Restrict Exchange mail users from sending to the Internet

Source: Internet
Author: User

Source: http://www.5dmail.net/html/2003-10-31/20031031205516.htm

As a system administrator, you may want to block mailbox users from sending and receiving mail over the Internet. This article describes how to do that.
Restrict users from sending mail to the Internet
To restrict users from sending mail to the Internet, we need to create an SMTP Connector, because this restriction cannot be set on the SMTP Virtual Server.
1. In Active Directory Users and Computers, create a mail-enabled group and give it a meaningful name. In this example we use the group name No Internet Mail.
2. Add the users who are not allowed to send mail to the Internet to this newly created group.
Now we need to create an SMTP Connector.
1. Open Exchange System Manager (ESM) and navigate to Connectors.

2. Right-click Connectors and select New -> SMTP Connector. In the General tab of the Properties dialog box that pops up, enter the name of the new SMTP Connector; in this case we use Default SMTP Connector.

3. Now associate the new SMTP Connector with the SMTP Virtual Server: press the "Add ..." button under Local bridgeheads in the General tab, and in the list of SMTP Virtual Servers that is displayed, select the local SMTP Virtual Server to add it to the list of local bridgehead servers.

4. The next step is to set the address space of the new SMTP Connector, which is the list of destinations to which the SMTP Connector can send messages. Select the Address Space tab, press the "Add ..." button, and select SMTP in the "Add Address Space" selection box that pops up.

5. In the "Internet Address Space Properties" dialog box that follows, leave the value of E-mail domain as "*", which ensures that the SMTP Connector can send mail to any SMTP domain.

We now restrict the No Internet Mail group we created from sending mail to the Internet.
6. Select the Delivery Restrictions tab and add the No Internet Mail group to the "Reject messages from" list.

7. Click OK to exit the Default SMTP Connector property box.
With this setting in place, when a user in the No Internet Mail group tries to send a message to the Internet, the following notification is returned:
Your message did not reach some or all of the intended recipients.
Subject:
Sent: 18/10/2003 10:29 PM
The following recipient(s) could not be reached:
'test@yupai.net' on 18/10/2003 10:29 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.

So, to restrict a user from sending mail to the Internet, just put the user in the No Internet Mail group.
Now let's look at how to restrict users from receiving mail from the Internet, which is more complicated than restricting them from sending mail to the Internet.
We will continue to work with the No Internet Mail group that has already been created.

To prevent a user from receiving messages from the Internet, you need to give the user a false SMTP address, so that a message arriving via SMTP cannot be matched to a mailbox and is returned to the sender.
There are two ways to do this: first, manually customize the SMTP address of each user; second, use a recipient policy to apply the SMTP address. In this example we use the second method.

When you create a recipient policy that is based on group membership, the recipient policy filter requires the distinguished name (DN) of the group. So first we need to know the DN attribute value of the No Internet Mail group.
We can use the ADSIEdit tool to get the DN of the No Internet Mail group. ADSIEdit is one of the Windows 2000 Support Tools, found in the Support\Tools directory of the Windows 2000 installation CD.

Note: Use ADSIEdit carefully; a small mistake can cause serious damage.
1. Open ADSIEdit.
2. Find the organizational unit where No Internet Mail is located; in this case, it is in the Users container.


3. Locate the CN=No Internet Mail group in the list on the right, right-click it and select Properties.
4. In the property box, select distinguishedName from the "Select a property to view" drop-down list. The Value(s) field displays the DN attribute value of the No Internet Mail group.
5. Note the DN value of the No Internet Mail group displayed in the Value(s) field.
6. Close ADSIEdit.
 
Now we are ready to create a recipient policy based on group membership, which will assign a false SMTP address to all users in the No Internet Mail group.
1. Open Exchange System Manager (ESM).
2. Navigate to Recipients -> Recipient Policies.

3. Select Recipient Policies, then right-click and select New -> Recipient Policy ...
4. In the New Policy dialog box, select only the E-mail Addresses check box.
5. Name the policy; in this case we name it No Internet Mail Policy.
6. Now specify the filter criteria so that the policy applies only to users belonging to the No Internet Mail group. Click the "Modify" button and do the following:
7. In the General tab of the "Find Exchange Recipients" dialog box that pops up, clear all check boxes except "Users with Exchange mailboxes", which stays selected.

8. Select the "Advanced" tab, click the "Field" button, and select User -> group members.

9. In the "Condition" drop-down list, select Is (exactly).
10. In the "Value" field, enter the DN of the No Internet Mail group obtained with ADSIEdit and click the "Add" button.


11. You can click the "Find Now" button to test whether the members of the group are displayed correctly. If everything is OK, click "OK" to exit the "Find Exchange Recipients" dialog box.
12. Return to the No Internet Mail Policy property box and select the E-mail Addresses (Policy) tab.
13. Click "New ..." and select SMTP Address in the list provided.
14. In the Address field of the SMTP Address Properties dialog box, enter an address suffix consisting of the @ symbol followed by the fake domain name. In this example we enter: @fakedomain.local

15. Click OK to accept the new SMTP address and return to the E-mail Addresses (Policy) tab.
16. Select the fake SMTP address in the Generation rules list and click the "Set as Primary" button; the address is then displayed in bold text.
17. Select each of the other SMTP addresses and click the "Remove" button to remove them.
Note: Do not remove the X.400 address.

18. Click OK to exit the recipient policy property box. You will be prompted to apply the new policy; click Yes.
I suggest that you now force the new recipient policy to be applied: right-click the new policy and select "Apply this policy".

If users were already in the No Internet Mail group before the new recipient policy was created, those users will still have a valid SMTP address.

So in Active Directory Users and Computers, select the users who should not receive Internet mail and remove the SMTP addresses they had before the policy was created. Users who are newly created and placed in the No Internet Mail group right away, once the policy exists, will not get a valid SMTP address.
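
A check for the leftover-address problem described above, as an added example that is not part of the original article: it audits directory entries for members of the restricted group that still carry a routable SMTP address, or that lost their X.400 address. The entries, the `example.local` DNs and the function names are constructed for illustration, and the code assumes the `proxyAddresses` convention in which the primary address has the uppercase `SMTP:` prefix.

```python
# Added example; every entry below is constructed sample data.
GROUP_DN = "CN=No Internet Mail,CN=Users,DC=example,DC=local"  # assumed DN
FAKE_SUFFIX = "@fakedomain.local"  # fake domain used in the article
X400 = "X400:c=US;a= ;p=Example;o=Exchange;s=User;"  # constructed

def user(name, in_group, *addresses):
    return {"dn": f"CN={name},CN=Users,DC=example,DC=local",
            "memberOf": [GROUP_DN] if in_group else [],
            "proxyAddresses": list(addresses)}

SAMPLE_ENTRIES = [
    user("Alice", True, "SMTP:alice@fakedomain.local", X400),  # as intended
    # In the group before the policy existed: old address left behind.
    user("Bob", True, "SMTP:bob@fakedomain.local", "smtp:bob@example.com", X400),
    user("Carol", True, "SMTP:carol@example.com", X400),  # policy not applied
    user("Dave", False, "SMTP:dave@example.com", X400),  # not restricted
    user("Erin", True, "SMTP:erin@fakedomain.local"),  # X.400 removed by mistake
]

def audit_entry(entry):
    """Return findings for one restricted mailbox; an empty list means OK."""
    findings = []
    addrs = entry["proxyAddresses"]
    smtp = [a for a in addrs if a.lower().startswith("smtp:")]
    # Assumed convention: the primary address has the uppercase "SMTP:" prefix.
    primary = [a for a in smtp if a.startswith("SMTP:")]
    if not any(a.lower().endswith(FAKE_SUFFIX) for a in primary):
        findings.append("primary SMTP address is not in the fake domain")
    for a in smtp:
        if not a.lower().endswith(FAKE_SUFFIX):
            findings.append("routable address still present: " + a[5:])
    if not any(a.upper().startswith("X400:") for a in addrs):
        findings.append("X.400 address missing")
    return findings

def audit(entries, group_dn=GROUP_DN):
    """Map DN -> findings for group members that fail the check."""
    report = {}
    for entry in entries:
        # memberOf holds direct memberships only; DNs compare case-insensitively.
        groups = [g.lower() for g in entry.get("memberOf", [])]
        if group_dn.lower() in groups:
            findings = audit_entry(entry)
            if findings:
                report[entry["dn"]] = findings
    return report

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_ENTRIES).items():
        print(dn, findings)
```

Because `memberOf` lists direct memberships only, a user who belongs to the group through a nested group is skipped by this check, just as an exact-match filter on the group DN would skip that user.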

---------------
Attachment:
Note that the following registry change must also be made:
1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters\
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: CheckConnectorRestrictions
Data Type: REG_DWORD
Radix: Hexadecimal
Value: 1
4. Quit Registry Editor.
5. Restart the Microsoft Exchange Routing Engine service and the Simple Mail Transfer Protocol (SMTP) service for this change
The original English version of this article is at:
http://www.msexchange.org/tutorials/MF009.html
