date: Mon, 17 Mar 2008 04:42:01 -0700,    group: microsoft.public.exchange.misc


Restrict one storage group to only send internal   
Hi:

We are a K-12 school that does not allow students to send or receive email 
outside of our local network.  Non students are allowed.

We run Exchange 2003 single server
2 Storage groups: staff and students
1 routing group- no connectors
We use Symantec Mail Security for SMTP as our SMTP gateway

We need to be able to restrict students from sending outside or receiving 
from outside, but still allow internal to all staff and students.  Staff 
should not have any restrictions on where they send or who they receive from.

Thanks if you are able to offer any best practice suggestions!
date: Mon, 17 Mar 2008 04:42:01 -0700   author:   Rich Booth

Re: Restrict one storage group to only send internal   
On Mon, 17 Mar 2008 04:42:01 -0700, Rich Booth wrote:

>Hi:
>
>We are a K-12 school that does not allow students to send or receive email 
>outside of our local network.  Non students are allowed.
>
>We run Exchange 2003 single server
>2 Storage groups: staff and students
>1 routing group- no connectors
>We use Symantec Mail Security for SMTP as our SMTP gateway
>
>We need to be able to restrict students from sending outside or receiving 
>from outside, but still allow internal to all staff and students.  Staff 
>should not have any restrictions on where they send or who they receive from.
>
>Thanks if you are able to offer any best practice suggestions!

Can't do this by SG membership.
http://www.msexchange.org/tutorials/MF009.html and
http://www.msexchange.org/tutorials/MF023.html will fix you right up.
date: Mon, 17 Mar 2008 09:08:46 -0400   author:   Mark Arnold [MVP]

Re: Restrict one storage group to only send internal   
You can do half of it by a security group membership, the restriction on 
sending mail to the Internet.  The receipt part can be accomplished by 
giving users nonroutable SMTP addresses, like 
first.last@nameofschool.school.  You can have those applied automatically 
through recipient policy if your students are identifiable as such by some 
Active Directory attribute, but OU membership doesn't work.
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
date: Mon, 17 Mar 2008 17:11:02 -0700   author:   Ed Crowley [MVP]

Re: Restrict one storage group to only send internal   
Yeah, that's what old man Fugatt's articles 009 and 023 describe.
date: Tue, 18 Mar 2008 08:30:19 -0400   author:   Mark Arnold [MVP]

Re: Restrict one storage group to only send internal   
Thanks Mark and Ed.  We seem to have a difference in opinions between your 
replies! :o)

Mark says "No" and Ed says "Yes".

The receiving part is fine (or more appropriately, not receiving mail part 
is fine).  Their mail is set up like this: first_last@students.domain.edu.  
There is no public MX resolution to this, so sending mail will fail.

We do not have a "Students" group in AD per se.  We have multiple groups 
that contain students (Grad year).  I could build a students group from the 
grad year groups, or just use the grad year groups, but was hoping that there 
was a way to save this step and just restrict it based upon the 
students.domain.edu.  That way if a student is omitted from a group, they can 
not send mail outside.  This would be one of those cases where the default 
permissions are unrestricted when they should be restricted.

Faculty and staff are first_last@domain.edu (No student sub domain)

If I created a "Students" routing group and a "Staff" routing group, lock 
down the students group and leave the staff open am I on the right track?  
Looking through it, it does appear that there could be a lot of empty inboxes 
if I do not configure this correctly.
date: Tue, 18 Mar 2008 08:36:01 -0700   author:   Rich Booth
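
The gap described in the post above, where a student left out of every grad-year group keeps unrestricted Internet mail, can be checked for directly. The following is an added example, not part of the original thread: a Python audit over a directory export that lists every mailbox in the student SMTP domain that is not covered, directly or through nested groups, by a restricted group. The CSV layout, the DNs and the `NoInternetMail` group name are constructed for illustration.

```python
import csv
import io

STUDENT_DOMAIN = "students.domain.edu"  # student SMTP sub-domain named in the thread

# Constructed sample export (hypothetical columns and DNs): one row per
# directory object, memberOf holds ';'-separated group DNs.
SAMPLE_EXPORT = """dn,objectClass,mail,memberOf
"CN=Grad2008,OU=Groups,DC=domain,DC=edu",group,,"CN=NoInternetMail,OU=Groups,DC=domain,DC=edu"
"CN=Grad2009,OU=Groups,DC=domain,DC=edu",group,,"CN=NoInternetMail,OU=Groups,DC=domain,DC=edu"
"CN=NoInternetMail,OU=Groups,DC=domain,DC=edu",group,,
"CN=Ann Lee,OU=Students,DC=domain,DC=edu",user,ann_lee@students.domain.edu,"CN=Grad2008,OU=Groups,DC=domain,DC=edu"
"CN=Bo Diaz,OU=Students,DC=domain,DC=edu",user,bo_diaz@students.domain.edu,"CN=Chess,OU=Groups,DC=domain,DC=edu"
"CN=Cy Park,OU=Students,DC=domain,DC=edu",user,CY_PARK@Students.Domain.Edu,
"CN=Dee Fox,OU=Staff,DC=domain,DC=edu",user,dee_fox@domain.edu,
"""


def load_objects(text):
    """Parse the export into {lowercased DN: object record}."""
    objects = {}
    for row in csv.DictReader(io.StringIO(text)):
        member_of = {g.strip().lower()
                     for g in (row["memberOf"] or "").split(";") if g.strip()}
        objects[row["dn"].lower()] = {
            "cls": row["objectClass"],
            "mail": (row["mail"] or "").strip(),
            "member_of": member_of,
        }
    return objects


def effective_groups(dn, objects):
    """Every group reachable from dn via memberOf; safe against group loops."""
    seen, stack = set(), list(objects[dn.lower()]["member_of"])
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        # A group missing from the export cannot be expanded any further.
        stack.extend(objects.get(group, {"member_of": ()})["member_of"])
    return seen


def unrestricted_students(text, restricted_groups, domain=STUDENT_DOMAIN):
    """Student-domain mailboxes that no restricted group covers."""
    objects = load_objects(text)
    restricted = {g.lower() for g in restricted_groups}
    suffix = "@" + domain.lower()
    gaps = []
    for dn, obj in objects.items():
        if obj["cls"] != "user" or not obj["mail"].lower().endswith(suffix):
            continue  # groups, staff and mail-less accounts are out of scope
        if not effective_groups(dn, objects) & restricted:
            gaps.append(obj["mail"])
    return sorted(gaps, key=str.lower)


if __name__ == "__main__":
    for mail in unrestricted_students(
            SAMPLE_EXPORT, ["CN=NoInternetMail,OU=Groups,DC=domain,DC=edu"]):
        print("not covered by any restricted group:", mail)
```

Run against a fresh export whenever accounts are created, an empty result means every student-domain mailbox is inside the restriction.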

Re: Restrict one storage group to only send internal   
Are students and staff on separate Exchange servers?  If so, then you can 
separate the routing groups and configure an SMTP Connector in the Students 
routing group with address space * to go to a dead smart host.  That's not as 
elegant as setting delivery restrictions based on group membership because 
with that method users will get an appropriate NDR rather than "message 
delayed" and "timed out" messages.
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
date: Tue, 18 Mar 2008 09:32:48 -0700   author:   Ed Crowley [MVP]

Re: Restrict one storage group to only send internal   
They are NOT on separate Exchange servers.  They are, however, in separate 
data stores.  I have 2 storage groups ("Staff" and "Students") each with its 
own store.  I only have 1 Routing Group, which is really not configured at 
all.

I'm not really a fan of the "Message Delayed" and "Time Out" messages, as 
they can make future troubleshooting difficult.

Does this help?
date: Tue, 18 Mar 2008 10:42:03 -0700   author:   Rich Booth

Re: Restrict one storage group to only send internal   
On Tue, 18 Mar 2008 08:36:01 -0700, Rich Booth wrote:

>Thanks Mark and Ed.  We seem to have a difference in opinions between your 
>replies! :o)
>
>Mark says "No" and Ed says "Yes".

No, actually we both say yes.
date: Tue, 18 Mar 2008 14:38:02 -0400   author:   Mark Arnold [MVP]

Re: Restrict one storage group to only send internal   
Go and read the article you were pointed at.
These have been there for years.  You're asking a question that gets
asked several times a week and has been asked since 2000. The 009 and
023 update have stood hundreds of admins in good stead. They stop
people sending to the Internet. They stop people receiving from the
Internet. They can even stop people sending to the Internet except a
certain number of contacts. They can also stop people receiving from
the Internet except from a certain set of contacts.
Trust me, this is a very very old and trodden path.
date: Tue, 18 Mar 2008 14:43:01 -0400   author:   Mark Arnold [MVP]

Re: Restrict one storage group to only send internal   
That's what I thought, too.
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
date: Tue, 18 Mar 2008 14:55:41 -0700   author:   Ed Crowley [MVP]
