How inbound anti-relay settings control message transfer to external Internet domains

The following steps describe the checks that are made before a message is transferred to an external Internet domain.

  1. The SMTP listener receives a connection request.
  2. The server performs a reverse DNS lookup, querying DNS to find the host name that matches the connecting host's IP address. If the address resolves to a name in one of the local Internet domains, the host is considered internal. IP addresses that resolve to host names outside the local Internet domains or that do not have DNS entries are considered external.
  3. The server checks the setting in the field Perform Anti-Relay enforcement for these connecting hosts to determine whether anti-relay controls are enabled, and if so, whether they apply to all hosts or external hosts only. If connections from the sending domain are not subject to inbound relay controls, the server allows relays for this session.
  4. If the relay controls apply, Domino® next checks whether the host name appears in the field Exclude these connecting hosts from anti-relay checks. If the host name is found, the server allows relays for this session.
  5. If the relay controls still apply and the connecting host successfully authenticated with the server, the server checks the field Exceptions for authenticated users to determine whether authenticated users are exempt from the inbound relay checks. If authenticated users are exempt, the server allows relays for this session.
    Note: A connecting host provides authentication credentials only when Domino requests them. Because Domino closes the session if authentication is not successful, there is no case where Domino needs to determine whether a host that could not authenticate might be allowed to relay.
  6. The SMTP listener receives RCPT TO commands from the connecting host.
  7. The server examines each recipient address to see if the message would be a relay to an external domain. If so, the server checks the Inbound relay controls to determine:
    • Whether the connecting host is allowed to relay
    • Whether relays are allowed to the target domain

    Domain matching looks for the restricted domain name as a trailing substring of the recipient's domain. If you deny the domain spamme.com, you also deny the domain you.spamme.com. Rejected recipients receive a failure status in response to the RCPT commands.
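
The decision sequence above, modelled as an added example for auditing a relay policy on paper; it is not Domino code, and it goes one step beyond the text by also testing a destination that merely ends in the denied string. Assumptions: the class and field names are hypothetical stand-ins for the Domino fields, the reverse DNS result is passed in as `ptr_name` (`None` when there is no DNS entry), the exclusion and host lists are compared as exact host names, and the inbound relay controls are reduced to two deny lists.

```python
from dataclasses import dataclass

@dataclass
class RelayPolicy:  # hypothetical field names standing in for the Domino fields
    local_domains: tuple
    enforce_for: str = "external"       # "none", "external" or "all"
    excluded_hosts: tuple = ()          # "Exclude these connecting hosts ..."
    exempt_authenticated: bool = False  # "Exceptions for authenticated users"
    denied_hosts: tuple = ()            # inbound relay controls, by host
    denied_destinations: tuple = ()     # inbound relay controls, by domain

def in_local_domain(name, policy):
    # Assumption: local-domain membership is checked on a label boundary.
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in policy.local_domains)

def session_may_relay(policy, ptr_name, authenticated):
    """Steps 2-5: True when the session is exempt from inbound relay checks."""
    internal = ptr_name is not None and in_local_domain(ptr_name, policy)
    if policy.enforce_for == "none" or (policy.enforce_for == "external" and internal):
        return True                                       # step 3
    if ptr_name is not None and ptr_name.lower() in policy.excluded_hosts:
        return True                                       # step 4
    return authenticated and policy.exempt_authenticated  # step 5

def check_rcpt(policy, ptr_name, authenticated, rcpt):
    """Steps 6-7: return "accept" or "reject" for one RCPT TO address."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if in_local_domain(domain, policy) or session_may_relay(policy, ptr_name, authenticated):
        return "accept"
    if ptr_name is not None and ptr_name.lower() in policy.denied_hosts:
        return "reject"
    # Literal trailing-substring comparison, as the text describes it.
    if any(domain.endswith(d) for d in policy.denied_destinations):
        return "reject"
    return "accept"

# Constructed sample policy and sessions (not taken from a real server).
SAMPLE_POLICY = RelayPolicy(local_domains=("example.com",),
                            excluded_hosts=("partner.example.net",),
                            exempt_authenticated=True,
                            denied_destinations=("spamme.com",))

if __name__ == "__main__":
    for ptr, auth, rcpt in [("mx.example.org", False, "a@you.spamme.com"),
                            ("mx.example.org", False, "a@notspamme.com"),
                            ("pc1.example.com", False, "a@spamme.com"),
                            (None, True, "a@spamme.com")]:
        print(ptr, auth, rcpt, "->", check_rcpt(SAMPLE_POLICY, ptr, auth, rcpt))
```

In this model the second session is rejected because notspamme.com ends in the denied string; the text does not say whether Domino additionally requires a label boundary, so check deny entries against unrelated domains that share the same ending.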