Exchange 2003 - Block outbound mail to a specific domain
Our setup: Exchange 2003 SP2 with a spam filter appliance for inbound/outbound. We have only the default SMTP Virtual Server, and we have 2 connectors for internet traffic. The main connector is to the smart host (spam appliance) for the * namespace. We then have a second connector with the same namespace but set to use DNS instead of the smart host. This is because we have issues every now and then with the appliance freezing up and mail not flowing. When this happens mail can still flow by using the second connector. On the spam appliance we have SMTP over TLS enabled inbound/outbound and required for a specific remote domain that our HR department sends SSN numbers to.

What we need to do is block email to this domain from the Exchange server when using DNS to send instead of the smart host, so that if the smart host fails and traffic starts routing through the secondary connector (that doesn't have the TLS capability) they can't send unencrypted SSNs to the remote domain.

We have been testing with one of our own private domains. We changed our main internet connector (to the smart host) to have a cost of 2 and namespace *. We made a new connector and set the namespace to our test domain (abc.com, for example). We set that cost to 1 and set the connector to reject all on the delivery restriction. Basically the mail was rejected here and then flowed out through the second choice. We were hoping it would get rejected (NDR?). Then we tried our second idea, which was to set a fake smart host on the cost 1 connector (abc.com) of 1.1.1.1. We were hoping now that when we sent mail to abc.com it would get stuck in the queue trying to find that smart host and not get rerouted to the second option. It still was rerouted to the other connector and flowed out through our real smart host just fine. How can I block traffic to a specific domain like this?
November 3rd, 2009 11:13pm

Why not just create a dedicated SMTP connector just for those domains that need TLS and have it set for DNS? (You don't need to scan outbound mail for SPAM, do you?)
http://support.microsoft.com/kb/329061 - Exchange Server cannot communicate with non-TLS domains
http://support.microsoft.com/kb/829721 - How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server
November 3rd, 2009 11:42pm

Honestly it seemed a bit more complicated to set up the TLS on the exchange side of things. Getting a cert and all of the stuff outlined in the KB. With the spam filter we basically just checked a box and typed in the domain. If there isn't a way to do it as I had described above we may look at doing it this way, but only as a last choice. The other benefit of using the spam filter's TLS support is that it is sending/receiving email over TLS for all remote domains that support it. Basically it's an added security benefit for quite a bit of mail coming in and out.
November 3rd, 2009 11:45pm

Yep, understand. It's using opportunistic TLS. But if you have remote domains that require TLS, then setting up a specific connector for them will ensure it always goes out using that connector.
November 4th, 2009 12:00am

Thanks, we'll consider. Does it mean that there isn't a way to do it how we were/are originally attempting? That is, using a lower cost connector for that domain and rejecting all, or sending them to a fake smart host?
November 4th, 2009 12:04am

Connectors are funny things. Exchange 2003 will send messages through an SMTP connector for a defined SMTP namespace if it exists rather than over the * namespace connector. However, when you add sender or scope or message restrictions to that connector, the routing logic will take that into consideration and may not use that connector, preferring the one that doesn't have the restrictions. (There are some ways to mitigate this for preventing some users from sending to the internet - that's another thread.) Needless to say, trying to outsmart the routing engine usually doesn't work and produces unexpected results. The alternative of course to creating an SMTP connector just for those TLS domains is to make sure your appliance doesn't freeze up, or build the redundancy there instead of in the SMTP connectors.
More info:
http://technet.microsoft.com/en-us/library/aa998800(EXCHG.65).aspx - Exchange Server 2003 Message Routing
November 4th, 2009 12:24am

We decided that we still don't want to delve into setting up TLS on the server (Exchange) side. It's working very well on the firewall side. If creating an SMTP connector with reject settings for the domain doesn't work, is it possible to set up a second virtual server (which won't go anywhere) and point the connector at that?
November 10th, 2009 9:50pm

We found the right solution for us. We made an SMTP connector just for the domain in question. It has two smart hosts listed in the connector. The first is our spam filter, the second a fake smart host, 1.1.1.1. Because the namespace is specific, all mail for said domain is routed through this connector and ignores our main connector to the spam filter (* namespace). Thus, if the smart host stops responding, mail for this domain will still flow through this connector, but to the second smart host, where it will die in the queue. Normal mail will fail over to our third connector, the * namespace straight out to the internet via DNS.
November 17th, 2009 8:32pm
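To make the routing reasoning in this thread concrete, here is an added simulation (not code from the thread or from Exchange) of the connector-selection behaviour the replies describe: a connector whose address space names the recipient domain beats the * connectors, and within the matching group the lowest cost is tried first, with failover only inside that group. It compares the original two-connector layout with the final layout (domain-specific connector listing the appliance and then the unreachable 1.1.1.1 smart host) and reports which TLS-only domains would leave in the clear during an appliance outage. The host names, the recipient addresses and the reachability table are constructed assumptions; the model is a simplification and not Exchange's actual routing engine.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Simplified model of the routing behaviour described in the thread.
# Constructed for illustration only; it is not Exchange's routing engine.


@dataclass
class Connector:
    name: str
    address_space: str                                     # "*" or one specific domain
    cost: int
    smart_hosts: List[str] = field(default_factory=list)   # empty list = deliver via DNS


def matching_connectors(connectors: List[Connector], domain: str) -> List[Connector]:
    """Specific address space wins over '*'; within the group, lowest cost first."""
    specific = [c for c in connectors if c.address_space.lower() == domain.lower()]
    group = specific or [c for c in connectors if c.address_space == "*"]
    return sorted(group, key=lambda c: c.cost)


def route(connectors: List[Connector], recipient: str, host_up: dict) -> Tuple[Optional[str], str]:
    """Return (connector name, next hop). host_up maps smart host -> reachable (constructed)."""
    domain = recipient.rsplit("@", 1)[1]
    group = matching_connectors(connectors, domain)
    for c in group:
        if not c.smart_hosts:
            return (c.name, "dns")
        for host in c.smart_hosts:
            if host_up.get(host, False):
                return (c.name, host)
    # No reachable path inside the matching address space: mail stays in the queue
    # rather than falling back to a less specific connector.
    return (group[0].name if group else None, "queued")


def plaintext_risk(connectors: List[Connector], host_up: dict, tls_only_domains: List[str]) -> List[str]:
    """Domains whose mail would leave straight via DNS, bypassing the appliance's TLS."""
    return [d for d in tls_only_domains
            if route(connectors, f"hr@{d}", host_up)[1] == "dns"]


APPLIANCE = "spamfilter.internal"   # constructed name for the spam/TLS appliance
SINKHOLE = "1.1.1.1"                # the unreachable smart host from the thread
TLS_ONLY = ["abc.com"]              # the thread's test domain, standing in for the HR partner

# Original layout: two "*" connectors, appliance first, DNS second.
ORIGINAL = [
    Connector("Internet via appliance", "*", 1, [APPLIANCE]),
    Connector("Internet via DNS", "*", 2),
]

# Final layout from the thread: a domain-specific connector listing the appliance and
# then the sinkhole, so an appliance outage parks the mail instead of rerouting it.
FINAL = ORIGINAL + [
    Connector("abc.com TLS only", "abc.com", 1, [APPLIANCE, SINKHOLE]),
]


def scenario(connectors: List[Connector], appliance_up: bool) -> dict:
    """Route one TLS-only recipient and one ordinary recipient under the given appliance state."""
    host_up = {APPLIANCE: appliance_up, SINKHOLE: False}
    return {
        "abc.com": route(connectors, "hr@abc.com", host_up),
        "other": route(connectors, "someone@example.net", host_up),
        "at_risk": plaintext_risk(connectors, host_up, TLS_ONLY),
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("final", FINAL)):
        for up in (True, False):
            state = "appliance up" if up else "appliance DOWN"
            print(f"{label:8} {state:14} {scenario(cfg, up)}")
```

Running it shows the difference the last post relies on: with the original layout an appliance outage sends abc.com mail out via DNS (listed under at_risk), while with the final layout that mail is queued on the domain-specific connector and only ordinary mail fails over to the DNS connector.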
