Chris-Linfoot.net

5.2.17 Domain Literals: RFC-822 Section 6.2.3 [cwl notes that RFC822 is obsoleted by RFC2822]

A mailer MUST be able to accept and parse an Internet domain literal whose content ("dtext"; see RFC-822) is a dotted- decimal host address. This satisfies the requirement of Section 2.1 for the case of mail.

An SMTP MUST accept and recognize a domain literal for any of its own IP addresses.

Alongside RFC2821, which says:

Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox "postmaster" as a case- insensitive local name... The requirement to accept mail for postmaster implies that RCPT commands which specify a mailbox for postmaster at any of the domains for which the SMTP server provides mail service, as well as the special case of "RCPT TO:<Postmaster>" (with no domain specification), MUST be supported.

... this strongly suggests that mail addressed to <postmaster@[domain.literal]> must be accepted.

Domino admins who have been unfortunate enough to have their hosts listed as open relays, particularly on the DSBL, will come across this when they try to get delisted as DSBL wants to send confirmation of the removal request using precisely that address.

How to do this? Well, it's actually quite easy:

• First ensure that you can accept email addressed to postmaster@ any of your local Internet domains. Have an explicit postmaster account, either as a mail-in or a group, or use the default ND6 functionality that aliases postmaster to the named administrator(s) of a particular Domino server. Note that this last item only works if you do not have "Verify that local domain recipients exist in the Domino Directory:" enabled.
  
  
• In your global domain document, in the field "Alternate Internet domain aliases:", include the domain literal(s) of all of your Internet mail hosts that accept SMTP mail. Domain literals are just the IP addresses of your SMTP hosts, enclosed in square brackets, e.g. [192.168.0.1] _{(note 1)}. Domino will then treat these as alternate local Internet domains and will not treat attempts to deliver mail to them as attempted relays, so mail to postmaster@[192.168.0.1] will now be delivered.

Now you can accept the mail from DSBL to confirm removal. Close your relay first and be more careful in future.

Notes:

1. NB: RFC1918 addresses are used here for illustrative purposes only. See John Bell's comment below. The IP you should use in the sqare brackets to create the correct literal for your server is the public IP address. I do not use real IP addresses in examples because a) I do not want inadvertently to pick a production address belonging to someone and b) Google has a habit of finding these things and directing all sorts of queries here needlessly.

Category: Domino: Administration
Technorati: Domino: Administration

1. Richard Schwartz23/08/2003 19:12:11
Homepage: http://smokey.rhs.com/web/blog/rhs.nsf

Hmm... interesting. Bit of a problem for folks with servers sitting on dynamic IP addresses.

2. Ed Falcon26/08/2003 05:56:21
Homepage: http://www.madjunk.com

Good post Chris.
Fortunately, I've not had to deal with this issue (RFC1123 5.2.17), but will soon be addressing it.

3. Chris Linfoot26/08/2003 13:45:52

Thanks for the RFC ref.

Better than my RFC2821 reference, though that still works.

Will update this post with some better RFC references.

4. Christopher Harvey06/11/2003 16:07:36
Homepage: http://chris.brotherhoodmutual.com

First let me say that I love reading your blog. I don't know how you find the time to track spam so well. Your users are lucky to have all that junk taken care of for them.

Now the question
As a good email admin I plan to add the postmaster and abuse addresses to our domain. In your experience, are these accounts a magnet for spam themselves??

5. Chris Linfoot06/11/2003 16:15:44

In my experience, no.

Postmaster does get some but not much. Webmaster (not a strict RFC requirement, but we have it anyway) gets quite a lot. Abuse gets precisely none at all.

I have no idea whether this means anything.

Addresses we use for reporting spam or discussing it on NANAE, tend to be used very often by both spammers and viruses.

6. Rusty Gadberry22/01/2004 22:32:34
Homepage: http://www.ark-data-services.com

I moved my Domino server to another system and some how ended up with another configuration document which did not have the relay turned off. It does not take long for the spammers to find a mail server that is open for relays. My mail server got listed in DSBL.ORG. In order to get removed, I had to accept mail using the RFC1123 5.2.17 standards. I looked all over Lotus support site but could not find a solution. I have been trying to get this resolved for 3 days. I finally found your solution and it worked great. Thanks for publishing the info.

7. Chris Linfoot23/01/2004 08:35:36

No worries mate.

Another satisfied customer.

