Changing the inbound SMTP port settings

Inbound port settings affect how other SMTP hosts connect to HCL Domino®. For inbound connections, you can specify TCP/IP port settings and TLS port settings. For both ports you can define port numbers, port status, and the supported authentication methods.

Configuring SMTP authentication options on servers that use Internet Site documents

About this task

On servers that use Internet Site documents, the SMTP service obtains port authentication settings from the Security tab of the SMTP Inbound Site document, rather than from the Server document. As a result, when Internet Site documents are used, you cannot use the Server document to configure TCP/IP and TLS authentication settings for the SMTP port. Settings in the Server document still provide the port numbers and status for the SMTP TCP/IP and TLS ports, and enable the SMTP ports to honor server access restrictions.

To determine whether the use of Internet Site documents is enabled for a server, check the value of the Load Internet configurations from Server\Internet Sites documents field on the Basics tab of the Server document. If this field is set to Enabled, the server uses Internet Site documents to configure all of its Internet protocols (SMTP, IMAP, POP3, and so forth).

If the server uses Internet Site documents, then you must use Site documents to configure all Internet protocols on the server. If an SMTP Site document is not present in the Domino® Directory, or the authentication options in a configured SMTP Site document are set to No, users cannot connect to the SMTP service. In each case, SMTP clients that attempt to connect to the SMTP service receive the error "This site is not enabled on the server."

Changing the default port number

About this task

By default, after you enable the SMTP task, it "listens" for client connections on TCP/IP port 25 on the Domino® server. The default SMTP TLS port is port 465. In some cases -- for example, on partitioned servers -- you might need to specify a port number other than the default to avoid conflicts. You might also change the default port to a nonstandard port number to hide it from clients attempting to connect to the default port or if another application uses the default port on the server.

Disabling the SMTP inbound TCP/IP port or TLS port prevents other servers from accessing the SMTP Listener on that port.

Note: On servers with multiple TCP/IP ports, by default, the SMTP service uses the port listed first in the NOTES.INI file as the preferred path. You can configure the service to use a different port.

Changing the default SMTP greeting

About this task

You can modify the default reply that the SMTP service sends in response to a connecting host. By default, the Domino® SMTP server reveals its host name and software version to connecting clients. For security reasons, you can change the default greeting so that the server does not disclose this information. Use the variable SMTPGreeting in the NOTES.INI file to customize the SMTP service greeting.

To change inbound SMTP TCP/IP port settings

About this task

Keep the following in mind when selecting options:
  • If you enable the TCP port, at least one authentication option must be set to Yes to save the document.
  • To support inbound SMTP connections, the server must have at least one SMTP port enabled and be running the SMTP task.

Procedure

  1. From the Domino® Administrator, click the Configuration tab and then open the Server document for the server that runs the SMTP service.
  2. Click the Ports > Internet Ports > Mail tab.
  3. In the Mail (SMTP Inbound) column, complete these fields, and then click Save & Close:
    Table 1. Inbound SMTP TCP/IP Port Settings

    Field / Enter

    TCP/IP port number

    Choose 25 (default) to use the industry standard port for SMTP connections over TCP/IP. You can specify a different port, but 25 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.

    TCP/IP port status

    Choose one:

    • Enabled - (default) SMTP clients can connect to the Domino® SMTP service using the designated TCP/IP port. Depending on the authentication options you choose, users may have to supply a user name and Internet password to connect.
    • Disabled - SMTP clients cannot connect to the Domino® SMTP service using the TCP/IP port.

    Enforce server access settings

    Choose one:

    • Yes - Access to the SMTP listener is controlled by the server access settings on the Security tab of the Server document. Users and servers that are not allowed to access the server cannot send mail to the SMTP port. For this option to be effective you must enable authentication for the port.
    • No - (default) The SMTP listener ignores the server access settings in the Server document. Users and servers can send mail to the SMTP port, even if they are denied other access to the server.

    Authentication options: Name & password

    Choose one:

    • Yes - Sets the ESMTP AUTH extension for the TCP/IP port. Domino® advertises AUTH=LOGIN to connecting SMTP clients. Clients must supply a user name and Internet password to connect to the SMTP service over the TCP/IP port and transfer mail. Remote SMTP servers that do not support the AUTH extension cannot connect to the SMTP service over this port. When Name and password authentication is enabled, you can specify whether authenticated POP3 and IMAP users sending mail to the SMTP port are subject to anti-relay enforcement.
    • No - (default) Domino® does not support Name-and-password authentication over the TCP/IP port. If you choose No, you must enable Anonymous connections to allow SMTP connections to this port.
    Note: On servers supporting negotiated TLS on the inbound TCP/IP port (STARTTLS), the setting in the TLS Name & password field -- not the setting in the TCP/IP Name & password field -- determines whether the server accepts SMTP AUTH commands for TLS-over-TCP/IP sessions. For information about enabling support for STARTTLS, see Supporting inbound SMTP extensions in the related links.

    Authentication options: Anonymous

    If the TCP/IP port status is set to Enabled, choose one:

    • Yes - (default) The SMTP service allows clients and servers to connect to the TCP/IP port anonymously to transfer mail. If both Name and password and Anonymous authentication are enabled (set to Yes), the port allows connections from SMTP hosts that supply a name and password as well as those that connect anonymously.
    • No - The SMTP service does not allow anonymous connections over the TCP/IP port. SMTP hosts can connect to the TCP/IP port only if Name & password authentication for the port is set to Yes, and the connecting host must send the SMTP AUTH command.
  4. Restart the SMTP task to put the new settings into effect.
    Tip: As an alternative to restarting the SMTP service to incorporate configuration updates, you can use a console command to refresh SMTP service parameters.

Results

If you change the default SMTP port, inbound SMTP connections fail if the connecting host is not configured to use the new port. See the related links for information about configuring Domino® servers to connect to nonstandard SMTP ports.

To change inbound SMTP TLS port settings

About this task

If you change the default TLS port, inbound SMTP TLS connections fail unless the connecting host is configured to use the new port.

Procedure

  1. Familiarize yourself with the Domino® security model.
  2. To secure SMTP sessions using TLS, set up TLS on the Domino® server.
  3. From the Domino® Administrator, click the Configuration tab and then open the Server document for the server that runs the SMTP service.
  4. Click the Ports > Internet Ports > Mail tab.
  5. In the Mail (SMTP Inbound) column, complete these fields, and then click Save & Close:
    Table 2. Inbound SMTP TLS Port Settings

    Field / Enter

    TLS port number

    Choose 465 (default) to use the industry standard port for SMTP connections over TLS. You can specify a different port, but 465 works in most situations. When specifying a nonstandard port, make sure the port is not reserved for another service. Port numbers can be any number from 1 to 65535.

    TLS port status

    Choose one:

    • Enabled - SMTP clients can connect to the Domino® SMTP service using the designated TLS port.
    • Disabled (default) - SMTP clients cannot connect to the Domino® SMTP service using the designated TLS port.

    Authentication options: Name & password

    Choose one:

    • Yes - Enables the TLS port to support the SMTP AUTH command. POP3 and IMAP clients, and remote SMTP servers that send AUTH, must supply a name and password to connect to the SMTP service over the TLS port and transfer mail. To allow remote SMTP servers that do not send the SMTP AUTH command to connect to the SMTP service over this port, set Anonymous authentication to Yes.
    • No - (default) Domino® does not support name and password authentication for hosts connecting to the SMTP service over the TLS port. If a connecting host sends AUTH, Domino® rejects the command and returns an error indicating that the command is not implemented. If you choose No, you must set Anonymous authentication to Yes to allow SMTP connections to this port.
    Note: On servers supporting negotiated TLS on the inbound TCP/IP port (STARTTLS), the setting in the TLS Name & password field -- not the setting in the TCP/IP Name & password field -- determines whether the server accepts SMTP AUTH commands for TLS-over-TCP/IP sessions.

    Authentication options: Anonymous

    If the TLS port status field is set to Enabled, choose one:

    • Yes - (default) The SMTP service allows clients and servers to connect to the TLS port anonymously to transfer mail. If Anonymous is set to Yes and Name and password authentication is also set to Yes, IMAP and POP3 clients are prompted to supply a name and password when connecting to this port, but servers can connect anonymously.
    • No - The SMTP service does not allow anonymous connections over the TLS port. IMAP and POP3 clients, and servers that send the SMTP AUTH command, may connect to the TLS port if you set Name and password authentication for the port to Yes.
  6. Restart the SMTP task to put the new settings into effect.
    Tip: As an alternative to restarting the SMTP service to incorporate configuration updates, you can use a console command to refresh SMTP service parameters.
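
After the SMTP task has picked up the new settings, you can confirm what the listener actually presents to connecting hosts. The following is an added example, not part of the HCL documentation or product: it checks recorded replies from a listener you administer for the greeting disclosure described under "Changing the default SMTP greeting" and for the AUTH behaviour described in the Name & password fields and the STARTTLS note. The session dictionary layout, the finding codes and the sample replies are assumptions constructed for illustration.

```python
import re

# Constructed sample (not captured from a real server): the 220 greeting, the
# EHLO reply on the plain TCP/IP port, and the EHLO reply after STARTTLS.
SAMPLE = {
    "greeting": "220 mail.example.com ESMTP Service (HCL Domino Release 12.0.2) ready",
    "ehlo_plain": "250-mail.example.com Hello\r\n250-STARTTLS\r\n250-AUTH=LOGIN\r\n250 PIPELINING",
    "ehlo_tls": "250-mail.example.com Hello\r\n250-AUTH LOGIN\r\n250 PIPELINING",
}

def parse_ehlo(reply):
    """Map each ESMTP keyword in a raw multiline 250 reply to its parameters."""
    ext = {}
    for line in reply.replace("\r\n", "\n").split("\n")[1:]:  # line 1 is the hello text
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line.strip())
        if not m:
            continue
        word, params = m.group(1), (m.group(2) or "").split()
        if "=" in word:  # "AUTH=LOGIN" form, as the page says Domino advertises
            word, first = word.split("=", 1)
            params = [first] + params
        ext.setdefault(word.upper(), []).extend(p.upper() for p in params)
    return ext

def audit(session):
    """Return (code, detail) findings for one listener's recorded replies."""
    findings = []
    # The default greeting reveals software and version; SMTPGreeting replaces it.
    if re.search(r"Domino|Release\s*\d", session["greeting"], re.I):
        findings.append(("BANNER_DISCLOSES_SOFTWARE", "customize SMTPGreeting in NOTES.INI"))
    plain = parse_ehlo(session["ehlo_plain"])
    # AUTH before TLS corresponds to TCP/IP "Name & password" = Yes; LOGIN
    # credentials are only base64-encoded, so they cross the wire unencrypted.
    if "AUTH" in plain:
        findings.append(("AUTH_BEFORE_TLS", "mechanisms: " + ",".join(plain["AUTH"])))
    # After STARTTLS, the TLS "Name & password" field decides whether AUTH is accepted.
    if "STARTTLS" in plain and "ehlo_tls" in session:
        if "AUTH" not in parse_ehlo(session["ehlo_tls"]):
            findings.append(("NO_AUTH_AFTER_STARTTLS", "check TLS Name & password field"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, "-", detail)
```

Pass in the raw reply text exactly as the server sent it, including the 250 prefixes; omit the ehlo_tls key if no STARTTLS session was recorded.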