MAIL
When DNS blacklist filters are enabled, for each incoming SMTP connection Domino performs a DNS query against the blacklists at the specified sites. If a connecting host is found on the list, Domino reports the event in a console message and in an entry to the Mail Routing Events view of the Notes Log. Both the console message and log entry provide the host name and IP address of the server, and the name of the site where the server was listed.
In addition to logging the event, you can configure Domino to reject messages from hosts on the blacklist or to add a special IBM® Lotus® Notes® item to flag messages accepted from hosts on the list.
Specifying the DNS blacklist sites to check
After you enable the DNS blacklist filters, you can specify the site or sites the SMTP task uses to determine if a connecting host is a "known" open relay or spam source. Specify sites that support IP-based DNS blacklist queries.
If Domino finds a match for a connecting host in one of the blacklists, it does not continue checking the lists for the other configured sites.
For performance reasons, it's best to limit the number of sites because Domino performs a DNS lookup to each site for each connection.
You can choose from a number of publicly available and private, paid subscription services that maintain DNS blacklists. When using a public blacklist service, Domino performs DNS queries over the Internet. In some cases, it may take a significant amount of time to resolve DNS queries submitted to an Internet site. If the network latency of DNS queries made over the Internet results in slowed performance, consider contracting with a private service that allows zone transfer, so that Domino can perform the required DNS lookups to a local host. During a zone transfer, the contents of the DNS zone file at the service provider are copied to a DNS server in the local network.
Each blacklist service uses its own criteria for adding servers to its list. Blacklist sites use automated tests and other methods to confirm whether a suspected server is sending out spam or acting as an open relay. The more restrictive blacklist sites add servers to their list as soon as they fail the automated tests and regardless of whether the server is verified as a source of spam. Other less restrictive sites list a server only if its administrator fails to close the server to third-party relaying after a specified grace period or if the server plays host to known spammers.
By searching the Internet, you can find Internet sites that provide periodic reports on the number of entries in various DNS blacklist services.
Hosts that are exempt from DNS blacklist checks
To avoid unnecessary DNS lookups, Domino performs DNS blacklist checks only on hosts that are subject to relay checks, as specified in the SMTP inbound relay restrictions. Any host that is authorized to relay is exempt from blacklist checks. For example, by default, Domino enforces the inbound relay restrictions only for external hosts (Router/SMTP - Restrictions and Controls - SMTP Inbound Controls - Perform Anti-Relay enforcement for these connecting hosts). If the default setting is used, internal hosts are not subject to relay controls and thus are also exempt from blacklist checks.
For more information on configuring relay enforcement, refer to the topic Setting inbound relay controls to prevent unauthorized mail relaying.
Specifying how Domino handles connections from hosts found in a DNS blacklist
You can configure IBM® Lotus® Domino™ to take the following actions when it finds a connecting host on one of the blacklists:
When tagging messages, Domino adds a special Note item to messages received from hosts found on a blacklist. After Domino determines that a connecting host is on the blacklist, it adds the Note item, $DNSBLSite, to each message it accepts from the host before depositing the message in MAIL.BOX. The value of a $DNSBLSite item is the blacklist site in which the host was found. Administrators can use the $DNSBLSite note item to provide custom handling of messages received from hosts listed in a blacklist. For example, you can test for the presence of the item through the use of formula language in an agent or view and provide conditional handling of messages that contain the item, such as moving the messages to a special database.
When considering what action to take when Domino finds a host on the blacklist, choose an action that's consistent with the policies of the DNS blacklist site you use. For instance, if the service you use is very restrictive, its blacklist may include "false positives"; that is, it may blacklist hosts that are not known sources of spam. As a result, if you take the action of rejecting mail from any host found on the blacklist, it could prevent the receipt of important messages.
Use restraint when taking action, particularly if you use the blacklist of a more restrictive site. The action you select applies to each of the specified blacklist sites. That is, you cannot configure Domino to deny connections for hosts found on one site's list and log the event only for hosts found on another site's list.
DNS blacklist statistics
The SMTP task maintains statistics that track the total number of connecting hosts that were found on the combined DNSBL of all sites combined, as well as how many were found on the DNSBL of each configured site. Because the statistics are maintained by the SMTP task, they are cumulative for the life of the task only and are lost when the task stops.
You can view the statistics from the Domino Administrator or by using the SHOW STAT SMTP command from the server console. You can further expand the statistics to learn the number of times a given IP address is found on one of the configured DNSBLs. To collect the expanded information, you set the variable SMTPExpandDNSBLStats in the NOTES.INI file on the server. Because of the large numbers generated by the expanded set of statistics, Domino does not record the expanded statistics by default.
Note Domino uses IP version 4 (IPv4) addresses when querying DNS blacklist sites to find out if a connecting host is listed. If the connecting host has an IP version 6 (IPv6) address, Domino skips the DNSBL check for that host.
Changing the default error message
When denying a blacklisted host, Domino returns to it a default SMTP response, which includes the remote host's IP address and the blacklist site that listed the host. You can customize this response in the "Custom error message for denied hosts" field in the Configuration Settings document. The text of a customized response can include the string format specifier "%s" to represent a denied host's IP address and the DNSBL site where the host was found. Refer to the table in the following procedure for more information.
To enable DNS blacklist filters
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers where you want to enable DNS blacklist filters, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
6. Complete the following fields in the DNS Blacklist Filters section, and then click Save & Close:
You can use the format specifier "%s" to specify the IP address of the denied host and the DNS blacklist site where Domino found the host listed. For example, if you enter the following:
Your host %s was found in the DNS Blacklist at %s
whenever Domino denies a connection, it returns an error to the host, in which it replaces the first instance of "%s" with the IP address of the host, and the second instance with the DNS blacklist site name. Thus, if you entered the text in the preceding example, a denied host receives an error such as:
Your host 127.0.0.2 was found in the DNS Blacklist at blackholes.mail-abuse.org
See also