CONFIGURING


Specifying enforcement of inbound relay controls

When you create a Configuration Settings document for a server, by default, the SMTP inbound relay controls, or anti-relay settings, apply to all external hosts only, that is, to hosts that are not located in the local Internet domain. After you set inbound relay controls, you can customize how Domino® applies them by selecting inbound relay enforcement options.

About this task

The available options allow you to specify how strictly to enforce the relay controls by letting you exempt certain hosts from enforcement. You can exempt hosts from relay enforcement based on:


Applying relay restrictions to internal hosts

About this task

By default, Domino enforces anti-relay settings for external hosts only. Internal hosts are exempt from anti-relay checks so Domino does not consider an internal host as a possible relay, even if it is explicitly listed in the Inbound relay controls Deny messages from the following Internet hosts to be sent to external Internet domains field.

Depending on your environment, you may want to extend the scope of enforcement by applying relay restrictions to both internal and external hosts. This is equivalent to setting the variable SMTPAllHostsExternal=1 in the NOTES.INI file.

Applying relay enforcement to internal hosts lets you achieve more secure and controlled routing. For example, you can configure your Domino SMTP server so that only other Domino mail servers are allowed to relay. By doing so you can prevent internal users who run other mail clients (for example, POP or IMAP clients), as well as servers in other internal mail systems, from using the Domino SMTP server to send mail to the Internet.

You might also enable relay enforcement for internal hosts if you have a Domino SMTP server that receives mail from a dual-interface firewall server. For security purposes, some organizations may not connect their Domino SMTP servers directly to the Internet, choosing instead to set up an internal SMTP relay host or firewall to receive Internet mail destined for the organization's Internet domain. The relay or firewall then routes the mail to a Domino SMTP server, which, in turn, transfers it to the organization's internal mail servers.

A host in the local Internet domain can always relay to external Internet domains unless it is explicitly denied by an entry in the field Deny messages from the following internet hosts to be sent to external internet domains.

If the internal relay or the firewall does not implement its own relay controls, the Domino SMTP server may then receive mail that is not destined for a local user. If the Domino server is set up to perform anti-relay enforcement on external hosts only, then mail received from the internal relay or firewall is not subject to the Inbound Relay Controls because the sending system, the relay or the firewall, belongs to the same local Internet domain. Thus, when the Router determines that the Internet address listed in the RCPT TO command has no match in the $Users view in the Domino Directory, it routes the message back out to the Internet.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

Allowing relays from authenticated users connecting from outside the local domain

About this task

By default, if you deny relaying for a domain or set of domains (for example, all external domains), all hosts in the denied domains are subject to the relay controls. This level of restriction prevents remote IMAP or POP3 clients that connect to Domino by way of Internet service providers (ISPs) in external domains from sending outbound Internet mail because Domino does not recognize the source of the message as a valid relay origin.

To ensure that Domino allows POP3 or IMAP users to send outbound Internet mail, you can customize relay enforcement to allow all authenticated users to relay. After the Domino SMTP listener determines that a connecting host has been authenticated, it treats the connection as though it originated from a local user and exempts it from the Inbound relay controls.

Specifying enforcement exceptions based on host name or IP address

About this task

By default, after you deny relaying for a domain, all hosts in that domain are subject to the relay controls. You can customize relay enforcement to allow specific clients or servers in a domain to relay by entering host names or IP addresses in the field Exclude these connecting hosts from anti-relay checks. For each specified exception, Domino does not enforce the inbound relay controls. Use exceptions to allow hosts outside the local Internet domain to use the Domino SMTP server as a relay to send and receive their mail from the Internet, while still preventing Domino from being used as an open relay by unauthorized Internet hosts.

Note: Because many ISPs use the dynamic host control protocol (DHCP) to assign IP addresses to each connecting user, a user's IP address may differ from session to session. As a result, specifying enforcement exceptions based on host name or IP address is not effective for ensuring relay access for IMAP and POP3 users who connect to Domino from an ISP. To ensure relay access for these users, enable enforcement exceptions for authenticated users.

To specify relay enforcement

Procedure

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.

5. Click the Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Relay Enforcement section, and then click Save & Close:


7. Reload the SMTP task or update the SMTP configuration to put changes into effect.

Related tasks
Creating a Configuration Settings document
Stopping and starting the Domino SMTP service
Updating the SMTP configuration
Preventing unauthorized SMTP hosts from using Domino as a relay
Setting inbound relay controls
Configuring Domino to send mail to a relay host or firewall
How Domino uses Global domain documents during inbound and outbound SMTP routing