Restricting who can send Internet mail to your users
Unsolicited commercial e-mail (UCE) can flood your server with numerous copies of the same message. Accepting UCE reduces performance and consumes system resources. You can specify restrictions to prevent UCE from being routed to or relayed through your server. Specifying restrictions prevents malicious users from using your system to spoof addresses or send UCE.

To save system resources, before it accepts a message, the IBM® Lotus® Domino® SMTP listener checks the Mail From address specified in the message envelope during the SMTP transaction. If you set the Domino server to deny mail from a particular source, Domino denies it whenever that source is encountered -- for example, if users from a denied domain send mail through a relay, Domino denies it based on its origin from that domain. Domino creates an entry in the log file (LOG.NSF) whenever a message is rejected.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

To restrict who can send Internet mail to your users

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.

5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Sender Controls section, and then click Save & Close:
Inbound Sender Controls

Field: Verify sender's domain in DNS
Enter: Choose one:
  • Enabled - Domino verifies that the sender's domain exists, by checking the DNS for an MX, CNAME, or A record that matches the domain part of the address in the MAIL FROM command received from the sending host. If no match is found, Domino rejects inbound mail from the host.
    Note: This can result in Domino rejecting mail from legitimate hosts that do not have these records in their DNS entries.
  • Disabled - (default) Domino does not check DNS to verify that the sender's domain exists.

Field: Allow messages only from the following Internet addresses/domains
Enter: Internet addresses from which the server accepts messages. If you enter addresses in this field, only senders matching those addresses can send Internet mail to users in your local Internet domain. Mail from all other addresses is denied.

During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field.

For example, if you enter lotus.com in the field, Domino accepts incoming mail only if the address in the MAIL FROM command ends in lotus.com. Domino denies messages from all other Internet addresses.

You can create a Notes group containing a list of addresses from which to allow messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named iris.com or group2@iris are not.

Field: Deny messages from the following Internet addresses/domains
Enter: Internet addresses from which the server does not accept messages.

During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field.

If you enter addresses in this field, all messages except those matching addresses listed in this field can route to your users. Mail is denied only from addresses matching the entries in this field.

For example, if you enter lotus.com in the field, Domino accepts messages from all Internet addresses and domains except those ending in lotus.com. Domino denies messages from senders whose addresses end in lotus.com.

You can create a Notes group containing a list of addresses from which to deny messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ("."). For example, the group with the name group1 is valid, but the groups named iris.com or group2@iris are not.

7. Reload the SMTP task, or update the SMTP configuration to put changes into effect.

Note: Be careful not to specify the same entry in an Allow field and a Deny field, because Domino will deny messages for that entry. The Deny setting takes precedence for security reasons.
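The Allow/Deny evaluation described above, modeled in Python as an added example (not Domino code and not part of the original documentation), useful for checking a planned pair of lists before saving them. It assumes case-insensitive matching on the end of the MAIL FROM address, following the "ends in" wording above; the function names, the group mapping and all sample values are constructed for illustration.

```python
# Model of the Inbound Sender Controls rules as this page describes them.
# Assumption: entries are compared case-insensitively against the END of the
# MAIL FROM address ("ends in lotus.com"). Domino's real matcher may differ.

def is_group_name(entry):
    """Per the page: a group entry is valid only with no domain part or dot."""
    return "@" not in entry and "." not in entry

def expand(entries, groups):
    """Replace group names with their members; unknown groups raise KeyError
    so that a typo in a group name is noticed instead of emptying the list."""
    out = []
    for entry in entries:
        out.extend(groups[entry] if is_group_name(entry) else [entry])
    return [e.lower() for e in out]

def matches(mail_from, patterns):
    addr = mail_from.strip().strip("<>").lower()
    return any(addr.endswith(p) for p in patterns)

def decide(mail_from, allow, deny, groups=None):
    """Return 'accept' or 'deny' for an envelope sender."""
    groups = groups or {}
    if matches(mail_from, expand(deny, groups)):
        return "deny"                      # Deny takes precedence
    allow_p = expand(allow, groups)
    if allow_p and not matches(mail_from, allow_p):
        return "deny"                      # non-empty Allow list: all others denied
    return "accept"

def conflicts(allow, deny, groups=None):
    """Entries present in both fields after group expansion (always denied)."""
    groups = groups or {}
    return sorted(set(expand(allow, groups)) & set(expand(deny, groups)))

# Constructed sample configuration (hypothetical groups and addresses).
GROUPS = {"partners": ["iris.com"], "blocked": ["bad@iris.com"]}
ALLOW = ["lotus.com", "partners"]
DENY = ["spam.lotus.com", "blocked"]

if __name__ == "__main__":
    for sender in ("<alice@lotus.com>", "bob@spam.lotus.com",
                   "bad@iris.com", "carol@example.org"):
        print(sender, "->", decide(sender, ALLOW, DENY, GROUPS))
    print("conflicting entries:", conflicts(ALLOW, DENY, GROUPS))
```
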