8. Alfred Keith01/01/2005 20:18:09
Homepage: http://www.alkeith.com

I have been listed in DSBL.org and have tried for months to get it removed, however I cannot figure out how to configure my server to accept Email sent as domain literal. In order to get removed, I need to be able to accept mail from DSBL.org at postmaster@xxx.xxx.xxx.xxx where "xxx" is my IP address.

I am running Windows SBS Server 2000 with Exchange 2000 and I have configured reverse DNS and added the IP address in the address space of Exchange.

Can you possibly provide me with explicit instructions to setup ability to accept Email sent to domain literal address? What needs to be done in DNS and Exchange?

I would greatly appreciate your help!
Regards,
Al Keith

9. Chris Linfoot02/01/2005 20:13:57

Actually, DSBL wants to send email to postmaster@[xxx.xxx.xxx.xxx], not postmaster@xxx.xxx.xxx.xxx - there is an important difference.

I do not know exchange, but there must be a place somewhere where you tell it the names of local Internet domains (ie local domains for which this erver accepts email). You must include the IP literal of your server in that list. Remember, IP literal is the IP address enclosed in square brackets.

Your alternative, if you control DNS for that IP is just to have a PTR record for it pointing to a host in your local domain. DSBL will then send email to postmaster@example.com instead of the IP literal.

And be sure you have a postmaster account set up locally to accept the email.

HTH

10. Scott Iver11/03/2005 21:37:47

Chris, if you have time, could you detail something for me for large Domino installs?
It's my understanding there is a notes.ini var. that will allow you to specify a particular Global Domain Doc.. I *THINK* it's SERVER_DEFAULT_GLOBAL_DOMAIN=[global domain doc name]

I have no idea if this even works, and unfortunatly no budget for a test server

Anyway if this works, you domino admin's out there dealing with a large enviroment (multiple servers and sites, and/or multiple sub companies with thier own requirements) could setup seperate Global Domain doc's, if you don't want a particular MX to accept [x.x.x.x] but another does have too.

Just a thought...

11. Chris Linfoot11/03/2005 22:48:07

RFC compliance is the issue here. You really don't have a choice if you want to comply (and if not, why not?).

Every SMTP must be capable of accepting messages addressed to its own domain literal.

The feature you describe is very useful where in a large environment you only want certain servers to accept email for certain domains (perhaps geographic variation).

12. Scott Iver13/04/2005 16:22:15

Exactly, my thought here was that in large enviroments your server in the UK would not want to accept mail from the domain literal of your server sitting the US. If all sites are using the same Global Domain doc, then this would be the case, and a potential source for UCE (though not very likely I admit).

Still, if your Org is setup similar to ours, then each country unit runs it's own systems, and thus it's own domains, and everything that goes along with that. Anyway I thought it might be a good tip to include on this page, since in your enviroment you may have multiple domino servers, but may not want server1 to accept server2's domain literal mail. HTH

13. Chris Linfoot13/04/2005 16:47:15

This is about email addressed to a domain literal. Email doesn't usually come from one.

If a spammer forges my Domain literal in his sender address (SMTP MAIL FROM:<spammer@[192.168.0.1]> where 192.168.0.1 is the IP of my server) then I can (and do) deny it.

The issue here is not that - it is that if someone sends to (SMTP RCPT TO) <postmaster@[192.168.0.1]> (where 192.168.0.1 is the IP of my server), I must accept it.

14. Scott Iver13/04/2005 22:22:20

Chris, your almost on the same page with me, this should help

What I'm saying is this (not talking about spam at all)...

Server1 - USA 192.168.1.1 / Server2 - UK 192.168.2.2

If you only have 1 Global Domain doc, in order for your servers to accept Domain literal format mails you'd need to add both IP's in 1 Global Doc to make it work for both servers.
[192.168.1.1]
[192.168.2.2]

Instead, another method could be to setup two seperate global domain docs using the INI param I mentioned above.

So if someone did: SMTP RCPT TO <postmaster@192.168.1.1> but the connection was made to Server2 192.168.2.2 then Server 2 wouldn't accept the message, where as, if both servers were on the same Global Domain doc then Server 2 would accept messages to both name@[192.168.1.1] and name@[192.168.2.2].

Also, in this senario it's most likely that the US and UK have different domain names anyway, (for example, company.com UK and company.us US). This way a connection made to Server2 in the UK would not have to route mail for company.us if you didn't want it to.

