Restricting users from sending Internet mail

You can control the transfer of outbound mail from your organization to the Internet.

About this task

Domino® provides two methods for restricting outbound Internet mail:

  • Outbound sender controls - These controls specify which users in your organization are allowed to send mail to the Internet.
  • Outbound recipient controls - These controls specify the Internet destinations to which users can send mail.

Setting outbound sender controls

About this task

The outbound sender controls let you specify who can and cannot send mail to the Internet. The controls are implemented in two sets of Allow and Deny lists:

  • Internet addresses of users who can or cannot send mail to the Internet
  • Notes® addresses of users who can or cannot send mail to the Internet

Domino® sends a restriction failure message to restricted users who attempt to send outbound mail. You can customize the text of mail failure messages.

The Outbound sender controls are not intended to restrict SMTP relay access. To configure relay restrictions, use the Inbound Relay Controls on the Router/SMTP - Restrictions and Controls > SMTP Inbound Controls tab of the Configuration Settings document.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

Procedure

  1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
  2. From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
  3. Click Configurations.
  4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
  5. Click the Router/SMTP > Restrictions and Controls > SMTP Outbound Controls tab.
  6. Complete these fields and then click Save & Close:
    Table 1. Outbound Sender Controls fields
    Field: Allow messages only from the following Internet addresses to be sent to the Internet
    Description: Specifies the RFC 821 Internet addresses of users in the local Internet domain from whom Domino® accepts mail destined for Internet addresses outside the local Internet domain. If this field contains entries, Domino® accepts outbound Internet mail from the specified Internet addresses only and rejects outbound Internet mail sent from other addresses. Rejected mail is returned to the sender.

    Enter Internet addresses in the form user@domain.com, or enter the name of a Notes® group containing a list of Internet addresses allowed to send mail to the Internet. Domino® expands entries for groups only if the group name can be found in the primary Domino® Directory.

    Wildcards (for example, *renovations.com) and isolated Internet domain suffixes (for example, renovations.com) are not acceptable values in this field.

    Group entries cannot contain a domain part or dot (.).

    Field: Deny messages from the following Internet addresses to be sent to the Internet
    Description: Specifies the RFC 821 Internet addresses of users in the local Internet domain from which Domino® does not accept mail destined for external Internet addresses. If this field contains entries, Domino® rejects outbound Internet mail sent from the specified Internet addresses and returns it to the sender. All other users can send Internet mail.

    Enter Internet addresses in the form user@domain.com, or enter the name of a Notes® group listing the Internet addresses from which to deny outbound Internet mail. Domino® expands entries for groups only if the group name can be found in the primary Domino® Directory.

    Wildcards (for example, *renovations.com) and isolated Internet domain suffixes (for example, renovations.com) are not acceptable values in this field.

    Group entries cannot contain a domain part or dot (.).

    Field: Allow messages only from the following Notes® addresses to be sent to the Internet
    Description: Specifies the Notes® user names from which Domino® accepts mail destined for external Internet addresses. If this field contains entries, Domino® accepts outbound Internet mail from the specified entries only and rejects outbound Internet mail sent from all other Notes® addresses. Rejected mail is returned to the sender.

    Enter fully qualified Notes® addresses in the form User/Organizational_unit/Organization, or enter the name of a Notes® group whose members you want to prevent from sending Internet mail. Domino® expands entries for groups only if the group name can be found in the primary Domino® Directory.

    Field: Deny messages from the following Notes® addresses to be sent to the Internet
    Description: Specifies the Notes® user names from which Domino® does not accept mail destined for external Internet addresses. If this field contains entries, Domino® rejects outbound Internet mail sent from the specified entries and returns it to the sender. Domino® accepts outbound Internet mail from all other Notes® addresses.

    Enter fully qualified Notes® addresses in the form User/Organizational_unit/Organization or the name of a Notes® group whose members you want to prevent from sending Internet mail. Domino® expands entries for groups only if the group name can be found in the primary Domino® Directory.

    Note: Group entries cannot contain a domain qualifier ('@' sign).
  7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.
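
The entry rules in Table 1 can be checked before the values are pasted into the Configuration Settings document. The following is an added example, not part of the original topic and not Domino® code; the function names and sample entries are hypothetical, and the address pattern is a loose shape check rather than a full RFC 821 parser.

```python
import re

# Loose user@domain.com shape check (assumption: not a full RFC 821 parser).
ADDRESS = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")

def lint_internet_entry(entry):
    """Check one entry for the Allow/Deny *Internet addresses* fields."""
    e = entry.strip()
    if not e:
        return (False, "empty entry")
    if "*" in e:
        return (False, "wildcards are not acceptable")
    if "@" in e:
        ok = bool(ADDRESS.match(e))
        return (ok, "Internet address" if ok else "not in user@domain.com form")
    if "." in e:
        return (False, "isolated domain suffix, or group name containing a dot")
    return (True, "group name; must resolve in the primary Domino Directory")

def lint_notes_entry(entry):
    """Check one entry for the Allow/Deny *Notes addresses* fields."""
    e = entry.strip()
    if not e:
        return (False, "empty entry")
    if "/" in e:
        # Documented form is User/Organizational_unit/Organization, with no '@'.
        ok = "@" not in e and all(part.strip() for part in e.split("/"))
        return (ok, "hierarchical Notes name" if ok
                else "not in User/Organizational_unit/Organization form")
    if "@" in e:
        return (False, "group entries cannot contain a domain qualifier (@)")
    return (True, "group name; must resolve in the primary Domino Directory")

def rejected(entries, lint):
    """Return {entry: reason} for every entry the lint function rejects."""
    return {e: why for e in entries for ok, why in [lint(e)] if not ok}

# Constructed sample field contents.
INTERNET_FIELD = ["jdoe@renovations.com", "*renovations.com",
                  "renovations.com", "InternetSenders"]
NOTES_FIELD = ["Jane Doe/Sales/Renovations", "Contractors@Renovations",
               "Jane Doe//Renovations", "NoInternetMail"]

if __name__ == "__main__":
    for field, lint in ((INTERNET_FIELD, lint_internet_entry),
                        (NOTES_FIELD, lint_notes_entry)):
        for entry, why in rejected(field, lint).items():
            print(f"{entry!r}: {why}")
```

An entry that passes as a group name still has to be a Mail-only or Multi-purpose group in the primary directory, which this check cannot see.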

What to do next

The outbound sender controls are not intended to control relaying. For information on using Domino's inbound relay controls, see the related topics.

Setting outbound recipient controls

About this task

The outbound recipient controls let you specify the Internet domains and host names to which users are allowed to send mail and those to which they are denied from sending mail. The controls consist of a pair of lists: one specifying the Internet domains or host names to which users can send mail, and another listing the domains and host names to which users cannot send mail.

Procedure

  1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
  2. From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
  3. Click Configurations.
  4. Select the Configuration Settings document for the mail server or servers you want to administer, and click Edit Configuration.
  5. Click the Router/SMTP > Restrictions and Controls > SMTP Outbound Controls tab.
  6. Complete these fields and then click Save & Close:
    Table 2. Outbound Recipient Controls
    Field: Allow messages only to recipients in the following Internet domains or hostnames
    Description: Specifies the Internet domains, such as renovations.com, and Internet host names, such as mailhost.renovations.com, to which Domino® can send mail. If there are entries in this field, users can send Internet mail to the specified entries only. Domino® denies mail to all other domains or host names.

    If you specify an Internet domain, users can send mail to any host or sub-domain in that domain. Domino® matches entries against the last part of domain names or host names, so entering host.renovations.com allows mail to mail.host.renovations.com as well as inbound.host.renovations.com.

    Note: If you list a host name that matches an MX record for a domain, Domino® allows mail to all recipients in that domain.

    Field: Deny messages to recipients in the following Internet domains or hostnames
    Description: Specifies the Internet domains, such as renovations.com, and Internet host names, such as mailhost.renovations.com, to which Domino® cannot send mail. Domino® allows mail to all other domains or host names.

    Note: If you enter a host name that matches an MX record for a domain, mail to all host names / MX records for that domain is denied.
  7. The change takes effect after the next Router configuration update. To put the new setting into effect immediately, reload the routing configuration.

Results

For security reasons, if there is a conflict between the two fields for a given setting, entries in the Deny field take precedence. For example, if renovations.com appears in both the Allow messages only to recipients in the following Internet domains or host names field and the corresponding Deny messages field, Domino® denies messages sent to renovations.com. Be careful not to have the same entry in an Allow field and a Deny field for the same setting.
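
The following model of the recipient rules combines the "last part" matching from Table 2 with Deny precedence, and goes one step further by listing Allow entries that a Deny entry makes unreachable. It is an added example, not part of the original topic and not Domino® code; the function names and sample lists are hypothetical. It assumes that matching stops at a label boundary, and it does not model the MX record notes, which require DNS lookups.

```python
def norm(name):
    """Lower-case and drop surrounding space and any trailing root dot."""
    return name.strip().rstrip(".").lower()

def suffix_match(entry, host):
    """True if host is the entry itself or a host/sub-domain under it.

    Assumption: "last part" matching stops at a label boundary, so
    renovations.com does not match otherrenovations.com.
    """
    entry, host = norm(entry), norm(host)
    return host == entry or host.endswith("." + entry)

def recipient_decision(recipient, allow, deny):
    """Return (allowed, reason) for one recipient address."""
    domain = norm(recipient.rsplit("@", 1)[-1])
    for entry in deny:                       # Deny entries take precedence
        if suffix_match(entry, domain):
            return (False, "deny:" + norm(entry))
    if not allow:                            # empty Allow field: no allow-only rule
        return (True, "no allow list")
    for entry in allow:
        if suffix_match(entry, domain):
            return (True, "allow:" + norm(entry))
    return (False, "not in allow list")

def shadowed_allow_entries(allow, deny):
    """Allow entries that can never take effect because a Deny entry covers them."""
    return sorted({norm(a) for a in allow
                   if any(suffix_match(d, a) for d in deny)})

# Constructed sample lists.
ALLOW = ["renovations.com", "partner.example"]
DENY = ["hr.renovations.com", "partner.example"]

if __name__ == "__main__":
    for rcpt in ("a@mail.renovations.com", "a@hr.renovations.com",
                 "a@x.partner.example", "a@other.example"):
        print(rcpt, recipient_decision(rcpt, ALLOW, DENY))
    print("shadowed:", shadowed_allow_entries(ALLOW, DENY))
```

In the sample lists, hr.renovations.com is a deliberate carve-out from an allowed domain, while partner.example is the conflict the paragraph above warns about.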

Domino® checks each address to see if it is an Internet address or a Notes® address. The Router then applies the restrictions specified for that type of address.

If you are entering multiple names in a field, consider creating a group and entering the group name in the field. Domino® expands the group into a list of members. If you update the group list in this document or edit the group members in the Domino® Directory, changes do not take effect immediately.