0 Votes
MrBunne-7444 asked joyceshen-MSFT commented

Mail Flow rule for mail-enabled security groups

Hi,

Is it possible to add a Mail Flow rule for an AD Synced mail-enabled security group?

This is my general layout:

If the message...
'To' header matches the following patterns: 'AllEmployees'
and Is received from 'Outside the organization'
Do the following...
reject the message and include the explanation 'Non-Corporate domain detected - Contact xyz@domain.com if you believe this is wrong.' with the status code: '5.7.1'
Except if...
sender's address domain portion belongs to any of these domains: 'customdomain1.com'

This rule doesn't work.

I have also tried the "To box contains" condition (it doesn't work either); according to https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions#recipients that one should be used, since "The recipient is" doesn't match distribution groups.

Any advice?

BR
Johannes

office-exchange-server-mailflow
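For reference, here is the rule from the question expressed as an Exchange Online PowerShell cmdlet so it can be reviewed and rolled out in audit mode first. This is an added example, not code from the thread; it assumes an existing Connect-ExchangeOnline session, and the rule name is my own choice.

```powershell
# Added example: scripted equivalent of the rule described in the question.
# Assumes an Exchange Online PowerShell session with Transport Rules permissions.
# 'AllEmployees', customdomain1.com and the reject text mirror the post; the rule
# name is an assumption.
$ruleName = 'Block external mail to AllEmployees'

New-TransportRule -Name $ruleName `
    -HeaderContainsMessageHeader 'To' `
    -HeaderContainsWords 'AllEmployees' `
    -FromScope NotInOrganization `
    -ExceptIfSenderDomainIs 'customdomain1.com' `
    -RejectMessageReasonText 'Non-Corporate domain detected - Contact xyz@domain.com if you believe this is wrong.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit   # audit first: matches show in the message trace without rejecting mail

# Review the stored conditions before enforcing
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords,
                FromScope, ExceptIfSenderDomainIs, RejectMessageEnhancedStatusCode

# Once the trace shows the expected hits, switch to enforcement:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```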

Hi @MrBunne-7444

Have you tried the suggestion below from Andy, and any progress so far?

I also tested the rule using "To box contains" in my environment, and it works properly:

(two screenshots of the working rule attached)


0 Votes 0 ·

Hi @MrBunne-7444,

Have you checked the configuration for your groups, any progress so far?


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·
0 Votes
AndyDavid answered

I would do something like:
(screenshot of the suggested rule attached)




0 Votes
MrBunne-7444 answered joyceshen-MSFT commented

Hello Andy and joyceshen,

Thanks for confirming that the mail flow should actually work. I struggled all day yesterday to no avail. Perhaps there was a service issue with our tenant as I have tried multiple times.

I'll simplify my rule and break it down per your suggestion and let you know my results. I am just wondering if the fact that the mail-enabled security group is AD synced affects the mail flow rule from working?

BR
Bunne


That should not make a difference, no.

1 Vote 1 ·

Hi, so some results.

This first rule actually seems to work:

If the message...
'To' header contains 'AllEmployees'
and Is received from 'Outside the organization'
Do the following...
reject the message and include the explanation 'Non-Corporate domain detected - Contact xyz@domain.com if you believe this is wrong.' with the status code: '5.7.1'

I can see in the transport logs that the message is indeed rejected:

Reason: [{LED=550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy};{MSG=};{FQDN=};{IP=};{LRT=}]

But I don't get the 5.7.1 email report?

I do get the report if I change to a regular recipient (normal user).

Any thoughts on that? Otherwise, I'll just leave it as is now as emails are rejected. But would be nice to actually get a message about it.

BR
Bunne

0 Votes 0 ·

Hi,

Do you mean the message is getting rejected, however the sender doesn't receive the NDR message?

Could you please verify if this issue occurs on other groups?

0 Votes 0 ·
0 Votes
MrBunne-7444 answered

Hi, the NDR report is not being sent out to the recipient but the message is getting rejected (I can confirm that from a Message trace).
The issue only seems to occur when I change to a distribution group in the mail flow rule. If I use the same rule but for a single recipient, i.e. a user, the NDR is being sent out correctly.

Thanks.

BR
Bunne


0 Votes
joyceshen-MSFT answered joyceshen-MSFT commented

Hi @MrBunne-7444,

Can this issue be related to the group configuration?

 Get-DistributionGroup | fl Name, *ReportTo*

-ReportToOriginatorEnabled
The ReportToOriginatorEnabled parameter specifies whether delivery status notifications (also known as DSNs, non-delivery reports, NDRs, or bounce messages) are sent to senders who send messages to this group. Valid values are:

$true: Delivery status notifications are sent to the message senders. This is the default value.
$false: Delivery status notifications aren't sent to the message senders.
The ReportToManagerEnabled and ReportToOriginatorEnabled parameters affect the return path for messages sent to the group. Some email servers reject messages that don't have a return path. Therefore, you should set one parameter to $false and one to $true, but not both to $false or both to $true.

You could use Set-DistributionGroup to modify this parameter:

 Set-DistributionGroup "group" -ReportToOriginatorEnabled $true -ReportToManagerEnabled $false

If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


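To check the ReportTo flags described above across every group at once, rather than one group at a time, here is an added audit script (not code from the thread or from Microsoft). It assumes an Exchange Online PowerShell session; IsDirSynced is a standard property on Get-DistributionGroup output that the thread itself does not mention, and it tells you whether the fix must happen on-premises.

```powershell
# Added example: audit return-path (DSN) settings on all distribution groups and
# mail-enabled security groups, and separate cloud-fixable groups from dir-synced ones.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline).
$report = Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $orig = $_.ReportToOriginatorEnabled
    $mgr  = $_.ReportToManagerEnabled

    # Per the documentation quoted above: exactly one of the two flags should be $true.
    $status = if ($orig -and $mgr)              { 'Both true (ambiguous return path)' }
              elseif (-not $orig -and -not $mgr) { 'Both false (sender never gets the NDR)' }
              elseif ($orig)                     { 'OK (reports to originator)' }
              else                               { 'OK (reports to manager)' }

    [pscustomobject]@{
        Name            = $_.Name
        PrimarySmtp     = $_.PrimarySmtpAddress
        IsDirSynced     = $_.IsDirSynced          # $true => object is mastered in on-prem AD
        ReportToOrig    = $orig
        ReportToManager = $mgr
        Status          = $status
        FixLocation     = if ($_.IsDirSynced) { 'on-premises AD (read-only in EXO)' }
                          else                { 'Set-DistributionGroup in EXO' }
    }
}

# Groups needing attention, dir-synced ones listed last
$report | Where-Object { $_.Status -notlike 'OK*' } |
    Sort-Object IsDirSynced, Name |
    Format-Table Name, IsDirSynced, ReportToOrig, ReportToManager, Status, FixLocation -AutoSize

# Remediate only the cloud-managed groups; drop -WhatIf once the list above looks right.
$report | Where-Object { $_.Status -notlike 'OK*' -and -not $_.IsDirSynced } | ForEach-Object {
    Set-DistributionGroup -Identity $_.PrimarySmtp -ReportToOriginatorEnabled $true `
        -ReportToManagerEnabled $false -WhatIf
}
```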

Hi Joyceshen, thanks for this information piece. You are correct!

However this seems to be my problem:

PS C:\WINDOWS\system32> Set-DistributionGroup "sg-fos-AllEmployees" -ReportToOriginatorEnabled $true -ReportToManagerEnabled $false
The operation on Identity "sg-fos-AllEmployees" failed because it's out of the current user's write scope. The action 'Set-DistributionGroup', 'ReportToManagerEnabled,ReportToOriginatorEnabled', can't be performed on the object 'sg-fos-AllEmployees' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

I know I can't write to an AD-synced object from the cloud. But these attributes don't exist in our on-premises AD environment (the Exchange schema is not installed).
I'm hesitant to install it as well, as I don't want to extend the schema just for this purpose.
1. Do you know if I can manually add these attributes?
2. Are there any drawbacks to extending the local schema with Exchange attributes? (I don't want to add something I won't really need).

Thanks!



0 Votes 0 ·

Hi,

This thread seems to discuss the same issue as yours: set local AD distro group -ReportToOriginatorEnabled $true
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

(screenshot of the linked thread attached)

I'm afraid you will still need to extend the AD schema for your environment.

0 Votes 0 ·