Transport Rules

All posts tagged Transport Rules

Copy transport rules

In Exchange 2010 the transport rules functionality have been expanded, as the configuration of Hub servers is saved in the AD transport rules will also be saved there. This has an advantage that multiple Hub servers in the same Exchange organization can use these transport rules.

When having an Edge server this is a little bit more complicated because the Edge is not a member of the AD and has a local ADLDS which makes replication not possible. If you have one Edge it’s not a very big problem to configure the transport rules again. But if you have multiple Edge servers this can be a very time consuming job. In this case you can use the commands Export-TransportRuleCollection and Import-TransportRuleCollection. You can run both commands on both the Hub and Edge transport servers.

With the command below we ensure that we make an export of the transport rules to the export directory which is located on our local harddrive.

$file = Export-TransportRuleCollection
Set-Content -Path “C:\Export\TransportRules.xml” -Value $file.FileData -Encoding Byte

Next step is to copy the xml file to the other Edge servers and run the import command.

[Byte[]]$Data = Get-Content -Path “C:\Import\TransportRules.xml” -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $Data

This will import the transportrules.xml on the server.

When you make a lot of changes to transport rules it might be usefull to create a script which exports and imports the transport rules.

Below an example script to export the transport rules. This script uses a batch and a Powershell file, the batch is used in the scheduled task to automaticaly run the export, you can also choose to copy the complete command from the batch and place it in the scheduled task. The scheduled task can then be executed every hour or every day depending on your needs. When the command has been executed an entry will be made in the application log. One remark on this script is that you will need to share the export folder and give the account who executes the scheduled task the correct permissions on it:

PowerShell.exe -command “. ‘C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1′; Connect-ExchangeServer -auto; C:\Export\exporttransportrules.ps1″

$file = Export-TransportRuleCollection
Set-Content -Path “C:\Export\TransportRules.xml” -Value $file.FileData -Encoding Byte
$evt=new-object System.Diagnostics.EventLog(“Application”)
$evt.Source=”Export transport rules”
$evt.WriteEntry(“Transport rules have been exported”,$infoevent,70)

OK now we have the export part we also need to import part:

PowerShell.exe -command “. ‘C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1′; Connect-ExchangeServer -auto; C:\Import\importtransportrules.ps1″

[Byte[]]$Data = Get-Content -Path “\\sourceserver\export\TransportRules.xml” -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $Data
$evt=new-object System.Diagnostics.EventLog(“Application”)
$evt.Source=”Import transport rules”
$evt.WriteEntry(“Transport rules have been imported”,$infoevent,70)

The import part is almost the same, only the export-transportrulecollection has been changed to import-transportrulecollection and the path to import has been changed to point to the source server.

But what happens in a co-existentse environment where you have transport rules in Exchange 2007 and Exchange 2010. As described earlier these transport rules are saved in the Active Directory for Hub servers, in Exchange 2010 this is another location as for Exchange 2007. During the setup the transport rules will be converted and placed in the right location. When the installation has finished both Exchange 2007 and Exchange 2010 have the same set of transport rules. But when you like to make changes to the transport rules you will need to make this change in both Exchange 2007 and Exchange 2010.

To export the Exchange 2007 transport rules only on a 2010 Hub server execute the following command:

$ file = Export-TransportRuleCollection -ExportLegacyRules
Set-Content -Path “C:\Export\LegacyRules.xml” -Value $file.FileData -Encoding Byte

If you like to have more info about the commands then have a look at the sites mentioned below:

Technet Export-TransportRuleCollection open
Technet Import-TransportRuleCollection open

Block messages to specific domains

With Exchange 2007 you could only configure some specific things on the Edge server, in Exchange 2010 RC some of these functions are also available on the HUB server. One of those things is block messages to specific domains. In Exchange 2007 this could only be configured on the Edge server, in Exchange 2010 RC this can also be done on the HUB server.

Block mail to specific domain

As you can see in the screenshot above you configure that internal users can’t send messages to the domain. Besides this options a lot of other options are added to the transport rules in Exchange 2010 RC. I will write a tutorial about it soon which will describe these options and will give some examples what you can do with these options.

