In prior versions of Exchange an organisation that wished to restrict who could send outbound internet emails could apply the restriction on an SMTP connector.  In this example emails sent to the * address space are rejected by default unless sent by a group listed in the “Accept messages from:” list, for example a group named “Internet Email Users”.

Exchange 2003 Server outbound mail restrictions

Exchange Server 2007 uses Send Connectors for configuring where outbound internet email is delivered, much like an SMTP connector in Exchange 2003 Server.  However, the Send Connector is not the place to apply restrictions on who can send outbound internet email.  These restrictions are instead applied with Transport Rules.

If you are new to the concept of Transport Rules you should read Understanding How Transport Rules Are Applied In An Exchange Server 2007 Organisation.

To configure the restrictions you create a Transport Rule that follows the same “Deny by default, except if from these groups” approach as Exchange 2003 Server.

Configuring a Transport Rule to Restrict Outbound Internet Email

  1. Create a distribution group through your Exchange Management Console, and give it a descriptive name such as “Internet Email Users”.
  2. In the EMC go to Organization Configuration -> Hub Transport, and click on the Transport Rules tab.
  3. Create a new Transport Rule, and name it something like “Restrict Internet Email”.
  4. Select “Sent to users Outside the organisation” as the first condition.
  5. Select “Send bounce message…” as the second condition, and configure a bounce message that will be informative enough for your end users.
  6. Select “Except when the message is from member of distribution list” as the exception criteria, and add the Internet Email Users group that was created earlier.
  7. Complete the Transport Rule wizard so that the rule is created in the Exchange Organization.

It may take a short time for the rule to replicate to all Hub Transport servers throughout your Active Directory sites.  Because the rule is applied by Hub Transport servers, messages do not have to traverse the network all the way to the last outbound hop before being rejected by this rule.  Instead they are rejected by the Hub Transport server within the Active Directory site in which the user’s Mailbox Server is located.

The Hub Transport server caches recipient and distribution list information for four hours, so if you have a rule such as this in place and add new users to the Internet Email Users group, those users may not be able to start sending outbound internet email until the recipient cache has refreshed on the Hub Transport server.  Where this is not acceptable you can restart the “Microsoft Exchange Transport” service on each Hub Transport server which will initiate a cache refresh.
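The same “deny by default, except members of the group” rule from the wizard steps above can be created and verified from the Exchange Management Shell. This is an added example, not code from the original article; the rule name, group name and bounce text are assumed values matching the walkthrough, and the cmdlet and predicate names are those of Exchange Server 2007.

```powershell
# Added example (not from the original article): build the "Restrict Internet
# Email" rule in the Exchange 2007 Management Shell instead of the EMC wizard.
# Rule name, group name and bounce text are assumed values from the walkthrough.

# Condition: the message is sent to recipients outside the Exchange organisation
$condition = Get-TransportRulePredicate SentScope
$condition.Scope = "NotInOrganization"

# Exception: the message is from a member of the Internet Email Users group
$exception = Get-TransportRulePredicate FromMemberOf
$exception.Addresses = @((Get-DistributionGroup "Internet Email Users"))

# Action: reject the message with a bounce (NDR) that tells the user what to do
$action = Get-TransportRuleAction RejectMessage
$action.RejectReason = "Internet email is restricted. Contact the helpdesk to request access."
$action.EnhancedStatusCode = "5.7.1"

# Create the rule in the Exchange organisation (it replicates via Active Directory)
New-TransportRule -Name "Restrict Internet Email" `
    -Conditions @($condition) -Exceptions @($exception) -Actions @($action)

# Verify what was actually stored before relying on the rule
Get-TransportRule "Restrict Internet Email" |
    Format-List Name, Enabled, Conditions, Exceptions, Actions

# Hub Transport caches recipient/group membership for four hours. Where waiting
# is not acceptable, restarting the transport service on a Hub Transport server
# forces a cache refresh, as the article describes:
# Restart-Service MSExchangeTransport
```

Run `Get-TransportRule` on more than one Hub Transport server if you want to confirm the rule has replicated to every Active Directory site before announcing the change.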
