Lotus Domino Administrator 8 Help - Setting inbound relay controls

MAIL

Setting inbound relay controls
To block relays to a specific domain or from a specific host, set restrictions in the inbound relay controls on the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab of the Configuration Settings document.

Use the inbound relay controls to define:

The destination domains to which you allow and deny relays
The originating hosts from which you allow and deny relays

In determining whether to allow a relay, IBM® Lotus® Domino™ checks the original sender, not just the last hop domain. This prevents people from routing from a denied source through an accepted one to your domain.

Note SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

To set inbound relay controls

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to administer and click Edit Configuration.

5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Relay Controls section, and then click Save & Close:

Inbound Relay Controls

Field Enter

Allow messages to be sent only to the following external Internet domains Internet domains to which Domino can relay messages. Domino relays messages to recipients in the specified domains only. Messages for recipients in other external Internet domains are denied.
For example, if you enter abc.com and xyz.com in this field, Domino accepts only messages to recipients with addresses that end in abc.com or xyz.com domains. Messages for recipients in other domains are denied.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com the server relays messages only if the domain part of the address matches xyz.com exactly, such as User@xyz.com. Messages to addresses in other domains that end in xyz.com, such as User@uvwxyz.com or User@abc.xyz.com, are denied.
Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be sent; for example, enter %AcmeEast to specify that the server can send mail to the Domino domain AcmeEast.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name AllowMail is valid, but the groups named Allow.iris.com or Allowmail@iris are not.

Deny messages to be sent to the following external Internet domains Internet domains to which Domino will not relay messages. An asterisk (*) in this field prevents Domino from relaying messages to any external Internet domain.
Domino denies only messages destined for recipient addresses in the specified domains. All other messages may relay.
For example, if you enter abc.com in the field, Domino relays messages to recipients in all external Internet domains except abc.com. Domino denies messages for recipients in the abc.com domain.
To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com, the server rejects messages addressed to users if the domain part of the address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to other domains that end in xyz.com, such as user@server.xyz.com.
Prefix a percent sign (%) to specify a Domino domain name; for example, entering %AcmeEast specifies the Domino domain AcmeEast. This lets you prevent SMTP users from sending mail to certain internal Domino domains or even foreign domain servers, such as FAX systems.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.

Allow messages only from the following Internet hosts to be sent to external Internet domains Specifies the hosts or domains that the Domino SMTP service allows to relay outbound Internet mail. If this field contains valid entries, Domino allows only servers matching these entries to relay. Message relays from other servers are denied. You can specify individual host names or a group name.
Enter host names or IP addresses to designate the sites that are authorized to use Domino to relay messages to recipients outside your local Internet domain. For example, if you enter lotus.com or ibm.com in the field, Domino accepts messages for recipients in external Internet domains only from servers with host names that end in lotus.com or ibm.com. Domino rejects messages for external recipients from any server not listed in this field.

Deny messages from the following Internet hosts to be sent to external Internet domains Specifies the hosts or domains that the Domino SMTP service does not allow to relay outbound Internet mail. If this field contains valid entries, Domino denies message relays from servers matching those entries. Domino allows message relays from all other servers. You can specify individual host names or a group name.
Enter host names or IP addresses to designate the sites that cannot use Domino to relay messages to recipients outside the local Internet domain.
For example, you enter lotus.com in the field. Domino accepts messages to recipients in external Internet domains from all servers except those with host names ending in lotus.com. Domino denies messages to recipients in external Internet domains from servers in the lotus.com domain.
An asterisk (*) in this field prevents Domino from relaying messages from any host subject to the relay controls.

7. Reload the SMTP task, or update the SMTP configuration to put the changes into effect.

You can use an asterisk (*) to indicate "all domains." For example, putting * in an Allow field allows all hosts in all domains to perform that operation.
Wildcards may be used in place of an entire subnet address; for example, [127.*.0.1]. Wildcards are not valid for representing values in a range -- for example, the entry [123.234.45-*.0-255] is not valid because the asterisk is used to represent the high-end value of the range that begins with 45.
When entering multiple addresses, separate them with carriage returns; after the document is saved, Domino automatically reformats the list, inserting semicolons between the entries.
When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].

How Domino resolves conflicts between settings in the inbound relay controls

When there is a conflict between the allowed and denied relay destinations, and the allowed/denied relay sources, the entry in the "Allow" field takes precedence. Thus, a host that you explicitly allow to relay can always relay to any destination, including denied destinations. Similarly, if you allow relays to a given domain, all hosts can relay to that destination, including hosts to which you have explicitly denied relaying. Denied hosts cannot relay to domains other than those that you specifically list in the Allow field. The following table provides several examples of how Domino resolves conflicts between entries in the Allow and Deny fields of the Inbound relay controls.

Example of conflict between an allowed relay destination and denied relay source

Field Entry Results of settings

Allow messages to be sent only to the following external internet domains: xyz.com All hosts can relay to xyz.com, including smtp.efg.com, which is a denied host.

