Chris-Linfoot.net

• Implement security policies and guard against unauthorized mail relaying or injection of unsolicited bulk mail
• Implement authenticated submission, including off-site submission by authorized users such as travelers
• Separate the relevant software code differences, thereby making each code base more straightforward and allowing for different programs for relay and submission
• Detect configuration problems with a site's mail clients
• Provide a basis for adding enhanced submission services in the future

Of these, the first two are probably the most important to a Domino administrator.

If your Domino SMTP server is also MX for one or more domains and is listening on port 25, then you probably have policies implemented to act against spam and these may include public and private blacklists as well as other policies which will get in the way of message submission.

Regardless of how you set up the fields Perform Anti-Relay enforcement for these connecting hosts: and Exceptions for authenticated users:, if you use blacklists or other policies designed to prevent transfer (by which we usually mean delivery) over SMTP, these will always work against message submission too.

A user of a non-Notes MUA, when connecting using an IP that is listed in a dialup DNSBL, for example, will be rejected even if s/he authenticates successfully.

If you have a policy which rejects email where the sender envelope is in your own domain (and you really should), then you will also reject your user's mail.

The solution is very simple, though it does involve the use of an additional Domino server in your DMZ. You need to set up a Domino server in the DMZ, listening for SMTP connections and allowing relay for authenticated users, but NOT using blacklists or similar policies, NOT announced as MX for any domain and NOT listening on port 25. It should listen on port 587 (per RFC2476) instead.

This need not be a dedicated server, so you may have it already.

If, like us, you are a BlackBerry shop and run BES on a Domino server, that server is already in the DMZ. Depending on how heavily loaded the BES is (in our case, not very), it is both an acceptable extra load and very simple to create an SMTP MSA on that server.

You need to:

1. Enable SMTP listener in the server document.
2. In the server document on the Ports, Internet Ports, Mail tab, Enable Mail (SMTP Inbound) and set the port to 587 and the authentication options to Name & Password: Yes, Anonymous: No.
3. In the server configuration document, set Perform Anti-Relay enforcement for these connecting hosts: to all hosts and set Exceptions for authenticated users: to Allow authenticated users to relay.
4. Open TCP port 587 inbound to the server at your firewall.

If you are using Internet Sites documents for the server in question, then you need to use an SMTP Inbound Site document to define the port and authentication options.

Now you can configure your users' non-Notes MUAs to use the new SMTP MSA by telling them to use the qualified hostname or IP address of this new MSA server, to connect using port 587 and to authenticate using the same credentials as they use to authenticate for POP3 or IMAP. Users will be able to submit email without policies which are designed to operate against unwanted message transfer getting in the way.

Yes, a port scan will reveal SMTP at port 587, but this will be useless to any abuser because it will not accept unauthenticated connections. You will need to monitor for unsuccessful authentication attempts though, in case anyone tries to brute force an authenticated connection.

Category: SnTT
Technorati: Domino Show-n-Tell+Thursday ShownTellThursday SnTT MSA

1. Jan-Piet Mens23/02/2007 12:39:04
Homepage: http://blog.fupps.com

Good article.

One thing though which is a bit off-topic. You write: and run BES on a Domino server, that server is already in the DMZ.

If you run BES on a Domino server, they are not necessarily placed in the DMZ, and IIRC, RIM even suggest against doing so. We run the BES "inside" and simply put the BlackBerry router in the DMZ, thereby lowering potential risks of having the Domino server attacked. A single outgoing TCP connection for SRP is then all that is needed.

2. Chris Linfoot23/02/2007 12:49:11

BES in the DMZ is perfectly safe providing the firewall is correctly configured.

What is the Blackberry router of which you speak?

3. Jan-Piet Mens23/02/2007 13:04:37
Homepage: http://blog.fupps.com

The "router" is a component of the BlackBerry installation (upon setup you can choose to install only the router). It runs on Windows only, obviously, and is the middle ware between the BES (inside) and BlackBerry.com (outside).

4. Jan-Piet Mens23/02/2007 13:09:25
Homepage: http://blog.fupps.com

Forgot this:
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/7979/1181821/278286/745137/Placing_the_BlackBerry_Router_in_the_DMZ.pdf?nodeid=817014&vernum=0

5. Chris Linfoot23/02/2007 13:18:27

I see. Our BES has been in the DMZ since version 2. This seems to be a version 4 feature. But I stand by what I said earlier - BES in the DMZ is safe providing the firewall is set up correctly.

Back on topic, the point here is that you need to run SMTP for message submission on a different server than your MX server and that many sites may already have a server they can place in this role (whether BES or not).

6. Peter Herrmann01/03/2007 01:15:14

I went a different way to this. Actually, I used your TLS post (it was an excellent reference).

I bought an ssl cert for the domino SMTP server and implemented SSL/TLS on port 465. I then set "Allow Authenticated Users to relay" to Yes. The users just need to fill in their NAB username and Httppassword in their mail program settings and that's it. No additional servers are required and this is how most ISPs and Gmail do secured email and message submission.

7. Chris Linfoot01/03/2007 08:52:54

Glad you liked the SSL(TLS?) post.

Sadly, it won't save you here. Allow me to demonstrate.

I have set up a test server which has an SSL cert and will accept secure SMTP connections on port 465. Authenticated users may relay. It also uses one DNSBL - bogons.cymru.com - chosen because it lists RFC1918 addresses (among others) and I want it to detect my connection from my 10.*.*.* address. DNSBL setting is log and reject. Debug is on for SSL so that I can show the SSL channel being established.

Watch this:

01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Recovering password from stash file
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Password is [password]
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Reading keyfile d:\lotus\domino\data\keyfile.kyr
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Looking for trusted roots
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Found trusted roots
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Exit status = 0
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Recovering password from stash file
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Password is [password]
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Reading keyfile d:\lotus\domino\data\keyfile.kyr
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Looking for cert chain
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Got cert chain
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Exit status = 0
01/03/2007 08:35:43.64 [0154:0009-0808] ReadKeyfile> Recovering password from stash file
01/03/2007 08:35:43.66 [0154:0009-0808] ReadKeyfile> Password is [password]
01/03/2007 08:35:43.66 [0154:0009-0808] ReadKeyfile> Reading keyfile d:\lotus\domino\data\keyfile.kyr
01/03/2007 08:35:43.66 [0154:0009-0808] ReadKeyfile> Looking for private key
01/03/2007 08:35:43.66 [0154:0009-0808] ReadKeyfile> Decoding keys
01/03/2007 08:35:43.66 [0154:0009-0808] ReadKeyfile> Keys decoded
01/03/2007 08:35:43.66 [0154:0009-0808] ReadKeyfile> Exit status = 0
01/03/2007 08:35:44   SMTP Server: Remote host 10.100.0.10 (mypc) found in blacklist at bogons.cymru.com
01/03/2007 08:35:44   SMTP Server: Message from 10.100.0.10 (mypc) rejected by DNS blacklist filter
01/03/2007 08:35:44   SMTP Server: 10.100.0.10 connected
01/03/2007 08:35:45   SMTP Server: Authentication succeeded for user [me] ; connecting host 10.100.0.10
01/03/2007 08:35:49   SMTP Server: 10.100.0.10 disconnected. 0 message[s] received

8. Chris Miller20/03/2007 20:03:20
Homepage: http://www.IdoNotes.com

I love TLS but our lovely Cisco issue prevents it on 465.

9. Chris Linfoot20/03/2007 20:20:34

You are kidding, right?

10. Roderick Boekdrukker04/07/2008 10:32:41
Homepage: http://www.sapabuildingsystem.be

Brilliant...

After weeks of frustration and searching, this worked seamlessly for connecting Outlook and PDA users from remote ISPs and other locations to our Domino servers.

Unable to post a comment? Please read this for a possible explanation...