How do you prevent an Exchange 2003 user from sending and receiving SMTP traffic through the internet, while still allowing them to receive emails from within the Exchange organization? By Mark D. MacLachlan
The easiest way to prevent users from receiving Internet e-mail is to give them e-mail addresses that are only valid internally. For example, you could use an internal SMTP domain of mycompany.local. The ".local" suffix is not a valid public Internet TLD (top-level domain), so Internet SMTP servers cannot route mail to anything under it, such as user@mycompany.local. This prevents these users from receiving Internet e-mail while still letting them collaborate with everyone inside your Exchange organization, because internal delivery resolves recipients through the directory rather than through public DNS. If your organization already uses a public Internet domain, you can set this up with Recipient Policies: create a policy whose LDAP filter matches only the users or groups in question and have it stamp them with a mycompany.local SMTP address as their only address. Make sure those users do not keep a secondary address in the public domain, otherwise Internet mail to that address will still be delivered. Note that this by itself does not stop the users from sending outbound mail; it only ensures that replies cannot come back, so pair it with the connector restrictions described below if outbound mail must be blocked as well. Another option is to add the users' SMTP addresses to the Recipient Filtering list on the SMTP server. This works fine for a handful of disabled mailboxes, but it is not practical for a large number of users because there is a limit to the number of addresses you can add to the list.
Exchange 2003 makes this much easier by providing a per-recipient setting that causes mail to a user or distribution group to be NDR'd if the message was submitted anonymously. Since anonymous submission is the normal way mail arrives from the Internet, all Internet mail to any of that user's addresses is returned to the sender.
To set the feature to require authentication to send to a specific user, follow these steps:
1. Open Active Directory Users and Computers.
2. Right click on the user account, and then on Properties.
3. Select the Exchange General tab.
4. Select Delivery Restrictions.
5. Under Message restrictions, select the From authenticated users only check box.
You can use the same method to control messages sent to distribution groups (the Exchange General tab is present on group objects as well).
After making this change, all mail from the Internet to those users is NDR'd as long as the submitting session did not authenticate. Only authenticated submissions are delivered, which in practice limits the user to mail from other mailbox users in the Exchange organization. Keep in mind that the check is about authentication, not origin: an internal application or device that submits mail anonymously over SMTP will be rejected as well, and an external party that is able to authenticate to your SMTP virtual server will be allowed through.
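The five GUI steps above are fine for one or two mailboxes, but not for an OU full of them. The following PowerShell script is an added example, not part of the original article: it sets the directory attribute behind the "From authenticated users only" check box, msExchRequireAuthToSendTo, through ADSI for a list of accounts and reads the value back so you can confirm the change took. The OU distinguished name, the domain and the sAMAccountNames are placeholders; run it on a domain-joined machine as an account with write access to those user objects.

```powershell
# Added example (not from the article): bulk-apply the "From authenticated users only"
# delivery restriction by setting msExchRequireAuthToSendTo via ADSI, then verify it.
# Assumptions: domain-joined machine, account with write access to the user objects,
# placeholder OU DN and sAMAccountNames below.

$searchBase = "LDAP://OU=Internal Only,DC=mycompany,DC=local"   # placeholder OU
$accounts   = @("jdoe", "asmith")                                # placeholder users

function Set-RequireAuthToSendTo {
    param(
        [string]$SearchBase,
        [string[]]$SamAccountNames,
        [bool]$Enabled = $true
    )
    $root = [ADSI]$SearchBase
    foreach ($sam in $SamAccountNames) {
        # Look up the user object by sAMAccountName beneath the given OU
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
        $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
        $result = $searcher.FindOne()
        if ($null -eq $result) {
            Write-Warning "No user object found for $sam under $SearchBase"
            continue
        }
        $user = $result.GetDirectoryEntry()
        # Boolean attribute behind Exchange General > Delivery Restrictions >
        # "From authenticated users only"
        $user.Put("msExchRequireAuthToSendTo", $Enabled)
        $user.SetInfo()

        # Read the value back from the directory rather than trusting the local cache
        $user.RefreshCache()
        $current = $user.Properties["msExchRequireAuthToSendTo"].Value
        Write-Output ("{0}: msExchRequireAuthToSendTo = {1}" -f $sam, $current)
    }
}

function Get-RequireAuthToSendToReport {
    param([string]$SearchBase)
    # List every user under the OU that currently has the restriction enabled,
    # together with its SMTP addresses, so you can spot any remaining public-domain
    # address that would still accept Internet mail under the .local approach.
    $root = [ADSI]$SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(msExchRequireAuthToSendTo=TRUE))"
    $searcher.PageSize = 500
    foreach ($p in @("sAMAccountName", "proxyAddresses")) {
        $searcher.PropertiesToLoad.Add($p) | Out-Null
    }
    foreach ($r in $searcher.FindAll()) {
        $smtp = @($r.Properties["proxyaddresses"]) | Where-Object { $_ -like "smtp:*" }
        Write-Output ("{0}: {1}" -f $r.Properties["samaccountname"][0], ($smtp -join ", "))
    }
}

Set-RequireAuthToSendTo -SearchBase $searchBase -SamAccountNames $accounts -Enabled $true
Get-RequireAuthToSendToReport -SearchBase $searchBase
```

Passing -Enabled $false reverses the change for the same accounts. Because Exchange reads recipient settings from Active Directory through its directory cache, allow the same delay mentioned below for the filtering approach before testing with an anonymous submission from outside.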
The methods above are the preferred way to restrict Internet mail access. If you do wish to use filtering instead, here is how to do it.
In Exchange System Manager, the account in question has to be added to deny lists in two separate places.
The first place is Message Delivery under Global Settings for your organization. Open its Properties, select the Recipient Filtering tab, and add every SMTP address of each account that should be denied Internet e-mail. Filters defined here do not take effect until they are applied to the SMTP virtual server that receives Internet mail: open the virtual server's Properties, click Advanced on the General tab, edit the IP address binding and tick Apply Recipient Filter.
The second place is any Internet Mail SMTP Connector you have in the organization. Open the Properties of each connector, select the Delivery Restrictions tab, and add the accounts in question to the Reject messages from list. This is what stops the users from sending outbound mail.
It may take 15 minutes or so before the changes become active.
If the connector delivery restrictions are not enforced, the registry change described in Microsoft Knowledge Base article 277872 may be necessary (adding the CheckConnectorRestrictions value under the RESvc\Parameters key, which makes the routing engine evaluate connector restrictions at a small performance cost):
http://support.microsoft.com/default.aspx?scid=kb;en-us;277872