
Restricting Email - Exchange 2003


Michael Ober

Dec 22, 2009, 10:48:00 PM
Sorry for the crossposting - I'm not sure which group is best here.

I need to restrict emails for the majority of my users. Specifically,
emails going in and out of the company need to be blocked. Most users need
to only send/receive emails to other users in the company, but they still
need to be able to receive emails from our other SMTP servers. In addition,
we have a few users who need full email access.

Here's the environment.

Domain Controllers - Multiple AD Servers in multiple sites. All in a single
forest and domain. Not every site has an AD Server. There is at least one
GC in each site with an AD Server and the Servers are in a full mesh for
replication, although partial meshes may occur in the future. All DCs are
DNS Servers.
Exchange - Multiple Exchange Servers in multiple sites. All are in the same
AD forest and domain as the AD Server. Not every site has an Exchange
Server. Every site with an Exchange Server has a DC.
Windows member servers - using the built in SMTP interface to route all
their emails to an Exchange server in the nearest site as a smart host.
OpenVMS and Linux servers - using the built in SMTP interface to route via
MX records to any Exchange server.

We have multiple SMTP addresses assigned to some of our system level
accounts that are sending the emails. All users must be able to receive
emails from any server originating inside our domain. Some users will have
full inbound/outbound email access, but most will not have inbound/outbound
email access.

Questions - can this be done? If yes, can we do this via an AD security
group that lists the users who have full email access or do I have to
configure each user individually?

Thanks,
Mike Ober.

Mark Arnold [MVP]

Dec 23, 2009, 2:23:10 AM
Sure.
Top two:
http://www.msexchange.org/search.asp?s=restrict#art

Users have been doing it for 10 years now.
You'll need to follow both carefully.
You shouldn't need to ask a follow up though, given it's a 10 year old
tutorial it's pretty much been perfected to death.

Michael Ober

Dec 23, 2009, 7:40:23 PM
Mark,

The top article, which restricts users to receiving from Authenticated users
only, doesn't work. I tried it already and it blocked email from our
OpenVMS system, which must be allowed through. However, the second article
looks promising and I'll give it a try on Monday.

Thanks,
Mike.

"Mark Arnold [MVP]" <ma...@mvps.org> wrote in message
news:37h3j5dg5t76348uv...@4ax.com...

Mark Fugatt [MSFT]

Dec 23, 2009, 8:29:06 PM
The top article does work :-), just not in your scenario as your OpenVMS
system does not authenticate.

--
Mark Fugatt
Premier Field Engineer - Unified Communications
Microsoft Limited

This posting is provided AS IS with no warranties and confers no rights

"Michael Ober" <obermd.@.alum.mit.edu.nospam> wrote in message
news:dpWdnSLnpcXjJa_W...@earthlink.com...

Rich Matheisen [MVP]

Dec 23, 2009, 9:17:11 PM
On Thu, 24 Dec 2009 01:29:06 -0000, "Mark Fugatt [MSFT]"
<mar...@online.microsoft.com> wrote:

>The top article does work :-), just not in your scenario as your OpenVMS
>system does not authenticate.

And how hard could it be to _make_ it authenticate???
---
Rich Matheisen
MCSE+I, Exchange MVP

Michael Ober

Dec 24, 2009, 10:45:44 AM

"Rich Matheisen [MVP]" <rich...@rmcons.com.NOSPAM.COM> wrote in message
news:aoj5j5p6mslhd23l1...@4ax.com...

It can't for various reasons. The biggest is that I don't want the VMS
System account, or any of the Linux root accounts to be tied to AD. That
way if the AD Servers are down, I can still control the non-Windows
environment.

In addition, the VMS system account's email address sys...@domain.com is a
secondary SMTP address for an existing account in AD so that replies to this
address can be handled from someone without using VMS Mail. The option to
allow only Authenticated users doesn't check the secondary SMTP Addresses.
If it did, restricting to Authenticated users would be very easy to do.

Mike.

Rich Matheisen [MVP]

Dec 24, 2009, 11:26:11 PM
On Thu, 24 Dec 2009 08:45:44 -0700, "Michael Ober"
<obermd.@.alum.mit.edu.nospam> wrote:

>
>"Rich Matheisen [MVP]" <rich...@rmcons.com.NOSPAM.COM> wrote in message
>news:aoj5j5p6mslhd23l1...@4ax.com...
>> On Thu, 24 Dec 2009 01:29:06 -0000, "Mark Fugatt [MSFT]"
>> <mar...@online.microsoft.com> wrote:
>>
>>>The top article does work :-), just not in your scenario as your OpenVMS
>>>system does not authenticate.
>>
>> And how hard could it be to _make_ it authenticate???
>> ---
>> Rich Matheisen
>> MCSE+I, Exchange MVP
>
>It can't for various reasons. The biggest is that I don't want the VMS
>System account, or any of the Linux root accounts to be tied to AD. That
>way if the AD Servers are down, I can still control the non-Windows
>environment.

Does the VMS system use the Exchange server as a SMTP relay for all
its email? If so, if the AD is unavailable Exchange isn't going to be
working at all. If that's not the case then only connections to your
Exchange server have to be authenticated and you can use some other
account to authenticate with.

>In addition, the VMS system account's email address sys...@domain.com is a
>secondary SMTP address for an existing account in AD so that replies to this
>address can be handled from someone without using VMS Mail. The option to
>allow only Authenticated users doesn't check the secondary SMTP Addresses.
>If it did, restricting to Authenticated users would be very easy to do.

If the VMS server is allowed to use Exchange as a SMTP relay then the
account it uses for authentication doesn't need to be assigned to a
mailbox in your email system.

Michael Ober

Dec 25, 2009, 12:11:13 AM

"Rich Matheisen [MVP]" <rich...@rmcons.com.NOSPAM.COM> wrote in message
news:34f8j5h4en9c6511f...@4ax.com...

> On Thu, 24 Dec 2009 08:45:44 -0700, "Michael Ober"
> <obermd.@.alum.mit.edu.nospam> wrote:
>
>>
>>"Rich Matheisen [MVP]" <rich...@rmcons.com.NOSPAM.COM> wrote in message
>>news:aoj5j5p6mslhd23l1...@4ax.com...
>>> On Thu, 24 Dec 2009 01:29:06 -0000, "Mark Fugatt [MSFT]"
>>> <mar...@online.microsoft.com> wrote:
>>>
>>>>The top article does work :-), just not in your scenario as your OpenVMS
>>>>system does not authenticate.
>>>
>>> And how hard could it be to _make_ it authenticate???
>>> ---
>>> Rich Matheisen
>>> MCSE+I, Exchange MVP
>>
>>It can't for various reasons. The biggest is that I don't want the VMS
>>System account, or any of the Linux root accounts to be tied to AD. That
>>way if the AD Servers are down, I can still control the non-Windows
>>environment.
>
> Does the VMS system use the Exchange server as a SMTP relay for all
> its email? If so, if the AD is unavailable Exchange isn't going to be
> working at all. If that's not the case then only connections to your
> Exchange server have to be authenticated and you can use some other
> account to authenticate with.
>

Yes it does. However, if the Exchange server is down, VMS will hold the
mail for later delivery. If AD is down, I still have a requirement to be
able to control the VMS system. The exchange server itself is configured to
allow unauthenticated access. It has relay restrictions configured to only
allow relays from a small number of known IP addresses, all of which are
blocked from entering the network from outside.

>>In addition, the VMS system account's email address sys...@domain.com is a
>>secondary SMTP address for an existing account in AD so that replies to
>>this
>>address can be handled from someone without using VMS Mail. The option to
>>allow only Authenticated users doesn't check the secondary SMTP Addresses.
>>If it did, restricting to Authenticated users would be very easy to do.
>
> If the VMS server is allowed to use Exchange as a SMTP relay then the
> account it uses for authentication doesn't need to be assigned to a
> mailbox in your email system.
> ---

Only if I don't want to receive bounces from emails VMS sends to our
clients. By assigning the VMS server's return SMTP address to an AD user
with a mailbox, we know when outbound mail bounces.

This goes back to the fact that the "Only Allow Authenticated Users" doesn't
check _ALL_ known email addresses listed in AD.

Michael Ober

Dec 28, 2009, 9:06:04 PM
Here's the solution. As I originally stated, I have internal non-Windows
servers that use standard, unauthenticated SMTP to send emails to users.
However, all return addresses generated by these servers are in Active
Directory as alternate SMTP addresses. It's a multi-part solution and
actually takes two Exchange Servers, a front end server and a mailbox
server.

Step 1 - On your mailbox servers, set the Default SMTP Virtual Server
Properties to "Resolve anonymous e-mail"
Open Exchange System Manager
On each mailbox server, select Protocols -> SMTP.
Right click the Default SMTP Virtual Server and select Properties
On the Access tab, click the Authentication button and check "Anonymous
access" and then check "Resolve anonymous e-mail"
Click OK twice to close the property pages.
This appears to force the Exchange server to resolve any SMTP message
against Active Directory and returns the AD account that that email is a
member of.
Do _NOT_ do this on Front End servers handling inbound internet emails.
It also assumes that internal emails bypass the Front End Exchange servers.

Step 2 - Create a "Query Based Distribution Group" in Active Directory.
Apply the filter to the root of your AD domain and create a Custom
filter
Do a "Custom Search" and enter the following LDAP query in the Advanced
tab.

(&(mailNickname=*)(msExchRequireAuthToSendTo=TRUE)(!(objectClass=group)))

This query "ANDs" the following queries
mailNickname=* ; Technically not needed, but this appears to be a
keyed field in Active Directory so it vastly speeds up the rest of the query

msExchRequireAuthToSendTo=TRUE ; This is the attribute the AD
Exchange General Delivery Restrictions "From authenticated users only" sets
and resets

!objectClass=group ; This prevents this query from impacting
users who are in groups that have been set to block inbound internet emails.
Note the "!" at the start of this query.

Step 3 - Apply your new group to the Public SMTP Connector's Delivery
Restrictions as a "Reject messages from" entry. You will also need to apply
the registry edit described in
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277872 to each
Bridgehead server listed in the connector's General tab.

Step 4 - On each AD user who you want to block the inbound/outbound email,
select the Exchange General tab. Click Delivery Restrictions, and check the
"From authenticated users only" check box. You can use the query you
created in step 2 to do a "Preview" of who is blocked.

You're done.

My thanks to Mark Arnold, Mark Fugatt, and Rich Matheisen, who gave me
pointers to the articles that were close enough for me to decipher the rest.
I have tested this configuration and it meets our company's requirement to
be able to block internet email for specific users but allow all users to
receive SMTP traffic from our internal servers.

Mike Ober.


"Michael Ober" <obermd.@.alum.mit.edu.nospam> wrote in message

news:SI2dnZdqiL1uD6zW...@earthlink.com...
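Added example, not code from the original post or from any of the posters: a small Python model of the four-step configuration Mike describes, run against a constructed directory. It evaluates the Step 2 LDAP filter (mailNickname present, msExchRequireAuthToSendTo=TRUE, objectClass not group) and then works out the accept/reject outcome that Steps 1, 3 and 4 give for a few constructed messages: internet mail to a restricted user, unauthenticated mail from an internal VMS-style host whose return address is a secondary SMTP address in AD, and outbound mail from a restricted and an unrestricted user. The attribute names follow the thread; the domain corp.example, the account names, and the `entry`/`authenticated` fields on the message are assumptions made for this example, and the model simplifies how Exchange actually routes mail.

```python
from dataclasses import dataclass


@dataclass
class DirectoryObject:
    name: str
    object_class: str             # objectClass: "user" or "group"
    proxy_addresses: list         # proxyAddresses: every SMTP address, primary first
    mail_nickname: str = None     # mailNickname; None when the object is not mail-enabled
    require_auth_to_send_to: bool = False   # msExchRequireAuthToSendTo


# Constructed directory (assumption for the example): alice is internet-blocked,
# bob has full access, opsmailbox owns the VMS system account's return address
# as a secondary SMTP address, and allstaff is a group carrying the same restriction.
DIRECTORY = [
    DirectoryObject("alice", "user", ["alice@corp.example"], "alice", True),
    DirectoryObject("bob", "user", ["bob@corp.example"], "bob", False),
    DirectoryObject("opsmailbox", "user",
                    ["ops@corp.example", "system@corp.example"], "opsmailbox", False),
    DirectoryObject("allstaff", "group", ["allstaff@corp.example"], "allstaff", True),
]


def qbdg_members(directory):
    """Step 2: membership of the query-based distribution group, i.e. the filter
    (&(mailNickname=*)(msExchRequireAuthToSendTo=TRUE)(!(objectClass=group)))
    evaluated in Python. The last clause keeps restricted groups out."""
    return [o.name for o in directory
            if o.mail_nickname is not None
            and o.require_auth_to_send_to
            and o.object_class != "group"]


def resolve_address(directory, address):
    """Step 1 ('Resolve anonymous e-mail'): match an SMTP address against every
    proxy address in AD, secondary addresses included. Returns the object or None."""
    wanted = address.lower()
    for obj in directory:
        if any(p.lower() == wanted for p in obj.proxy_addresses):
            return obj
    return None


@dataclass
class Message:
    mail_from: str
    rcpt_to: str
    authenticated: bool   # did the submitting host use SMTP AUTH?
    entry: str            # "mailbox" (internal SMTP virtual server) or "frontend"


def deliver(directory, msg):
    """Return (verdict, reason) for one message under the described setup."""
    sender = resolve_address(directory, msg.mail_from)
    if msg.authenticated:
        sender_known = True                # SMTP AUTH succeeded
    elif msg.entry == "mailbox":
        sender_known = sender is not None  # Step 1 resolves anonymous mail here
    else:
        sender_known = False               # front-end servers never resolve anonymous mail

    recipient = resolve_address(directory, msg.rcpt_to)
    if recipient is None:
        # Outbound through the public SMTP connector: Step 3 rejects QBDG members.
        if sender is not None and sender.name in qbdg_members(directory):
            return ("reject", "public connector rejects restricted sender (Step 3)")
        return ("accept", "relayed to the internet")

    # Inbound or internal delivery: Step 4 'From authenticated users only'.
    if recipient.require_auth_to_send_to and not sender_known:
        return ("reject", "recipient accepts authenticated or resolved senders only (Step 4)")
    return ("accept", "delivered to mailbox")


if __name__ == "__main__":
    print("QBDG members:", qbdg_members(DIRECTORY))
    for m in (Message("spam@outside.example", "alice@corp.example", False, "frontend"),
              Message("system@corp.example", "alice@corp.example", False, "mailbox"),
              Message("alice@corp.example", "client@outside.example", True, "mailbox"),
              Message("system@corp.example", "client@outside.example", False, "mailbox")):
        print(m.mail_from, "->", m.rcpt_to, deliver(DIRECTORY, m))
```

The model also shows the caveat the thread raises: a message arriving on the front-end with a forged internal return address stays unresolved and is rejected for restricted users, so the scheme only holds while the internal SMTP virtual servers that do resolve anonymous mail are, as Mike says of his relay hosts, unreachable from outside the network.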
