TIPS for Securing Lotus Domino eMail Servers

1. Enabling DNS blacklist filters for SMTP connections.
2. Preventing unauthorized SMTP hosts from using Domino as a relay.
3. Open relays.

1. Enabling DNS blacklist filters for SMTP connections.

To prevent unsolicited commercial e-mail (UCE), or spam, from entering your system, you can set up Domino to check whether incoming SMTP connections originate from servers listed in one or more DNS blacklists (DNSBLs). DNSBLs are databases that keep a record of Internet SMTP hosts that are known sources of spam or permit third-party, open relaying.

When DNS blacklist filters are enabled, for each incoming SMTP connection Domino performs a DNS query against the blacklists at the specified sites. If a connecting host is found on the list, Domino reports the event in a console message and in an entry to the Mail Routing Events view of the Notes Log. Both the console message and log entry provide the host name and IP address of the server, and the name of the site where the server was listed.

In addition to logging the event, you can configure Domino to reject messages from hosts on the blacklist or to add a special Notes item to flag messages accepted from hosts on the list.

Specifying the DNS blacklist sites to check

After you enable the DNS blacklist filters, you can specify the site or sites the SMTP task uses to determine if a connecting host is a "known" open relay or spam source. Specify sites that support IP-based DNS blacklist queries.

If Domino finds a match for a connecting host in one of the blacklists, it does not continue checking the lists for the other configured sites.

For performance reasons, it's best to limit the number of sites because Domino performs a DNS lookup to each site for each connection.

You can choose from a number of publicly available and private, paid subscription services that maintain DNS blacklists. When using a public blacklist service, Domino performs DNS queries over the Internet. In some cases, it may take a significant amount of time to resolve DNS queries submitted to an Internet site. If the network latency of DNS queries made over the Internet results in slowed performance, consider contracting with a private service that allows zone transfer, so that Domino can perform the required DNS lookups to a local host. During a zone transfer, the contents of the DNS zone file at the service provider are copied to a DNS server in the local network.

Each blacklist service uses its own criteria for adding servers to its list. Blacklist sites use automated tests and other methods to confirm whether a suspected server is sending out spam or acting as an open relay. The more restrictive blacklist sites add servers to their list as soon as they fail the automated tests and regardless of whether the server is verified as a source of spam. Other less restrictive sites list a server only if its administrator fails to close the server to third-party relaying after a specified grace period or if the server plays host to known spammers.

By searching the Internet, you can find Internet sites that provide periodic reports on the number of entries in various DNS blacklist services.

Hosts that are exempt from DNS blacklist checks

To avoid unnecessary DNS lookups, Domino performs DNS blacklist checks only on hosts that are subject to relay checks, as specified in the SMTP inbound relay restrictions. Any host that is authorized to relay is exempt from blacklist checks. For example, by default, Domino enforces the inbound relay restrictions only for external hosts (Router/SMTP - Restrictions and Controls - SMTP Inbound Controls - Perform Anti-Relay enforcement for these connecting hosts). If the default setting is used, internal hosts are not subject to relay controls and thus are also exempt from blacklist checks.

Specifying how Domino handles connections from hosts found in a DNS blacklist

You can configure Domino to take the following actions when it finds a connecting host on one of the blacklists:

Log only
Log and tag message
Log and reject message

In each case, the server records the following information in the Notes log: the host's IP address and host name (if a reverse DNS lookup can determine this information) and the name of the site that listed the host.

When tagging messages, Domino adds a special Notes item to messages received from hosts found on a blacklist. After Domino determines that a connecting host is on the blacklist, it adds the Notes item $DNSBLSite to each message it accepts from the host before depositing the message in MAIL.BOX. The value of a $DNSBLSite item is the blacklist site in which the host was found. Administrators can use the $DNSBLSite Notes item to provide custom handling of messages received from hosts listed in a blacklist. For example, you can test for the presence of the item through the use of formula language in an agent or view and provide conditional handling of messages that contain the item, such as moving the messages to a special database.

When considering what action to take when Domino finds a host on the blacklist, choose an action that's consistent with the policies of the DNS blacklist site you use. For instance, if the service you use is very restrictive, its blacklist may include "false positives"; that is, it may blacklist hosts that are not known sources of spam. As a result, if you take the action of rejecting mail from any host found on the blacklist, it could prevent the receipt of important messages.

Use restraint when taking action, particularly if you use the blacklist of a more restrictive site. The action you select applies to each of the specified blacklist sites. That is, you cannot configure Domino to deny connections for hosts found on one site's list and log the event only for hosts found on another site's list.

DNS blacklist statistics

The SMTP task maintains statistics that track the total number of connecting hosts that were found on the DNSBL of any configured site, as well as how many were found on the DNSBL of each individual site. Because the statistics are maintained by the SMTP task, they are cumulative for the life of the task only and are lost when the task stops.

You can view the statistics from the Domino Administrator or by using the SHOW STAT SMTP command from the server console. You can further expand the statistics to learn the number of times a given IP address is found on one of the configured DNSBLs. To collect the expanded information, you set the variable SMTPExpandDNSBLStats in the NOTES.INI file on the server. Because of the large numbers generated by the expanded set of statistics, Domino does not record the expanded statistics by default.

Note Domino uses IP version 4 (IPv4) addresses when querying DNS blacklist sites to find out if a connecting host is listed. If the connecting host has an IP version 6 (IPv6) address, Domino skips the DNSBL check for that host.

Changing the default error message

When denying a blacklisted host, Domino returns to it a default SMTP response, which includes the remote host's IP address and the blacklist site that listed the host. You can customize this response in the "Custom error message for denied hosts" field in the Configuration Settings document. The text of a customized response can include the string format specifier "%s" to represent a denied host's IP address and the DNSBL site where the host was found. Refer to the table in the following procedure for more information.

To enable DNS blacklist filters

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers where you want to enable DNS blacklist filters, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
6. Complete the following fields in the DNS Blacklist Filters section, and then click Save & Close:

Field
Enter

DNS Blacklist filters
Choose one:

Enabled - When Domino receives an SMTP connection request, it checks whether the connecting host is listed in the blacklist at the specified sites.
Disabled - Domino does not check whether a connecting host is on the blacklist.

DNS Blacklist sites
If DNS blacklist filters are enabled, specify the DNSBL sites to check when Domino receives an SMTP connection request.

Desired action when connecting host is found in a DNS Blacklist
Choose one:

Log - When Domino finds that a connecting host is on the blacklist, it accepts messages from the host and records the host name and IP address of the connecting server and the name of the site where the server was listed.
Log and tag message - When Domino finds that a connecting host is on the blacklist, it accepts messages from the host, logs the host name and IP address of the connecting server and the name of the site where the server was listed, and adds the Notes item $DNSBLSite to each accepted message.
Log and reject message - When Domino finds that a connecting host is on the blacklist, it rejects the connection and returns a configurable error message to the host.

Custom SMTP error response for rejected messages
Enter the text of the error message Domino returns when denying a connection because it found the host in the DNS blacklist. The default error message indicates that the connection was denied for policy reasons.

You can use the format specifier "%s" to specify the IP address of the denied host and the DNS blacklist site where Domino found the host listed. For example, if you enter the following:

Your host %s was found in the DNS Blacklist at %s

Whenever Domino denies a connection, it returns an error to the host, in which it replaces the first instance of "%s" with the IP address of the host, and the second instance with the DNS blacklist site name. Thus, if you entered the text in the preceding example, a denied host receives an error such as:

Your host 127.0.0.2 was found in the DNS Blacklist at blackholes.mail-abuse.org
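
The following is an added example, not Domino's own code: it models how the SMTP task applies the DNS blacklist filters described above (relay-exempt hosts skipped, IPv6 peers skipped, first matching site wins, then log/tag/reject with the two "%s" substitutions). The DNS data, host names and log text are constructed; the reversed-octet query form is the standard DNSBL convention (RFC 5782) and is assumed here.

```python
"""Added example, not Domino's own code: a model of how the SMTP task applies
the DNS blacklist filters described above. Names, the log/response text and the
DNS data are constructed; the reversed-octet query form follows RFC 5782."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed DNSBL zone data standing in for real DNS answers: a listed
# address gets an answer, an unlisted one returns nothing.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.org": "127.0.0.2",
    "2.0.0.127.dnsbl2.example.net": "127.0.0.2",
}

LOG_ONLY, LOG_AND_TAG, LOG_AND_REJECT = "log", "tag", "reject"
DEFAULT_RESPONSE = "Connection denied for policy reasons"  # constructed stand-in

@dataclass
class Decision:
    accept: bool
    site: Optional[str] = None
    log_entries: List[str] = field(default_factory=list)
    items: Dict[str, str] = field(default_factory=dict)  # Notes items added to the message
    smtp_response: Optional[str] = None

def dnsbl_query_name(ip: str, site: str) -> str:
    """127.0.0.2 checked at dnsbl.example.org becomes 2.0.0.127.dnsbl.example.org."""
    return ".".join(reversed(ip.split("."))) + "." + site

def format_response(template: str, ip: str, site: str) -> str:
    """First %s -> denied host's IP address, second %s -> site that listed it."""
    return template.replace("%s", ip, 1).replace("%s", site, 1)

def check_connection(ip, host_name, sites, action,
                     subject_to_relay_checks=True, custom_response=None):
    d = Decision(accept=True)
    # Hosts authorized to relay are exempt, and IPv6 peers skip the check.
    if not subject_to_relay_checks or ipaddress.ip_address(ip).version == 6:
        return d
    for site in sites:
        if FAKE_DNS.get(dnsbl_query_name(ip, site)) is not None:
            d.site = site
            d.log_entries.append(
                f"SMTP: host {host_name} [{ip}] found in DNS blacklist at {site}")
            break  # first match wins; the remaining sites are not queried
    if d.site is None:
        return d
    if action == LOG_AND_TAG:
        d.items["$DNSBLSite"] = d.site
    elif action == LOG_AND_REJECT:
        d.accept = False
        d.smtp_response = (format_response(custom_response, ip, d.site)
                           if custom_response else DEFAULT_RESPONSE)
    return d
```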



Restricting who can send Internet mail to your users

Unsolicited commercial e-mail (UCE) can flood your server with numerous copies of the same message. Accepting UCE reduces performance and consumes system resources. You can specify restrictions to prevent UCE from being routed to or relayed through your server. Specifying restrictions prevents malicious users from using your system to spoof addresses or send UCE.

To save system resources, before it accepts a message, the Domino SMTP listener checks the Mail From address specified in the message envelope during the SMTP transaction. If you set the Domino server to deny mail from a particular source, Domino denies it whenever that source is encountered -- for example, if users from a denied domain send mail through a relay, Domino denies it based on its origin from that domain. Domino creates an entry in the log file (LOG.NSF) whenever a message is rejected.

To restrict who can send Internet mail to your users

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
6. Complete these fields in the Inbound Sender Controls section, and then click Save & Close:
7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.

Note
Be careful not to specify the same entry in an Allow field and a Deny field because Domino will deny messages for that entry. The Deny setting takes precedence for security reasons.

Inbound Sender Controls

Field
Enter

Verify sender's domain in DNS
Choose one:

Enabled - Domino verifies that the sender's domain exists, by checking the DNS for an MX, CNAME, or A record that matches the domain part of the address in the MAIL FROM command received from the sending host. If no match is found, Domino rejects inbound mail from the host.
Note This can result in Domino rejecting mail from legitimate hosts that do not have these records in their DNS entries.
Disabled - (default) Domino does not check DNS to verify that the sender's domain exists.

Allow messages only from the following Internet addresses/domains
Internet addresses from which the server accepts messages. If you enter addresses in this field, only senders whose addresses match those entries can send Internet mail to users in your local Internet domain. Mail from all other addresses is denied.

During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field.

For example, if you enter lotus.com in the field, Domino accepts incoming mail only if the address in the MAIL FROM command ends in lotus.com. Domino denies messages from all other Internet addresses.

You can create a Notes group containing a list of addresses from which to allow messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named iris.com or group2@iris are not.

Deny messages from the following Internet addresses/domains
Internet addresses from which the server does not accept messages.

During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field.

If you enter addresses in this field, all messages except those matching addresses listed in this field can route to your users. Mail is denied only from addresses matching the entries in this field.

For example, if you enter lotus.com in the field, Domino accepts messages from all Internet addresses and domains except those ending in lotus.com. Domino denies messages from senders whose addresses end in lotus.com.

You can create a Notes group containing a list of addresses from which to deny messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named iris.com or group2@iris are not.
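
The following is an added example, not Domino's own code: it evaluates the Inbound Sender Controls described above against the MAIL FROM address of an SMTP session, covering the optional DNS check for an MX, CNAME or A record, Allow/Deny suffix matching with Deny taking precedence, and the rule that a group entry is valid only without a domain part or dot. The DNS records, the Notes group and the address values are constructed sample data.

```python
"""Added example, not Domino's own code: evaluate the Inbound Sender Controls
described above against the MAIL FROM address of an SMTP session. The DNS
records and the Notes group are constructed sample data."""
from typing import Iterable, List, Optional

# Constructed DNS data for the "Verify sender's domain in DNS" check.
FAKE_DNS_RECORDS = {
    ("lotus.com", "MX"): "mx.lotus.com",
    ("iris.com", "A"): "192.0.2.10",
    ("alias.example.test", "CNAME"): "iris.com",
}
# Constructed Notes group; a group entry is valid only without "." or "@".
GROUPS = {"group1": ["partner.example.test", "vendor.example.test"]}

def is_valid_group_name(name: str) -> bool:
    return "." not in name and "@" not in name

def expand_entries(entries: Iterable[str]) -> List[str]:
    """Replace valid group names with their members; other entries stay literal."""
    out = []
    for e in entries:
        e = e.strip().lower()
        if is_valid_group_name(e) and e in GROUPS:
            out.extend(m.lower() for m in GROUPS[e])
        else:
            out.append(e)
    return out

def matches(address: str, entry: str) -> bool:
    """lotus.com matches any MAIL FROM address that ends in lotus.com."""
    return address.endswith(entry)

def sender_domain_exists(domain: str) -> bool:
    return any((domain, rr) in FAKE_DNS_RECORDS for rr in ("MX", "CNAME", "A"))

def check_mail_from(mail_from: str, allow: Iterable[str] = (), deny: Iterable[str] = (),
                    verify_dns: bool = False) -> Optional[str]:
    """Return None to accept the sender, or the reason the message is denied."""
    addr = mail_from.strip("<>").lower()
    domain = addr.rsplit("@", 1)[-1]
    if verify_dns and not sender_domain_exists(domain):
        return f"sender domain {domain} has no MX, CNAME or A record"
    # Deny takes precedence: an address matching both lists is denied.
    if any(matches(addr, e) for e in expand_entries(deny)):
        return f"sender {addr} matches a Deny entry"
    allow_entries = expand_entries(allow)
    if allow_entries and not any(matches(addr, e) for e in allow_entries):
        return f"sender {addr} does not match any Allow entry"
    return None
```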
   



2. Preventing unauthorized SMTP hosts from using Domino as a relay.

To protect SMTP servers from unauthorized relaying, Domino provides inbound relay controls used to define the hosts to which and from which a server can relay messages. The Domino SMTP listener denies requests to relay messages to or from unauthorized hosts.

Setting and enforcing inbound relay controls

To prevent misuse of your system, configure Domino to prevent open relaying, while allowing relays originating from and destined for known domains and hosts. By default, a new Domino SMTP server prevents external hosts from relaying mail to any destination. You can further customize Domino's anti-relay controls to specify when relays are and are not allowed.

The Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab of the Configuration Settings document provides two sets of controls for managing relay access:

Inbound relay controls
Inbound relay enforcement

Use the Inbound relay controls to restrict relays by destination and origin. Use the relay enforcement controls to selectively apply the relay restrictions based on the originator's relation to the local Internet domain, host name, or authentication status.

3. Open relays.

An SMTP server that indiscriminately accepts mail from outside the local Internet domain and attempts to dispatch it to another external destination is known variously as a spam relay, third-party relay, or open relay host (open relay, for short). Leaving a mail server open to use by anonymous third parties is generally considered irresponsible, largely because open relays are often the target of Internet mass-mailers who use them to distribute unsolicited commercial e-mail (UCE), commonly referred to as electronic junk mail or spam. Spam vendors use open relays as waypoints between themselves and their target recipients, allowing them to distribute vast quantities of mail anonymously.

When someone reads a spam message that has been relayed through one of your SMTP servers, the message appears to originate in your Internet domain. In other words, your organization seems to be linked with the spam source.

Not only does relaying spam reflect badly on your organization, but there are other more serious and costly implications. Relayed mail consumes network bandwidth and server resources, reducing your system's ability to handle legitimate mail. As mail backs up, administrators and help desk personnel are faced with service interruptions and the task of sorting out the backlog of undeliverable messages. Failure to restrict access to an open relay could result in the server being reported on Internet blacklists. Because SMTP hosts in many organizations will not accept mail from blacklisted servers, if your outbound mail server is blacklisted, your organization may be unable to transfer mail to other Internet domains.

Setting inbound relay controls

To block relays to a specific domain or from a specific host, set restrictions in the inbound relay controls on the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab of the Configuration Settings document.

Use the inbound relay controls to define:

The destination domains to which you allow and deny relays
The originating hosts from which you allow and deny relays

Note In determining whether to allow a relay, Domino checks the original sender, not just the last hop domain. This prevents people from routing from a denied source through an accepted one to your domain.

To set inbound relay controls

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
3. Click Configurations.
4. Select the Configuration Settings document for the mail server or servers you want to administer and click Edit Configuration.
5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.
6. Complete these fields in the Inbound Relay Controls section, and then click Save & Close:

Field
Enter

Allow messages to be sent only to the following external Internet domains
Internet domains to which Domino can relay messages. Domino relays messages to recipients in the specified domains only. Messages for recipients in other external Internet domains are denied.

For example, if you enter abc.com and xyz.com in this field, Domino accepts only messages to recipients with addresses that end in abc.com or xyz.com domains. Messages for recipients in other domains are denied.

To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com the server relays messages only if the domain part of the address matches xyz.com exactly, such as User@xyz.com. Messages to addresses in other domains that end in xyz.com, such as User@uvwxyz.com or User@abc.xyz.com, are denied.

Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be sent; for example, enter %AcmeEast to specify that the server can send mail to the Domino domain AcmeEast.

Deny messages to be sent to the following external Internet domains
Internet domains to which Domino will not relay messages. An asterisk (*) in this field prevents Domino from relaying messages to any external Internet domain.

Domino denies only messages destined for recipient addresses in the specified domains. All other messages may relay.

For example, if you enter abc.com in the field, Domino relays messages to recipients in all external Internet domains except abc.com. Domino denies messages for recipients in the abc.com domain.

To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com, the server rejects messages addressed to users if the domain part of the address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to other domains that end in xyz.com, such as user@server.xyz.com.

Prefix a percent sign (%) to specify a Domino domain name; for example, entering %AcmeEast specifies the Domino domain AcmeEast. This lets you prevent SMTP users from sending mail to certain internal Domino domains or even foreign domain servers, such as FAX systems.

Allow messages only from the following Internet hosts to be sent to external Internet domains
Specifies the hosts or domains that the Domino SMTP service allows to relay outbound Internet mail. If this field contains valid entries, Domino allows only servers matching these entries to relay. Message relays from other servers are denied.

Enter host names or IP addresses to designate the sites that are authorized to use Domino to relay messages to recipients outside your local Internet domain. For example, if you enter lotus.com or ibm.com in the field, Domino accepts messages for recipients in external Internet domains only from servers with host names that end in lotus.com or ibm.com. Domino rejects messages for external recipients from any server not listed in this field.

Deny messages from the following Internet hosts to be sent to external Internet domains
Specifies the hosts or domains that the Domino SMTP service does not allow to relay outbound Internet mail. If this field contains valid entries, Domino denies message relays from servers matching those entries. Domino allows message relays from all other servers.

Enter host names or IP addresses to designate the sites that cannot use Domino to relay messages to recipients outside the local Internet domain.

For example, if you enter lotus.com in the field, Domino accepts messages to recipients in external Internet domains from all servers except those with host names ending in lotus.com. Domino denies messages to recipients in external Internet domains from servers in the lotus.com domain.

An asterisk (*) in this field prevents Domino from relaying messages from any host subject to the relay controls.

7. Reload the SMTP task, or update the SMTP configuration to put the changes into effect.

You can use an asterisk (*) to indicate "all domains." For example, putting * in an Allow field allows all hosts in all domains to perform that operation.

Wildcards may be used in place of an entire subnet address; for example, [127.*.0.1]. Wildcards are not valid for representing values in a range -- for example, the entry [123.234.45-*.0-255] is not valid because the asterisk is used to represent the high-end value of the range that begins with 45.

When entering multiple addresses, separate them with carriage returns; after the document is saved, Domino automatically reformats the list, inserting semicolons between the entries.

When entering an IP address, enclose it within square brackets; for example, [127.0.0.1].
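
The following is an added example, not Domino's own code: it matches entries from the Inbound Relay Controls fields above against one relay request, implementing the entry syntax the table and notes describe (suffix match by default, @ for an exact Internet domain, % for a Domino domain, * for all, bracketed IP addresses with * in place of a whole octet or a numeric range, and rejection of an entry that uses * as one end of a range). The order in which the four fields are evaluated, Deny before Allow, is an assumption of this model, as are all host and domain values.

```python
"""Added example, not Domino's own code: match entries from the Inbound Relay
Controls fields above against one relay request. The evaluation order
(deny lists before allow lists) is an assumption of this model."""
from typing import Iterable, Optional

def validate_entry(entry: str) -> bool:
    """[123.234.45-*.0-255] is invalid: * may not stand for one end of a range."""
    if entry.startswith("[") and entry.endswith("]"):
        return not any("-" in o and "*" in o for o in entry[1:-1].split("."))
    return True

def ip_matches(ip: str, spec: str) -> bool:
    """Each spec octet is a number, * (any value) or a range such as 0-255."""
    parts, specs = ip.split("."), spec.split(".")
    if len(parts) != 4 or len(specs) != 4:
        return False
    for p, s in zip(parts, specs):
        if s == "*":
            continue
        lo, _, hi = s.partition("-")
        if not int(lo) <= int(p) <= int(hi or lo):
            return False
    return True

def destination_matches(recipient_domain: str, entry: str,
                        domino_domain: Optional[str] = None) -> bool:
    """'*' all domains, '@xyz.com' exact, '%AcmeEast' Domino domain, else suffix."""
    d, e = recipient_domain.lower(), entry.lower()
    if e == "*":
        return True
    if e.startswith("@"):
        return d == e[1:]
    if e.startswith("%"):  # caller supplies the recipient's Domino domain, if any
        return domino_domain is not None and domino_domain.lower() == e[1:]
    return d.endswith(e)

def host_matches(host_name: Optional[str], ip: str, entry: str) -> bool:
    """'*' all hosts, '[127.*.0.1]' an IP pattern, else a host-name suffix."""
    if entry == "*":
        return True
    if entry.startswith("[") and entry.endswith("]"):
        return ip_matches(ip, entry[1:-1])
    return host_name is not None and host_name.lower().endswith(entry.lower())

def relay_allowed(recipient: str, host_name: Optional[str], ip: str,
                  allow_to: Iterable[str] = (), deny_to: Iterable[str] = (),
                  allow_from: Iterable[str] = (), deny_from: Iterable[str] = (),
                  domino_domain: Optional[str] = None) -> bool:
    """True when a relay to an external recipient from this host may proceed."""
    allow_to, deny_to = list(allow_to), list(deny_to)
    allow_from, deny_from = list(allow_from), list(deny_from)
    bad = [e for e in allow_to + deny_to + allow_from + deny_from if not validate_entry(e)]
    if bad:
        raise ValueError(f"invalid relay control entries: {bad}")
    rcpt_domain = recipient.rsplit("@", 1)[-1]
    if any(destination_matches(rcpt_domain, e, domino_domain) for e in deny_to):
        return False
    if allow_to and not any(destination_matches(rcpt_domain, e, domino_domain) for e in allow_to):
        return False
    if any(host_matches(host_name, ip, e) for e in deny_from):
        return False
    if allow_from and not any(host_matches(host_name, ip, e) for e in allow_from):
        return False
    return True
```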