If you really wanted to make the two MX's work with each other, keep 1 Global domain doc. However, in a semi-seperate enviroment (where about the only thing shared between subsidaries is the NAB) then I would go with seperate Global domain docs. Why would I want my server in the US accepting mail for users in the UK ? For that matter why would the UK want me to accept mail on thier behalf?

I could see if you had a leased private line between the two sites and wanted to have some degree of failover (T1 to internet in the UK goes down, the US server is setup as 2nd MX on the UK domain and will accept internet mail and route over private line until the UK's connection is restored)... I mean there are hundreds of possible setups with domino.

Does this help to clarify what I'm talking about?

15. Chris Linfoot14/04/2005 08:30:10

I understand what you mean - it is just that the scenario you describe is unheard of. If a message is in transit and the recipient envelope says <user@[literal_1]>, then the MTA responsible for delivering it will only ever try to connect to the system at literal_1 to deliver it - never literal_2.

To do this would require some new piece of spamware which could:

a) look up MX for victim's domain
b) on finding multiple MXes, resolve IP for all of them
c) create a message addressed to <victim@[literal_1]>
d) connect directly to port 25 on all MXes other than the one identified by literal_1 to deliver the message

Domino configured with a single global domain document would accept these obviously. Most other MTAs would not. So as an attack vector this simply hasn't got legs.

If you want a large Domino installation where multiple SMTP gateways exist to be absolutely correct, then of course doing it your way is perfect. There's just no real need to do it.

16. Batuhan Kisacikoglu14/10/2005 12:05:09

"or use the default ND6 functionality that aliases postmaster to the named administrator(s) of a particular Domino server. Note that this last item only works if you do not have "Verify that local domain recipients exist in the Domino Directory:" enabled."

I am using 6.5 and "verify local domain recipients exists..." is enabled. There is neither explicit nor aliased postmaster account but posts to postmaster is coming to administrators inbox. I think "verify that local domain recipients exists ..." setting doesn't harm the default domino server 6.5 functionality.

17. Chris Linfoot14/10/2005 13:16:37

Thanks for the tip. Does it work for abuse@ as well as postmaster@?

In any case, that is new behaviour in 6.5.

6.0 did behave as I have described. I wonder if 7 also works correctly.

18. John Bell09/01/2006 11:46:57

If you are setting up your server to receive mail addressed to the IP address, then remember it must be the public IP address, which is not necesarily the IP address of the machine if it is behind a firewall.
i.e. [192.168.1.1] won't work as this is a private IP address.

19. Chris Linfoot09/01/2006 12:06:17

Thank you. I am aware of this. We tend to use RFC1918 addresses for illustrative purposes here in the same way as we tend to use example.com when talking about domains.

20. Josh Shortlidge20/09/2006 20:59:12
Homepage: http://bcccc.net

I just got off an unusual (and frustrating) phone comversation with tech support at Network Solutions. They host the DNS for one of our newest domains, "globalleadershipnetwork.org" (I will abbreviate this to GLN.org below). I wanted to install the "postmaster@GLN.org" and the "abuse@GLN.org" addresses. Their "Account Manager" says that the names are both reserved, and cannot be set up. I went through two levels of tech support on the phone, and they both said the same. The last person I talked to said he understands the importance of those two addresses, and that he himself had tried to get Network Solutions (where he works) to set them up for his domain, without success. However, he also said he would escalate my request to a higher tier of support. I remain appalled and unsatisfied. Any ideas?

21. Chris Linfoot20/09/2006 22:06:35

Other than not using Netsol, no.

However a number of our .com domains are registered with Netsol and we have abuse@ and postmaster@ working fine.

Where is MX for your domain? Is Netsol handling that for you? This is the only factor that I can think of that might "reserve" the postmaster and abuse accounts.

If you are able, use your own servers as MX for your domains. Then policy regarding postmaster, abuse and so on should be entirely up to you.

22. Josh Shortlidge21/09/2006 20:59:17
Homepage: http://bcccc.net

Chris,

Yes, at present NetSol is providing the MX services. That explains the power they have to make this strange decision. However, it is also even more amazing that they would not want someone monitoring complaints sent to those two addresses.

Josh
:-

23. Chris Linfoot21/09/2006 22:16:48

It isn't amazing and those addresses are monitored - not by you but by them.

Unable to post a comment? Please read this for a possible explanation...