Some recommended server configuration settings
Believe it or not, I still regularly get search engine hits from people wanting to know the answer to very basic questions.

Perhaps most worryingly, people want to know how to secure a Domino server against third-party SMTP relay. The answer is to your right. A spam in my spamtrap yesterday is proof that people still fail to take this most basic precaution, and that spam came via a Domino 6.5.1 server!

But while I have the bit between my teeth, perhaps it is worth describing how and why I use some of the other server configuration fields:

  • Perform Anti-Relay enforcement for these connecting hosts: - All connecting hosts - We do have Domino hosts inside our secure zone that relay for some non-Domino applications, but the Domino hosts we have in the DMZ that listen for SMTP email are never used this way, so any host that connects to use the SMTP service must be subject to the same rule.

  • Exceptions for authenticated users: - the default is Perform anti-relay checks for authenticated users - leave it that way unless you absolutely can't avoid changing it.

  • DNS Blacklist filters: - I believe I have covered this in some depth already.

  • Verify connecting hostname in DNS: - the default is Disabled - leave it that way. A surprisingly large number of otherwise legitimate connecting hosts will fail this test. Don't you be one of them - have correct forward and reverse DNS on all your Internet hosts. But it is unrealistic to expect the whole world to comply with this custom, more honoured as it is in the breach than the observance.

  • Deny connections from the following SMTP internet hostnames/IP addresses: - this is your local block list. Use it wisely.

  • Verify sender's domain in DNS: - Set it to Enabled - All this does is verify that the right-hand side of a sender's email address is valid to send email to (i.e. has a DNS MX or A record). Without this it would be impossible to reply. It is reasonable to assume that any legitimate sender of email wants to be able to receive replies, so this test will pass for legitimate mailers, but will fail for a small amount of spam and some viruses.

  • Deny messages from the following internet addresses/domains: - a last resort way of blocking undesirable messages when you can't block the sending host for some reason. List domains (@example.com) or whole addresses (fred@example.com).

  • Verify that local domain recipients exist in the Domino Directory: - Set it to Enabled - This prevents a lot of mail from going dead in mail.box when it arrives for a non-existent local recipient and the resulting delivery status notification (DSN) cannot be routed for some reason. Some quite large ISPs actively reject DSNs, presumably as a spam/virus countermeasure, though this is a blatant RFC violation.
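To make the order and effect of these checks concrete, here is an added Python model of the inbound decision the settings above describe. It is not Domino's code: the `SmtpInboundSettings` field names only mirror the configuration document, the `Connection` record and the two lookup callables (`sender_domain_resolves`, `recipient_exists`) are assumptions, and the directory and DNS data are constructed so the whole thing runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple

@dataclass
class SmtpInboundSettings:
    """Hypothetical mirror of the configuration-document fields discussed above."""
    local_domains: Set[str]                               # domains this server delivers for
    deny_hosts: Set[str] = field(default_factory=set)     # "Deny connections from ... hostnames/IP addresses"
    deny_senders: Set[str] = field(default_factory=set)   # "Deny messages from ...": "@dom" or "user@dom"
    anti_relay_all_hosts: bool = True                     # enforcement for "All connecting hosts"
    anti_relay_checks_authenticated: bool = True          # the default "Exceptions for authenticated users"
    verify_sender_domain: bool = True                     # "Verify sender's domain in DNS"
    verify_local_recipients: bool = True                  # "Verify that local domain recipients exist"

@dataclass
class Connection:
    remote_ip: str
    remote_host: str
    authenticated: bool
    mail_from: str
    rcpt_to: str

def evaluate(settings: SmtpInboundSettings, conn: Connection,
             sender_domain_resolves: Callable[[str], bool],
             recipient_exists: Callable[[str], bool]) -> Tuple[str, str]:
    """Apply the checks in the order the SMTP dialogue presents them:
    connecting host, then MAIL FROM, then RCPT TO. Returns (verdict, reason)."""
    if conn.remote_ip in settings.deny_hosts or conn.remote_host.lower() in settings.deny_hosts:
        return "reject", "connecting host is on the local block list"

    sender = conn.mail_from.lower()
    sender_domain = sender.rpartition("@")[2]
    if sender in settings.deny_senders or "@" + sender_domain in settings.deny_senders:
        return "reject", "sender address or domain is denied"
    if settings.verify_sender_domain and not sender_domain_resolves(sender_domain):
        return "reject", "sender domain has no MX or A record, so replies could not be routed"

    rcpt = conn.rcpt_to.lower()
    rcpt_domain = rcpt.rpartition("@")[2]
    if rcpt_domain not in settings.local_domains:
        # Delivery would be to another domain, i.e. a relay. With the recommended
        # settings this is refused for every host, authenticated or not.
        enforce = settings.anti_relay_all_hosts and (
            settings.anti_relay_checks_authenticated or not conn.authenticated)
        if enforce:
            return "reject", "relaying denied"
        return "accept", "relayed"

    if settings.verify_local_recipients and not recipient_exists(rcpt):
        # Refused at RCPT TO, so nothing lands in mail.box and no DSN is needed.
        return "reject", "no such local recipient"
    return "accept", "queued for local delivery"

# Constructed sample data for a stand-alone run (not real hosts or users).
SETTINGS = SmtpInboundSettings(
    local_domains={"example.com"},
    deny_hosts={"192.0.2.10"},
    deny_senders={"@spam.invalid", "fred@example.org"},
)
KNOWN_MX_DOMAINS = {"example.com", "example.org"}   # stands in for a DNS MX/A lookup
DIRECTORY = {"alice@example.com"}                   # stands in for the Domino Directory

def sender_domain_resolves(domain: str) -> bool:
    return domain in KNOWN_MX_DOMAINS

def recipient_exists(address: str) -> bool:
    return address in DIRECTORY

def check(remote_ip, mail_from, rcpt_to, authenticated=False, remote_host="mta.example.net"):
    """Convenience wrapper around evaluate() using the constructed data above."""
    conn = Connection(remote_ip, remote_host, authenticated, mail_from, rcpt_to)
    return evaluate(SETTINGS, conn, sender_domain_resolves, recipient_exists)

if __name__ == "__main__":
    for args in [("203.0.113.5", "bob@example.org", "alice@example.com"),
                 ("203.0.113.5", "bob@example.org", "carol@example.net"),
                 ("203.0.113.5", "bob@example.org", "carol@example.net", True),
                 ("203.0.113.5", "bob@nxdomain.invalid", "alice@example.com"),
                 ("203.0.113.5", "fred@example.org", "alice@example.com"),
                 ("203.0.113.5", "bob@example.org", "nobody@example.com"),
                 ("192.0.2.10", "bob@example.org", "alice@example.com")]:
        print(args, "->", check(*args))
```

The point the model makes visible is that with the defaults kept, an authenticated session is treated exactly like an anonymous one for relay purposes, and a message for an unknown local user is refused at RCPT TO rather than accepted and bounced later.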

Sorry it's a bit boring today. This is really just Google fodder and may help to keep a few more Domino hosts secure when people find it in the future.

Category: Domino: Administration

Comments:

1. Stoomaroo, 12/02/2004 18:29:08


Boring? -- Yes.
Email Admin 101 -- Absolutely!

...but as your SPAM traps indicate, make no excuses for others' incompetence. (including mine! where it may be observed...LOL)




2. Chris Linfoot, 13/02/2004 08:19:28


Just so I know, where exactly may it be observed?




3. Stomaroo, 13/02/2004 17:50:36


Smart-ass.

Follow me around for a while -- sooner or later I'll leave a shoe lace untied.




4. aleco, 29/04/2004 13:52:55


lol...

tks for the help chris. i never realized how little i know! i applied the above settings, and it made a huge difference. now trying to figure out the DNS Blacklist filters (i'm trying sbl-xbl.spamhaus.org as per your suggestion) but my server seems to think everything is blacklisted!!!

04/29/2004 07:30:25 AM SMTP Server: Remote host 199.85.70.201 (yertle1.workopolis.com) found in DNS blacklist at sbl-xbl.spamhaus.org
04/29/2004 08:15:56 AM SMTP Server: Remote host 142.107.4.100 (ns.moh.gov.on.ca) found in DNS blacklist at sbl-xbl.spamhaus.org

have you ever come across this problem? any suggestions?

aleco




5. Chris Linfoot, 29/04/2004 14:08:39


Well those IPs certainly don't seem to be blacklisted from here.

You can debug this from the command line on the server using nslookup.

Pick an address you know is listed (127.0.0.2 is always listed as a test host on DNSBLs). Make a hostname out of it by reversing the octets and appending the name of the DNSBL (==> 2.0.0.127.sbl-xbl.spamhaus.org). Use nslookup on that hostname to see what you get.

>nslookup 2.0.0.127.sbl-xbl.spamhaus.org

This should return 127.0.0.2.

Similarly, try a host you know is not listed (either of the above will do).

>nslookup 201.70.85.199.sbl-xbl.spamhaus.org

This should return domain not found.

If it does give a hit, what address is it returning? And who is your ISP?




6. aleco, 29/04/2004 20:14:19


tks chris, that helped me solve the problem. i'm almost too embarrassed to post this, but maybe i'm not the only clown out there, so here goes:

our gateway (a linksys router) is also acting as our DHCP server, and i forgot to include the DNS servers when i set it up. without a DNS server to query, our Domino mail server kept getting a "domain not found" return from its DNSBL search.




7. Darren Renaud, 09/06/2005 21:01:24


I'm running into a similar problem...
Like aleco, I'm running a Linksys router but DNS's are listed.
Here goes...
Work server Domino 6.5 W2K static IP configuration for DNSBL working fine.
Home system Domino 6.5 Sol9 dynamic IP (using DNS2GO) same DNSBL config, but all connections seem to be "found".
I did the above nslookups and also removed the router IP from the resolv.conf so that only the ISP and DNS2GO dns servers are listed.
Here are some results:
# nslookup 2.0.0.127.sbl-xbl.spamhaus.org
Server: taco.vianet.ca
Address: 209.91.128.11

Non-authoritative answer:
Name: 2.0.0.127.sbl-xbl.spamhaus.org
Addresses: 127.0.0.2, 127.0.0.4, 127.0.0.6

The following is the work mail server... (which get "found" every time)
# nslookup 123.159.91.209.sbl-xbl.spamhaus.org
Server: taco.vianet.ca
Address: 209.91.128.11

Non-authoritative answer:
Name: 123.159.91.209.sbl-xbl.spamhaus.org.nickydesigns.com
Address: 66.186.88.217

and the home server:
# nslookup 217.88.186.66.sbl-xbl.spamhaus.org
Server: taco.vianet.ca
Address: 209.91.128.11

Non-authoritative answer:
Name: 217.88.186.66.sbl-xbl.spamhaus.org.nickydesigns.com
Address: 66.186.88.217

Any clues?




8. Chris Linfoot, 10/06/2005 08:57:14


1. Both home and work seem to give the same response according to the above. I suspect this is not the case and you pasted the wrong sample for the work server.

2. Your home server is appending the local internet domain to nslookups, so a lookup of x.x.x.x.sbl-xbl.spamhaus.org is actually looking up x.x.x.x.sbl-xbl.spamhaus.org.nickydesigns.com.

nickydesigns.com has a wildcard A record which returns 66.186.88.217 for any host looked up under that domain. 66.186.88.217 is in any case not a valid response to a DNSBL query - you would expect to see 127.0.0.x where x is usually but not always 2.

Solution: change the TCP/IP or hostname parameters on the home machine so that it does not append the local domain suffix to names being looked up.

http://yellerdog.net/yellerdog/yellerdogblog.nsf/d6plinks/KNON-6APM5W
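The two points made in comments 5 and 8, building the reversed-octet query name and recognising that 66.186.88.217 is not a DNSBL answer at all, can be turned into a check that refuses to trust such a response. This is an added Python example, not code from the page or from Domino; the resolver is a pluggable callable so it runs offline, and the stub data is constructed to reproduce the thread's two cases (the 127.0.0.2 test address and the wildcard answer that appears when a local domain suffix is appended).

```python
import ipaddress
from typing import Callable, List, Tuple

DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone, as comment 5 describes.
    The trailing dot makes the name fully qualified, so a resolver configured
    with a 'domain' or 'search' suffix will not append it to the query."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."

def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Return (listed, detail). An address counts as listed only when the
    answer lies in 127.0.0.0/8, the range DNSBLs use for positive hits; any
    other answer points at a resolver problem and is reported, not trusted."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return False, "not listed (domain not found)"
    hits = [a for a in answers if ipaddress.IPv4Address(a) in DNSBL_ANSWER_RANGE]
    if hits:
        return True, "listed: " + ", ".join(hits)
    return False, ("ignored answer %s outside 127.0.0.0/8: check the resolver's "
                   "domain/search suffix and wildcard records" % ", ".join(answers))

# --- constructed stub resolvers; no network access ---------------------------
ZONE = "sbl-xbl.spamhaus.org"
LOCAL_SUFFIX = "nickydesigns.com"      # the wildcard domain seen in comment 7
WILDCARD_ANSWER = "66.186.88.217"

def stub_resolver(name: str) -> List[str]:
    """Answers the DNSBL test address, returns the wildcard A record for anything
    under LOCAL_SUFFIX, and 'domain not found' ([]) for everything else."""
    if name.rstrip(".").endswith("." + LOCAL_SUFFIX):
        return [WILDCARD_ANSWER]
    if name == "2.0.0.127." + ZONE + ".":
        return ["127.0.0.2", "127.0.0.4", "127.0.0.6"]
    return []

def suffix_appending_resolver(name: str) -> List[str]:
    """Models the misconfigured home system: the local domain is appended to
    every lookup, so the query lands on the wildcard A record."""
    return stub_resolver(name.rstrip(".") + "." + LOCAL_SUFFIX)

if __name__ == "__main__":
    for ip, resolver in [("127.0.0.2", stub_resolver),
                         ("199.85.70.201", stub_resolver),
                         ("66.186.88.217", suffix_appending_resolver)]:
        print(ip, dnsbl_query_name(ip, ZONE), dnsbl_lookup(ip, ZONE, resolver))
```

Validating the answer range is the defensive half of the fix: removing the domain line from resolv.conf stops the bad answers, and treating only 127.0.0.0/8 as "found" means a future wildcard or captive-portal resolver cannot silently blacklist every connecting host again.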




9. Darren Renaud, 10/06/2005 15:07:16


Removed the domain line from the resolv.conf file and all is well.

Thanks.




10. Luis, 21/08/2006 15:35:44


When I log in on Windows XP or 2000 Pro it takes about 5 to 8 min. How can I resolve this issue? I have a gateway for internet and the server is Windows 2000 Server.




11. Jeff, 11/02/2008 21:58:13


I have two Domino servers, primary and secondary. Both have mail files. I want to block all incoming mails to the secondary server until there is a DR event. I can't turn off SMTP on the secondary server because I want POP users to connect and get messages.

I would appreciate any help in this regard.

Thx

Jeff




12. Chris Linfoot, 13/02/2008 07:04:58


You can turn off SMTP at the secondary server. SMTP is not POP.



