I frequently see questions about how to restrict users on the network from being able to send emails to external recipients.
I actually wrote an article on the subject about four years ago. It deals with one specific scenario, “deny most, allow some”, and although it was written when Exchange Server 2007 was the latest version, it still demonstrates how Transport Rules can be used to place various restrictions on what email senders can do.
In this article I will specifically answer the question of how to restrict a small number of specific users from being able to send emails to recipients outside of the organization.
The first step in this method is to create a distribution group. The members of this group will be the users who are restricted from sending external emails. It does not need to be a security group, but it does need to be universal in scope.
Next, create a new Transport Rule with the following configuration.
- From a member of a distribution list (and choose the distribution group you created above)
- Sent to users that are inside or outside of the organization, or partners (and choose “Outside”)
- Send rejection message to sender with enhanced status code (I set the status code to 5.7.1 and configure a message such as “You are not authorized to send email to recipients outside of this organization”)
- Except when a recipient's address matches text patterns (and add any domain names or email addresses they should still be allowed to send to)
After the new rule has taken effect, the members of that distribution group will not be able to send to external recipients, whether they use the To, CC, or BCC fields to do so. They will still be able to send to the domains or email addresses you configure as an exception to the rule, and the exception is evaluated per recipient: even if a message also includes other recipients that get blocked, the permitted ones will still receive the email.
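The same configuration can be built from the Exchange Management Shell instead of the console. The following is an added example, not part of the original article: the group name "No External Mail", the rule name "Block External Mail", the member address and the permitted partner domain are all placeholder values you would replace with your own. It assumes Exchange Server 2010, where the "matches text patterns" conditions accept regular expressions.

```powershell
# Added example, not from the original article. Group name, rule name,
# member address and exception domain are assumed placeholder values.
# Run from the Exchange Management Shell on a Hub Transport server.

# 1. Create the distribution group that will hold the restricted users.
#    New-DistributionGroup creates a universal group by default, which is
#    the scope the "from a member of a distribution list" condition needs.
#    It does not need to be a security group.
New-DistributionGroup -Name "No External Mail" -Alias NoExternalMail -Type Distribution

# 2. Add the users who must not send to external recipients (constructed address).
Add-DistributionGroupMember -Identity "No External Mail" -Member "restricted.user@example.com"

# 3. Create the transport rule with the four settings from the article:
#    - condition: sender is a member of the group
#    - condition: message is sent to recipients outside the organization
#    - action:    reject with an NDR carrying enhanced status code 5.7.1
#    - exception: recipient address matches a permitted pattern (regex)
New-TransportRule -Name "Block External Mail" `
    -FromMemberOf "No External Mail" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "You are not authorized to send email to recipients outside of this organization" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -ExceptIfRecipientAddressMatchesPatterns "@partner\.example\.net$"

# 4. Confirm the rule exists, is enabled, and carries the expected settings
#    before telling users the restriction is in place.
Get-TransportRule -Identity "Block External Mail" |
    Format-List Name, State, Priority, FromMemberOf, SentToScope,
                RejectMessageEnhancedStatusCode, ExceptIfRecipientAddressMatchesPatterns
```

Transport rule changes replicate through Active Directory, so allow a few minutes before testing from a mailbox in the group. When a restricted user sends to one blocked and one permitted recipient, the NDR lists only the blocked recipient, which is the per-recipient behaviour described above.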