
Limiting external users from sending mail to Exchange objects


By default, when mail-enabled groups are created in Exchange 2007, only authenticated (internal) users can send mail to them.  Users and contacts, on the other hand, accept mail from non-authenticated (anonymous) senders by default.  In some cases, an organization may want certain external users to be able to send mail to groups, or may want to restrict some users or contacts so that only certain internal or external users can send mail to them.  This article goes over how to set this up.

The primary reason for doing this, in my environment, was that I have multiple anonymous SharePoint discussion groups, which show up as contacts in the AD, and mail-enabled groups that contain both internal and external users.  In both cases, those groups and users were receiving the occasional message from spammers.  Therefore, I wanted to find a way to prevent the spammers from posting anonymously, via e-mail, to SharePoint lists and sending spam to members of those groups.

As mentioned above, the default option for groups is to require all senders to a group to be authenticated.  This "Require that all senders are authenticated" setting limits who can send mail to the group to users with an internal e-mail address who are authenticating, via MAPI or SMTP.  So this meant that my external users couldn’t send mail to groups with this option selected, so I had to disable this requirement.  Doing this then allowed the groups to accept mail from anyone.

Figure 1 - Delivery Restrictions

If your organization needs some groups to receive e-mail from a limited number of external or non-authenticated users, you can do the following:

1)      Create contacts for the external users that contain the e-mail address(es) that need to be able to send mail to objects that have restricted delivery permissions

Note: If an external person has multiple e-mail addresses that need to be able to send mail to your internal groups you can add all of their e-mail addresses to a single contact.

2)      Add those contacts to the "Accept messages from" list

 

To make this a bit easier in my environment, I created a dynamic group that contains all recipients, which includes contacts (see Figure 2 - Dynamic Group Filter).  I then added this group to the "Accept messages from" list (see Figure 3 - Delivery Restricted to Known Senders) on mail enabled groups that needed to receive messages from known external users.  I would assume you could do the inverse of this by adding "bad senders" to the "Reject messages from" list, but it would probably be best to block them at the EDGE or HUB server using filtering rules.

Figure 2 - Dynamic Group Filter

Figure 3 - Delivery Restricted to Known Senders

With the settings above you can control which external users can send mail to groups and contacts without opening them up to e-mail from any external e-mail address.  These known external users must have a contact in the AD that contains their external e-mail addresses.
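The same steps can be scripted in the Exchange Management Shell. The following is an added example, not part of the original article; the contact, group, alias and OU names and all e-mail addresses are hypothetical placeholders, and it assumes the mail-enabled group "Project Partners" already exists. The final query lists groups that are left open to any sender, which is the state described above after the authentication requirement is disabled.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# All names, addresses and the OU below are hypothetical placeholders.
$ou       = "example.local/External Contacts"
$group    = "Project Partners"     # existing mail-enabled group to protect
$allowDdg = "Known Senders"        # dynamic group used as the allow list

# Step 1: create a contact for the external sender, then add a second
# address to the same contact so mail from either address is recognised.
New-MailContact -Name "Pat Example" -Alias "patexample" `
    -ExternalEmailAddress "pat@partner.example" -OrganizationalUnit $ou
$contact = Get-MailContact "patexample"
$contact.EmailAddresses += "smtp:pat.alt@partner.example"
Set-MailContact "patexample" -EmailAddresses $contact.EmailAddresses

# Dynamic group that contains all recipients, contacts included (Figure 2).
New-DynamicDistributionGroup -Name $allowDdg -Alias "knownsenders" `
    -IncludedRecipients AllRecipients

# Step 2: turn off the authentication requirement, but accept mail only
# from members of the allow-list group (Figure 3).
Set-DistributionGroup $group -RequireSenderAuthenticationEnabled $false `
    -AcceptMessagesOnlyFromDLMembers $allowDdg

# Confirm the delivery restrictions on the protected group.
Get-DistributionGroup $group |
    Format-List Name, RequireSenderAuthenticationEnabled,
        AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers

# Audit: groups with authentication disabled and no accept list take
# mail from any address, so list them for review.
Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    -not $_.RequireSenderAuthenticationEnabled -and
    $_.AcceptMessagesOnlyFrom.Count -eq 0 -and
    $_.AcceptMessagesOnlyFromDLMembers.Count -eq 0
} | Select-Object Name, PrimarySmtpAddress
```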


Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008