Working with private whitelists for SMTP connections

Use Domino® private whitelist filters to specify exceptions to blacklist filters. Before private whitelist filters were introduced, the only ways to exclude a host from blacklist filter processing were to define the client's mail server as a relay exception, which creates a security risk, or to disable the DNS blacklist filters. Now you can use private whitelist filters to specify the hosts and domains to exclude from blacklist processing.

Hosts that are specified in private whitelists are exempt from blacklist checks, but other controls may still prevent a message from being accepted: members of the private whitelist are still subject to connection, relay, sender, and recipient controls.

Before you begin

Make sure you have previously set up a Configuration Settings document for the server.

About this task

Whitelists can be used independently of blacklists.

When private whitelists are enabled, the SMTP listener task compares hosts that may be subject to relay enforcement against the defined private whitelist. If there is a match, the private blacklist, DNS whitelists, and DNS blacklists are skipped. Otherwise, processing continues beginning with the private blacklist.

Using private whitelist filters

Procedure

  1. From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
  2. Click Configurations.
  3. Select the Configuration Settings document for the server on which you are enabling private whitelist filters.
  4. Click Router / SMTP > Restrictions and Controls > SMTP Inbound Controls.
  5. Complete these fields in the Private Whitelist Filters section and then click Save and Close.
    Table 1. Private Whitelist Filters

    Field: Private Whitelist Filters
      Note: Private whitelist filtering applies only to hosts subject to inbound relay enforcement.
    Action: Choose Enabled to allow the SMTP listener task to determine whether connecting hosts have been whitelisted, that is, whether they have been entered in the Whitelist the following hosts field. By default this setting is disabled.

    Field: Whitelist the following hosts
    Action: Enter IP addresses or host names of the systems to add to the whitelist. IP ranges and masks are supported. Wildcards can be used except within ranges.

    Field: Desired action when a connecting host is found in the private whitelist
    Action: Choose one of these:
      • Silently skip blacklist filters -- Skips blacklist filter checks. No logging occurs. This is the default setting.
      • Log only -- Records the host name and IP address of the connecting server found in the private whitelist.
      • Log and tag message -- Logging occurs in the same manner as in the Log only option. Tags the message by adding the Note item, $DNSWLSite, to messages accepted from whitelisted hosts. The value of $DNSWLSite will be PrivateWhitelist.

Viewing private whitelist statistics

About this task

The SMTP listener task maintains a statistic to keep a cumulative count of the number of connections accepted from whitelisted hosts. The statistic, SMTP.PrivateWL.TotalHits, can be viewed using the Domino® Administrator client, or by issuing this command from the server console:

show stat SMTP
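
One way to watch this statistic over time, as an added example that is not part of the product documentation: the script below compares two captured outputs of the command and reports how many whitelisted connections were accepted in between. The "Name = value" line format, the handling of a missing or restarted counter, the placeholder statistic, and the sample captures are assumptions constructed for illustration.

```python
import re

STAT_NAME = "SMTP.PrivateWL.TotalHits"  # statistic named on this page
# Assumed console format: one "Name = value" pair per line.
STAT_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")

# Constructed console captures (not real server output).
SNAPSHOT_1 = "> show stat SMTP\n  SMTP.Placeholder.Other = 3\n  SMTP.PrivateWL.TotalHits = 1,204\n"
SNAPSHOT_2 = "> show stat SMTP\n  SMTP.Placeholder.Other = 9\n  SMTP.PrivateWL.TotalHits = 1,300\n"
SNAPSHOT_3 = "> show stat SMTP\n  SMTP.PrivateWL.TotalHits = 5\n"  # counter restarted


def parse_show_stat(text):
    """Return {statistic name: raw value string} from captured console output."""
    stats = {}
    for line in text.splitlines():
        match = STAT_LINE.match(line)
        if match:
            stats[match.group(1)] = match.group(2)
    return stats


def whitelist_hits(text):
    """Cumulative whitelist hit count; 0 if the statistic is not listed (assumption)."""
    raw = parse_show_stat(text).get(STAT_NAME)
    # Tolerate thousands separators in case the console formats large numbers.
    return int(raw.replace(",", "")) if raw is not None else 0


def hits_since(prev_text, curr_text):
    """Whitelisted connections accepted between two snapshots.

    A current value lower than the previous one is treated as a counter
    restart, so the current value alone is returned (assumption).
    """
    prev, curr = whitelist_hits(prev_text), whitelist_hits(curr_text)
    return curr if curr < prev else curr - prev


def exceeds_threshold(prev_text, curr_text, threshold):
    """True when more whitelisted connections arrived than the expected ceiling."""
    return hits_since(prev_text, curr_text) > threshold


if __name__ == "__main__":
    for prev, curr in ((SNAPSHOT_1, SNAPSHOT_2), (SNAPSHOT_2, SNAPSHOT_3)):
        print(hits_since(prev, curr), exceeds_threshold(prev, curr, threshold=50))
```

A sustained rise in this count beyond what the whitelisted partners normally send is a prompt to review the entries in the Whitelist the following hosts field, since those connections skipped every blacklist check.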