Exchange 2007 DL (Internal Only)
Hey All - I need to lock down a DL for internal users only.. Problem is I cannot use "Require that all senders are authenticated" because internal relays outside of Exchange still need to send to it i.e. UNIX servers.
Ideas?
January 15th, 2010 4:56pm
Do your Hub Transport servers receive external (internet) email directly, or do you have Edge Transport servers or some other type of bastion host that it comes through?
January 15th, 2010 5:46pm
HT receives\sends external mail from Edge
January 15th, 2010 5:51pm
http://technet.microsoft.com/en-us/library/aa998898(EXCHG.80).aspx
Configuring Recipient Filtering
January 15th, 2010 6:09pm
Assuming your Unix servers are on the internal network and sending directly to the HT servers, I think you can set up a transport rule to bounce or drop emails to that DL coming from the internet by checking for the hostnames or ip addresses of the Edge Transport servers in the Received headers.
January 15th, 2010 6:10pm
Cool.. I think I figured it out.. transport rule on Edge will suffice.. I assume I need to create the rule on each Edge?
January 15th, 2010 6:46pm
Yes, you'll need to do it on both Edge servers. Use the "recipient address contains specific words", or "recipient address contains text patterns" conditions, and put in the smtp address of the DL.
January 15th, 2010 6:54pm
I went with recipient address contains specific words "dl smtp address" reject with 550 not auth except for when inside the org
January 15th, 2010 7:07pm
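The rule the thread settles on, written out for the Exchange 2007 Management Shell on an Edge Transport server. This is an added example, not a command posted by anyone in the thread; the rule name, the DL address `internal-dl@example.com` and the reject text are placeholders.

```powershell
# Run on each Edge Transport server (Edge rules are local to the server).
# Placeholder values: rule name, DL address and reject text are assumptions.

# Condition: any recipient address contains the DL's SMTP address.
$condition = Get-TransportRulePredicate AnyOfRecipientAddressContains
$condition.Words = @("internal-dl@example.com")

# Exception: the sender is inside the organization.
$exception = Get-TransportRulePredicate FromScope
$exception.Scope = "InOrganization"

# Action: reject at SMTP time with a 550 status.
$action = Get-TransportRuleAction SmtpRejectMessage
$action.StatusCode = "550"
$action.RejectReason = "Not authorized to send to this recipient"

New-TransportRule -Name "Block external mail to internal DL" `
    -Conditions @($condition) `
    -Exceptions @($exception) `
    -Actions @($action)

# Confirm the rule exists and is enabled on this server.
Get-TransportRule "Block external mail to internal DL" | Format-List Name, Enabled, Conditions, Exceptions, Actions
```

After creating the rule, send a test message to the DL from an external mailbox and from one of the internal relays to confirm the first is rejected with 550 and the second is delivered.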