The ideal server configuration document
Well, the ideal SMTP Inbound Controls tab, anyway.

From the top and bear with me if it seems obvious at first - it gets better.

These settings refer to any Domino server that is directly reachable on port 25 from the public Internet.

Inbound Relay Controls


The only essential element here is that * in the field "Deny messages to be sent to the following external internet domains:"

This is what closes an otherwise open Domino relay. That * should always be there on any Internet facing Domino server. No exceptions.

Inbound Relay Enforcement


You should enforce anti-relay restrictions on all connecting hosts.

It is unwise to exclude any host from these checks so do so only with extreme caution.

If you have external users submitting messages via SMTP (why?), then they should authenticate and you should allow authenticated users to relay. Otherwise, don't make any exceptions for authenticated users. Brute force attacks against SMTP AUTH to gain relay privileges are still fairly common.

DNS Blacklist Filters and Private Blacklist Filter

Blacklist filters

Blacklists, even very strong ones, are a very good thing when counterbalanced by whitelisting (see below). Use both DNS and local blacklists and note that local blacklists are best implemented as Servers Only groups in the Domino Directory.

In this example, we have two such groups in the Domino Directory named BlockedDNSNames and BlockedNetworks. These work in a similar manner to the whitelist groups described in this earlier SnTT post, but obviously cause the rejection of email, not its acceptance.

See this earlier SnTT post for a more complete description of the "Custom SMTP error response" fields.

The groups should look something like this:

Blocked Names Group

And this:

Blocked Networks Group

DNS Whitelist Filters and Private Whitelist Filter

Whitelist filters

DNS whitelists are unlikely to be all that useful, but this picture illustrates how best to use them if you so choose. If you don't need them (and we don't), then just leave DNS Whitelist Filters disabled.

I have already written at some length about how to use the private whitelist so will not revisit that here.

Inbound Connection Controls

Inbound connection controls

First, "Verify connecting hostname in DNS". Leave it disabled!

It is true that enabling it will defeat some spam, but it will also defeat a lot of real email (because too many systems used to send business email still have incorrect or missing DNS). As a corollary to this, it will also accept a lot of spam because so much spam comes from systems that do have well formed DNS but just shouldn't be sending any direct-to-MX email.

"Deny connections from the following SMTP internet hostnames/IP addresses" is an often overlooked feature of D7. It is distinct from the private blacklist, but is a useful supplement to local and DNS blacklisting.

Why? Because systems blocked by DNS and local blacklists will see your custom error response and thus senders will know why they were blocked. In many cases you want them to know - that is why you use the custom error response - but in some cases you just don't want to accept messages and may not want to say why.

This is where "Deny connections from the following SMTP internet hostnames/IP addresses" comes in.

Populate it with the names of Servers Only groups that contain the DNS names or IP addresses of sites whose email you just don't want, in this example DeniedDNSNames and DeniedNetworks.

Denied names

Denied addresses


These systems will just see a generic "rejected for policy reasons" response and will not be offered the more polite explanation used by DNS and private blacklists.

Inbound Sender Controls


First, "Verify sender's domain in DNS". Turn it on.

This just ensures that inbound mail comes from an envelope sender that can actually accept replies and not something completely bogus. Real senders always want to accept replies. Spammers often do not and may spoof a completely invalid address. Thus the risk of false positives is nil but this will keep out a small amount of spam and some malware.

"Allow messages only from the following external internet addresses/domains" should rarely be needed. This is a local whitelist based on SMTP MAIL FROM sender envelope and will cause all email from unlisted addresses or domains to be rejected. If you do need to use it, use groups as elsewhere in the SMTP inbound controls tab.

Next, the field "Deny messages from the following internet addresses/domain". This denies inbound email based on the SMTP MAIL FROM envelope and is useful where you can't blacklist a sending host. Perhaps that host is shared with other domains whose email you do want. Populate this field with the name of a Domino Directory Servers Only group containing the email addresses or domains of senders whose email you don't want.

Denied Senders

There's just one small problem with this. The group you just created contains email addresses and, although it is unavailable to Notes users for mail addressing, it is available to the server router task for routing. This means that it is possible for an external sender to send email to, for example, DeniedSenders@YourDomain and have it accepted and reflected back out to every address on the list. You probably don't want this, so read on.

Inbound Intended Recipients Controls


First, "Verify that local domain recipients exist in the Domino Directory". Enable this.

Downside - this leaves you open to simple dictionary attacks, where a spammer connects and tries lots of recipient envelopes to see which elicit a 250 (continue) response and which a 550 (permanent failure). There are other ways of achieving a similar end, though, so this is neither hugely useful to the spammer, nor is turning it off a fix for dictionary attacks.

Upside - your Domino server will never accept undeliverable mail and bounce it after accepting it. This eliminates a lot of backscatter and backscatter can get you blacklisted, besides being very rude.

"Allow messages only for the following internet addresses" is a way of limiting the delivery of Internet email to a subset of your users. Again you would use a group for this in those rare cases where it is needed.

Finally, we have "Deny messages intended for the following internet addresses". This is a useful place to store addresses which may be valid aliases for real users but are used only by spammers.

Denied recipients

However, you will note that in addition to storing the name of this group in the Deny messages intended for the following internet addresses field, we also list the Denied Senders group. This is how we avoid the problem of an external sender reflecting email back out to your list of denied senders.
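As an added illustration (not code from the original post and not Domino's own implementation), here is a small Python model of the rules described above, from the "*" relay deny through to the denied-senders reflection problem and its fix in the Intended Recipients controls. All domains, networks and group members are constructed examples, and the order in which the checks are evaluated is an assumption.

```python
import ipaddress

# Added model of the post's SMTP Inbound Controls. Every value below is a
# constructed example and the evaluation order is an assumption, not Domino's code.
LOCAL_DOMAINS = {"yourdomain.example"}
DENY_ALL_EXTERNAL = True   # the "*" in "Deny messages to be sent to the following external internet domains"
ALLOW_AUTH_RELAY = False   # no relay exception for authenticated users unless you really need one
DENIED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # DeniedNetworks group: connection refused
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # BlockedNetworks group: private blacklist
CUSTOM_BLACKLIST_ERROR = "Your host is on our private blacklist; mail postmaster@yourdomain.example"
DENIED_SENDERS = {"spammer@bad.example", "junk.example"}      # DeniedSenders group: addresses and domains
GROUP_ADDRESSES = {"deniedsenders@yourdomain.example"}        # group names the router task can expand
KNOWN_USERS = {"alice@yourdomain.example", "sales@yourdomain.example"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def check_connection(client_ip):
    """Inbound Connection Controls: deny list gives a bare policy rejection, private blacklist the custom error."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in DENIED_NETWORKS):
        return 554, "Rejected for policy reasons"
    if any(ip in net for net in BLOCKED_NETWORKS):
        return 554, CUSTOM_BLACKLIST_ERROR
    return 220, "Service ready"

def check_sender(mail_from, sender_domain_resolves):
    """Inbound Sender Controls: verify the sender's domain in DNS, then the DeniedSenders group."""
    if not sender_domain_resolves:
        return 550, "Sender domain does not exist"
    if mail_from.lower() in DENIED_SENDERS or domain_of(mail_from) in DENIED_SENDERS:
        return 550, "Sender denied"
    return 250, "Sender OK"

def check_recipient(rcpt_to, denied_recipients, authenticated=False):
    """Inbound Relay Controls plus Inbound Intended Recipients Controls. Pass denied_recipients
    with and without the DeniedSenders group name to see the reflection problem and its fix."""
    rcpt = rcpt_to.lower()
    if domain_of(rcpt) not in LOCAL_DOMAINS:  # relay attempt
        if authenticated and ALLOW_AUTH_RELAY:
            return 250, "Relay OK for authenticated user"
        return (550, "Relay not permitted") if DENY_ALL_EXTERNAL else (250, "Relay OK")
    if rcpt in denied_recipients:
        return 550, "Recipient denied"
    if rcpt in GROUP_ADDRESSES:  # the router expands the group: mail is reflected to every member
        return 250, "Recipient OK (group)"
    if rcpt not in KNOWN_USERS:  # verify that local domain recipients exist
        return 550, "No such user"
    return 250, "Recipient OK"
```

Calling `check_recipient("DeniedSenders@yourdomain.example", set())` returns 250 (the group is routable), while adding the group name to the denied recipients turns that into a 550, which is the fix the post ends on.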

Category: SnTT

Comments:

1. Gerco Wolfswinkel - 30/06/2006 08:28:20
Homepage: http://www.domino-weblog.nl


Great summary, Chris. Thanks!




2. Martin - 30/06/2006 17:52:29


Hi Chris, what do the settings in "Deny messages from the following internet hosts to be sent to external internet domains:(* means all)" mean? I think it's for denying relay from internal hosts and should be set as well - am I correct?




3. Chris Linfoot - 30/06/2006 18:12:05


No, it's for selective relay deny regardless of whether hosts are internal or external. You only need a * in "Deny messages to be sent to the following external internet domains:" to deny relay.

* in "Deny messages from the following internet hosts to be sent to external internet domains:" will have exactly the same effect, but is redundant. This field is actually not very useful on an Internet facing server.




4. Jack Dausman - 02/07/2006 21:30:56
Homepage: http://leadershipbynumbers.com


Thanks, Chris, very clear.




5. Tommy - 13/07/2006 11:09:15
Homepage: http://www.inse.cpom


Hi, great config but I have a problem with the groups. I have an ASP setup (xsp), and when I use groups in deny fields it doesn't work! I have to put the group members directly into the deny list field. Do you know why? I have tried changing group names to DenyGroup/Maildomain and so on....
//Tommy




6. Chris Linfoot - 13/07/2006 11:17:10


I've a feeling this may not work in an ASP environment. I'm not in a position to test and the documentation is no help so experimentation is your only hope I'm afraid.




7. Jamie Price - 12/08/2006 07:20:14
Homepage: http://www.notesnerd.com


Chris,

Great work. Keep it up. This site is a great resource and you've worked hard on it. I am currently training my replacement for my current job and when the subject of spam control came up I pointed him here. "Nuff said."




8. Mike Bonito - 05/03/2007 04:13:35


Hi Chris,
Thanks for this great rundown of the security settings in Lotus Notes. Although I do have a particular situation that maybe you can help with. I am running a server at home and my ISP does not allow me to have a fixed IP address. Therefore I must use one of those dynamic DNS systems. The one I use is DYNDNS. I have two registered domains r-zutls.com and rzults.com. No matter what I do I cannot get the server to allow both r-zutls.com and rzults.com messages through using your setup. I have tried adding r-zutls to the "exclude from anti-relay checking" section but it always gives me a relay checking error. The only way to get it to work is to add my server IP address in the inbound relay controls. I don't feel this is very secure because anyone who gets into my network can start using my server for spam.

Do you have any suggestions on how to set this up?

Thanks.




9. Chris Linfoot - 05/03/2007 08:36:47


Is this an inbound or an outbound problem?

If inbound then it's pretty easy. As long as your Domino server knows that your two domains are local domains, then it will accept email addressed to them. Does DYNDNS give you an MX record or just an A record? This wouldn't make any difference, I'm just curious.

If outbound then you will have trouble sending to a lot of sites because of your dynamic address. Set up your ISP's mail core as a smart host and you should be fine.




10. Randy - 02/01/2008 20:26:05


How does one ensure that a Domino server knows what local domains it serves? My problem is that I've recently set up a Domino 8 server and it's rejecting all inbound mail. I need to find where to specify the domains it serves.




11. Chris Linfoot - 02/01/2008 20:54:47


You need a Global Domain document.




12. James - 26/01/2008 08:36:00


RE: Outbound Routing.

Please forgive me for asking a 'newb' question, but once again if "Deny messages to be sent to the following external internet domains:" must contain an '*' with NO exceptions, then how can my internal server behind a firewall use my DMZ Internet facing server?

I've been trying for weeks messing about with a Foreign SMTP Domain + SMTP Connection document combination, but I'm exhausted from trying far too many combinations, and now feel like dismissing that method altogether (and don't even know if it's the right thing to be doing anymore anyway).

I've read the Domino manual considerably, along with info from several links and forums that all say the same thing, but I just can't find the way. I always end up back at "No route found to domain some_domain.com. Check Server, Connection and Domain documents in Domino Directory"

When I use SMTP Outbound/Relay Host (with restrictions) I'm fine, everything works, I can do everything I need to. Which on paper even looked harder.

But using your website as my guidepost, for the greater good of the world I don't want to relay even a little, including from my Internal server.

At a minimum, do you know of "proper" book I can read?

Thank you in advance, I'm trying to use you as a standard and do the right thing, but after weeks and far too many hours, I'm exhausted now and have to move on. As such I'm inclined to take that '*' out and use something in the "Allow messages from only ..." along with all your other excellent advice.

This website is the best of its kind out there, so I trust you and welcome any comments you might have to offer.

-James

Thank you.




13. Derrick - 27/01/2008 20:23:34
Homepage: http://www.ags-us.com


We have a similar problem to Randy's. A few days ago our 7.0.2 email server started rejecting all inbound mail claiming that the sender had been found in one of the blacklists that we use. It is not the blacklist I'm sure because the server continues to reject inbound email even if I set the blacklist filter to check at "thisIsAFakeBlackListNameASDF.org" or any such.
- Derrick




14. Henning Heinz - 09/02/2008 14:42:33


Derrick,
from what I know, if you use blacklists and a query fails due to a DNS error, a typo or the service being unavailable, the message will be rejected. That is why I keep the RBL list short. So what you can do is check if querying the blacklist works at all from the server, and if you have a typo (even a blank can cause some problems). If you use a fake entry like in your example, all mail will be refused too when the RBL check is initiated.




15. Chris Linfoot - 09/02/2008 18:53:58


@14 - not true. DNS errors will look like a DNSBL miss, not a hit.




16. Carlos Alonso Padrones - 28/02/2008 11:37:59


In the SMTP Inbound Control tab of my Domino 6.5.5 server there aren't some of the options you configure here: "Private Blacklist Filter" and "DNS Whitelist Filters and Private Whitelist Filter".

Also, I have two differences with this document (apart from not having server list groups of denied servers, domains and recipients in the directory):

"Deny messages from the following internet hosts to be sent to external internet domains" set to * because I don't want anyone except Domino users to be able to send mail anywhere.

"Allow messages intended only for the following internet addresses", where I've put all the valid addresses in my organization. This avoids accepting the junk email with random addresses.

Do you think the configuration is optimal? Thanks in advance.




17. John Willemse - 19/06/2008 22:19:03
Homepage: http://www.badkey.com


Thanks again.

Regards,
John



