, and change the condition for recipient to 'The recipient is' I can then go into the GAL and select myself as the recipient, and save the rule.  I send an email from my personal email account to my work account and the rule triggers, I get the rejection notification back to my mailbox.  Unfortunately that condition does not allow you to choose Groups, so I am forced to using some of the aforementioned combinations, none of which are working.

    Can someone help me figure out what I am doing wrong here?  I really feel like this should be working and my syntax is correct but nothing works when I enter the group in the condition for recipient.

    Thanks!


    I'm not even supposed to be here today.

    Wednesday, November 29, 2017 8:30 PM

Answers

  • I ended up accomplishing this task at our email security appliance instead of Exchange.  This rule in Exchange for whatever reason will not work against groups.

    I'm not even supposed to be here today.

    • Marked as answer by 911Eric Thursday, December 21, 2017 2:42 PM
    Thursday, December 21, 2017 2:42 PM

All replies

  • My understanding is that the group-oriented conditions check permissions but contacts aren't a security principal.

    If you'd help us debug your rule, please tell us exactly and completely what you've done and please try not to redact things because it makes it harder for us to figure out what might be wrong.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, November 29, 2017 9:03 PM
    Moderator
  • Hi Eric,

    Could you give us an example how your rule is configured?


    Regards,

    Alex


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, December 1, 2017 9:01 AM
  • Here is a copy paste from the ECP of a rule I have been testing with.  The only thing I have changed in this copy/paste is the mail domain.

    If the message...
    Includes these words in the recipient's address 'testgroup@domain.org'
    Do the following...
    reject the message and include the explanation 'Rejected!' with the status code: '5.7.1'
    Except if...
    sender's address domain portion belongs to any of these domains: 'gmail.com'
    Rule comments
    Rule mode
    Enforce
    Additional properties
    Sender address matches: Header
    Version: 15.0.5.2

    With that configured rule, it is currently accepting email from my gmail account as well as my yahoo account.  If I create a rule with those same exact settings and the only difference being that I enter a user address instead of a distribution group address, the rule works as intended; mail from Gmail.com domain is allowed and mail from any other domain receives the NDR.

    If it would help I can also provide Powershell output of how the rule is configured.


    I'm not even supposed to be here today.

    Monday, December 11, 2017 4:39 PM
  • you can try through powershell.


    Thanks & Regards Ramandeep Singh

    Wednesday, December 13, 2017 11:51 AM
  • You have to restart transport service after applying rule....
    Wednesday, December 13, 2017 12:30 PM
  • I ended up accomplishing this task at our email security appliance instead of Exchange.  This rule in Exchange for whatever reason will not work against groups.

    I'm not even supposed to be here today.

    • Marked as answer by 911Eric Thursday, December 21, 2017 2:42 PM
    Thursday, December 21, 2017 2:42 PM