XADM: Mail Delivery Is Slow if Recipients Are Configured with Delivery Restrictions Based on Group Membership

When you send an e-mail message to a user or group that has a delivery restriction, mail delivery may be slower than you expect. In some cases, messages may remain in the Exchange message categorizer from several minutes to several hours before delivery.

This problem may occur if you configure delivery restrictions on that user or group to reject messages based on distribution group or universal security group membership. For example, you click From everyone except under Message restrictions on the Exchange General tab of the user account or distribution group properties, and then add a distribution group to the exception list.

When you send an e-mail message to a recipient that is configured with a restriction that rejects messages from members of a particular distribution group or security group, Exchange 2000 Server must expand that group to make sure that the sender is not a member of the restricted group. The results of this group expansion are not cached by Exchange 2000 Server and must be performed each time. If you send a message to a group that contains many recipients, and each of those recipients is configured with a delivery restriction to reject messages from the members of a distribution group that contains many members, Exchange 2000 Server must expand the restricted distribution group one time for each member of the group to which you sent the message. Also, if a failure that can be retried occurs during this process, Exchange Server stops the group expansion process, and then retries the connection an hour later. This causes the messages to be held in the categorizer queues and may delay message processing.

To work around this problem, put the users whose messages you want to reject in a separate routing group, and then create a delivery restriction that is based on a connector restriction:

1. In Exchange System Manager, create a new routing group that contains all the users from which you want to restrict messages. For additional information about how to create a routing group, click the following article numbers to view the articles in the Microsoft Knowledge Base:
   266744 XADM: How to Create a Routing Group
   319416 HOW TO: Use Routing Group Connectors to Connect Routing Groups in Exchange 2000
2. Create an SMTP connector from the routing group that contains non-restricted users to the new routing group that contains the restricted users. This is to make sure that messages from unrestricted e-mail recipients are delivered to the restricted user's mailboxes successfully. To do so:
   1. Under the non-restricted routing group such as First Routing Group, right-click Connectors, point to New, and then click SMTP Connector.
   2. In the Name box, type a descriptive name. For example, type Allow messages to restricted users.
   3. Click Forward all mail through this connector to the following smart hosts, and then type the name or IP address of a smart host that resides in the restricted routing group. IP addresses must be enclosed in square brackets ( [] ).
   4. Under Local bridgeheads, click Add, click an SMTP virtual server from the non-restricted routing group, and then click OK.
   5. Click the Connected Routing Groups tab, and then click Add.
   6. In the Routing group list, click the restricted routing group, and then click OK.
   7. Click Apply, and then click OK.
3. Create an SMTP Connector from the restricted routing group to the unrestricted routing group. This is to prevent messages from restricted users from becoming backlogged in the destination unreachable queues in the restricted routing group. To do so:
   1. Under the restricted routing group, right-click Connectors, point to New, and then click SMTP Connector.
   2. In the Name box, type a descriptive name. For example, type Block messages to non-restricted users.
   3. Under Local bridgeheads, click Add, click an SMTP virtual server from the restricted routing group, and then click OK.
   4. Click Forward all mail through this connector to the following smart hosts, and then type the name or IP address of a smart host that is configured to delete or return the messages. For example, type the IP address enclosed in square brackets ([]) of the same server that you use as the bridgehead server. This has the effect of creating a loop and the messages are returned as undeliverable. Although this method does return the messages as undeliverable, the Non-Delivery Report (NDR) code would specify a loop as the reason for the undeliverable message instead of a delivery restriction.
   5. Click the Connected Routing Groups tab, and then click Add.
   6. In the Routing group list, click the non-restricted routing group, and then click OK.
   7. Click Apply, and then click OK.
4. Because the configuration of the routing group connector in step 3 prevents NDR messages and Delivery Status Notifications (DSN) that you may want to allow between these routing groups, modify the routing group connector in the restricted routing group so that it is not used for System messages:
   1. Right-click the new routing group SMTP Connector that you created in the restricted group, and then click Properties.
   2. Click the Content Restrictions tab, and then click to clear the System messages check box under Allowed types.
   3. Click Apply, and then click OK.
5. Create a second SMTP Connector in the restricted routing group to allow system messages:
   1. Under the restricted routing group, right-click Connectors, point to New, and then click SMTP Connector.
   2. In the Name box, type a descriptive name. For example, type Allow System messages.
   3. Click Forward all mail through this connector to the following smart hosts, and then type the name or IP address of a smart host that resides in the unrestricted routing group.
   4. Under Local bridgeheads, click Add, and then add an SMTP virtual server from the restricted routing group.
   5. Click the Content Restrictions tab, and then click to clear the Non-system messages check box.
   6. Click the Connected Routing Groups tab, and then click Add.
   7. In the Routing group list, click the non-restricted routing group, and then click OK.
   8. Click Apply, and then click OK.
6. To make it possible for the users in the restricted routing group to send e-mail messages over the Internet, create an additional lower-cost SMTP connector with the same address space as other Internet-bound connectors, but use the routing group as the connector scope:
   1. Under the restricted routing group, right-click Connectors, point to New, and then click SMTP Connector.
   2. In the Name box, type a descriptive name. For example, type Allow Internet access.
   3. Under Local bridgeheads, click Add, and then add an SMTP virtual server from the restricted routing group.
   4. Click the Address Space tab, click Routing group under Connector scope, and then click Add.
   5. Click SMTP, click OK, and then click OK.
      
      Note This step assumes the default SMTP address space of asterisk ( * ). Modify these settings to specify the address space that is used in your organization. The cost that is shown for this address space must be less than the cost of the other SMTP connectors that you created.
   6. Click Apply, and then click OK.

Note This workaround uses only routing as a means of delivery restriction and is scalable, independent from the number of users in the restricted routing group.

Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.

Service Pack 3 (SP3) for Exchange 2000 Server includes updates to the message categorizer that make it more fault tolerant. These updates make it less likely that large message categorizations fail. For information about how to obtain SP3 for Exchange 2000 Server, visit the following Web site: