MAIL


Restricting inbound SMTP connections
To prevent your mail system from accepting unwanted mail, IBM® Lotus® Domino® provides a set of controls that let you restrict incoming SMTP connections. The Inbound Connection controls let you specify: To determine whether a connection attempt is allowed or denied, the Domino SMTP task first checks the remote host's IP address, which the server's TCP/IP stack reads from the incoming IP packet headers. If the IP address does not match any entry in the Inbound Connection control fields, the SMTP task performs a second check, querying DNS to obtain the host name for the given address. If the query is successful, Domino compares the name obtained against the host names in Allow and Deny fields.

If you create a separate Configuration Settings document for your internal SMTP servers, you can use the inbound connection controls to ensure that these internal servers accept SMTP connections from specific SMTP hosts only. For example, configure servers to allow SMTP connections only from servers that receive mail from the Internet. Restricting connections in this way prevents users with POP3 or IMAP clients from sending mail through the server, helps you define valid outbound routing paths, and limits the load on the server.

Note SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

In addition to these inbound connection controls, Domino provides two other means for blocking connections: DNS blacklist filters and access to the SMTP Listener through Domino Extension Manager (EM) services. DNS blacklist filters enable a server to check a host against one or more blacklists during the SMTP conversation. If a connecting host matches an entry in a blacklist, you can configure the server to reject the connection, tag any received messages, or record the transaction in the Notes Log.

Extension Manager (EM) services allow developers to access some functions of the SMTP Listener task. The Extension Manager (EM) allows an executable program library, such as a dynamic link library or shared object library, to register a callback routine that will be called before, after, or before and after Domino performs selected internal operations. Using EM hooks in the SMTP Listener can extend current functionality by providing:

The Domino C API header file EXTMGR.H, included in the Software Development Kit, defines symbols for the supported Extension Manager notification events and types. For additional information on the Extension Manager and registering callback routines, see the Lotus C API Toolkit for Notes/Domino under "Additional documentation resources" in the related topics.

To restrict inbound SMTP connection

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.

3. Click Configurations.

4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.

5. Click the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab.

6. Complete these fields in the Inbound Connection Controls section and then click Save & Close:
FieldEnter
Verify connecting host name in DNSChoose one:
  • Enabled - Domino verifies the name of the connecting host by performing a reverse DNS lookup. Domino checks DNS for a PTR record that matches the IP address of the connecting host to a host name. If Domino cannot determine the name of the remote host because DNS is not available or no PTR record exists, it does not allow the host to transfer mail. Although Domino accepts the initial connection, later in the SMTP transaction it returns an error to the connecting host in response to the MAIL FROM command.
Note Internet SMTP hosts are not required to have PTR entries in DNS. As a result, when this field is enabled, the SMTP task may reject connections from valid SMTP hosts.
  • Disabled - (default) Domino does not check DNS to verify the name of the connecting host.
Allow connections only from the following SMTP Internet host names/IP addressesThe host names, group names, and/or IP addresses allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, only servers matching these entries can connect to the SMTP listener; connection requests from all other servers are denied.

Enter IP addresses in brackets -- for example, [192.168.10.17].

Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and imply the existence of a wildcard. That is, if you enter:


    abc.com

Domino extends accepts only connections from mail hosts in the domains represented by *abc.com, that is, all host names ending in abc.com, including smtp.abc.com and mailhost.abc.com. Domino rejects all other connection requests.

If you specify host name entries, each time a host connects, Domino checks DNS for a PTR record for the connecting host. If Domino cannot resolve the IP address to a host name because DNS is unavailable or no PTR record exists, no mail is accepted from the connection.

Deny connections from the following SMTP Internet host names/IP addressesThe host names, group name, and/or IP addresses that are not allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, all servers except those matching entries in this field can connect to the SMTP listener; connection requests are denied only for servers matching the entries in this field.

Enter IP addresses in brackets -- for example, [192.168.10.17].

Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and use an implied wildcard. That is, if you enter:


    abc.com

Domino implicitly extends the restriction to all mail hosts within the denied domain, denying connections from *abc.com, that is, all hosts in the abc.com domain, including smtp.abc.com and mailhost.abc.com.

The entry abc.com does not prevent connections from xyzabc.com.

Do not use a leading dot (.) in an entry; for example, .abc.com. Because Domino does not match the leading dot, the entry .abc.com does not prevent connections originating from the domain abc.com.

7. Reload the SMTP task or update the SMTP configuration to put changes into effect.

Note Be careful not to specify the same entry in an Allow field and a Deny field because Domino will deny messages for that entry. The Deny setting takes precedence for security reasons.

Restricting the total number of inbound SMTP sessions

By default, the SMTP service supports an unlimited number of inbound sessions; that is, as many connections as the server's resources physically permit. To restrict the number of concurrent SMTP sessions that a server accepts, set the variable SMTPMaxSessions in the server's NOTES.INI file, where xxx is the maximum number of sessions allowed without any buffering. When the specified number of inbound SMTP connections is reached, the server refuses additional connections and returns the following error:


Related topics