Block External Emails for an Exchange Server 2013 Mailbox

May 6, 2014 by Paul Cunningham 33 Comments

A reader asks whether it is possible to block external emails sent to an Exchange Server 2013 mailbox user.

Here are two ways to achieve this. I will use one of my mailbox users, Alex Heyne, for these examples.

Transport Rule

Using an Exchange 2013 transport rule we can block emails sent from external senders to the mailbox user.

In the Exchange Admin Center navigate to Mail Flow -> Rules.

Start a new Transport Rule.

Although there are some pre-canned rule templates that help get you started, in this case I prefer to choose “Create a new rule…” and build it from scratch.

Set the first condition to “The sender is located…” and choose “Outside the organization”. Then click the “More options…” link.

You can then add the second condition that specifies which recipient the messages are being sent to.

Next, set the action to reject the message. There are three rejection options. I prefer to use one that sends back an explanation if the situation is relatively harmless, but for blocking malicious emails it is probably better to just drop them without notifying the sender.

Since you are rejecting the message you probably also want to stop processing other rules.

Save the rule when you have completed the configuration.

The email messages from external senders to that recipient will now be blocked in the transport pipeline, which will show up in message tracking logs.

Timestamp               : 6/05/2014 8:15:33 PM
ClientIp                :
ClientHostname          : E15MB1
ServerIp                :
ServerHostname          :
SourceContext           : Transport Rule Agent
ConnectorId             :
Source                  : AGENT
EventId                 : FAIL
InternalMessageId       : 49443663511553
MessageId               : <CAPOW2OCFFOcjBXjviMqxoscn3HPqH-Zc95Qvgiw101kUGijM+A@mail.gmail.com>
Recipients              : {alex.heyne@exchange2013demo.com}
RecipientStatus         : {550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy}
TotalBytes              : 3095
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Test 2 Inbound
Sender                  : exchangeserverpro@gmail.com
ReturnPath              : exchangeserverpro@gmail.com
Directionality          : Incoming
TenantId                :
OriginalClientIp        :
MessageInfo             : 2014-05-06T10:14:46.526Z;SRV=E15MB1.exchange2013demo.com:TOTAL=30|SMS=30;SRV=E15MB1.exchange2
                          013demo.com:TOTAL=15;CAT|CATRS|CATRS-Transport Rule Agent
MessageLatency          :
MessageLatencyType      : None
EventData               : {[E2ELatency, 47], [DeliveryPriority, Normal], [ExternalOrgIdNotSetReason, ]}

Although this rule will result in external emails being rejected, it will also reject emails sent via a relay connector, unless you set exceptions on the rule for the email addresses that you know will be sending via that method.
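The same transport rule built from the Exchange Management Shell, as an added example that is not from the original post: the recipient address and the server name E15MB1 are taken from the post, while the rule name and the relay sender pattern are assumed placeholders. The IsInternal pre-flight check comes from the comment thread on this post.

```powershell
# Added example, not from the original post: the transport-rule method from the
# Exchange Management Shell. The recipient address and server name E15MB1 are
# from the post; the rule name and the relay sender pattern are placeholders.

$Recipient   = "alex.heyne@exchange2013demo.com"
$RelaySender = "^scanner@exchange2013demo\.com$"   # placeholder regex for a device that relays anonymously

# Pre-flight check raised in the comments on this post: if any remote domain has
# IsInternal set to True, Exchange treats those senders as internal and a
# "sender is outside the organization" condition never matches.
Get-RemoteDomain | Where-Object { $_.IsInternal } |
    Format-Table Name, DomainName, IsInternal -AutoSize

# Condition 1: sender outside the organization  -> -FromScope NotInOrganization
# Condition 2: sent to the mailbox user         -> -SentTo
# Action: reject with an explanation and stop processing further rules.
# Exception: the relay-connector sender that the post says you must exclude
# (use -ExceptIfSenderDomainIs instead if the whole sending domain is trusted).
New-TransportRule -Name "Block external mail to Alex Heyne" `
    -FromScope NotInOrganization `
    -SentTo $Recipient `
    -ExceptIfFromAddressMatchesPatterns $RelaySender `
    -RejectMessageReasonText "This mailbox does not accept email from external senders." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -StopRuleProcessing $true `
    -Mode Enforce

# For suspected malicious mail the post prefers a silent drop: replace the two
# RejectMessage* parameters with -DeleteMessage $true (they cannot be combined).

# Verify from message tracking: a rejected message is logged with EventId FAIL,
# Source AGENT and SourceContext "Transport Rule Agent", as in the excerpt above.
Get-MessageTrackingLog -Server E15MB1 -Start (Get-Date).AddHours(-1) `
    -EventId FAIL -Recipients $Recipient |
    Where-Object { $_.SourceContext -eq "Transport Rule Agent" } |
    Format-List Timestamp, Sender, MessageSubject, RecipientStatus
```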

Message Delivery Restrictions

Another method is using message delivery restrictions on the mailbox itself. This may be a better approach if you want your help desk to manage this type of restriction without having to give them the rights to manage transport rules in your organization.

Open the properties of the mailbox and select Mailbox Features, then scroll down to Message Delivery Restrictions and click View Details.

Enabling the option to “Require that all senders are authenticated” will have the effect of rejecting emails from external senders.

However…

  • You don't get to choose whether to send an NDR or not; it is always sent
  • The NDR is slightly unfriendly compared to the custom rejection message you can use with transport rules
  • This option will also reject email sent via relay connectors, as with the transport rule option; but
  • There is no way to set exceptions for this option

So what you gain in handing off this administrative task to your help desk you lose in flexibility.
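The mailbox-level restriction from the Exchange Management Shell, as an added example that is not from the original post; the mailbox address is from the post, and the role group named in the comments is an assumption about how the help desk would be delegated these rights.

```powershell
# Added example, not from the original post: the mailbox-level alternative, which
# needs only mailbox rights (e.g. the built-in Recipient Management role group)
# rather than the right to manage transport rules. Address is from the post.

$Mailbox = "alex.heyne@exchange2013demo.com"

# Same effect as ticking "Require that all senders are authenticated":
# unauthenticated (external and anonymous relay) senders get an NDR, with no exceptions.
Set-Mailbox -Identity $Mailbox -RequireSenderAuthenticationEnabled $true

# Confirm it, alongside any other delivery restrictions already on the mailbox
Get-Mailbox -Identity $Mailbox |
    Format-List Name, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom, RejectMessagesFrom

# Audit: list every mailbox carrying the restriction so the help desk can review
# and later remove blocks that are no longer wanted.
Get-Mailbox -ResultSize Unlimited -Filter 'RequireSenderAuthenticationEnabled -eq $true' |
    Select-Object Name, PrimarySmtpAddress

# Lift the restriction again when the block is no longer needed
Set-Mailbox -Identity $Mailbox -RequireSenderAuthenticationEnabled $false
```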

Summary

As you can see, there are options available for blocking external emails sent to an Exchange Server 2013 mailbox user. However, each has pros and cons, and so requires some consideration before you choose which option to implement.

Paul Cunningham

Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.

Comments

  1. Ganesh Wadkar says

    July 12, 2019 at 6:28 pm

    Hello Sir,

    I have MS Exchange server 2016. I am getting many spam email in Queue Viewer with Blank sender email, like.. From Address:

    How can I block this type of email?

  2. Nabil IT says

    July 11, 2018 at 8:19 pm

    Hi,
    Good post. Can we block incoming mail with ISO files, for example, for all domains?
    Regards

  3. Rizwan Ahmed Sahibzada says

    April 18, 2018 at 5:10 pm

    Hi,
    How can we do this with the Exchange Management Shell?

  4. William Henderson says

    August 22, 2017 at 7:34 am

    How do I block specific IP addresses from external sources?

    • Paul Cunningham says

      August 22, 2017 at 8:27 am

      You could look at using a transport rule to block based on source IP address.

  5. Alain De Meulemeester says

    May 18, 2017 at 10:40 pm

    I tried using this to block incoming external mail to a group of people.
    Created a security group “RejectExternalMail”, added a couple of test users.
    Created Rule
    If the message is sent to a member of group RejectExternalMail and is received from ‘Outside the organization’
    do the following
    reject the message and include the explanation etc…..
    Rule mode “Enforce”

    Rule IS active and no other rules are active.

    Any ideas / tips???

    • Alain De Meulemeester says

      May 18, 2017 at 10:49 pm

      Sorry, forgot to say that I tested sending a mail from my private account to one of the test users, but the mail goes straight through.

    • Dan Gurney says

      July 24, 2017 at 9:20 pm

      Not saying this is definitely the case, but the problem I was having would certainly produce this behaviour.

      Try running
      Get-RemoteDomain | select IsInternal | fl

      If it returns “IsInternal : True” then Exchange will treat all domains as Internal and no rules based on Internal vs External domains will work properly.

  6. Phil says

    May 5, 2017 at 12:19 pm

    Hi Paul
    I think I have sorted it. I did a rule:
    Apply this rule if recipient is user@internaldomain
    and the sender is located outside the organisation
    Do the following, delete the message without notify
    Except if the senders domain is special.outsidedomain

  7. Phil says

    May 5, 2017 at 12:02 pm

    Hi Paul
    How can I drop all external mail to a particular user, except for from a certain domain?

  8. DanGurney says

    May 4, 2017 at 6:01 pm

    Hi,
    I have a strange issue with our Exchange 2013 on premises: I need to block users from a certain group sending external mail. We had a rule which achieved this set up under Exchange2007 which we migrated off at the end of Feb, and it’s just come to my attention that the rule is no longer working. I set up a rule for testing which is basically the same but uses my own account as a ‘guinea pig’. It’s set to reject any mail sent by me to a recipient outside the organisation, but it fails to fire. If I change it to “Inside the organisation” it works fine.

    I’ve read elsewhere about it taking a long time for rules to take effect, so I left it overnight, to no avail, and tried restarting both the Transport services.

    • Paul Cunningham says

      May 4, 2017 at 8:07 pm

      When you change it to “Inside the organization” are you still testing it by sending to an external recipient?

      • Dan Gurney says

        May 4, 2017 at 10:54 pm

        Hi Paul, No, sorry. Should have been clearer. Sending to a colleague causes it to fire. So in other words it behaves as you’d expect.

        Thanks,

        Dan

      • Dan Gurney says

        May 4, 2017 at 11:03 pm

        Your question got me thinking though: so I set it to “Inside the Organization” and sent a mail to an external address. It fired. So it appears to think that all domains are inside the organization. I was under the impression that it decided what was ‘inside’ by looking at its ‘Accepted Domains’ list?

        • Paul Cunningham says

          May 5, 2017 at 8:35 am

          How are you sending the test email?

          • Dan Gurney says

            May 8, 2017 at 8:24 pm

            Hi Paul,

            Sending from Outlook using my own standard account.

            Cheers,

            Dan

          • Paul Cunningham says

            May 9, 2017 at 8:52 am

            Ok. I can’t think of a reason why that would be happening then. Perhaps something weird with the accepted domains, remote domains, or send/receive connectors. Probably worth opening a support case with MS so they can see your environment and provide advice.

        • Dan Gurney says

          July 3, 2017 at 8:14 pm

          Just in case any one is interested; this turned out to be due to the IsInternal parameter. Somehow (don’t ask me how) it had been set to ‘True’ for the default remote domain (*). Set it to false and all works as it should. I can’t imagine how it’s happened, it must have been at some point during our co-existence with 2007.

  9. Mahbod Fouladi says

    February 21, 2017 at 12:48 am

    How can I block sending emails to all external domains except to some special addresses that are in a whitelist? For example, a user in my organization can send email internally and just to abcd@gmail.com.

    • Paul Cunningham says

      February 21, 2017 at 11:27 am

      You could use a transport rule. Set up a rule that blocks email from those internal senders to any external recipient, then add exceptions for the addresses they’re allowed to send to. If you look at the configuration options when creating a transport rule it should become clear.

  10. ahmed says

    November 28, 2016 at 5:01 pm

    How to stop sending emails to a specific domain in Exchange 2013?

    • Paul Cunningham says

      November 28, 2016 at 8:44 pm

      You can use transport rules to block emails to specific domains.

  11. Shanaya Sharma says

    June 2, 2016 at 2:19 am

    I want to set a rule in “Mail flow” to restrict email access if the sender’s IP is from a particular range. What should I do? I have tried to set the rule by setting “Apply the rule if” –> “Sender’s IP is in the range of or exactly matches”, but it is still not working if I am accessing OWA from a different network. Please give me a solution.

    • Paul Cunningham says

      June 2, 2016 at 11:20 am

      That won’t work. When you send using OWA the transport rules can’t see which IP your computer was connecting from.

  12. Gideon Kofi says

    February 23, 2016 at 1:51 am

    Wow!!! This is an amazing post. Well explained, has all the vital areas captured.
    Thanks Paul.

    However, is it possible for me to hold all incoming messages to a specific user (mailbox), say I direct the messages to a line manager to read through before approving or releasing them to the user?

    This has been a concern in my environment, where there are some scam messages coming in to my users every single day.
    Guys your inputs will be appreciated.

    Thanks.

  13. Prabhuk says

    December 30, 2015 at 6:56 pm

    Superb support article, no words to explain.

  14. kaniwi says

    August 5, 2015 at 9:53 am

    Great post – like the “Mail Flow” idea.
    Especially for users you want to disable as they are going on disability or maternity leave for a period of time and you don’t want email filling up their inbox.
    I followed your suggestion but created a group to place those users in and then referenced that group in the rule.
    Also created two rules
    – one for outside senders that get a message back
    – one for internal users, that have their email deleted (no NDR)

    Thanks for the tip.

  15. christo says

    July 10, 2015 at 8:55 pm

    Not quite what I was looking for but a great article.
    How can I set a list of email addresses or domains to block?
    Basically junk mail filtering as can be achieved within outlook, but on the exchange server.

    Thanks

  16. Laurie says

    April 29, 2015 at 8:05 pm

    Hi

    Firstly great post!

    How can I stop a user from sending emails externally, more specifically read receipts? I need to do this for just a few days, and then after the few days I will re-enable this user to send externally, but I do not then want all the read receipts that did not send to suddenly send as soon as the user is re-enabled.

    • Paul Cunningham says

      April 29, 2015 at 8:45 pm

      So your scenario is that when this mailbox receives an email, and the mailbox owner reads it, you don’t want any read receipts to be sent at all.

      If I’m understanding your request then a transport rule should do the job for you. Start a new rule and before you set any conditions click on More options. You should see the condition available to apply the rule if “The message type is…” and the type “Read receipt”. If you combine that with a condition for who the message is from, and an action to block/drop the messages, then it should prevent that mailbox from sending any read receipts.

  17. Phil Ready says

    February 3, 2015 at 9:55 am

    Hi Paul
    Can you set a mailbox to accept messages from null?
    Maybe: set-mailbox “user” -AcceptMessagesOnlyFrom “”

  18. Antonio says

    July 22, 2014 at 8:37 pm

    ONLY ONE WORD: MARVELOUS!!!!!

  19. ian shapton says

    June 13, 2014 at 8:10 pm

    Another great article, thanks.
    On a similar note I want to create a rule to notify senders if they email certain domains:

    Apply this rule if…A recipient’s domain is…’domain.com’
    Notify the sender with a Policy Tip…Notify the sender, but allow them to send

    However, I get error:
    One of the conditions you specified can’t be used for rules where you want to notify the sender. Error details: The NotifySender action isn’t compatible with ‘RecipientDomainIs’ predicate.

    Do you know what I am doing wrong here?
    thanks