In the transport rules from Exchange 2007 you can use regular expressions. This can let you block specific words. But what happens in some cases is that correct words are also blocked because they contain the blocked specified character pattern. You can prevent this by using one or more of the parameters below:

parameter description
\S \S can be used to replace a single character which is not a space.
\s \s can be used to replace a single white-space.
\D \D can be used to match any non-numeric digit.
\d \d can be used to match a single digit.
\w \w can be used to search for a character which is a Unicode character from the category letter or number.
| The pipe ( | ) character can be used to create an OR function.
* The wildcard ( * ) character matches zero or more instances of the character before the parameter.
( ) Characters between the () will be grouped, this makes it possible to search for a specific character pattern.
\\ The 2 backslashes can be used to escape a specific character, for example \\d can be used to search for the pattern \d in an expression.
^ The ^ character can be used to match a pattern which starts with a specific pattern.
$ The $ character can be used to search for a pattern which ends with a specific character pattern.

As you can see there are a lot of possibilities. It may cost a lot of time to figure out which filter works the best in your situation.

More info can be found on the Technet article below.

Regular Expressions in Transport Rules

Block backscatter mails with Exchange 2007

It has been a while ago that I published a tutorial. This tutorial will describe how to block backscatter mails with Transport Rules. This tutorial will describe step by step how to create them. The block the backscatters we need to add 2 Transport rules. The first rule will add a tag to each mail which will be send to the internet. The second rule will check each mail that is a NDR for the specified tag


Backscatters are still active NDR’s who will be delivered to companies where after some investigation the mail is never send from. There are a few possibilities to prevent this, one of this is with SPF records.

I went for some further investigation on how to block those irritating mails. I found out that it could be done with Transport Rules in Exchange 2007.

In this tutorial I will explain how you can configure to get rid of the irritating backscatters.

First we will create a transport rule which adds a tag to the header of an e-mail. With this we can recognize e-mails which are send from our own server.

We can do this by opening the EMC and go to the Hub Transport Server via the Organizational Configuration. After that we can open the tab Transport Rules.

Next step is selecting the option to create a new Transport Rule in the right menu.

In this case we choose the following name Add tag to header but this can be any name you like. When you’ve choosen the name you like you will click on next

On the next page we will select which conditions the mail must met before we will apply the transport rule

Here we define that we want to apply the rule on every mail that is send to outside via the Hub Transport server. When this has been defined we click on next

Next step is the action that needs to be executed. As I said earlier we want to add something to the header of the mail. We can do this by selecting the option set header with value. This rule will be added to the lower part of the screen. The only thing we need to specify is the values we want to add.

First we will define the tag itself

We will give the tag the name anti-spf , this is a name you can change if you like, remember it because we will need it later on. Next we need to specify the value that we want to give to the tag. The best option is to give it a random value. This makes it a little bit harder to hack, but it’s still possible because it’s a static value

When both values are defined we will click on next

We will get a short summary en we can click on next to continue. When the rule is created succesfully we will get the screen below

Each mail who is send to the outside world will get an extra tag in the header anti-spf: 7uTreth2

The next step is to create a Transport Rule who checks if the NDR mail contains the tag.

To do this we will select the option to create a new Transport Rule in the right menu

We will give it a name, in this case NDR Check, and click on next

The next step is to define the conditions the mail must met before we will apply the Transport Rule. In this case we chec:

  • if the mail is send to internal (sent to users inside your organization)
  • if the subjected contains Returned mail (Subject field contains specific words)

When selecting the option Subject field contains don’t forget to add the value Returned mail manually.

The next step is to define the action that needs to be executed

In this case we define that

  • an item should be logged in the event log with the text NDR Check
  • the mail should not be delivered

It can be that the action drop the message is OK for you, in this case you only need to select this one. When you are satisfied with the settings click on next.

The last step is to define the exceptions, if we don’t do it all mails to internal users with the text Returned mail will be dropped. This is not what we want because this would cause legal NDR’s also to be dropped.

By checking the body of the mail for the text anti-spf: 7uTreth2 we can prevent that legal NDR’s will be blocked.

