Lotus Domino Administrator 8 Help - Restricting users from receiving Internet mail

MAIL

Restricting users from receiving Internet mail
IBM® Lotus® Domino™ provides SMTP intended recipient filters that let you control the users for whom the server accepts mail sent over SMTP connections. One filter triggers a directory lookup that enables the server to verify that an intended recipient exists before accepting a message. The other two filters let you explicitly specify the Internet addresses that can and cannot receive mail. To ensure that you don't unintentionally block desirable mail, use discretion when applying these settings.

During the SMTP conversation, the connecting host sends the Domino SMTP listener a RCPT TO command, which specifies the recipient's Internet address. Each of the Inbound Intended Recipient Controls works by examining the addresses specified as arguments to the RCPT TO command. For example, if you enable directory verification and the address specified in the RCPT TO command is in the local Internet domain, the SMTP listener refers to the Domino Directory to determine whether the address is valid. Messages for invalid addresses are rejected, preventing them from becoming "dead" messages in MAIL.BOX.

Note Because enabling this setting results in messages for recipients not found in the directory being rejected, do not use this setting in environments that require mail to be forwarded to a smart host for further processing.

The "Allow messages" setting lets you list Internet addresses that are allowed to receive mail. If the RCPT TO command contains one of the specified addresses, the SMTP listener accepts the message; messages for all other recipients are rejected. The "Deny messages" setting lets you explicitly deny mail to certain addresses. If the RCPT To command contains a denied address, the SMTP listener rejects the message, but messages for all other recipients are accepted.

Note If the server supports Local Part name lookups, users whose addresses are listed in the Deny field may still receive mail addressed to any alternate Internet addresses configured for them. To ensure greater control, specify the Internet address in each user's Person document and allow users to receive inbound mail destined for their fullname addresses only.

SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

For information on restricting how Domino looks up recipient names, see the topic Specifying how Domino looks up the recipients of incoming SMTP messages.

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.

5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Intended Recipients Controls section, and then click Save & Close:

Field Description

Verify that local domain recipients exist in the Domino Directory Specifies whether the SMTP listener checks recipient names specified in RCPT TO commands against entries in the Domino Directory
Choose one:

Enabled - If the domain part of an address specified in an SMTP RCPT TO command matches one of the configured local Internet domains, the SMTP listener checks all configured directories to determine whether the specified recipient is a valid user. If all lookups complete successfully and no matching user name is found, the SMTP server returns a 550 permanent failure response indicating that the user is unknown. For example:
550 bad_user@yourdomain.com ... No such user
Choosing this setting can help prevent messages sent to nonexistent users (for example, spam messages and messages intended for users who have left the organization) from accumulating in MAIL.BOX as dead mail.
To avoid messages from being rejected as a result of directory unavailability, Domino accepts messages when an attempted directory lookup does not complete successfully.
To avoid unnecessary directory lookups, Domino applies this setting only after performing all other configured SMTP inbound checks (inbound relay, sender, and recipient controls).
Note When this setting is enabled, and there is an entry in the field "Local Internet domain smart host", messages that cannot be resolved are not accepted; therefore, they will not be forwarded to the smart host. When this setting is enabled, and the field "Smart host is used for all local Internet domain recipients" is enabled, only those messages sent to recipients that can be resolved are accepted, and these will be forwarded to the smart host.

Disabled - (default) The SMTP listener does not check whether local domain recipients specified in the RCPT TO command are listed in the Domino Directory.

Allow messages intended only for the following Internet addresses Internet addresses that are within the local Internet domain and that are allowed to receive mail from the Internet. If you enter addresses in this field, only those recipients can receive Internet mail. Domino denies mail for all other recipients.
You can create a Notes group containing a list of addresses allowed to receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.

Deny messages intended for the following Internet addresses Internet addresses within the local Internet domain that are prohibited from receiving mail from the Internet. If you enter addresses in this field, all addresses except those listed in this field can receive Internet mail. Domino denies mail for only the addresses in this field.
You can create a Notes group containing a list of addresses that cannot receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.

Note

The SMTP listener accepts messages addressed to any variant of a user's name that is not explicitly denied and that is otherwise acceptable to Domino. For example, if you deny mail to Kieran.Campion@acme.com, a message addressed to Kcampion@acme.com may be accepted and delivered to the same user.

7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.

Note Be careful not to specify the same entry in an Allow field and a Deny field because Domino will deny messages for that entry. The Deny setting takes precedence for security reasons.

See also

Restricting SMTP inbound routing

Preventing unauthorized SMTP hosts from using Domino as a relay

Enabling DNS blacklist filters for SMTP connections

Restricting mail routing based on Domino domains, organizations, and organizational units

Restricting who can send Internet mail to your users

Restricting users from sending mail to groups listed in the Domino Directory

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Description
Verify that local domain recipients exist in the Domino Directory	Specifies whether the SMTP listener checks recipient names specified in RCPT TO commands against entries in the Domino Directory Choose one: Enabled - If the domain part of an address specified in an SMTP RCPT TO command matches one of the configured local Internet domains, the SMTP listener checks all configured directories to determine whether the specified recipient is a valid user. If all lookups complete successfully and no matching user name is found, the SMTP server returns a 550 permanent failure response indicating that the user is unknown. For example: 550 bad_user@yourdomain.com ... No such user Choosing this setting can help prevent messages sent to nonexistent users (for example, spam messages and messages intended for users who have left the organization) from accumulating in MAIL.BOX as dead mail. To avoid messages from being rejected as a result of directory unavailability, Domino accepts messages when an attempted directory lookup does not complete successfully. To avoid unnecessary directory lookups, Domino applies this setting only after performing all other configured SMTP inbound checks (inbound relay, sender, and recipient controls). Note When this setting is enabled, and there is an entry in the field "Local Internet domain smart host", messages that cannot be resolved are not accepted; therefore, they will not be forwarded to the smart host. When this setting is enabled, and the field "Smart host is used for all local Internet domain recipients" is enabled, only those messages sent to recipients that can be resolved are accepted, and these will be forwarded to the smart host. Disabled - (default) The SMTP listener does not check whether local domain recipients specified in the RCPT TO command are listed in the Domino Directory.
Allow messages intended only for the following Internet addresses	Internet addresses that are within the local Internet domain and that are allowed to receive mail from the Internet. If you enter addresses in this field, only those recipients can receive Internet mail. Domino denies mail for all other recipients. You can create a Notes group containing a list of addresses allowed to receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.
Deny messages intended for the following Internet addresses	Internet addresses within the local Internet domain that are prohibited from receiving mail from the Internet. If you enter addresses in this field, all addresses except those listed in this field can receive Internet mail. Domino denies mail for only the addresses in this field. You can create a Notes group containing a list of addresses that cannot receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.