CONFIGURING
To prevent your mail system from accepting unwanted mail, Domino® provides a set of controls that let you restrict incoming SMTP connections. The Inbound Connection controls let you specify whether Domino checks the names of connecting hosts in DNS or, if by host name or IP address, the remote hosts from which the server allows and denies connections.
About this task
To determine whether a connection attempt is allowed or denied, the Domino SMTP task first checks the remote host's IP address, which the server's TCP/IP stack reads from the incoming IP packet headers. If the IP address does not match any entry in the Inbound Connection control fields, the SMTP task performs a second check, querying DNS to obtain the host name for the given address. If the query is successful, Domino compares the name obtained against the host names in Allow and Deny fields.
If you create a separate Configuration Settings document for your internal SMTP servers, you can use the inbound connection controls to ensure that these internal servers accept SMTP connections from specific SMTP hosts only. For example, configure servers to allow SMTP connections only from servers that receive mail from the Internet. Restricting connections in this way prevents users with POP3 or IMAP clients from sending mail through the server, helps you define valid outbound routing paths, and limits the load on the server.
Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.
In addition to these inbound connection controls, Domino provides two other means for blocking connections:
DNS blacklist filters enable a server to check a host against one or more blacklists during the SMTP conversation. If a connecting host matches an entry in a blacklist, you can configure the server to reject the connection, tag any received messages, or record the transaction in the Notes® Log.
Extension Manager (EM) services allow developers to access some functions of the SMTP Listener task. The Extension Manager (EM) allows an executable program library, such as a dynamic link library or shared object library, to register a callback routine that will be called before, after, or before and after Domino performs selected internal operations. Using EM hooks in the SMTP Listener can extend current functionality by providing:
For additional information on the Extension Manager and registering callback routines, see the Lotus® C API Toolkit for Notes/Domino, listed in the Additional documentation resources topic linked from the related references at the end of this topic.
Procedure
1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls tab.
6. Complete these fields in the Inbound Connection Controls section and then click Save & Close.
Enter IP addresses in brackets -- for example, [192.168.10.17].
Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and imply the existence of a wildcard. That is, if you enter:
If you specify host name entries, each time a host connects, Domino checks DNS for a PTR record for the connecting host. If Domino cannot resolve the IP address to a host name because DNS is unavailable or no PTR record exists, no mail is accepted from the connection.
Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and use an implied wildcard. That is, if you enter:
The entry abc.com does not prevent connections from xyzabc.com.
Do not use a leading dot (.) in an entry; for example, .abc.com. Because Domino does not match the leading dot, the entry .abc.com does not prevent connections originating from the domain abc.com.
Restricting the total number of inbound SMTP sessions
By default, the SMTP service supports an unlimited number of inbound sessions; that is, as many connections as the server's resources physically permit. To restrict the number of concurrent SMTP sessions that a server accepts, set the variable SMTPMaxSessions in the server's NOTES.INI file, where xxx is the maximum number of sessions allowed without any buffering. When the specified number of inbound SMTP connections is reached, the server refuses additional connections and returns the following error:
421 Server.domain.com SMTP service not available, closing transmission channel
Related concepts Customizing SMTP Routing Restricting SMTP inbound routing
Related tasks Enabling DNS blacklist filters for SMTP connections Creating a Configuration Settings document Stopping and starting the Domino SMTP service Updating the SMTP configuration Restricting mail routing based on domain, organization, and organizational unit Restricting who can send Internet mail to your users Restricting users from receiving Internet mail Supporting inbound SMTP extensions Setting server mail rules