
How to restrict users from sending and receiving internet email


You may need to block sending and receiving internet email for some users because of a company policy. I had a customer who asked me to implement this for a group of users who were abusing the company's email system, and there was no need for those users to send and receive email outside of the domain.


By following the procedure in this article you will be able to block the ability to send and receive internet email but retain mail inside your domain. 


Create a mail enabled group

  1. Open Active Directory Users and Computers from the Start menu and expand your MyBusiness OU.
  2. Right click the OU 'Security Groups' and click New -> Group.
  3. Give the group a meaningful name. I use 'Block Internet Email'. Click 'Next'.
  4. Make sure you check 'Create an Exchange e-mail address' and click Next.
  5. Click 'Finish'.
  6. Our new group is listed but, as you see, it does not have a description. If you wish, you can double click the group and add a description.

Add users to the mail enabled group

In the previous section of this article we decided to use groups instead of individual users. Now we need to add users to the 'Block Internet Email' group we just created.

  1. Open Active Directory Users and Computers and browse to the 'Block Internet Email' group. Right click the group and choose Properties.
  2. Click the tab 'Members' and click 'Add'.
  3. Click 'Advanced'.
  4. Click 'Find Now'.
  5. Management decided that John Doe should no longer be able to send internet email. Choose the user you want to add and click 'OK'.
  6. Click 'OK' again.
  7. We see that John Doe is now listed as a member of the 'Block Internet Email' group. Click Apply and OK. Close the ADUC Management Console.

Modify the registry to turn on connector restrictions

After you configure the delivery restrictions on a connector by using Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003, the restriction settings may not be applied. In Exchange 2000, the following event ID will also be generated:

Type: Warning
Event ID: 957
Source: MSExchangeTransport
Category: Routing Engine/Service
Description:
Connector restrictions (by the group or by the user) are present in the organization. However, restriction checking is disabled. Set the registry value HKLM\SYSTEM\CurrentControlSet\Services\RESvc\Parameters\CheckConnectorRestrictions to 1 (DWORD) and restart resvc and smtpsvc to enable restriction checking on local machine.

If you need to apply a distribution list-based restriction to a connector, you must manually enable the checking process for these restrictions. Restriction checking is controlled by a registry key that must be set on the Exchange bridgehead (Smallbusiness SMTP Connector) that is the source for the connector that is being checked. If you specify a restriction, but do not create the registry key, the restriction is not checked.
Connector restriction checking is turned off by default because expanding distribution groups and checking the restrictions for each message that passes through the system can significantly affect performance. If possible, turn on this setting only where it is necessary (for example, on the bridgehead server for the restricted connector).

  1. Open the Registry Editor. Start -> Run and type 'regedit'. Locate and click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESvc\Parameters
  2. On the Edit menu, click New and DWord Value.
  3. Name the new value 'CheckConnectorRestrictions'.
  4. Set the value to 1 hexadecimal. Close the registry editor.
  5. Restart the Microsoft Exchange Routing Engine service and the Simple Mail Transfer Protocol (SMTP) services for this change to take effect.
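
The same registry change can be scripted and verified. The following is an added example, not part of the original article: it assumes Windows PowerShell is installed on the bridgehead server, that the session is elevated, and that event 957 is written to the Application log. The key, value and service names are the ones quoted in the event text above.

```powershell
# Added example: enable connector restriction checking and verify the result.
# Run in an elevated PowerShell session on the Exchange bridgehead server.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RESvc\Parameters'
$name = 'CheckConnectorRestrictions'

if (-not (Test-Path $key)) {
    throw "Registry key $key not found. Is the Routing Engine installed here?"
}

# Current value; $null if the DWORD has never been created.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

# Default: look back one hour for warnings when nothing needs changing.
$since = (Get-Date).AddHours(-1)

if ($current -eq 1) {
    Write-Output "$name is already 1; no change made."
} else {
    # Create the DWORD, or overwrite an existing value other than 1.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null
    $since = Get-Date
    # Restart both services named in event 957 so the setting is re-read.
    Restart-Service -Name RESvc   -Force
    Restart-Service -Name SMTPSVC -Force
}

# Verification 1: the value on disk is 1.
$value = (Get-ItemProperty -Path $key -Name $name).$name
Write-Output "$name = $value"

# Verification 2: both services came back up.
Get-Service -Name RESvc, SMTPSVC | Select-Object Name, Status

# Verification 3: no new "restriction checking is disabled" warning (ID 957).
# Assumption: the event is logged to the Application log.
$warnings = Get-EventLog -LogName Application -Source MSExchangeTransport `
                -EntryType Warning -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 957 }

if ($warnings) {
    Write-Warning "Event 957 still logged since $since; restrictions are NOT enforced."
} else {
    Write-Output "No event 957 since $since."
}
```

Event 957 may not be logged immediately after the services start, so re-run the last check after some mail has passed through the connector.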

Modify the SmallBusiness SMTP Connector in Exchange 2003

The last step in this procedure is to add the 'Block Internet Email' group in the 'Delivery restrictions'.

  1. Open Exchange System Manager from the Start menu. Right click the SmallBusiness SMTP Connector and choose Properties.
  2. Choose the tab 'Delivery Restrictions' and click 'Add'.
  3. Click 'Advanced'.
  4. Click 'Find Now'.
  5. Highlight the Group you just created and choose 'OK'.
  6. Click 'OK'.
  7. Click 'Apply' and 'OK'. Close the Exchange System Manager.

Make sure you restart the Microsoft Exchange Information Store service from the services applet.


Restrict users from receiving internet email

In this example we want to block all email from external sources but we want to keep the internal mail flow for a user. Here is how we do that.

  1. Open the SBS Server Management console. Browse to the Users hive and highlight the user you want to block internet email for. Choose 'Change User Properties'.
  2. Choose the tab 'Exchange General' and click 'Delivery Restrictions'.
  3. Choose 'From authenticated users only' and click 'OK'.
  4. Click 'Apply' and 'OK'.

Testing and the results

If you try to send an email from a user account that is restricted from sending internet email to an email address outside of your local network, this should be received in your inbox:


If you try to send an email from an email address outside your network to a user account that was restricted from receiving internet email, this is the result:



About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.
