How to restrict users from sending and receiving internet email

By Mariette Knap

You may need to block sending and receiving internet email for some users because of a company policy. I had a customer who asked me to implement this for a group of users who were abusing the company's email system and there was no need for those users to send and receive email outside of the domain.

By following the procedure in this article you will be able to block the ability to send and receive internet email but retain mail inside your domain.

Create a mail enabled group

- Open Active Directory Users and Computers from the Start menu and expand your MyBusiness OU.
- Right click the OU 'Security Groups' and click New -> Group.
- Give the group a meaningful name. I use 'Block Internet Email'. Click 'Next'.
- Make sure you check 'Create an Exchange e-mail address' and click 'Next'.
- Click 'Finish'.

Our new group is listed but as you see it does not have a description. If you wish you can double click and add a description.

Add users to the mail enabled group

In the previous section of this article we decided to use groups instead of individual users. Now we need to add users to the 'Block Internet Email' group we just created.

- Open Active Directory Users and Computers and browse to the 'Block Internet Email' group.
- Right click the group and choose Properties.
- Click the tab 'Members' and click 'Add'.
- Click 'Advanced'.
- Click 'Find Now'.
- Management decided that John Doe should no longer be able to send internet email. Choose the user you want to add and click 'OK'.
- Click 'OK' again. We see that John Doe is now listed as a member of the 'Block Internet Email' group.
- Click 'Apply' and 'OK'.
- Close the ADUC Management Console.

Modify the registry to turn on connector restrictions

After you configure the delivery restrictions on a connector by using Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003, the restriction settings may not be applied. In Exchange 2000, the following event ID will also be generated:

    Type: Warning
    Event ID: 957
    Source: MSExchangeTransport
    Category: Routing Engine/Service
    Description: Connector restrictions (by the group or by the user) are present in the organization. However, restriction checking is disabled. Set the registry value HKLM\SYSTEM\CurrentControlSet\Services\RESvc\Parameters\CheckConnectorRestrictions to 1 (DWORD) and restart resvc and smtpsvc to enable restriction checking on local machine.

If you need to apply a distribution list-based restriction to a connector, you must manually enable the checking process for these restrictions. Restriction checking is controlled by a registry key that must be set on the Exchange bridgehead (SmallBusiness SMTP Connector) that is the source for the connector that is being checked. If you specify a restriction, but do not create the registry key, the restriction is not checked.

Connector restriction checking is turned off by default because expanding distribution groups and checking the restrictions for each message that passes through the system can significantly affect performance. If possible, turn on this setting only where it is necessary (for example, on the bridgehead server for the restricted connector).

- Open the Registry Editor: Start -> Run and type 'regedit'.
- Locate and click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Resvc\Parameters\
- On the Edit menu, click New and DWord Value. Name it 'CheckConnectorRestrictions'.
- Set the value to 1 hexadecimal.
- Close the registry editor.
- Restart the Microsoft Exchange Routing Engine service and the Simple Mail Transfer Protocol (SMTP) service for this change to take effect.
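The registry change and service restarts described above can also be scripted with a read-back check. This is an added example, not part of the original article; it assumes Windows PowerShell is installed on the Exchange server and is run as an administrator, and it uses the service names resvc and smtpsvc given in the event 957 text.

```powershell
# Added example (not from the original article). Run as an administrator on
# the Exchange bridgehead server; assumes Windows PowerShell is installed.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\RESvc\Parameters'
$name     = 'CheckConnectorRestrictions'
$services = 'RESvc', 'SMTPSVC'   # service names as given in the event 957 text

if (-not (Test-Path $key)) {
    throw "Registry key $key not found. Is this the Exchange bridgehead server?"
}

# Inspect the existing value, if any, including its registry type.
$regKey  = Get-Item -Path $key
$exists  = $regKey.GetValueNames() -contains $name
$isDword = $exists -and ($regKey.GetValueKind($name) -eq 'DWord')
$current = $regKey.GetValue($name)   # $null when the value does not exist

$started = Get-Date
if ((-not $isDword) -or ($current -ne 1)) {
    # A value created with the wrong type (for example a string "1") is
    # replaced, because the setting has to be a DWORD.
    if ($exists) { Remove-ItemProperty -Path $key -Name $name }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null

    # Restart both services so the change takes effect.
    foreach ($svc in $services) { Restart-Service -Name $svc -Force }
} else {
    Write-Output "$name is already set to 1 (DWORD); nothing changed."
}

# Read back the value and the service state.
$value = (Get-ItemProperty -Path $key -Name $name).$name
Write-Output "$name = $value"
Get-Service -Name $services | Select-Object Name, Status

# Event 957 logged after the change means restriction checking is still off.
$warnings = @(Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'MSExchangeTransport' -and
                   $_.EventID -eq 957 -and $_.TimeGenerated -gt $started })
Write-Output "Event 957 warnings since the change: $($warnings.Count)"
```

The script is safe to re-run: when the value is already a DWORD set to 1 it changes nothing and only reports the current state.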
Modify the SmallBusiness SMTP Connector in Exchange 2003

The last step in this procedure is to add the 'Block Internet Email' group to the 'Delivery Restrictions' of the connector.

- Open Exchange System Manager from the Start menu.
- Right click the SmallBusiness SMTP Connector and choose Properties.
- Choose the tab 'Delivery Restrictions' and click 'Add'.
- Click 'Advanced'.
- Click 'Find Now'.
- Highlight the group you just created and choose 'OK'.
- Click 'OK'.
- Click 'Apply' and 'OK'.
- Close the Exchange System Manager.
- Make sure you restart the Microsoft Exchange Information Store service from the services applet.

Restrict users from receiving internet email

In this example we want to block all email from external sources but we want to keep the internal mail flow for a user. Here is how we do that.

- Open the SBS Server Management console.
- Browse to the Users hive and highlight the user you want to block internet email for.
- Choose 'Change User Properties'.
- Choose the tab 'Exchange General' and click 'Delivery Restrictions'.
- Choose 'From authenticated users only' and click 'OK'.
- Click 'Apply' and 'OK'.

Testing and the results

If you try to send an email from an Internet email restricted user account to an email address outside of your local network this should be received in your inbox:

If you try to send an email from an email address outside your network to a user account that was restricted to receive internet email this is the result: