MAIL


Specifying enforcement of inbound relay controls
When you first create a Configuration Settings document for a server, by default, the SMTP inbound relay controls, or anti-relay settings, apply to all external hosts only, that is, to hosts that are not located in the local Internet domain. After you set inbound relay controls, you can customize how IBM® Lotus® Domino™ applies them by selecting inbound relay enforcement options.

The available options allow you to specify how strictly to enforce the relay controls by letting you exempt certain hosts from enforcement. You can exempt hosts from relay enforcement based on:

Applying relay restrictions to internal hosts

By default, Domino enforces anti-relay settings for external hosts only. Internal hosts are exempt from anti-relay checks so Domino does not consider an internal host as a possible relay, even if it's explicitly listed in the Inbound relay controls' "Deny messages from the following Internet hosts to be sent to external Internet domains" field.

Depending on your environment, you may want to extend the scope of enforcement by applying relay restrictions to both internal and external hosts. This is equivalent to setting the variable SMTPAllHostsExternal=1 in the NOTES.INI file.

Applying relay enforcement to internal hosts lets you achieve more secure and controlled routing. For example, you can configure your Domino SMTP server so that only other Domino mail servers are allowed to relay. By doing so you can prevent internal users who run other mail clients (for example, POP or IMAP clients), as well as servers in other internal mail systems, from using the Domino SMTP server to send mail to the Internet.

You might also enable relay enforcement for internal hosts if you have a Domino SMTP server that receives mail from a dual-interface firewall server. For security purposes, some organizations may not connect their Domino SMTP servers directly to the Internet, choosing instead to set up an internal SMTP relay host or firewall to receive Internet mail destined for the organization's Internet domain. The relay or firewall then routes the mail to a Domino SMTP server, which, in turn, transfers it to the organization's internal mail servers.

A host in the local Internet domain can always relay to external Internet domains unless it is explicitly denied by an entry in the field "Deny messages from the following internet hosts to be sent to external internet domains."

If the internal relay or the firewall does not implement its own relay controls, the Domino SMTP server may then receive mail that is not destined for a local user. If the Domino server is set up to perform anti-relay enforcement on external hosts only, then mail received from the internal relay or firewall is not subject to the Inbound Relay Controls because the sending system, the relay or the firewall, belongs to the same local Internet domain. Thus, when the Router determines that the Internet address listed in the RCPT TO command has no match in the $Users view in the Domino Directory, it routes the message back out to the Internet.

Note SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

Allowing relays from authenticated users connecting from outside the local domain

By default, if you deny relaying for a domain or set of domains (for example, all external domains), all hosts in the denied domains are subject to the relay controls. This level of restriction prevents remote IMAP or POP3 clients that connect to Domino by way of Internet service providers (ISPs) in external domains from sending outbound Internet mail because Domino does not recognize the source of the message as a valid relay origin.

To ensure that Domino allows POP3 or IMAP users to send outbound Internet mail, you can customize relay enforcement to allow all authenticated users to relay. After the Domino SMTP listener determines that a connecting host has been authenticated, it treats the connection as though it originated from a local user and exempts it from the Inbound relay controls.

Specifying enforcement exceptions based on host name or IP address

By default, after you deny relaying for a domain, all hosts in that domain are subject to the relay controls. You can customize relay enforcement to allow specific clients or servers in a domain to relay by entering host names or IP addresses in the field "Exclude these connecting hosts from anti-relay checks." For each specified exception, Domino does not enforce the inbound relay controls. Use exceptions to allow hosts outside the local Internet domain to use the Domino SMTP server as a relay to send and receive their mail from the Internet, while still preventing Domino from being used as an open relay by unauthorized Internet hosts.

Note Because many ISPs use the dynamic host control protocol (DHCP) to assign IP addresses to each connecting user, a user's IP address may differ from session to session. As a result, specifying enforcement exceptions based on host name or IP address is not effective for ensuring relay access for IMAP and POP3 users who connect to Domino from an ISP. To ensure relay access for these users, enable enforcement exceptions for authenticated users.

To specify relay enforcement

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.

5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Relay Enforcement section, and then click Save & Close:
Inbound Relay Enforcement
FieldDescription
Perform Anti-relay enforcement for these connecting hostsSpecifies the connections for which the server enforces the inbound relay controls. Choose one:
  • External hosts (default) - The server applies the inbound relay controls only to hosts that connect to it from outside the local Internet domain. Hosts in the local Internet domain are exempt from anti-relay restrictions. The local Internet domain is defined by either a Global Domain document, if one exists, or as the Internet domain of the host server.
  • All connecting hosts - The server applies the Inbound relay controls to all hosts attempting to relay mail to external Internet domains.
  • None - The server ignores the settings in the Inbound relay controls. All hosts can always relay.
Exceptions for authenticated usersSpecifies whether users who supply login credentials when connecting to the server are exempt from enforcement of the inbound relay controls. Choose one:
  • Perform anti-relay checks for authenticated users - The server does not allow exceptions for authenticated users. Authenticated users are subject to the same enforcement as non-authenticated users.
  • Allow all authenticated users to relay - Users who log in with a valid name and password are exempt from the applicable inbound relay controls. Use this to enable relaying by POP3 or IMAP users who connect to the network from ISP accounts outside the local Internet domain.
Exclude these connecting hosts from anti-relay checksYou create an exceptions list containing the IP addresses or host names of hosts that relay to any permitted domain. For each specified exception, the inbound relay controls will not be enforced. Enter the IP addresses or host names of hosts to be exempted from the restrictions specified in the Inbound relay controls section. You can also enter group names in this field.

When entering an IP address, enclose it within square brackets; for example, [127.0.0.1]. You can use wildcards to represent an entire subnet address, but not to represent values in a range. For example, [127.*.0.1] is valid; [123.123.12-*.123] is not.

7. Reload the SMTP task or update the SMTP configuration to put changes into effect.

See also