Microsoft KB Archive/827616

= How to restrict the users who can send inbound Internet e-mail to another user or to a distribution group in Exchange 2003 =

Article ID: 827616

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition

-





SUMMARY
Microsoft Exchange Server 2003 has a new feature that permits mailbox users or distribution groups to only receive e-mail messages from authenticated users. This feature permits you to restrict inbound Internet e-mail for specific users or for distribution groups. The feature is enabled when you click to select the From authenticated users only check box in the Message restrictions settings for an individual user or a distribution group.



MORE INFORMATION
Because most Internet Simple Mail Transfer Protocol (SMTP) servers do not require authentication for inbound Internet e-mail, there is the risk that unauthorized Internet users might send e-mail messages to users and to distribution lists that are for internal use only. If you configure a user or a distribution group to receive e-mail messages from authenticated users only, those recipients do not receive e-mail messages that are submitted anonymously. Authenticated users can include the following:
 * External users who pass credentials when they send e-mail from the Internet.
 * Internal users in the Exchange organization.

To set the value to require authentication to send to a distribution group, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click the distribution group, and then click Properties.
 * 3) Click the Exchange General tab.
 * 4) Under Message restrictions, click to select the From authenticated users only check box.

To set the value to require authentication to send to a specific user, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click the user account, and then click Properties.
 * 3) Click the Exchange General tab.
 * 4) Click Delivery Restrictions.
 * 5) Under Message restrictions, click to select the From authenticated users only check box.

Note When you click to select the From authenticated users only check box, the value of the msExchRequireAuthtoSendTo Active Directory attribute is changed. The msExchRequireAuthtoSendTo attribute is present on all distribution group objects and on all user recipient objects. The msExchRequireAuthtoSendTo attribute is set the first time that you click to select the From authenticated users only check box.

For both distribution groups and individual users, if you click to select the From authenticated users only check box, this setting affects how the other settings in the Message restrictions section are implemented.
 * If you click From everyone, anyone that is considered to be an authenticated user can send e-mail messages to the user or the distribution list. By default, From everyone is selected.
 * If you click Only from, you can specify a set of authenticated users or groups that can send e-mail messages to the user or the distribution list.
 * If you click From everyone except, all authenticated users except for those that you specify can send e-mail messages to the user or the distribution list.

When you send an e-mail message to a recipient who has restricted the receipt of your e-mail messages, you may receive a non-delivery report (NDR) that is similar to the following:

Your message did not reach some or all of the intended recipients.

Subject: Hello...

Sent: Thu, 15 Jan 2004 12:00:16 -0500

did not reach the following recipient(s):

on Thu, 15 Jan 2004 12:11:37 -0500

You do not have permission to send to this recipient. For assistance, contact your system administrator.



Description of authenticated users
The following types of e-mail messages are considered to be from authenticated users:
 * E-mail messages that originate from Microsoft Outlook MAPI clients that are internal to the Exchange organization.
 * E-mail messages that originate from Microsoft Outlook Web Access that are internal to the Exchange organization.
 * E-mail messages that originate from POP clients or from IMAP clients where the sender supplied credentials to the SMTP server.

If the Exchange Server 2003 computer is configured to accept anonymous access as an authentication method for the SMTP virtual server, and the Internet e-mail message is submitted without any credentials, the e-mail message is not considered to be authenticated.

Note that NDRs, delivery receipts, and read receipts are also not delivered from clients that are not authenticated to an internal mailbox when the From authenticated users only setting for the mailbox is enabled.

Note If you enable the Resolve anonymous e-mail setting on your front-end SMTP servers, anonymous senders can bypass the From authenticated users only setting. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

828770 Resolve anonymous senders functionality in Microsoft Exchange 2003

Event log messages that occur when an e-mail message from an anonymous sender is blocked
If you turn on maximum diagnostic logging on the MSExchangeTransport event source, the following events are logged in the application event log when an e-mail message from an anonymous sender is blocked: Source: MSExchangeTransport

Category: Categorizer

Event ID: 9014

Type: Information

Description:

A message from an anonymous sender could not be delivered to 'smtp:Administrator@contoso.com' because the recipient is configured to accept mails from authenticated senders only. (Message-ID: ). A DSN will be generated. For more information, see Help and Support Center at http://support.microsoft.com.

Source: MSExchangeTransport

Category: Categorizer

Event ID: 6015

Type: Information

Description:

Categorizer is NDRing a recipient with address SMTP:Administrator@contoso.com with reason code 0xc00402de (The sender does not have the permissions required to send this message to the intended recipients. For more information, see Help and Support Center at http://support.microsoft.com.

Source: MSExchangeTransport

Category: NDR

Event ID: 3027

Type: Information

Description:

A non-delivery report with a status code of 5.7.1 was generated for recipient rfc822;Administrator@contoso.com (Message-ID ). Causes: This message indicates that the sender was denied access or general access was denied. Solution: Check system privileges and attributes for the contact and retry sending the message. For more information, click http://search.support.microsoft.com/search/?adv=1.

Note To turn on maximum logging of the MSExchangeTransport event source, follow these steps:
 * 1) In Exchange System Manager, expand Servers, right-click the Exchange computer name where you want to configure logging, and then click Properties.
 * 2) Click the Diagnostics Logging tab.
 * 3) In the Services pane, click MSExchangeTransport.
 * 4) In the Categories pane, click a category, and then click Maximum.
 * 5) Repeat step 4 for each category.
 * 6) Click OK when you are finished.

Additional query words: XADM

Keywords: kbhowto KB827616

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.