When this is defined we click on next en the rule will be created. When the rule is created succesfully you will get the screen below

I must admit that it will cost you some time to create the rules but it wil save you a lot of calls from users with questions about NDR’s.

Block mails to specific domain

In Exchange 2003 we could prevend sending to a domain with delivery rectrictions. In Exchange 2007 we can do this by using transport rules this can be created on the Hub Transport server. When we start the wizard and specify the name the next step is to define the conditions, here we choose the following options:

  • from users inside the organization
  • when a message header contains specific words, here we specify that we want to check the parameter to which has the value

The next step is choosing the correct action, we could for example bounce the e-mail back to the sender which contains a message that sending to this domain is prohibited by security settings.

  • send bounce message to sender with enhanced status code

The last step we could use is the exceptions, this can be used to allow a specific address that is part of a domain that we will block.

A new feature within Exchange 2007 is message classification. With this you can assign a classification to an e-mail and for example create a transport rule which blocks e-mails of certain classifications.

This functionality can only be used in combination with Outlook 2007 client and Outlook Web Access. Default Exchange 2007 contains 5 message classifications:

  • A/C Privileged
  • Attachment Removed
  • Company Confidential
  • Company Internal
  • Partner Mail

You can get the current message classifications by executing the following Powershell command:


This will give the following result:

You can make new message classifications with the following command new-messageclassification and a few parameters.

new-messageclassification -name Marketing  -DisplayName “Marketing Confidential” -SenderDescription “This classification must be used by the marketing department”

In the example above we will create a new message classification named Marketing.  After that we assign the name that will be displayed in the client as Marketing Confidential  and with the last parameter senderdescription we can give a short description of the classification which will be displayed to the user when selected.

This classification will be used for all languages including Dutch. You can type the senderdescription in Dutch, but you can also add multiple languages. The client will then decide which language it needs, looks if it is available and if it it will display the correct language.

new-messageclassification -Identity Marketing -Locale nl-NL -DisplayName “Marketing NL” -SenderDescription “Deze classificatie mag alleen gebruikt worden door de marketing afdeling”

With the parameters above we will create a Dutch message classification for the earlier created message classification Marketing. That this one is only for dutch is because we specified the parameter -Locale  followed by the language. With the parameter identity  we select the original message classification Marketing. De other parameters displayname and senderdescription have both the same function as when creating a new message classification.

Default all users can use a message classification, you can prevent this:

get-messageclassification Marketing -IncludeLocales |Remove-AdPermission -User AU -AccessRights GenericRead -InheritanceType None

With the command above we remove the right the authenticated users have on the Marketing message classification.

get-messageclassification Marketing  -IncludeLocales | Add-AdPermission -User “domainname\Marketing” -AccessRights GenericRead -InheritanceType None

Next step will be to assign read rights to the members of the group Marketing to the Marketing message classification.

There are a few thinks you should keep in mind when you are gone use message classifications. In OWA it will work but in Outlook 2007 you can’t totally prevent users from using a message classification. This is because users can modify the file Classifications.xml which will allow them to add the message classification to their client.

But it is a way to make it more difficult for a user to use it.

In the previous part we spoke about message classification in Outlook 2007. In OWA you don’t have to configure anything for message classification but for Outlook 2007 you need.

Configuring Outlook 2007 takes two steps:

  • create registry keys
  • create classifications.xml

Before you using the classifications.xml you need to create the registrykeys as displayed below:


“AdminClassificactionPath”=”c:\\Program Files\\Office\\Classifications.xml”



All the parameters are logical, except the last one. The parameter TrustClassifications only needs the value  00000001 when the mailbox of a user is placed on an Exchange 2007 server.

The last step is creating the classifications.xml file. This step needs to be performed on the Exchange 2007 server. Microsoft has developed a standard script for it and placed it in the script directory of Exchange 2007, it called Export-OutlookClassification.ps1

./Export-OutlookClassifications.ps1 > c:\export\classifications.xml

Make sure the folder to which you want to export exists, else you will get an error message The command above will create a xml file called classifications.xml in the export directory.

