Specifying enforcement of inbound relay controls

When you create a Configuration Settings document for a server, by default, the SMTP inbound relay controls, or anti-relay settings, apply to all external hosts only, that is, to hosts that are not located in the local Internet domain. After you set inbound relay controls, you can customize how Domino® applies them by selecting inbound relay enforcement options.

About this task

The available options allow you to specify how strictly to enforce the relay controls by letting you exempt certain hosts from enforcement. You can exempt hosts from relay enforcement based on:

  • Domain location - By default, Domino® enforces relay controls for hosts outside the local Internet domain only. You can enforce stricter control by applying them to all connecting hosts or relax enforcement entirely so Domino® does not perform any relay checks (not recommended).
  • Authentication status - By default, Domino® applies relay controls to authenticated SMTP sessions. You can relax enforcement by exempting all authenticated users from relay checks.
  • Host name or IP address - By default, all external hosts are subject to relay controls. You can specify a list of hosts (by IP address or host name) to exempt from relay checks.

Applying relay restrictions to internal hosts

About this task

By default, Domino® enforces anti-relay settings for external hosts only. Internal hosts are exempt from anti-relay checks, so Domino® does not consider an internal host as a possible relay, even if it is explicitly listed in the Inbound relay controls field Deny messages from the following Internet hosts to be sent to external Internet domains.

Depending on your environment, you may want to extend the scope of enforcement by applying relay restrictions to both internal and external hosts. This is equivalent to setting the variable SMTPAllHostsExternal=1 in the NOTES.INI file.

Applying relay enforcement to internal hosts lets you achieve more secure and controlled routing. For example, you can configure your Domino® SMTP server so that only other Domino® mail servers are allowed to relay. By doing so you can prevent internal users who run other mail clients (for example, POP or IMAP clients), as well as servers in other internal mail systems, from using the Domino® SMTP server to send mail to the Internet.

You might also enable relay enforcement for internal hosts if you have a Domino® SMTP server that receives mail from a dual-interface firewall server. For security purposes, some organizations may not connect their Domino® SMTP servers directly to the Internet, choosing instead to set up an internal SMTP relay host or firewall to receive Internet mail destined for the organization's Internet domain. The relay or firewall then routes the mail to a Domino® SMTP server, which, in turn, transfers it to the organization's internal mail servers.

A host in the local Internet domain can always relay to external Internet domains unless it is explicitly denied by an entry in the field Deny messages from the following Internet hosts to be sent to external Internet domains.

If the internal relay or the firewall does not implement its own relay controls, the Domino® SMTP server may then receive mail that is not destined for a local user. If the Domino® server is set up to perform anti-relay enforcement on external hosts only, then mail received from the internal relay or firewall is not subject to the Inbound Relay Controls because the sending system, the relay or the firewall, belongs to the same local Internet domain. Thus, when the Router determines that the Internet address listed in the RCPT TO command has no match in the $Users view in the Domino® Directory, it routes the message back out to the Internet.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

Allowing relays from authenticated users connecting from outside the local domain

About this task

By default, if you deny relaying for a domain or set of domains (for example, all external domains), all hosts in the denied domains are subject to the relay controls. This level of restriction prevents remote IMAP or POP3 clients that connect to Domino® by way of Internet service providers (ISPs) in external domains from sending outbound Internet mail because Domino® does not recognize the source of the message as a valid relay origin.

To ensure that Domino® allows POP3 or IMAP users to send outbound Internet mail, you can customize relay enforcement to allow all authenticated users to relay. After the Domino® SMTP listener determines that a connecting host has been authenticated, it treats the connection as though it originated from a local user and exempts it from the Inbound relay controls.

Specifying enforcement exceptions based on host name or IP address

About this task

By default, after you deny relaying for a domain, all hosts in that domain are subject to the relay controls. You can customize relay enforcement to allow specific clients or servers in a domain to relay by entering host names or IP addresses in the field Exclude these connecting hosts from anti-relay checks. For each specified exception, Domino® does not enforce the inbound relay controls. Use exceptions to allow hosts outside the local Internet domain to use the Domino® SMTP server as a relay to send and receive their mail from the Internet, while still preventing Domino® from being used as an open relay by unauthorized Internet hosts.

Note: Because many ISPs use the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to each connecting user, a user's IP address may differ from session to session. As a result, specifying enforcement exceptions based on host name or IP address is not effective for ensuring relay access for IMAP and POP3 users who connect to Domino® from an ISP. To ensure relay access for these users, enable enforcement exceptions for authenticated users.

To specify relay enforcement

Procedure

  1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
  2. From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
  3. Click Configurations.
  4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.
  5. Click the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls tab.
  6. Complete these fields in the Inbound Relay Enforcement section, and then click Save & Close:
    Table 1. Inbound Relay Enforcement fields

    Field: Perform Anti-relay enforcement for these connecting hosts
    Description: Specifies the connections for which the server enforces the inbound relay controls. Choose one:
      • External hosts - (default) The server applies the inbound relay controls only to hosts that connect to it from outside the local Internet domain. Hosts in the local Internet domain are exempt from anti-relay restrictions. The local Internet domain is defined either by a Global Domain document, if one exists, or as the Internet domain of the host server.
      • All connecting hosts - The server applies the inbound relay controls to all hosts attempting to relay mail to external Internet domains.
      • None - The server ignores the settings in the Inbound relay controls. All hosts can always relay.

    Field: Exceptions for authenticated users
    Description: Specifies whether users who supply login credentials when connecting to the server are exempt from enforcement of the inbound relay controls. Choose one:
      • Perform anti-relay checks for authenticated users - The server does not allow exceptions for authenticated users. Authenticated users are subject to the same enforcement as non-authenticated users.
      • Allow all authenticated users to relay - (default) Users who log in with a valid name and password are exempt from the applicable inbound relay controls. Use this to enable relaying by POP3 or IMAP users who connect to the network from ISP accounts outside the local Internet domain.

    Field: Exclude these connecting hosts from anti-relay checks
    Description: Creates an exceptions list of hosts, identified by IP address or host name, that are allowed to relay to any permitted domain. For each specified exception, the inbound relay controls are not enforced. Enter the IP addresses or host names of hosts to be exempted from the restrictions specified in the Inbound relay controls section. You can also enter group names in this field.

    When entering an IP address, enclose it within brackets; for example, [127.0.0.1].

    You can use wildcards to represent an entire subnet address, but not to represent values in a range. For example, [127.*.0.1] is valid; [123.123.12-*.123] is not.

  7. Reload the SMTP task or update the SMTP configuration to put changes into effect.
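The following is an added model of the enforcement decision these three fields produce, covering both the firewall-in-the-local-domain case described above and the exceptions-list syntax from Table 1. It is not Domino's code: the field values are the page's, while the host names, addresses, local domain and the assumption that "local" is decided by the connecting host's domain name are constructed for illustration.

```python
# Constructed model (not Domino's code) of the Inbound Relay Enforcement decision:
# given the three fields on the SMTP Inbound Controls tab, is a connecting host
# subject to the Inbound relay controls at all?  Assumes the connecting host name
# is already known (in practice Domino resolves it) and that "local" means the
# host name falls under the local Internet domain.

MODES = ("External hosts", "All connecting hosts", "None")

def parse_exception(entry: str) -> str:
    """Validate one 'Exclude these connecting hosts' entry.
    IP addresses must be bracketed; '*' may stand for a whole octet,
    but range notation such as 12-* is rejected (see Table 1)."""
    entry = entry.strip()
    if entry.startswith("[") and entry.endswith("]"):
        octets = entry[1:-1].split(".")
        if len(octets) != 4 or any(o != "*" and not o.isdigit() for o in octets):
            raise ValueError(f"invalid IP exception: {entry}")
        return entry
    return entry.lower()            # host name, matched case-insensitively

def ip_matches(pattern: str, ip: str) -> bool:
    """Octet-by-octet match: [127.*.0.1] covers 127.5.0.1 but not 127.5.9.1."""
    return all(p == "*" or p == o for p, o in zip(pattern.split("."), ip.split(".")))

def in_exceptions(host: str, ip: str, exceptions: list[str]) -> bool:
    """True if the connecting host is listed in the exclusion field."""
    for raw in exceptions:
        e = parse_exception(raw)
        if e.startswith("["):
            if ip_matches(e[1:-1], ip):
                return True
        elif e == host.lower():
            return True
    return False

def relay_checks_apply(mode: str, host: str, ip: str, local_domain: str,
                       authenticated: bool, exempt_authenticated: bool,
                       exceptions: list[str]) -> bool:
    """True when the server enforces the Inbound relay controls on this session."""
    if mode not in MODES:
        raise ValueError(f"unknown enforcement mode: {mode}")
    if mode == "None":
        return False                # all hosts can always relay
    is_local = host.lower().endswith("." + local_domain.lower())
    if mode == "External hosts" and is_local:
        return False                # a local-domain relay or firewall is never checked
    if authenticated and exempt_authenticated:
        return False                # POP3/IMAP user who logged in from an ISP
    if in_exceptions(host, ip, exceptions):
        return False                # listed in the exclusion field
    return True
```

With mode "External hosts", a firewall such as fw.example.com in local domain example.com is never checked, which is the path by which mail for a non-local recipient leaves again; "All connecting hosts" closes it.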