This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 93%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOS%3C/text%3E%3C/svg%3E)
HI,
I've setup a transport rule to bounce back emails for emails in a specific DL. See below:
However, the rule does not work if there's a mail flow forwarding enabled for that account. See below:
If I disable the forwarding rule, the transport rule works as expected.
I did my research but could only find reports of issues if there's a forward rule in the user's outlook but the behavior isn't the same here (and its set to match address on header or enveloppe already anyways).
Is there something I can do to make this work? We need the forwarding rule for internal users and some automated stuff with hardcoded emails (I know that's bad, but beyond me).
Thanks.
Nan, too much trouble and poorly manageable.
I setup some rule in CodeTwo instead of the transport rule. That works fine.
Hi @Overworked Sysadmin ,
Glad to hear your have fixed this issue.
I converted your reply to an answer, you could mark it as Accepted to close this thread. It would help others who have same questions with you:)
Have a nice day!
Cheers,
Lou
Can you make the forwarding rule a transport rule instead and have it a lower priority after the "Reject" rule?
You could also make the criteria in the forwarding rule to only fire if the sender is internal.
I could of course, but that would require a distinct transport rule for each mailbox that requires forwarding if the destination isn't the same! And most are different destinations, depending on department or purpose of email.
I did also look into enforcing authentication of sender so external senders are rejected but that causes trouble for internal addresses with no mailboxes (think camera, printers, etc). We are working on making all emails sent internally to authenticate but I'm sure you are aware this is no trivial task.
Gotcha! There is another option if you want to treat all these internal processes as "authenticated".
Create a new receive connector and for the remote addresses, scope it to the IPs of those devices.
Then set the auth on this new receive connector to "Externally Secure". that will effectively treat any devices that sends through that connector as authenticated and internal.
https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019
That's what I get when I try your recommendation:
You must set the value for the PermissionGroups parameter to ExchangeServers when you set the AuthMechanism parameter to a value of ExternalAuthoritative.
Wouldn't setting ExchangeServers only allow Exchange servers to use that connector?
No, because you are scoping the receive connector to the IPs of the devices that are allowed to use it. i.e. you wouldnt enter the IPs of the Exchange Servers for the remote IPs for this connector.
I'd scope for a whole subnet to keep this simple and manageable. That would include the exchange servers IPs.
Ok, that should still be fine since this also should be enabled for anonymous connections and the Exchange Servers communicate on port 2525.
Test it out and see!
Hi @Overworked Sysadmin ,
The second screenshot, is it a user mailbox? Because as I know there are no such options for mail users and mail contacts. Then the question is whether this user is inside your organization or from another Exchange server?
And also you could create the forward transport rule(even the sender is from external as below) as Andy said,
And make it a lower priority.
I'm a bit confused about the screenshots your provided, if I'm wrong, please fix me:)
Best regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Yes, the second screenshot is from a user mailbox. Basically setting the ForwardingAddress and/or DeliverToMailboxAndForward properties on the mailbox.
Hi @Overworked Sysadmin ,
Thanks for the clarification, I did a test for these process:
Transport Rule:
Forwarding enabled:
And of course "Test User01" is a member of DG1. But note "lucas" is not a member of DG1.
In this case, "lucas" could receive the email from outside.
And if change the forwarding to a member that was in DG1:
The result is actually what we want:
So this is based on the final destination of the message, and as a result, the transport rule is not suitable for your case.
And if we enabled "Deliver message to both forwarding address and mailbox" option? OK, "lucas" received the message and "Test User01" didn't, while I received the NDR.
Kindly suggest you could use a scoped receive connector to reject messages from specific IPs or domains as Andy said.
Best regards,
Lou
It would make more senses if server rules applied before mailbox rules. But that's maybe asking a lot from Microsoft. Even documenting this is asking too much of them apparently.
But thanks for testing; you provided more clarity than MS support did!
Hello @Overworked Sysadmin ,
Thanks for your understanding.
Have you tried the connector method? Will that work for you? If the issue has been resolved, please click “Accept as answer” to mark the helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
If you are still stuck in this issue, please feel free to post your questions.
Best Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.