A reader asks whether it is possible to block external emails sent to an Exchange Server 2013 mailbox user.

Here are two ways to achieve this. I will use one of my mailbox users Alex Heyne for these examples.

Transport Rule

Using an Exchange 2013 transport rule we can block emails sent from external senders to the mailbox user.

In the Exchange Admin Center navigate to Mail Flow -> Rules.

exchange-2013-transport-rule-01

Start a new Transport Rule.

exchange-2013-transport-rule-02

Although there are some pre-canned rule templates that help get you started I prefer to just choose “Create a new rule…” and build it from scratch in this case.

exchange-2013-transport-rule-03

Set the first condition to “The sender is located…” and choose “Outside the organization”. Then click the “More options…” link.

exchange-2013-transport-rule-04

You can then add the second condition that specifies which recipient the messages are being sent to.

exchange-2013-transport-rule-05

Next, set the action to reject the message. There are three rejection options. I prefer to use one that sends back an explanation if the situation is relatively harmless, but for blocking malicious emails it is probably better to just drop them without notifying the sender.

exchange-2013-transport-rule-06

Since you are rejecting the message you probably also want to stop processing other rules.

exchange-2013-transport-rule-07

Save the rule when you have completed the configuration.

The email messages from external senders to that recipient will now be blocked in the transport pipeline, which will show up in message tracking logs.

Timestamp               : 6/05/2014 8:15:33 PM
ClientIp                :
ClientHostname          : E15MB1
ServerIp                :
ServerHostname          :
SourceContext           : Transport Rule Agent
ConnectorId             :
Source                  : AGENT
EventId                 : FAIL
InternalMessageId       : 49443663511553
MessageId               : <CAPOW2OCFFOcjBXjviMqxoscn3HPqH-Zc95Qvgiw101kUGijM+A@mail.gmail.com>
Recipients              : {alex.heyne@exchange2013demo.com}
RecipientStatus         : {550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy}
TotalBytes              : 3095
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Test 2 Inbound
Sender                  : exchangeserverpro@gmail.com
ReturnPath              : exchangeserverpro@gmail.com
Directionality          : Incoming
TenantId                :
OriginalClientIp        :
MessageInfo             : 2014-05-06T10:14:46.526Z;SRV=E15MB1.exchange2013demo.com:TOTAL=30|SMS=30;SRV=E15MB1.exchange2
                          013demo.com:TOTAL=15;CAT|CATRS|CATRS-Transport Rule Agent
MessageLatency          :
MessageLatencyType      : None
EventData               : {[E2ELatency, 47], [DeliveryPriority, Normal], [ExternalOrgIdNotSetReason, ]}

Although this rule will result in external emails being rejected it will also reject emails sent via a relay connector, unless you set exceptions on the rule for email addresses that you know will be sending via that method.

Message Delivery Restrictions

Another method is using message delivery restrictions on the mailbox itself. This may be a better approach if you want your help desk to manage this type of restriction without having to give them the rights to manage transport rules in your organization.

Open the properties of the mailbox and select Mailbox Features, then scroll down to the Message Delivery Restrictions and click View Details.

exchange-2013-message-delivery-restrictions-01

Enabling the option to “Require that all senders are authenticated” will have the effect of rejecting emails from external senders.

exchange-2013-message-delivery-restrictions-02

However…

  • You don’t get to choose whether to send an NDR or not, it is always sent
  • The NDR is slightly unfriendly compared to a custom rejection message you can use with transport rules
  • This option will also reject email sent via relay connectors, as with the transport rule option; but
  • There is no way to set exceptions for this option

So what you gain in handing off this administrative task to your help desk you lose in flexibility.

Summary

As you can see there are options available for blocking external emails sent to an Exchange Server 2013 mailbox user. However each has pros and cons, and so requires some consideration before you choose which option to implement.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Ganesh Wadkar

    Hello Sir,

    I have MS Exchange server 2016. I am getting many spam email in Queue Viewer with Blank sender email, like.. From Address:

    how can i block this type Emails.

  2. Nabil IT

    Hi,
    Good Good Post, Can We block incoming mail iso files example for all domain ?
    Regards

  3. Rizwan Ahmed Sahibzada

    Hi,
    How we can do this by Exchange management shell ?

  4. William Henderson

    How do I block specific ip addresses from external sources?

    1. Paul Cunningham

      You could look at using a transport rule to block based on source IP address.

  5. Alain De Meulemeester

    I tried using this to block incoming external mail to a group of people.
    Created a security group “RejectExternalMail” , added a couple of test users.
    Created Rule
    If the message is sent to a member of group RejectExternalMail and is received from ‘Outside the organization’
    do the following
    reject the message and include the explanation etc…..
    Rule mode “Enforce”

    Rule IS active and there are no other rules are active.

    Any ideas / tips???

    1. Alain De Meulemeester

      Sorry, forgot to say that I tested sending a mail from my private acoount to one of the test users, but the mail goes straight through

    2. Dan Gurney

      Not saying this is definately the case but the problem I was having would certainly produce this behaviour.

      Try running
      Get-RemoteDomain | select IsInternal | fl

      If it returns “IsInternal : True” then Exchange will treat all domains as Internal and no rules based on Internal vs External domains will work properly.

  6. Phil

    Hi Paul
    I think I have sorted it. I did a rule:
    Apply this rule if recipient is user@internaldomain
    and the sender is located outside the organisation
    Do the following, delete the message without notify
    Except if the senders domain is special.outsidedomain

  7. Phil

    Hi Paul
    How can I drop all external mail to a particular user, except for from a certain domain?

