

Setting inbound relay controls

To block relays to a specific domain or from a specific host, set restrictions in the inbound relay controls on the Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls tab of the Configuration Settings document.

About this task

Use the inbound relay controls to define:


In determining whether to allow a relay, Domino® checks the original sender, not just the last hop domain. This prevents people from routing from a denied source through an accepted one to your domain.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

To set inbound relay controls

Procedure

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to administer and click Edit Configuration.

5. Click the Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Relay Controls section, and then click Save & Close:


7. Reload the SMTP task, or update the SMTP configuration to put the changes into effect.

Results

How Domino resolves conflicts between settings in the inbound relay controls

When the allowed and denied relay destinations conflict with the allowed and denied relay sources, the entry in the Allow field takes precedence. Thus, a host that you explicitly allow to relay can always relay to any destination, including denied destinations. Similarly, if you allow relays to a given domain, all hosts can relay to that destination, including hosts that you have explicitly denied from relaying. Denied hosts cannot relay to domains other than those that you specifically list in the Allow field. The following tables provide examples of how Domino resolves conflicts between entries in the Allow and Deny fields of the inbound relay controls.

Table 2. Example of conflict between an allowed relay destination and denied relay source

| Field | Entry | Results of Setting |
|---|---|---|
| Allow messages to be sent only to the following external internet domains | xyz.com | All hosts can relay to xyz.com, including smtp.efg.com, which is a denied host. |
| Deny messages from the following internet hosts to be sent to external internet domains: (* means all) | smtp.efg.com | smtp.efg.com cannot relay to any destination, except xyz.com, which is explicitly allowed. |

Table 3. Example of conflict between a denied relay destination and allowed relay source

| Field | Entry | Results of Setting |
|---|---|---|
| Deny messages to be sent to the following external internet domains: (* means all) | qrs.com | No relays are allowed to qrs.com, except relays originating from relay.abc.com, which is specifically allowed. |
| Allow messages only from the following internet hosts to be sent to external internet domains: | relay.abc.com | Relay.abc.com can relay to any destination, including qrs.com, which is a denied destination. |

Note: This differs from the behavior of Domino Release 5, where if you denied relays to a destination domain, an allowed source host could not relay to the denied domain, and a denied source could not relay to any destination. You can revert to the Release 5 behavior by setting the variable in the NOTES.INI file.

If the same entry is placed in the list of allowed and denied destinations, or the list of allowed and denied sources, Domino honors the entry in the Deny list. For example, Domino rejects relays to xyz.com if you configure the relay controls as follows:

Table 4. Example of conflict between allowed and denied relay destinations

| Field | Entry |
|---|---|
| Allow messages to be sent only to the following external internet domains: | xyz.com, abc.com, qrs.com |
| Deny messages to be sent to the following external internet domains: (* means all) | xyz.com |
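
The precedence rules above can be checked against a planned configuration before it is saved. The following Python sketch is an added example, not Domino code or part of the product documentation: the `RelayControls` class and its method names are hypothetical, matching is exact and case-insensitive, and only identical entries are treated as same-list conflicts. Cases the rules on this page do not decide are returned as `no-match` rather than guessed.

```python
# Added example: simplified model of the Allow/Deny precedence described above.
# Not Domino code. Matching is exact and case-insensitive (an assumption).
from dataclasses import dataclass, field

ALLOW, DENY, NO_MATCH = "allow", "deny", "no-match"

@dataclass
class RelayControls:
    allow_dest: set = field(default_factory=set)  # Allow ... only to these domains
    deny_dest: set = field(default_factory=set)   # Deny ... to these domains (* = all)
    allow_src: set = field(default_factory=set)   # Allow ... only from these hosts
    deny_src: set = field(default_factory=set)    # Deny ... from these hosts (* = all)

    def __post_init__(self):
        for name in ("allow_dest", "deny_dest", "allow_src", "deny_src"):
            setattr(self, name, {e.strip().lower() for e in getattr(self, name)})

    def same_list_conflicts(self):
        """Entries present in both the Allow and Deny list of the same kind."""
        return {"destinations": self.allow_dest & self.deny_dest,
                "sources": self.allow_src & self.deny_src}

    def decide(self, source_host, dest_domain):
        src, dst = source_host.strip().lower(), dest_domain.strip().lower()
        # Same entry in Allow and Deny of one kind: the Deny entry is honored.
        allow_dest = self.allow_dest - self.deny_dest
        allow_src = self.allow_src - self.deny_src
        # Between destinations and sources, an Allow entry takes precedence.
        if dst in allow_dest:
            return ALLOW, f"destination {dst} is explicitly allowed"
        if src in allow_src:
            return ALLOW, f"source {src} is explicitly allowed"
        if dst in self.deny_dest or "*" in self.deny_dest:
            return DENY, f"destination {dst} is denied"
        if src in self.deny_src or "*" in self.deny_src:
            return DENY, f"source {src} is denied"
        # Cases the rules above do not decide are reported, not guessed.
        return NO_MATCH, "not decided by the rules modeled here"

# Constructed from Tables 2, 3 and 4 above.
TABLE2 = RelayControls(allow_dest={"xyz.com"}, deny_src={"smtp.efg.com"})
TABLE3 = RelayControls(deny_dest={"qrs.com"}, allow_src={"relay.abc.com"})
TABLE4 = RelayControls(allow_dest={"xyz.com", "abc.com", "qrs.com"},
                       deny_dest={"xyz.com"})

if __name__ == "__main__":
    for cfg, src, dst in [(TABLE2, "smtp.efg.com", "xyz.com"),
                          (TABLE3, "mail.example.net", "qrs.com"),
                          (TABLE4, "mail.example.net", "xyz.com")]:
        print(src, "->", dst, cfg.decide(src, dst))
```

Running `same_list_conflicts()` on a planned configuration lists the entries where a Deny entry will silently override an Allow entry of the same kind, as in Table 4.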

Related concepts
Understanding open relays

Related tasks
Creating a Configuration Settings document
Stopping and starting the Domino SMTP service
Updating the SMTP configuration
Preventing unauthorized SMTP hosts from using Domino as a relay
Specifying enforcement of inbound relay controls
Enabling DNS blacklist filters for SMTP connections

Related reference
How inbound anti-relay settings control message transfer to external Internet domains