Deny messages from the following internet hosts to be sent to external internet domains: (* means all) smtp.efg.com smtp.efg.com cannot relay to any destination, except xyz.com, which is explicitly allowed.

Example of conflict between a denied relay destination and allowed relay source

Field Entry Results of settings

Deny messages to be sent to the following external internet domains: (* means all) qrs.com No relays are allowed to qrs.com, except relays originating from relay.abc.com, which is specifically allowed.

Allow messages only from the following internet hosts to be sent to external internet domains: relay.abc.com Relay.abc.com can relay to any destination, including qrs.com, which is a denied destination.

Note This differs from the behavior of Domino Release 5, where if you denied relays to a destination domain, an allowed source host could not relay to the denied domain, and a denied source could not relay to any destination. You can revert to the Release 5 behavior by setting the variable in the NOTES.INI file.

Example of conflict between allowed and denied relay destinations
If the same entry is placed in the list of allowed and denied destinations, or the list of allowed and denied sources, Domino honors the entry in the Deny list. For example, Domino rejects relays to xyz.com if you configure the relay controls as follows:

Field Entry

Allow messages to be sent only to the following external internet domains: xyz.com, abc.com, qrs.com

Deny messages to be sent to the following external internet domains: (* means all) xyz.com

See also

Preventing unauthorized SMTP hosts from using Domino as a relay

Open relays

Specifying enforcement of inbound relay controls

How inbound anti-relay settings control message transfer to external Internet domains

Enabling DNS blacklist filters for SMTP connections

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Inbound Relay Controls
Field	Enter
Allow messages to be sent only to the following external Internet domains	Internet domains to which Domino can relay messages. Domino relays messages to recipients in the specified domains only. Messages for recipients in other external Internet domains are denied. For example, if you enter abc.com and xyz.com in this field, Domino accepts only messages to recipients with addresses that end in abc.com or xyz.com domains. Messages for recipients in other domains are denied. To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com the server relays messages only if the domain part of the address matches xyz.com exactly, such as User@xyz.com. Messages to addresses in other domains that end in xyz.com, such as User@uvwxyz.com or User@abc.xyz.com, are denied. Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be sent; for example, enter %AcmeEast to specify that the server can send mail to the Domino domain AcmeEast. Group entries cannot contain a domain part or dot ('.'). For example, the group with the name AllowMail is valid, but the groups named Allow.iris.com or Allowmail@iris are not.
Deny messages to be sent to the following external Internet domains	Internet domains to which Domino will not relay messages. An asterisk (*) in this field prevents Domino from relaying messages to any external Internet domain. Domino denies only messages destined for recipient addresses in the specified domains. All other messages may relay. For example, if you enter abc.com in the field, Domino relays messages to recipients in all external Internet domains except abc.com. Domino denies messages for recipients in the abc.com domain. To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com, the server rejects messages addressed to users if the domain part of the address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to other domains that end in xyz.com, such as user@server.xyz.com. Prefix a percent sign (%) to specify a Domino domain name; for example, entering %AcmeEast specifies the Domino domain AcmeEast. This lets you prevent SMTP users from sending mail to certain internal Domino domains or even foreign domain servers, such as FAX systems. Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
Allow messages only from the following Internet hosts to be sent to external Internet domains	Specifies the hosts or domains that the Domino SMTP service allows to relay outbound Internet mail. If this field contains valid entries, Domino allows only servers matching these entries to relay. Message relays from other servers are denied. You can specify individual host names or a group name. Enter host names or IP addresses to designate the sites that are authorized to use Domino to relay messages to recipients outside your local Internet domain. For example, if you enter lotus.com or ibm.com in the field, Domino accepts messages for recipients in external Internet domains only from servers with host names that end in lotus.com or ibm.com. Domino rejects messages for external recipients from any server not listed in this field.
Deny messages from the following Internet hosts to be sent to external Internet domains	Specifies the hosts or domains that the Domino SMTP service does not allow to relay outbound Internet mail. If this field contains valid entries, Domino denies message relays from servers matching those entries. Domino allows message relays from all other servers. You can specify individual host names or a group name. Enter host names or IP addresses to designate the sites that cannot use Domino to relay messages to recipients outside the local Internet domain. For example, you enter lotus.com in the field. Domino accepts messages to recipients in external Internet domains from all servers except those with host names ending in lotus.com. Domino denies messages to recipients in external Internet domains from servers in the lotus.com domain. An asterisk (*) in this field prevents Domino from relaying messages from any host subject to the relay controls.

Field	Entry	Results of settings
Allow messages to be sent only to the following external internet domains:	xyz.com	All hosts can relay to xyz.com, including smtp.efg.com, which is a denied host.
Deny messages from the following internet hosts to be sent to external internet domains: (* means all)	smtp.efg.com	smtp.efg.com cannot relay to any destination, except xyz.com, which is explicitly allowed.