I would do something like:
Mail Flow rule for mail-enabled security groups
Hi,
Is it possible to add a Mail Flow rule for an AD Synced mail-enabled security group?
This is my general layout:
If the message...
'To' header matches the following patterns: 'AllEmployees'
and Is received from 'Outside the organization'
Do the following...
reject the message and include the explanation 'Non-Corporate domain detected - Contact xyz@keyman .com if you believe this is wrong.' with the status code: '5.7.1'
Except if...
sender's address domain portion belongs to any of these domains: 'customdomain1.com'
This rule doesn't work.
I have also tried the "To box contains" condition (it doesn't work either), which according to https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions#recipients is the one that should be used, as "The recipient is" doesn't match distribution groups.
Any advice?
BR
Johannes
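For reference, here is the rule described above expressed in Exchange Online PowerShell. This is an added example, not part of the original post: it assumes an already connected Exchange Online session, and the group address 'allemployees@customdomain1.com' and the contact address 'contact@example.com' are constructed placeholders. Writing the rule this way makes each condition explicit, and the Get-TransportRule call at the end shows what was actually stored, which is the first thing to check when a rule built in the EAC does not behave as expected.

```powershell
# Added example (not the original poster's rule export). Assumes an existing
# Exchange Online session (Connect-ExchangeOnline) and the placeholder values below.
$groupAddress   = 'allemployees@customdomain1.com'   # constructed placeholder
$contactAddress = 'contact@example.com'              # constructed placeholder

# "To box contains this person" in the EAC corresponds to -AnyOfToHeader.
# It matches an address that appears literally in the To: header of the
# inbound message; a group reached via Bcc or nested membership does not
# match it. -SentToMemberOf matches on group membership instead.
New-TransportRule -Name 'Block external mail to AllEmployees' `
    -AnyOfToHeader $groupAddress `
    -FromScope NotInOrganization `
    -ExceptIfSenderDomainIs 'customdomain1.com' `
    -RejectMessageReasonText ("Non-Corporate domain detected - Contact {0} if you believe this is wrong." -f $contactAddress) `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce

# Read the rule back: a condition that was saved as something other than what
# the EAC wizard appeared to offer shows up here.
Get-TransportRule -Identity 'Block external mail to AllEmployees' |
    Format-List Name, State, Mode, AnyOfToHeader, FromScope, ExceptIfSenderDomainIs,
                RejectMessageReasonText, RejectMessageEnhancedStatusCode
```

Swapping -AnyOfToHeader for -SentToMemberOf $groupAddress changes the rule from "the group address is in the To: header" to "any recipient is a member of the group", which is the membership-based variant documented on the page linked in the question.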
4 answers
-
Andy David - MVP 141.6K Reputation points MVP
2022-04-12T11:26:09.137+00:00 -
MrBunne 1 Reputation point
2022-04-13T06:49:44.533+00:00 Hello Andy and joyceshen,
Thanks for confirming that the mail flow should actually work. I struggled all day yesterday to no avail. Perhaps there was a service issue with our tenant as I have tried multiple times.
I'll simplify my rule and break it down as per your suggestion and let you know my results. I am just wondering whether the fact that the mail-enabled security group is AD synced stops the mail flow rule from working?
BR
Bunne -
MrBunne 1 Reputation point
2022-04-19T13:41:19.107+00:00 Hi, the NDR report is not being sent out to the recipient, but the message is getting rejected (I can confirm that from a Message trace).
The issue only seems to occur when I change to a distribution group in the mail flow rule. If I use the same rule but for a single recipient, i.e. a user, the NDR is being sent out correctly. Thanks.
BR
Bunne -
Joyce Shen - MSFT 16,641 Reputation points
2022-04-20T06:49:59.92+00:00 Hi @MrBunne ,
Can this issue be related to the group configuration?
Get-distributiongroup | fl name, *ReportTo*
-ReportToOriginatorEnabled
The ReportToOriginatorEnabled parameter specifies whether delivery status notifications (also known as DSNs, non-delivery reports, NDRs, or bounce messages) are sent to senders who send messages to this group. Valid values are:
$true: Delivery status notifications are sent to the message senders. This is the default value.
$false: Delivery status notifications aren't sent to the message senders.
The ReportToManagerEnabled and ReportToOriginatorEnabled parameters affect the return path for messages sent to the group. Some email servers reject messages that don't have a return path. Therefore, you should set one parameter to $false and one to $true, but not both to $false or both to $true.
You could use Set-DistributionGroup to modify this parameter:
Set-DistributionGroup "group" -ReportToOriginatorEnabled $true -ReportToManagerEnabled $false
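To check the setting the answer above points at across every group at once, here is an added audit script (not from the answer or from Microsoft). It assumes a connected Exchange Online session. Get-DistributionGroup also returns mail-enabled security groups, so AD-synced security groups like the one in the question are included. It only reports by default; pass -Fix to apply the Set-DistributionGroup change quoted above to the groups it flags.

```powershell
# Added example: report (and optionally repair) groups whose DSN settings do not
# follow the "exactly one of the two ReportTo* parameters is $true" guidance.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).
function Test-GroupDsnSettings {
    [CmdletBinding()]
    param(
        [switch]$Fix   # when set, apply ReportToOriginatorEnabled=$true / ReportToManagerEnabled=$false
    )

    $groups = Get-DistributionGroup -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails,
                      ReportToOriginatorEnabled, ReportToManagerEnabled

    foreach ($g in $groups) {
        $originator = $g.ReportToOriginatorEnabled
        $manager    = $g.ReportToManagerEnabled

        # Both $false means no return path, so a rejecting rule produces no NDR
        # for the sender; both $true is also advised against in the documentation.
        if ($originator -eq $manager) {
            Write-Warning ("{0} <{1}> ({2}): ReportToOriginatorEnabled={3} ReportToManagerEnabled={4}" -f
                $g.Name, $g.PrimarySmtpAddress, $g.RecipientTypeDetails, $originator, $manager)

            if ($Fix) {
                # Same change as in the answer above: NDRs go back to the original sender.
                Set-DistributionGroup -Identity $g.PrimarySmtpAddress `
                    -ReportToOriginatorEnabled $true -ReportToManagerEnabled $false
            }
        }
    }
}

# Report only; add -Fix to change the flagged groups.
Test-GroupDsnSettings
```

After changing a group, send a test message from an external address that the rule should reject and compare the Message trace result with whether an NDR arrives, as the original poster did for the single-recipient case.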