In Exchange Server 2010, transport
rules provide the ability to apply e-mail and compliance policies to
messages as they flow through your organization, providing
controlled-access, information-integrity, and process-integrity capabilities. Transport rules are configured and managed at the organization level as a component of the Hub Transport configuration.
Transport rules are composed of the following components:
Conditions
Conditions consist of one or more predicates that define which portions
of a message to examine, and what criteria to use for identifying
messages that the rule is applied to. For example, the To: field could
contain David Jones, or the subject or body of the message could
contain the phrase "Top Secret". Most predicates require a comparison
operator (equals, does not equal, contains) and a value to look for.
Think of the conditions as the if portion of an if-then
statement. Exchange Server 2010 includes new predicates that were not
available in Exchange Server 2007, such as messages sent to partners,
if the sender's and recipient's specified Active Directory attribute
matches a defined value, or if a message is not marked with a message
classification. If no conditions are defined, the rule will apply to
all messages unless exceptions are defined.
Exceptions
Exceptions are composed of the same components as conditions except that they identify messages that transport rules should not
be applied to. Exceptions override conditions; a message identified by
an exception will not have the rule applied to it, even if it meets all
of the conditions. Exceptions are optional; they are included only if
necessary.
Actions
Actions specify what to do with messages that meet the defined
conditions and do not match any exceptions in the rule. A large number
of actions are available for transport
rules. Exchange Server 2010 includes new actions in addition to those
offered in Exchange Server 2007; for example, adding the sender's
manager as a specific recipient type, forwarding the message to a
specified address or manager for moderation, or applying rights
management protection with an AD RMS template. Actions are mandatory; you cannot create a
rule without defining at least one action, although you can define
multiple actions in the same rule.
1. Rules Agents
Rules agents are responsible for applying transport rules on Hub Transport and Edge Transport servers. The Transport Rules agent applies rules on the Hub Transport server, whereas the Edge
Rules agent performs this task on the Edge Transport server. Although
these two agents are comparable in function, they are each unique in
the predicates and actions available to them, the priority of the rule
agent relative to other transport agents, and what transport event the
agent fires on.
1.1. Transport Rules Agent
The Transport Rules agent runs on the Hub Transport server, and fires on the OnRoutedMessage transport event. Hub Transport
rules are created and managed at the Exchange organization level,
stored in Active Directory, and processed on all Hub Transport servers
in the organization. This provides Exchange Server 2010 with the
ability to consistently apply a uniform set of rules across the entire
organization, but because the rules are stored in Active Directory, the
availability of the rules across the organization is dependent on
Active Directory replication.
1.2. Edge Rules Agent
Transport rules are processed on the Edge Transport server by the Edge Rules agent, which fires on the EndOfData
transport event. The primary purpose of the Edge Transport role is to
act as an e-mail gateway between your internal Exchange organization
and the Internet, so it is an ideal place to apply antivirus and
anti-spam checks and policy restrictions to inbound messages, so that
unwanted messages can be filtered out without consuming resources on
your internal Exchange servers.
Note:
Edge Transport
rules can also be used to process outbound Internet e-mail for policy
and compliance purposes. However, you cannot apply disclaimers to
outbound Internet e-mail with Edge Transport rules; this must be done
with Hub Transport rules.
Rules created on Edge Transport servers are stored in the Active Directory Lightweight Directory Services (AD LDS) database, formerly known as Active
Directory Application Mode (ADAM), on each Edge Transport server. Rules
configured on one Edge Transport server are not replicated to other
Edge Transport servers, regardless of whether EdgeSync is configured.
This means that if you want the same rules applied on multiple Edge
Transport servers, they must be configured on each Edge Transport
server, although you can use the Export-TransportRuleCollection and Import-TransportRuleCollection
cmdlets to automate the process. This requirement does provide you with
the flexibility to configure unique rules on each Edge Transport
server, however, which can be desirable in many cases—for example, to
configure unique rules based on the Edge Transport server's address or
type of e-mail traffic that it handles.
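The copy procedure described above, as an added example that is not part of the original page: export the rule collection from one Edge Transport server and import it on another with the two cmdlets named in the text. The file path and the assumption that both servers have the same rule requirements are mine. The cmdlets are real Exchange Server 2010 cmdlets; note that Import-TransportRuleCollection replaces the entire rule collection on the server it runs on, so review what is already there before importing.

```powershell
# Added example (not from the original page). File path is an assumption.
# Step 1: run on the SOURCE Edge Transport server in the Exchange Management Shell.
# Export-TransportRuleCollection returns an object whose FileData property holds
# the XML rule collection as a byte array; write it out as a binary file.
$export = Export-TransportRuleCollection
Set-Content -Path 'C:\EdgeRules\rules.xml' -Value $export.FileData -Encoding Byte

# Step 2: copy rules.xml to the TARGET Edge Transport server (file share,
# removable media, etc.), then run the rest of this script there.

# Record what the target currently has: the import below overwrites the whole
# collection, so anything unique to this server must be re-created afterwards.
Get-TransportRule | Format-Table Name, Priority, State -AutoSize

# Read the file back as raw bytes and import it. The cmdlet prompts for
# confirmation; add -Confirm:$false only when running unattended.
[Byte[]]$data = Get-Content -Path 'C:\EdgeRules\rules.xml' -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $data

# Step 3: verify by comparing names, priorities and states with the source list.
Get-TransportRule | Format-Table Name, Priority, State -AutoSize
```

Because Edge rules live in the local AD LDS instance and EdgeSync does not replicate them, this export/import is the only supported way to keep several Edge servers in step; keep the exported XML under version control so that a drifted server can be reset to the known-good collection.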
2. Creating Transport Rules
Transport rules can be created via the EMC, the ECP, or by using the New-TransportRule
cmdlet in the EMS. One significant difference in Exchange Server 2010
is that, unlike with Exchange Server 2007, you no longer need to
instantiate predicates and actions with the Get-TransportRulePredicate and Get-TransportRuleAction cmdlets for use in the New-TransportRule cmdlet. The Get-TransportRulePredicate and Get-TransportRuleAction
cmdlets now only list the predicates and actions available for use on
the Hub Transport or Edge Transport servers that you run the cmdlet on.
In Exchange Server 2010, all the predicates and actions are available
as parameters for the New-TransportRule and Set-TransportRule cmdlets, providing the means for you to create or modify a transport rule with a single command.
The predicates available on Exchange Server 2010 Hub Transport servers are outlined in Table 1;
the part of each predicate that you supply a value for (for example, people, distribution list, specific words, or limit) is shown in italics in the EMC. These predicates are listed by their display names as they
appear in the New Transport Rule or Edit Transport Rule wizards in the
Exchange Server 2010 EMC.
Table 1. Hub Transport Rule Predicates
From people
From a member of distribution list
From users that are inside or outside the organization
Sent to people
Sent to a member of distribution list
Sent to users that are inside or outside the organization, or partners
Between members of distribution list and distribution list
When the manager of any sender is people
When the sender is the manager of a recipient
If the sender and recipient's Active Directory Attributes are attribute value
When a recipient's address contains specific words
When a recipient's address contains text patterns
When a recipient's properties contains specific words
When a recipient's properties contains text patterns
When any of the recipients in the To field is people
When any of the recipients in the To field is a member of distribution list
When any of the recipients in the Cc field is people
When any of the recipients in the Cc field is member of distribution list
When any of the recipients in the To or Cc fields is people
When any of the recipients in the To or Cc fields is a member of distribution list
Marked with classification
When the Subject field contains specific words
When the Subject field or message body contains specific words
When the message header contains specific words
When the From address contains specific words
When the Subject field contains text patterns
When the Subject field or the message body contains text patterns
When the message header matches text patterns
When the From address matches text patterns
When any attachment file name matches text patterns
With a spam confidence level (SCL) rating that is greater than or equal to limit
When the size of any attachment is greater than or equal to limit
Marked with importance
If the message is Message Type
When the sender's properties contain specific words
When the sender's properties match text patterns
Not marked with a message classification
When an attachment's content contains words
When an attachment's content matches text patterns
When an attachment is unsupported
The predicates listed in Table 1 also have equivalent exceptions that can be configured in the New Transport Rule and Edit Transport Rule wizards, as well as with the New-TransportRule and Set-TransportRule cmdlets. Exceptions are expressed as the predicate preceded with ExceptIf. For example, the exception parameter for the FromMemberOf predicate is called ExceptIfFromMemberOf.
Because the same predicate object contains the logic for use in a
transport rule condition and exception, exceptions aren't shown
separately when you use the Get-TransportRulePredicate cmdlet to list predicates.
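As an added example that is not part of the original page, the following EMS session ties the preceding points together: it lists the predicates and actions the local role supports, then creates one Hub Transport rule in a single New-TransportRule command with a condition, an ExceptIf exception and an action, and finally reads the stored rule back. The rule name, the distribution group address, the attachment patterns and the 5.7.9xx status code are my assumptions; the parameters themselves are the Exchange Server 2010 parameters that correspond to the predicates in Table 1.

```powershell
# Added example (not from the original page). Rule name, group address,
# file-name patterns and status code are assumptions. Run in the Exchange
# Management Shell on a Hub Transport server.

# 1. List what the local server role supports. The Name values shown are the
#    parameter names accepted by New-TransportRule / Set-TransportRule; the
#    matching exception parameter is the same name prefixed with ExceptIf.
Get-TransportRulePredicate | Sort-Object Name | Format-Table Name -AutoSize
Get-TransportRuleAction    | Sort-Object Name | Format-Table Name -AutoSize

# 2. One command, three components:
#    condition  - sender is outside the organization AND an attachment file
#                 name matches one of the .NET regular expressions below
#                 (different predicates in one rule are ANDed; the several
#                 values given to one predicate are ORed),
#    exception  - message is addressed to the assumed triage group,
#    action     - reject and return an NDR with custom text.
#    The check is on the attachment file name only, not on its content.
New-TransportRule -Name 'Block executable attachments from the Internet' `
    -Enabled $true `
    -FromScope NotInOrganization `
    -AttachmentNameMatchesPatterns '\.exe$', '\.scr$', '\.js$', '\.vbs$' `
    -ExceptIfSentToMemberOf 'malware-triage@contoso.com' `
    -RejectMessageReasonText 'Executable attachments from external senders are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.901'

# 3. Priority 0 places the rule first so it is evaluated before lower-priority
#    rules (for example a disclaimer or forwarding rule) see the message.
Set-TransportRule -Identity 'Block executable attachments from the Internet' -Priority 0

# 4. Verify what Exchange stored, rather than trusting the command you typed.
Get-TransportRule -Identity 'Block executable attachments from the Internet' |
    Format-List Name, Priority, State, Conditions, Exceptions, Actions
```

Because the attachment predicates are Hub Transport only (compare Table 2), a rule like this has no Edge equivalent in Exchange Server 2010; messages from the Internet that never traverse a Hub Transport server, such as mail delivered directly to an external recipient via an Edge server, are not covered by it.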
The predicates available on Exchange Server 2010 Edge Transport servers are listed in Table 2. The available predicates for Edge Transport rules are for the most part a subset of the Hub Transport rule predicates, along with a couple of predicates that are unique to the Edge Transport.
Table 2. Edge Transport Rule Predicates
PREDICATE | AVAILABLE ON HUB TRANSPORT? |
---|
When the Subject field contains specific words | Yes |
When the Subject field or message body contains specific words | Yes |
When the message header contains specific words | Yes |
When the From address contains specific words | Yes |
When any recipient address contains specific words | No |
When the Subject field matches text patterns | Yes |
When the Subject field or the message body matches text patterns | Yes |
When the message header matches text patterns | Yes |
When the From address matches text patterns | Yes |
When any recipient address matches text patterns | No |
With an SCL rating that is greater than or equal to limit | Yes |
When the size of any attachment is greater than or equal to limit | Yes |
From users that are inside or outside the organization | Yes |
Note:
Exchange Server 2010 supports many new transport rule predicates and
actions, and has changes to some predicates and actions from Exchange
Server 2007. Because Exchange Server 2007 Hub Transport servers can't
process these new and changed predicates and actions, transport
rules are stored in a different format and location in Active
Directory. Thus, any Exchange Server 2010–specific transport rules are
only processed when the message traverses an Exchange Server 2010 Hub
Transport server.
In a
coexistence environment with Exchange Server 2007 and Exchange Server
2010, any changes to transport rules in Exchange Server 2007 or
Exchange Server 2010 must be applied to the other version as well.
2.1. Transport Rule Examples
In this section, we'll discuss a few examples of transport rules used to meet compliance requirements.
2.1.1. Disclaimers
Disclaimers are typically
used to provide warnings about unknown or unverified e-mail senders or
legal information, or for other reasons as determined by an
organization. In Exchange Server 2010, you now have the ability to use
HTML for disclaimers to e-mail messages that are processed on Hub
Transport servers; this is in addition to the ability to apply
plain-text disclaimers, which was introduced in Exchange Server 2007.
HTML tags can also include images by using IMG tags; note, however, that these images are not embedded in the message and
so should be located on a Web server that is accessible to the e-mail's
recipients. In addition, you should remember that Exchange Server 2007
Outlook Web Access, Outlook Web App, and Outlook 2007 and later block
external Web content (including images) by default, so it is
recommended to test your disclaimers to verify that the recipient's
experience is what you are expecting.
With Exchange Server 2010, Active Directory attributes can also be added to disclaimers (DisplayName, FirstName, LastName, Department, and Company).
The attribute names are replaced by the values from the sender's Active
Directory user account when the disclaimer rule is triggered. The
attribute is enclosed in two percent signs (%%) to use it in the
disclaimer; for example, to use the DisplayName attribute you include %%DisplayName%%.
Disclaimers can be
appended or prepended to messages. When a disclaimer is appended (the
default), it is inserted at the bottom of the message thread; Exchange
Server 2010 doesn't check whether disclaimers have been added
previously. A prepended disclaimer is inserted before the text of the
newest message in the thread.
Disclaimers are configured as actions in Hub Transport rules; as mentioned in the Edge Rules Agent section earlier in this chapter, disclaimers cannot be configured using Edge Transport rules.
The following EMS
example creates a transport rule that applies a disclaimer using HTML
formatting to all messages sent to recipients outside of the
organization:
New-TransportRule -Name ExternalDisclaimer -Enabled $true `
    -SentToScope 'NotInOrganization' `
    -ApplyHtmlDisclaimerLocation 'Append' `
    -ApplyHtmlDisclaimerText "<h3>Disclaimer Title</h3><p>This is the disclaimer text.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap
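As an added example that is not part of the original page, this variant of the disclaimer rule uses the two points made above: it inserts the sender's Active Directory attributes with the %%Attribute%% syntax, and, because Exchange Server 2010 does not check whether a disclaimer has already been added, it uses an exception on a marker phrase embedded in the disclaimer itself so that replies in a thread that already carry the disclaimer do not accumulate another copy. The marker text and rule name are my assumptions.

```powershell
# Added example (not from the original page). Marker phrase and rule name are
# assumptions. Run in the Exchange Management Shell on a Hub Transport server;
# disclaimer actions are not available in Edge Transport rules.

# The marker is a single token that never appears in normal mail. It is placed
# in the disclaimer and also used as the rule's exception, so a message whose
# body already contains a disclaimer is skipped.
$marker = 'ContosoDisclaimerV1'

# %%DisplayName%%, %%Department%% and %%Company%% are replaced per message
# from the sender's Active Directory user account when the rule fires.
$html = @"
<p style="font-size:smaller">
%%DisplayName%%, %%Department%%, %%Company%%<br/>
This message is intended only for the named recipients.<br/>
$marker
</p>
"@

New-TransportRule -Name 'External disclaimer with sender attributes' `
    -Enabled $true `
    -SentToScope NotInOrganization `
    -ExceptIfSubjectOrBodyContainsWords $marker `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $html `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Read the rule back: the %%...%% placeholders are stored verbatim and the
# exception should show the marker token.
Get-TransportRule -Identity 'External disclaimer with sender attributes' |
    Format-List Name, Exceptions, Actions
```

The fallback action matters for compliance: Wrap (used here and in the page's own example) delivers the original as an attachment to a new message carrying the disclaimer when the disclaimer cannot be inserted, Ignore sends the message without the disclaimer, and Reject returns the message to the sender. If a regulation requires the disclaimer to be present, Reject is the setting that enforces it.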
2.1.2. Ethical Walls
Ethical walls are used to block communication
between specified departments or sections of your organization.
Although an ethical wall can encompass numerous methods of
communication, including telephone, instant messaging, and postal mail,
in the context of e-mail an ethical wall is implemented using transport
rules in Exchange Server 2010. In a typical configuration, when a
message is sent that matches the conditions defined in the transport
rule, Exchange Server 2010 rejects the message and returns a non-delivery report (NDR)
to the sender informing them that the message was rejected due to
policy restrictions. This NDR can be modified by customizing the delivery
status notification (DSN) code used to provide the sender with specific
instructions or hypertext links to inform the sender of the policies or
regulations that prevented delivery.
Note:
The primary purpose of an ethical
wall is to prevent communication, so when implementing the transport
rule for the ethical wall it is crucial to properly define the scope
(conditions and exceptions) of the rule. An improperly defined scope
can potentially block all messages sent to or from all recipients or
senders in your organization.
The following example
shows how to create a transport rule that implements an ethical wall
using the EMS. This example specifies a new, custom DSN code with the RejectMessageEnhancedStatusCode parameter:
New-TransportRule "Sample Ethical Wall" -Enabled $true `
    -BetweenMemberOf1 BrokerageGroup@contoso.com `
    -BetweenMemberOf2 [email protected] `
    -ExceptIfFromMemberOf [email protected] `
    -RejectMessageReasonText "Sample Rejection Message" `
    -RejectMessageEnhancedStatusCode '5.7.228'
The next example creates the custom system message for that DSN code; its text is returned to the sender in the NDR. The -Internal $true switch makes this text apply to senders inside the organization; create a second message with -Internal $false if external senders should also see custom text rather than the default:
New-SystemMessage -DsnCode 5.7.228 -Internal $true -Language En `
    -Text "A message was sent that violates company policy #123. For more information, please contact the Compliance department."