OverworkedSysadmin-3915 asked:

Exchange 2016 transport rule doesn't apply if forwarding is enabled in a user's mail flow

Hi,

I've set up a transport rule to bounce back emails sent to a specific DL. See below:

113463-exemployee.png


However, the rule does not work if mail flow forwarding is enabled for that account. See below:

113420-mailflow.png



If I disable the forwarding rule, the transport rule works as expected.

I did my research but could only find reports of issues when there's a forwarding rule in the user's Outlook, but the behavior isn't the same here (and it's already set to match the address in the header or envelope anyway).

Is there something I can do to make this work? We need the forwarding rule for internal users and some automated stuff with hard-coded emails (I know that's bad, but it's beyond me).

Thanks.

AndyDavid answered:

Can you make the forwarding rule a transport rule instead and give it a lower priority, after the "Reject" rule?
You could also set the criteria in the forwarding rule so it only fires if the sender is internal.

OverworkedSysadmin-3915 answered:
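As an added example (not code from the thread or from either poster), the Exchange Management Shell commands that implement the suggestion above: the reject rule for external mail to the DL, and a forwarding rule built as a transport rule that only fires for internal senders and sits below the reject rule in evaluation order. The group and mailbox addresses are placeholders for this example.

```powershell
# Added example: replace a mailbox-level forward with a transport rule that runs
# after the reject rule. Addresses below are placeholders, not from the thread.

# 1. The reject rule: external mail to any member of the DL is bounced with an NDR.
New-TransportRule -Name "Reject external mail to ex-employees" `
    -FromScope NotInOrganization `
    -SentToMemberOf "exemployees@contoso.example" `
    -RejectMessageReasonText "This mailbox is no longer in use." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Priority 0

# 2. The forwarding rule. It only fires for internal senders, so external mail to
#    the forwarded mailbox is still evaluated by the reject rule first.
New-TransportRule -Name "Forward sales mailbox (internal senders only)" `
    -FromScope InOrganization `
    -SentTo "sales@contoso.example" `
    -RedirectMessageTo "sales-archive@contoso.example" `
    -Priority 1

# 3. Verify the evaluation order: lower Priority numbers run first, so the reject
#    rule must show a smaller number than every forwarding rule.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, FromScope
```

One forwarding rule is needed per source/destination pair, which is the management cost raised in the reply below; the verification step at the end is worth re-running whenever a rule is added, because a new rule created without -Priority is appended at the end and will not be re-ordered for you.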

I could of course, but that would require a distinct transport rule for each mailbox that requires forwarding if the destination isn't the same! And most are different destinations, depending on the department or purpose of the email.

I did also look into enforcing sender authentication so external senders are rejected, but that causes trouble for internal addresses with no mailboxes (think cameras, printers, etc.). We are working on making all emails sent internally authenticate, but I'm sure you are aware this is no trivial task.

AndyDavid answered:

Gotcha! There is another option if you want to treat all these internal processes as "authenticated".
Create a new receive connector and, for the remote addresses, scope it to the IPs of those devices.
Then set the auth on this new receive connector to "Externally Secure". That will effectively treat any device that sends through that connector as authenticated and internal.
https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019

113390-image.png




That's what I get when I try your recommendation:

You must set the value for the PermissionGroups parameter to ExchangeServers when you set the AuthMechanism parameter to a value of ExternalAuthoritative.

Wouldn't setting ExchangeServers only allow Exchange servers to use that connector?

AndyDavid commented:

No, because you are scoping the receive connector to the IPs of the devices that are allowed to use it, i.e. you wouldn't enter the IPs of the Exchange servers as the remote IPs for this connector.

I'd scope for a whole subnet to keep this simple and manageable. That would include the Exchange servers' IPs.

ZhengqiLou-MSFT answered:
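As an added example (not from the thread or the linked Microsoft article), the receive connector described above, created from the Exchange Management Shell. It uses the parameter combination the error message in the comments demands: AuthMechanism ExternalAuthoritative together with PermissionGroups ExchangeServers. As the comment explains, that permission group does not restrict who can connect; the RemoteIPRanges scope does. The server name and IP ranges are placeholders.

```powershell
# Added example: a Front End receive connector that treats mail from specific
# internal devices as authenticated. Server name and IP ranges are placeholders.

# Keep this list to the devices that must send unauthenticated internal mail.
# Anything in these ranges is trusted as "authenticated and internal", so a
# whole subnet that also contains the Exchange servers (or user workstations)
# widens that trust to every host on it.
$deviceRanges = @(
    "10.20.30.40",      # a single device (printer, camera, job server)
    "10.20.31.0/24"     # a dedicated device VLAN
)

New-ReceiveConnector -Name "Internal devices (externally secured)" `
    -Server "EXCH01" `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $deviceRanges `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# Review all connectors on the server: the new one should carry only the device
# ranges, while the default Front End connector keeps serving everything else.
Get-ReceiveConnector -Server "EXCH01" |
    Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups |
    Format-List
```

Exchange picks the connector whose RemoteIPRanges match the sender most specifically, which is why the new connector can share port 25 with the default Front End connector; the review step at the end shows whether the device ranges are the only thing that differs between them.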

Hi @OverworkedSysadmin-3915 ,

The second screenshot, is it a user mailbox? Because as far as I know there are no such options for mail users and mail contacts. Then the question is whether this user is inside your organization or from another Exchange server.

And also you could create the forwarding transport rule (even if the sender is external, as below) as Andy said,
113648-image.png
And make it a lower priority.
113608-image.png

I'm a bit confused about the screenshots you provided; if I'm wrong, please correct me :)

Best regards,
Lou


Yes, the second screenshot is from a user mailbox. Basically setting the ForwardingAddress and/or DeliverToMailboxAndForward properties on the mailbox.

https://docs.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019

ZhengqiLou-MSFT commented:

Hi @OverworkedSysadmin-3915 ,

Thanks for the clarification. I did a test of this process:
Transport Rule:
114515-image.png

Forwarding enabled:
114561-image.png
And of course "Test User01" is a member of DG1. But note "lucas" is not a member of DG1.

In this case, "lucas" could receive the email from outside.

And if I change the forwarding to a member that is in DG1:
114562-image.png

The result is actually what we want:
114563-image.png

So this is based on the final destination of the message, and as a result, the transport rule is not suitable for your case.
And what if we enable the "Deliver message to both forwarding address and mailbox" option? Then "lucas" received the message and "Test User01" didn't, while I received the NDR.

I kindly suggest you use a scoped receive connector to reject messages from specific IPs or domains, as Andy said.

Best regards,
Lou


It would make more sense if server rules applied before mailbox rules. But that's maybe asking a lot from Microsoft. Even documenting this is asking too much of them, apparently.

But thanks for testing; you provided more clarity than MS support did!

OverworkedSysadmin-3915 answered:
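The test above shows that the reject rule is evaluated against the final recipients, so a member of the DL whose mailbox forwards to a non-member lets external mail through. As an added example (not from the thread), the following Exchange Management Shell function audits a DL for exactly that condition: it lists every member mailbox with mailbox-level forwarding and flags the ones whose forwarding target is outside the group. The group address is a placeholder; the function name is this example's own.

```powershell
# Added example: find DL members whose mailbox forwarding bypasses a reject
# transport rule. Group address below is a placeholder, not from the thread.

function Get-ForwardingBypass {
    param([Parameter(Mandatory)][string]$GroupIdentity)

    $members = Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited

    # Lookup of member primary SMTP addresses (lower-cased) for the in-group test.
    $memberAddresses = @{}
    foreach ($m in $members) {
        if ($m.PrimarySmtpAddress) {
            $memberAddresses[$m.PrimarySmtpAddress.ToString().ToLower()] = $true
        }
    }

    foreach ($m in $members) {
        # Only mailboxes carry ForwardingAddress / ForwardingSmtpAddress.
        if ($m.RecipientTypeDetails -notlike "*Mailbox*") { continue }
        $mbx = Get-Mailbox -Identity $m.DistinguishedName

        $target = $null
        if ($mbx.ForwardingAddress) {
            # ForwardingAddress points at a recipient object; resolve it to SMTP.
            $target = (Get-Recipient -Identity $mbx.ForwardingAddress.ToString()).PrimarySmtpAddress.ToString()
        } elseif ($mbx.ForwardingSmtpAddress) {
            # ForwardingSmtpAddress is stored as "smtp:user@domain".
            $target = $mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', ''
        }
        if (-not $target) { continue }

        [PSCustomObject]@{
            Mailbox                    = $mbx.PrimarySmtpAddress.ToString()
            ForwardsTo                 = $target
            TargetInGroup              = $memberAddresses.ContainsKey($target.ToLower())
            DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
        }
    }
}

# Rows with TargetInGroup = False are the mailboxes where the reject rule will
# not stop external mail, matching the "lucas" case in the test above.
Get-ForwardingBypass -GroupIdentity "exemployees@contoso.example" |
    Where-Object { -not $_.TargetInGroup } |
    Format-Table -AutoSize
```

The check only looks one hop deep and at direct members, so nested groups and a forwarding target that itself forwards elsewhere need a second pass; it also ignores Inbox rules created in Outlook, which the question already rules out for this case.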

Nah, too much trouble and poorly manageable.
I set up a rule in CodeTwo instead of the transport rule. That works fine.


Hi @OverworkedSysadmin-3915 ,

Glad to hear you have fixed this issue.

I converted your reply to an answer; you could mark it as Accepted to close this thread. It would help others who have the same question as you :)

Have a nice day!

Cheers,
Lou
