In prior versions of Exchange an organisation that wished to restrict who could send outbound internet emails could apply the restriction on an SMTP connector.  In this example emails sent to the * address space are rejected by default unless sent by a group listed in the “Accept messages from:” list, for example a group named “Internet Email Users”.

Exchange 2003 Server outbound mail restrictions

Exchange Server 2007 uses Send Connectors for configuring where outbound internet email is delivered, much like an SMTP connector in Exchange 2003 Server.  However, the Send Connector is not the place to apply restrictions on who can send outbound internet email.  These restrictions are instead applied with Transport Rules.

If you are new to the concept of Transport Rules you should read Understanding How Transport Rules Are Applied In An Exchange Server 2007 Organisation.

To configure the restrictions you create a Transport Rule that follows the same “Deny by default, except if from these groups” approach as Exchange 2003 Server.

Configuring a Transport Rule to Restrict Outbound Internet Email

  1. Create a distribution group through your Exchange Management Console, and give it a descriptive name such as “Internet Email Users”.
  2. In the EMC go to Organization Configuration -> Hub Transport, and click on the Transport Rules tab.
  3. Create a new Transport Rule, name it something like “Restrict Internet Email”
  4. Select “Sent to users Outside the organisation” as the first condition.
  5. Select “Send bounce message…” as the second condition, and configure a bounce message that will be informative enough for your end users.
  6. Select “Except when the message is from member of distribution list” as the exception criteria, and add the Internet Email Users group that was created earlier.
  7. Complete the Transport Rule wizard so that the rule is created in the Exchange Organization.

It may take a short time for the rule to replicate to all Hub Transport servers throughout your Active Directory sites.  Because the rule is applied by Hub Transport servers, messages do not have to traverse the network all the way to the last outbound hop before being rejected by this rule.  Instead they are rejected by the Hub Transport server within the Active Directory site in which the user’s Mailbox Server is located.

The Hub Transport server caches recipient and distribution list information for four hours, so if you have a rule such as this in place and add new users to the Internet Email Users group, those users may not be able to start sending outbound internet email until the recipient cache has refreshed on the Hub Transport server.  Where this is not acceptable you can restart the “Microsoft Exchange Transport” service on each Hub Transport server which will initiate a cache refresh.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Dumitru

    the rule it works..but I must allow only AutomaticReply messages to go Outside.. just to inform about changing some details of user.. I can’t find a way to do this…

  2. Armin

    Can Transport Rules (here MSX2k7) be used with MAPI Client Outlook? Problem is we send all Mails through Transport Rule to a Exchange DMS Mailbox, from where it is exported by MAPI and deleted after Export.

    If the internal Sender requests a “read receipt” from internal mail receipient, he get’s a “your email was deleted without being read”.

    Is there any solution Thank You in advance

  3. Quincy Orsot

    It would be nice and also insrtumental to have a threshold lock in Microsoft Exchange that automatically locks out transport of large bulk email bundles sent by a particular email address whenever it reaches a (user defined) threshold. This would virtually nullify the propagation of spam from the source and simultaneously lower the load on the mail server. If Exchange already has this option, please let me know because I didn’t find it in our documentation. I’m currently doing an internship with the Calcasieu Parish School Board in Lake Charles, Louisiana and we have a very large user-base including administrators, teachers, and students. This presents a problematic situation where user downloading has caused the propagation of spam from inside the network to outside sources and thereby causing some of our email accounts to be blacklisted until we have the chance to clean them out. My suggestion is meant as a means of saving man-hours and resources before the problem gets to the administrative level.
    Please let me know if you have any solutions and Thank You in advance
    Quincy Orsot

    1. Avatar photo
      Paul Cunningham

      There are anti-spam products available that can handle outbound outbreaks like that.

Leave a Reply