I understand that you want mail to be rejected for all but 2 Recipient users/domains.  You also want to declare the users/domains via a Filter instead of in the RAT.  This is not recommended, here is why:

- If you set the RAT to  'All Other Recipients' to 'Accept', other hosts may believe the ESA is an 'Open Relay' and may refuse mail from its IP.

- Bouncing mail after acceptance can cause 'backscatter' emails.  This is where a mail server redistributes spam via bounces and it will cause some hosts to reject your mail.

- If done incorrectly, can cause valid mail to bounce.

- If done incorrectly, can make your ESA an Open Relay that can be abused by others.

---
If you still wish to proceed knowing that the above risks, here are the high-level steps:

1) Set 'All Other Recipients' to 'Accept' in RAT

2) Create a new Incoming Mail Policy
 - Add the valid users and/or domains to this new Policy

3) Create new Incoming Content Filter:
 - Rule: leave empty
 - Action: Bounce

4) Disable all scanning on Default Incoming Mail Policy

5) Apply the new Filter to the Default Incoming Mail Policy

6) Verify that the new Incoming Mail Policy has appropriate scanning enabled
---

This method works by accepting all mail sent to the ESA, even if it is for a domain you do not control or for an invalid recipient for a domain you do control.  When the messages reach the Incoming Mail Policies, valid recipients will match on the new Policy while every other address matches the Default Incoming Mail Policy.  Using the Policies in this way is required so that the message is 'splintered' before processing through most scanning features.  Now only users/domain that do not match your new Policy will be Bounced by the Content Filter.

Again, I wish to stress that I do _not_ recommend this approach: it is far safer to simply list the valid users or domains directly in the RAT.

- Jackie