  8. DanGurney

    Hi,
    I have a strange issue with our Exchange 2013 on premises: I need to block users from a certain group sending external mail. We had a rule which achieved this set up under Exchange2007 which we migrated off at the end of Feb, and it’s just come to my attention that the rule is no longer working. I set up a rule for testing which is basically the same but uses my own account as a ‘guinea pig’. It’s set to reject any mail sent by me to a recipient outside the organisation, but it fails to fire. If I change it to “Inside the organisation” it works fine.

    I’ve read elsewhere about it taking a long time for rules to take effect, so I left it overnight, to no avail, and tried restarting both the Transport services.

    1. Paul Cunningham

      When you change it to “Inside the organization” are you still testing it by sending to an external recipient?

      1. Dan Gurney

        Hi Paul, No, sorry. Should have been clearer. Sending to a colleague causes it to fire. So in other words it behaves as you’d expect.

        Thanks,

        Dan

      2. Dan Gurney

        Your question got me thinking though: so I set it to “Inside the Organization” and sent a mail to an external address. It fired. So it appears to think that all domains are inside the organization. I was under the impression that it decided what was ‘inside’ by looking at it’s ‘Accepted Domains’ list?

          1. Dan Gurney

            Hi Paul,

            Sending from Outlook using my own standard account.

            Cheers,

            Dan

          2. Paul Cunningham

            Ok. I can’t think of a reason why that would be happening then. Perhaps something weird with the accepted domains, remote domains, or send/receive connectors. Probably worth opening a support case with MS so they can see your environment and provide advice.

        1. Dan Gurney

          Just in case any one is interested; this turned out to be due to the IsInternal parameter. Somehow (don’t ask me how) it had been set to ‘True’ for the default remote domain (*). Set it to false and all works as it should. I can’t imagine how it’s happened, it must have been at some point during our co-existence with 2007.

  9. Mahbod Fouladi

    How can block sending emails to all external domain unless to some especial address who are in a whitelist, for example, A user in my organization can send email internally and send just to abcd@gmail.com .

    1. Paul Cunningham

      You could use a transport rule. Set up a rule that blocks email from those internal senders to any external recipient, then add exceptions for the addresses they’re allowed to send to. If you look at the configuration options when creating a transport rule it should become clear.

  10. ahmed

    how to stop sending emails to specific domain in exchange 2013

    1. Paul Cunningham

      You can use transport rules to block emails to specific domains.

  11. Shanaya Sharma

    I want to set the rule in “Mail flow” to restrict the email access if sender’s IP is from particular range……..What should I do?? I have try to set the rule by setting “Apply the rule if”–>Sender’s IP in the range of or exactly match” but still it is not working if I m accessing OWA from different network..plz give me solution.

    1. Paul Cunningham

      That won’t work. When you send using OWA the transport rules can’t see which IP your computer was connecting from.

  12. Gideon Kofi

    Wow!!! This is an amazing post. Well explained, has all the vital areas captured.
    Thanks Paul.

    However, is it possible for me hold all incoming message to a specific user (mailbox) ,say i direct the message to a line manger to read through before approving or releasing them out to the user?.

    This has been a concern in my environment, where there are some scam messages coming in to my users every single day.
    Guys your inputs will be appreciated.

    Thanks.

  13. Prabhuk

    Superb support article no words to explain

  14. kaniwi

    Great post – like the “Mail Flow” idea.
    Especially for users you want to disable as they are going on Disability or Maternity leave for a period of time and you don’t want email filling up there inbox.
    I followed your suggestion but created a group to place those users in and then referenced that group in the rule.
    Also created two rules
    – one for outside senders that get a message back
    – one for internal users, that have there email deleted (no NDR)

    Thanks for the tip.

  15. christo

    Not quite what I was looking for but a great article.
    How can I set a list of email address or domains to block.
    Basically junk mail filtering as can be achieved within outlook, but on the exchange server.

    Thanks

  16. Laurie

    Hi

    Firstly great post!

    How can I stop a user from sending emails externally more specifically read receipts? I need to do this for just a few days, and then after the few days, I will re-enable this user to send externally, but I do not then want all read receipts that did not send, to then just suddenly send as soon as the user is re enabled.

    1. Paul Cunningham

      So your scenario is that when this mailbox receives an email, and the mailbox owner reads it, you don’t want any read receipts to be sent at all.

      If I’m understanding your request then a transport rule should do the job for you. Start a new rule and before you set any conditions click on More options. You should see the condition available to apply the rule if “The message type is…” and the type “Read receipt”. If you combine that with a condition for who the message is from, and an action to block/drop the messages, then it should prevent that mailbox from sending any read receipts.

  17. Phil Ready

    Hi Paul
    Can you set an mailbox to accept messages from null?
    Maybe: set-mailbox “user” -AcceptMessagesOnlyFrom “”

  18. Antonio

    ONLY ONE WORD: MARVELOUS!!!!!

  19. ian shapton

    Another great article, thanks.
    On a similar note I want to create a rule to notify senders if they email certain domains:

    Apply this rule if…A recipient’s domain is…’domain.com’
    Notify the sender with a Policy Tip…Notify the sender, but allow them to send

    However, I get error:
    One of the conditions you specified can’t be used for rules where you want to notify the sender. Error details: The NotifySender action isn’t compatible with ‘RecipientDomainIs’ predicate.

    Do you know what I am doing wrong here?
    thanks

Leave a Reply