JackChuong-8462 asked YukiSun-MSFT commented

Exchange 2013 transport rule - question about header and sender's properties

Hi all,
My environment: Exchange 2013 CU23
My request: Allow usermailbox1@mydomain.com to receive messages from internal and a specific external customer domain.
I have to create a transport rule that blocks all external messages to usermailbox1@mydomain.com except if they come from *@mycustomer.com.
I'm confused between "A message header matches" and "The sender's specified properties match these text patterns" in the "Except if" part when creating the transport rule.
With a message header like this:

 Received: from exserver (192.168.2.9) by exserver
  (192.168.2.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
  Transport; Thu, 5 Aug 2021 09:49:43 +0700
 Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70078.outbound.protection.outlook.com [40.107.7.78])
  by ex  with ESMTP id 1752oCCm001331-1752oCCp001331
  (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=CAFAIL);
  Thu, 5 Aug 2021 09:50:14 +0700
 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
  b=RDtHm/3EMnNIljSp6SQT73Urumqo7/NwtAp8N59hGFqfE0bkYX36TAJNuieo6OvY36OZ9Ol7VRgZQW3oCI9X+yeGHNV1JTEauLnVTNISCH+ugIhMFsTeZHKgKpg/itehNBjAkoQ1N1sBVbPEmMtelePv31/zGItCiTVrrJtInRFHL59lXWyCguhVeiWi5A1uq1durVHSLItMF7a4pWePrMm1lIOEY1J9bQiXr1jVzQEUk5Y558leJeshJOYTZMgZGidpPwuGQI6/h+onQAkiHmzntLTxqzok/HlUThIo/S8ObuWog2M9M+t9kgbh+YeiqHWK6psF9Za1wai0q5R+WQ==
 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
  s=arcselector9901;
  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
  bh=hbn8GTBFDZsNLLcWVi6RPXs5MV8GbS4QMtsFkN6IPXo=;
  b=a1TMao3K8Tn3Wf/CcRaASYuG4Hiug+gPvFEsTPDM5dzWYo9aJGwdCptabLOWk4P9QVMBdrydt5/fbX1B19NN0x/3cvD5Om26g9gtNMRcAH/eAhXAQCgGU6gxq6s5V0ZY0x5Vw0bKzw2Q01j1erRDqVehVrAPVShoHd3gHLjxHcS5vT7jMCl6PnB3YhAlH917HIIJNEnR0UKCGMre3fvb527fZnfrASf+q6UXvP7Pr/G5LtcTzlF1v1BOsiT018ROeUFTnMqCNJKo8JQB4u2M5KF4S+0S+Evs8EEqPEFzg+0pLmBrNRz9fJ7lVS8OxtQ4csRYM10y3dPJ3dWzQn5jPA==
 ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
  smtp.mailfrom=customer.com; dmarc=pass action=none
  header.from=customer.com; dkim=pass header.d=customer.com; arc=none
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=mycustomer.onmicrosoft.com; s=selector2-customer-onmicrosoft-com;
  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
  bh=hbn8GTBFDZsNLLcWVi6RPXs5MV8GbS4QMtsFkN6IPXo=;
  b=l1zGcgywP3NRc1m2WFsbZvynVoWKne89/pVvzFlY1tiARwazd8xRs0W2TUYW/PKXnpDc8d8zyY1/1PPGRzxbnIFDSel0Jcqu5a445NUAfj3g6zYjMWoD1Q487Z5/yMBb3lp0MXXi1qioGuVN1aA2xJNPGS0lTFdpEcv8YuPil8A=
 Received: from AM6PR05MB6104.eurprd05.prod.outlook.com (2603:10a6:20b:ac::32)
  by AS8PR05MB7974.eurprd05.prod.outlook.com (2603:10a6:20b:319::10) with
  Microsoft SMTP Server (version=TLS1_2,
  cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.21; Thu, 5 Aug
  2021 02:48:52 +0000
 Received: from AM6PR05MB6104.eurprd05.prod.outlook.com
  ([fe80::61d9:19be:eb22:ee2a]) by AM6PR05MB6104.eurprd05.prod.outlook.com
  ([fe80::61d9:19be:eb22:ee2a%3]) with mapi id 15.20.4373.026; Thu, 5 Aug 2021
  02:48:52 +0000
 From: *@customer.com>
 To: myuser@mydomain.com>
 Subject: adsfasdf
 Thread-Topic: adsfasdf
 Thread-Index: Add0fX8dKI7HN4jxSiyobZV3s3IpwwE4oViAAACjjCAEEHPqwA==
 Date: Thu, 5 Aug 2021 02:48:52 +0000
 Message-ID: <AM6PR05MB6104B5AAB3669F1EFD48D54BF0F29@AM6PR05MB6104.eurprd05.prod.outlook.com>
 References: <AM6PR05MB6104A14EDB6E8A8CDAD06C81F0189@AM6PR05MB6104.eurprd05.prod.outlook.com>
  <AM0PR05MB61002FE8A5AF6F5BC8F6B4BFF0129@AM0PR05MB6100.eurprd05.prod.outlook.com>
  <c453ef66512c4c178c2b3e50b22cc8d6@IDCEXC003.mydomain.com>
 In-Reply-To: <c453ef66512c4c178c2b3e50b22cc8d6@ex.mydomain.com>
 Accept-Language: en-US
 Content-Language: en-US
 X-MS-Has-Attach: yes
 X-MS-TNEF-Correlator:
 Authentication-Results: ;
  spf=pass (
  dkim=pass header.i=
 x-ms-publictraffictype: Email
 x-ms-office365-filtering-correlation-id: f7709162-ed42-464f-d10e-08d957bb8f5f
 x-ms-traffictypediagnostic: AS8PR05MB7974:
 x-microsoft-antispam-prvs: <AS8PR05MB79744D8241D401142129F79CF0F29@AS8PR05MB7974.eurprd05.prod.outlook.com>
 x-ms-oob-tlc-oobclassifiers: OLM:8273;
 x-ms-exchange-senderadcheck: 1
 x-ms-exchange-antispam-relay: 0
 x-microsoft-antispam: BCL:0;
 x-microsoft-antispam-message-info: JzrDiaA79N14gFY6Jw8L1UYqedshK3RZWDJljKR917/3EQ4lMC/NS2IEY4h5WwKwzUYpGiur7F+oNJk6kfLIL5trgBaTlMtCVK0c0vutiPRO8cGxMYMOPaGucFPVI/mmTNSMV+qke5trLIzGBuP31znl0XeNL0jwUJ9XfiVeDbKMGppMfYOBAMourfjLzYfF13V29vhlky4YUHGBOccpCnz0E/VNnH5DX4FUXVS1XjQ7dDc+oHO9bXf45H3GSQGrghOiaVHA7CP4FrLEo7orTHB5A5hSH9vKhascLz0IbSWukfFcxDOs3OyXUDfwQekeqNWMLp5rzgNcNUSzTIpSN1XMWBhLmgyOew3eB+5942QxZtdq7rCJrB6qEONJtgRS44ZD3xSez6LzOnpkg+i5Kz5y7D1NwaUDSp6x6RAtm4SEXTZeq9M3BAlRx5Y1YrwhPd3RbfufuG4pdv9V1H6ZZnUmXOoSYDI0cWK2vOSPVuaOVY96tOkGLxGkE+ZZmh8VJYzuq0aCDMxlmZZi0McvlMw3/HUKseeiQWtkDrPAwGObK6F10DSCnylIuwqrReuWSbjGnCz+EcnvkVur1LyHVBzObuVStxgFeH8R2kgFLeS/Rjn4OE0yIQed0M165JoB7dd9IxQtlweik/KAf9Ei+u1yQ6q0AaCN/LyKDs7HyNgy2eCM+8v8Q7yHVG51vyFdAOl+tLE+AalT4UtPwW7FuePKQPNzSHkevXCPkNEf43ZkV4PY3+IrFJNjYn4guNp6
 x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:vi;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM6PR05MB6104.eurprd05.prod.outlook.com;PTR:;CAT:NONE;SFS:(6019001)(396003)(136003)(366004)(39860400002)(376002)(346002)(269900001)(478600001)(4326008)(76116006)(6916009)(86362001)(8676002)(66446008)(83380400001)(66574015)(316002)(66616009)(99936003)(66476007)(66946007)(64756008)(66556008)(450100002)(55016002)(9686003)(26005)(6506007)(122000001)(52536014)(7696005)(53546011)(71200400001)(2906002)(7116003)(8936002)(38070700005)(5660300002)(186003)(38100700002)(33656002);DIR:OUT;SFP:1101;
 x-ms-exchange-antispam-messagedata-chunkcount: 1
 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?bnNPM0h6TVBYSVlJcHl2S1pPVGtpdmVDbk9sVUVrZkZ4dkt6S0FvTWxjUWVx?=
  =?utf-8?B?NkpLa09NY2VBdDhtd09pZ0JGRStoNzdxYlBET1R3WXZiZjRuUU5POGpINkU4?=
  =?utf-8?B?c3hNNnVKSExYMlJ0UitNR3JSM2ZIQ3pseVJJWHhvOGg4dmZpVmxCb2RpM1dY?=
  =?utf-8?B?UGdxU21oYWlTc1M0Q1ZZeGh6dnNKYWNMcHVUR1c3OTF6WCtqbnRjYVNhU0du?=
  =?utf-8?B?OU1XU2pKKzZuRkcxUWtHM1VUdlF4ZkJpdGRUNFRPK3luMjJEZHp3bUhSYzJW?=
  =?utf-8?B?SFdTS0FCZWorTUoyS01qdy9LL00zQzQ4UlRWVS81WVF6d1NLbEIyZCtrZG9w?=
  =?utf-8?B?eEFLMkFHb1ZNQm9sUjBWYlNwL0M2anF3blBidEZTT1ErOFVPMzMxNEQ3aGIz?=
  =?utf-8?B?dzFXMkx0UlBJVWFmQ0ZUak9mVlB4MDllWmFnT2JJcWNDUWxzdG1BVlEzTHlY?=
  =?utf-8?B?VW9YQjlvQmFrNXZITWFsVlU0RC9iL0FYazNTSklRRWg2a1djaXVESExjYWdZ?=
  =?utf-8?B?Ry9GTmloZDJHWFhxNlluTDk5YmlNbUhrcDFBL1RvYlJWMUs4clFvK2xPZWk2?=
  =?utf-8?B?WU85c0tydDdXa1V6SDIwZndtZzRGWit0NzQ3MVpSVTlBTVZ2NnJFb25WQ0w3?=
  =?utf-8?B?QllndytydWRWTGY0bFFXV3IxaXkxWm05bTNncGpPQnc2aGJvajYzb2dHYzNy?=
  =?utf-8?B?c2ZpUXBocU1MdXduMHFwUVpubU9iaXBGYTBmOU44M3pJUVp1NWNpODRVeHA5?=
  =?utf-8?B?RTYzZFhRd2M5cG9Xei9JNCtMdDdjNmR5aGs0NjF4Q3FtWmRocWRSRHJpb0F1?=
  =?utf-8?B?ekdQdGF1aS9mdmVEVmt6U0pyYlgvMWNmaUZSZThNYjlja3pPaTNWQ0ZJL2lt?=
  =?utf-8?B?RzNNMG5XMldjU3ZuLzRhSVJoY1BLS0RzUE1jY3ZWeUZWRTZ4T2dlUDBwVTUx?=
  =?utf-8?B?OHJpK0doSmxKS3pUV3lzTFBoWXVHUHFlMm41WGxrREtWWjVKQzV4aWZtc2pP?=
  =?utf-8?B?ODRCR3FxVzdWbzFYK3NMblRVYjZrV3U5Z0EwL3EvZ1BYS1BmYzd4TEN4a0tk?=
  =?utf-8?B?aFdDL1hiWFFsRVQ5WE81NFc5SytRcisxbDhsRHZJUHY2U2lMOUptcmtIZFpV?=
  =?utf-8?B?dkhZcGFoWG9ySDN6K2pBOW4rTm9YbjJHVEdRc0xFckFpWVJNeS9FdS92ZnlQ?=
  =?utf-8?B?Ty9YODZlczFjMXVaR0laRTEvZTBVdVFMcmNqbzFrOU85YjFxNStoNTByYUt5?=
  =?utf-8?B?K0c0aUdjYnp1TTJzb0RReWFLTXQraUlSeFZDamwrOTRoU2lEdjZHTHVzc1l4?=
  =?utf-8?B?QkdhSVhjdTMxQUhIMGo0aVpaY1N0QnVZRytBa3VWUDRRVEpWRzZlL29KQVph?=
  =?utf-8?B?cWxlaGgyYU5ybzJ5c2tEVC80d0FlYWpaRTdrUDNBOVdZc1NEaHFEY1dmdTZ4?=
  =?utf-8?B?NTZDYjFvYTEzTi83OEpEMStCdlhWK3pzUzVrTjVWRUxiVDQ3OGJiUDN2NVlQ?=
  =?utf-8?B?ZFllbUlaOGlFMS93SnRadG5LSU5tRHFUU0JoL1JHVTA1cnVvR1hBOUhobkpQ?=
  =?utf-8?B?bTJCUHVFZm1zMW5STmVZLzkvVGVxdFFzYjhXQnJGZ1VWNmNyeEVBMHN5YUc5?=
  =?utf-8?B?b3lTdk5rQTc4MGZLcTgxQjZ0aW5Ib2NKZGplSUJWalI4dkw2eWRlcW9ZZjhz?=
  =?utf-8?B?dXdrR0p6MGN6UWpzOXcyS3RseVZpZ05oNFFkdzVCRkRXOExxRDRCcnJINTY3?=
  =?utf-8?Q?nRNMn6WPie52Qg3t/I9bfxK3sqJv8rcBmu1bwOT?=
 x-ms-exchange-transport-forked: True
 Content-Type: multipart/mixed;
  boundary="_004_AM6PR05MB6104B5AAB3669F1EFD48D54BF0F29AM6PR05MB6104eurp_"
 MIME-Version: 1.0
 X-MS-Exchange-CrossTenant-AuthAs: Internal
 X-MS-Exchange-CrossTenant-AuthSource: AM6PR05MB6104.eurprd05.prod.outlook.com
 X-MS-Exchange-CrossTenant-Network-Message-Id: f7709162-ed42-464f-d10e-08d957bb8f5f
 X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Aug 2021 02:48:52.4178
  (UTC)
 X-MS-Exchange-CrossTenant-fromentityheader: Hosted
 X-MS-Exchange-CrossTenant-id: 9180b9a6-a316-4a88-9910-39cb4079ee5f
 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
 X-MS-Exchange-CrossTenant-userprincipalname: sbwsVvQo2TtBG3f4RG5QKQs1g1LPMvtuIJIBS7o/l77XPsrhUkG+VBvgQYXi3yHMhAiudqrC0xVbciw8vY2fk2hP8ZirsHegX6x2UykzUcA=
 X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR05MB7974
 X-OrganizationHeadersPreserved: AS8PR05MB7974.eurprd05.prod.outlook.com
 X-FEAS-SPF: pass, ip=40.107.7.78, helo=eur04-he1-obe.outbound.protection.outlook.com, mailFrom=*@mycustomer.com
 X-FEAS-DKIM: Valid
 Return-Path: *@mycustomer.com
 X-CrossPremisesHeadersFiltered: 
 X-MS-Exchange-Organization-Network-Message-Id: ddac2bc8-d106-4eac-7d65-08d957bbad78
 X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
 X-Auto-Response-Suppress: DR, OOF, AutoReply
 X-MS-Exchange-Organization-AuthSource: 
 X-MS-Exchange-Organization-AuthAs: Anonymous

What are the sender's specified properties?
I should check the message headers "From" and "Authentication-Results", right?

office-exchange-server-mailflow

1 Answer

YukiSun-MSFT answered YukiSun-MSFT commented

Hi @JackChuong-8462,

I have to create a transport rule that block all external messages to usermailbox1@mydomain.com except if they come from *@mycustomer.com

Based on your description, I'd recommend using the exception below instead for your transport rule as it would be simpler:
The sender's domain is "mycustomer.com"
121552-1.png


I'm confused between "A message header matches" and "The sender's specified properties match these text patterns" at "Except if" part when create transport rule

I cited the description for these two exceptions from this official document and hopefully it can be of some help:
121553-2.png
As per the "text patterns" mentioned in the exceptions, you may refer to Regular Expression Reference.

And regarding your concern about "sender's specified properties", as mentioned in the image above, it means a sender's specified Active Directory attribute like City, Company, Displayname, etc. For more about the attributes which can be used, we can search for "ExceptIfSenderADAttributeMatchesPatterns" in this document and check the explanation there.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
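
The rule recommended in the answer above, written out for the Exchange Management Shell as an added example that is not part of the original thread. The rule name, comment and rejection text are assumptions; the mailbox and domain are the ones from the question.

```powershell
# Added example for Exchange 2013 (Exchange Management Shell).
# Rule name, comment and rejection text are assumed values.
$ruleName = 'Block external mail to usermailbox1 except mycustomer.com'

$rule = @{
    Name                    = $ruleName
    Comments                = 'External senders blocked; mycustomer.com allowed'
    # Condition 1: the message is addressed to the protected mailbox
    SentTo                  = 'usermailbox1@mydomain.com'
    # Condition 2: the sender is outside the organization, so internal
    # senders never match the rule and are always delivered
    FromScope               = 'NotInOrganization'
    # Exception: "The sender's domain is" mycustomer.com
    ExceptIfSenderDomainIs  = 'mycustomer.com'
    # Action: reject with an NDR carrying this explanation
    RejectMessageReasonText = 'This mailbox does not accept external mail.'
    # Start in Audit mode: matches are logged, the reject is not applied
    Mode                    = 'Audit'
}
New-TransportRule @rule

# Confirm what was stored before relying on the rule
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentTo, FromScope, ExceptIfSenderDomainIs

# While in Audit mode, send test messages from an internal sender, from
# mycustomer.com and from another external domain, then look at the
# transport rule agent entries recorded for the mailbox
Get-MessageTrackingLog -Recipients 'usermailbox1@mydomain.com' `
        -EventId AGENTINFO -Start (Get-Date).AddDays(-1) |
    Format-List Timestamp, Sender, MessageSubject, EventData

# Once the logged matches are the expected ones, enforce the rule
Set-TransportRule -Identity $ruleName -Mode Enforce
```

The exception compares the domain of the sender's address, not the SPF or DKIM result recorded in Authentication-Results, so it is only as trustworthy as the anti-spoofing checks applied to inbound mail before the rule runs.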



Thank you very much.
I want to clarify a side question: "sender's specified properties" means a sender's specified Active Directory attribute like City, Company, Displayname, etc., so it only works for my internal Exchange users?


Hi @JackChuong-8462,

I haven't seen it explicitly mentioned in any documentation that "the sender's specified properties match these text patterns" can only be used for internal users, so I am assuming that it can be used for external users as well. But based on my research, in most scenarios this is used for internal users.




