
Saturday, May 11, 2019

Exchange - Transport Rule Block Attachments While Allowing Specific Ones

In my Exchange environment we have an invoicing mailbox that auto-forwards to an external document processing email address. This mailbox can only accept PDF or TIFF attachments, since that's what the doc processing service will accept. So, I needed a way to only allow those two attachment types, while blocking all others.

Articles on the Web are spotty on how to accomplish this; most are all or nothing. MS TechNet has an article on blocking all attachments, but we need to allow the ones mentioned above to come through. In this post, I'll expand on that.

We'll be using the EAC (Exchange Admin Center) to create our Transport Rule (aka Mail Flow Rule), since it's a little bit easier to see all of our options there.

In the EAC, navigate to Mail Flow > Rules.
Click the "+" and select "Create a new rule...":

[Screenshot: EAC Create New Rule]

In the rule creator, give it a name.

Under "*Apply this rule if..." select "the recipient is..." and then search for and select your recipient(s).

Click the "more options" link and then click "add condition".

Drop-down to "any attachment" then mouse over to "is greater than or equal to..."

Input "1" in the field - for 1KB.

**Note** The EAC will only accept 1KB as the lowest value, which will block all attachments in my experience. If you need to go lower, like 0KB, you'll need to use the Shell to set it later.

Under "*Do the following..." drop-down to "Reject the message with the explanation..." and enter your outgoing bounce reason. In my case I specify that only PDF and TIFF are allowed.

Under "Except if..." drop-down to "Any attachment's file extension matches..." and enter "tiff" and "pdf".

**Note** Don't enter a dot in front of the file extensions, as it will throw an error; only enter the extension name.

Set your priority and leave "enforced" selected.

Click "Save"

The results should look like so:

[Screenshot: EAC Attachment Rule Settings]

Basically, what we did is block all attachments, and by setting an exception we let those two specific types through.
This might seem counterintuitive at first, but think about doing it the other way around and having to manually block every file type...that would take forever!

**Note** In the above example I set the rule for one mailbox, but if you need to allow only these certain attachments to all mailboxes, under "Apply this rule if..." you would choose "the recipient is... located inside the organization". You can also set it to "a member of this group" if you have groups set up for different settings.
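
The same rule expressed in the Exchange Management Shell, as an added example that is not part of the original post. The rule name is a hypothetical placeholder; the recipient address and rejection text are the ones shown in this post.

```powershell
# Added example: run in the Exchange Management Shell.
# The rule name is hypothetical; change the recipient to your own mailbox.
$ruleName = 'Invoices - allow only PDF and TIFF attachments'

$ruleParams = @{
    Name                                    = $ruleName
    # "Apply this rule if... the recipient is..."
    SentTo                                  = 'invoices@exchangeitup.com'
    # "any attachment... is greater than or equal to..." 1 KB
    AttachmentSizeOver                      = '1KB'
    # "Reject the message with the explanation..."
    RejectMessageReasonText                 = 'This message was rejected because only PDF or TIFF attachment types are allowed.'
    RejectMessageEnhancedStatusCode         = '5.7.1'
    # "Except if... Any attachment's file extension matches..."
    # Extension names only, with no leading dot (same as in the EAC).
    ExceptIfAttachmentExtensionMatchesWords = 'pdf', 'tiff'
    # Equivalent of leaving "enforced" selected.
    Mode                                    = 'Enforce'
}

New-TransportRule @ruleParams

# Review what was actually stored before sending test messages.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SentTo, AttachmentSizeOver,
                ExceptIfAttachmentExtensionMatchesWords, RejectMessageReasonText
```
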

Now, test your rule by sending a blocked attachment, like a JPEG, to the mailbox, and then send an allowed attachment, like a PDF.

The blocked attachment should generate a 5.7.1 reply like so:

Delivery has failed to these recipients or groups:

invoices@exchangeitup.com (invoices@exchangeitup.com)

This message was rejected because only PDF or TIFF attachment types are allowed.


Your message wasn't delivered because the email admin for the organization 'exchangeitup.com' created an email rule restriction. Please contact the email admin for that organization and ask them to remove or update the rule restriction.
For more information about this error, see DSN code 5.7.1 in Exchange Online - Office 365.


As you can see, the sender will get the 5.7.1 bounce, and it includes my custom outgoing message under the recipient email address: "This message was rejected because only PDF or TIFF attachment types are allowed."

Happy attachment blocking!

1 comment:

  1. Good article, thank you. One question though: if somebody attaches two files, one allowed, one disallowed, the whole rule won't work anymore as expected; both attachments are delivered. How can you avoid that?
