Restricting who an Exchange 2010 user gets email from

At work, we have an IT Helpdesk (as part of Spiceworks). Staff can email the helpdesk, and the helpdesk creates a work ticket and the IT staff get notified. It works well.

However, the system is locked so that only people on the work domain, with work email addresses (let's say, can email it. This was intentional, so that it didn’t pick up spam and so that staff didn’t email it from their home email accounts. If this is the setup you want for a user (that is, they can only receive “internal” email), it’s simple enough to configure:

In the Exchange Management Console, navigate to Recipient Configuration > Mailbox, and open the properties of the mailbox user you want to set up. In the Mail Flow Settings tab, choose Message Delivery Restrictions, and tick “Require that all senders are authenticated”.

If, however, like us, this user needs to also receive email from an external email address, or domain, then you need to change something else. Make sure the above tickbox isn’t ticked, and then:

Navigate to Organisation Configuration > Hub Transport and choose the Transport Rules tab. Create a new Transport Rule here.

Work through the wizard, with these settings:

In Conditions, choose “sent to people”, and add the email address of the user you want to configure.

In Actions, choose “Delete the message without notifying anyone”. Panic not, we’ll add some exceptions in the next step.

In Exceptions, choose “Except when the message header matches text patterns”, and edit it so that “except when the FROM matches$ or$”. Change$ to your local domain, and$ to the external domain you want to accept email from. Of course, you can just specify a single address (e.g.$) if you like, as well as add more than just these two addresses if necessary. The “$” is important, as without it, “”, and similar, would also match and be allowed.

Note: You can’t use the “Except when the from address matches text patterns” for this rule, as the From Address, in local Exchange communications, doesn’t contain an email address.

That’s it! Save the rule and test it by emailing the user from both allowed and denied email addresses.
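The wizard steps above as an Exchange Management Shell sketch, preceded by a check of the exception patterns against sample senders; this is an added example, not part of the original post. The mailbox address, both domains and the rule name are constructed placeholders, and PowerShell's `-match` is assumed to behave like Exchange's own pattern matching for the `$` anchor.

```powershell
# Constructed placeholders: the real mailbox and domains are not shown on the page.
$Mailbox  = 'helpdesk@corp.example'
$Anchored = '@corp\.example$', '@partner\.example$'   # patterns ending in "$"
$Loose    = '@corp\.example',  '@partner\.example'    # same patterns without "$"

# Returns $true when any exception pattern matches the From value,
# meaning the rule's exception applies and the message is not deleted.
function Test-FromException {
    param([string]$From, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($From -match $p) { return $true }
    }
    return $false
}

# Constructed From values: two allowed senders, one unrelated sender, and one
# address that merely contains an allowed domain as a prefix.
$Samples = 'alice@corp.example',
           'bob@partner.example',
           'carol@other.example',
           'dave@corp.example.lookalike.test'

# Compare the anchored and unanchored pattern sets side by side.
$Samples | ForEach-Object {
    New-Object PSObject -Property @{
        From     = $_
        Anchored = Test-FromException $_ $Anchored
        Loose    = Test-FromException $_ $Loose
    }
} | Select-Object From, Anchored, Loose | Format-Table -AutoSize

# Only the last sample differs: Anchored is False, Loose is True.

# Create the rule only where the Exchange cmdlets are loaded.
# It is created disabled so it can be reviewed before it starts deleting mail.
if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    New-TransportRule -Name 'Helpdesk sender restriction' `
        -SentTo $Mailbox `
        -DeleteMessage $true `
        -ExceptIfHeaderMatchesMessageHeader 'From' `
        -ExceptIfHeaderMatchesPatterns $Anchored `
        -Enabled $false
}
```

Enable the rule with `Enable-TransportRule` once the table shows the expected result for every sender you care about. The From header is supplied by the sender, so the rule filters on the claimed address and does not authenticate it.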
