Setting inbound relay controls

To block relays to a specific domain or from a specific host, set restrictions in the inbound relay controls on the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls tab of the Configuration Settings document.

About this task

Use the inbound relay controls to define:

  • The destination domains to which you allow and deny relays
  • The originating hosts from which you allow and deny relays

In determining whether to allow a relay, Domino® checks the original sender, not just the last hop domain. This prevents people from routing from a denied source through an accepted one to your domain.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

To set inbound relay controls

Procedure

  1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
  2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
  3. Click Configurations.
  4. Select the Configuration Settings document for the mail server or servers you want to administer and click Edit Configuration.
  5. Click the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls tab.
  6. Complete these fields in the Inbound Relay Controls section, and then click Save & Close:
    Table 1. Inbound Relay Controls fields

    Field

    Enter

    Allow messages to be sent only to the following external Internet domains

    Internet domains to which Domino can relay messages. Domino relays messages to recipients in the specified domains only. Messages for recipients in other external Internet domains are denied.

    For example, if you enter abc.com and xyz.com in this field, Domino accepts only messages to recipients with addresses that end in abc.com or xyz.com domains. Messages for recipients in other domains are denied.

    To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com the server relays messages only if the domain part of the address matches xyz.com exactly, such as User@xyz.com.

    Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be sent; for example, enter %RenovationsEast to specify that the server can send mail to the Domino domain RenovationsEast.

    Group entries cannot contain a domain part or dot (.). For example, the group with the name AllowMail is valid, but the groups named Allow.ibm.com or Allowmail@ibm are not.

    Deny messages to be sent to the following external Internet domains

    Internet domains to which Domino will not relay messages. An asterisk (*) in this field prevents Domino from relaying messages to any external Internet domain.

    Domino denies only messages destined for recipient addresses in the specified domains. All other messages may relay.

    For example, if you enter abc.com in the field, Domino relays messages to recipients in all external Internet domains except abc.com. Domino denies messages for recipients in the abc.com domain.

    To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com, the server rejects messages addressed to users if the domain part of the address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to other domains that end in xyz.com, such as user@server.xyz.com.

    Prefix a percent sign (%) to specify a Domino domain name; for example, entering %RenovationsEast specifies the Domino domain RenovationsEast. This lets you prevent SMTP users from sending mail to certain internal Domino domains or even foreign domain servers, such as FAX systems.

    Group entries cannot contain a domain part or dot (.). For example, the group with the name DenyMail is valid, but the groups named Deny.ibm.com or Denymail@ibm are not.

    Allow messages only from the following Internet hosts to be sent to external Internet domains

    Specifies the hosts or domains that the Domino SMTP service allows to relay outbound Internet mail. If this field contains valid entries, Domino allows only servers matching these entries to relay. Message relays from other servers are denied. You can specify individual host names or a group name.

    Enter host names or IP addresses to designate the sites that are authorized to use Domino to relay messages to recipients outside your local Internet domain. For example, if you enter renovations.com or ibm.com® in the field, Domino accepts messages for recipients in external Internet domains only from servers with host names that end in renovations.com or ibm.com. Domino rejects messages for external recipients from any server not listed in this field.

    Deny messages from the following Internet hosts to be sent to external Internet domains

    Specifies the hosts or domains that the Domino SMTP service does not allow to relay outbound Internet mail. If this field contains valid entries, Domino denies message relays from servers matching those entries. Domino allows message relays from all other servers. You can specify individual host names or a group name.

    Enter host names or IP addresses to designate the sites that cannot use Domino to relay messages to recipients outside the local Internet domain.

    For example, you enter renovations.com in the field. Domino accepts messages to recipients in external Internet domains from all servers except those with host names ending in renovations.com. Domino denies messages to recipients in external Internet domains from servers in the renovations.com domain.

    An asterisk (*) in this field prevents Domino from relaying messages from any host subject to the relay controls.

  7. Reload the SMTP task, or update the SMTP configuration to put the changes into effect.
    • You can use an asterisk (*) to indicate "all domains." For example, putting * in an Allow field allows all hosts in all domains to perform that operation.
    • Wildcards can be used in place of an entire subnet address; for example, [127.*.0.1]. Wildcards are not valid for representing values in a range -- for example, the entry [123.234.45-*.0-255] is not valid because the asterisk is used to represent the high-end value of the range that begins with 45.
    • When entering multiple addresses, separate them with carriage returns; after the document is saved, Domino automatically reformats the list, inserting semicolons between the entries.
    • When entering an IP address, enclose it within brackets; for example, [127.0.0.1].

Results

How Domino resolves conflicts between settings in the inbound relay controls

When there is a conflict between the allowed and denied relay destinations, and the allowed/denied relay sources, the entry in the Allow field takes precedence. Thus, a host that you explicitly allow to relay can always relay to any destination, including denied destinations. Similarly, if you allow relays to a given domain, all hosts can relay to that destination, including hosts to which you have explicitly denied relaying. Denied hosts cannot relay to domains other than those that you specifically list in the Allow field. The following table provides several examples of how Domino resolves conflicts between entries in the Allow and Deny fields of the Inbound relay controls.

Table 2. Example of conflict between an allowed relay destination and denied relay source
Field Entry Results of Setting
Allow messages to be sent only to the following external internet domains xyz.com All hosts can relay to xyz.com, including smtp.efg.com, which is a denied host.
Deny messages from the following internet hosts to be sent to external internet domains: (* means all) smtp.efg.com smtp.efg.com cannot relay to any destination, except xyz.com, which is explicitly allowed.
Table 3. Example of conflict between a denied relay destination and allowed relay source
Field Entry Results of Setting
Deny messages to be sent to the following external internet domains: (* means all) qrs.com No relays are allowed to qrs.com, except relays originating from relay.abc.com, which is specifically allowed.
Allow messages only from the following internet hosts to be sent to external internet domains: relay.abc.com Relay.abc.com can relay to any destination, including qrs.com, which is a denied destination.
Note: This differs from the behavior of Domino Release 5, where if you denied relays to a destination domain, an allowed source host could not relay to the denied domain, and a denied source could not relay to any destination. You can revert to the Release 5 behavior by setting the variable in the NOTES.INI file.

If the same entry is placed in the list of allowed and denied destinations, or the list of allowed and denied sources, Domino honors the entry in the Deny list. For example, Domino rejects relays to xyz.com if you configure the relay controls as follows:

Table 4. Example of conflict between allowed and denied relay destinations

Field

Entry

Allow messages to be sent only to the following external internet domains:

xyz.com, abc.com, qrs.com

Deny messages to be sent to the following external internet domains: (* means all)

xyz.com