You can also choose to only export the Dutch language message classifications:

./Export-OutlookClassifications.ps1 -Locale “nl” >Classifications.xml

As you can see only nl is used instead of nl-NL both are the same, for a full overview have a look at this  page.

Message classifications can be used in transport rules. You could do a check if a message is marked with a specific message classification and block the e-mail.

Besides that option you can also let a transport rule assign a classification to a mail according to the conditions you specify.

A new feature in Exchange 2007 is Transport rules this rules can be added in two ways, via the Exchange Management Console or via the Exchange Management Shell.

The transport rules will be created on the Hub transport server. The transport rules will be executed as follows:

When you choose to create the rules via the Exchange Management Shell you will see you will pass those steps.

Besides the parameters you can assign a priority to each Transport Rule. The priority start with 0, this rule has the highest priority. When a mail matches multiple rules all the rules will be applied to the mail, the priority will be used to make the decision in which order they will be applied. When you have created a rule you can adjust it very easy.

First we are going to create a Transport Rule via the Exchange Management Console. You have to start the Exchange Management Console  for this, next click on Organizational Configuration, Hub Transport and select the tab Transport Rules.

Now click somewhere in the white space in the center of the screen and choose the option New Transport Rule, you can also do this on the right side of the screen. You will get the following screen:

Fill in the fields that are displayed, Name is the name you want to give to the Transport Rule, Description  is a short description of the rules. The checkmark before Enable Rule is enabled by default, when you don’t want to use the rule immediately uncheck it, click on next.

First we will select the Conditions, this are the conditions that a message has to have. This can be for example: all mail to external users

The next step will be the Rules that are applied to the mail. In this case we will add a disclaimer to the e-mail.

You can see in the flowchart that we only need the define the Exceptions. In this case we don’t want to add exceptions and click on next

Before the rule is created you will get a small summary of the parameters we defined. Click on New to create the Transport Rule.

When you get the same screen as above the rule is created successfully and a disclaimer is added to all messages send to external users.

Now we created a Transport Rule via the Exchange Management Console it’s time to create one via Powershell.

We will create a rule which blocks e-mails with the word Finance in the body or subject except when the mail is send from Klaas Vaak.

Normally you get give the Powershell command directly, but with a Transport Rule this is not the case. First we will define the values for the conditions, rules and exceptionsand will use them in the Powershell command.

Below the script what what creates the Transport Rule:

$Condition = Get-TransportRulePredicate SubjectOrBodyContains

$Condition.Words = @(“Finance”)

$Exception = Get-TransportRulePredicate From

$Exception.Addresses = @((Get-Mailbox “Klaas.Vaak”))

$Action = Get-TransportRuleAction RejectMessage

$Action.RejectReason = “E-mail messages sent from departments except the Finance department are prohibited.”

New-TransportRule -name “Block e-mail messages with the word Finance” -Condition @($Condition) -Exception @($Exception) -Action @($Action)

The same as with the wizard the script will be separated in logical steps.

With $Condition we define the conditions which a mail should meet. You can do this by specifying the command Get-TransportRulePredicate followed by , in this case SubjectOrBodyContains.

The next step we will do is assign a value for the condition, we can those this with the parameter $Condition.Words. We will give the value after the – sign.

The next step is to define the exception, this will be done by the parameters $Exception and $Exception.Addresses. With this we will tell Exchange to use the command Get-TransportRulePredicate From to get the value from the from field and assign the value to $Exception.Addresses.

The last parameter we define is the action that needs to be executed when a mail matches all requirements.  This is done by the parameters $Action and $Action.RejectReason, in this case we will send a message back to the sender with the following text E-mail messages sent from departments except the Finance department are prohibited.

Now we defined all parameters we can use the New-TransportRule to create the rule. The only extra parameter we need is name which defines the name of the rule. When we don’t want to rule to be active after creation we need to add the parameter Enabled $false. The new rules will be assigned the lowest priority, can you change this by assigning the Priority parameter a numeric value.

I saved the script myself and executed it, the screen below shows the result:

The links below will direct you to the pages on Technet about the two commands:

New-TransportRule open

Get-TransportRulePredicate open