Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab
Inbound Relay Controls
FieldEnter
Allow messages to be sent only to the following external Internet domainsInternet domains to which Domino can relay messages. Domino relays messages to recipients in the specified domains only. Messages for recipients in other external Internet domains are denied.

For example, if you enter abc.com and xyz.com in this field, Domino accepts only messages to recipients with addresses that end in abc.com or xyz.com domains. Messages for recipients in other domains are denied.

To name a domain explicitly, prefix an @ sign to the entry. For example, if you enter @xyz.com the server relays messages only if the domain part of the address matches xyz.com exactly, such as User@xyz.com. Messages to addresses in other domains that end in xyz.com, such as User@uvwxyz.com or User@abc.xyz.com, are denied.

Prefix a percent sign (%) to specify the name of a Domino domain to which mail can be sent; for example, enter %AcmeEast to specify that the server can send mail to the Domino domain AcmeEast.

Deny messages to be sent to the following external Internet domainsInternet domains to which Domino will not relay messages. An asterisk (*) in this field prevents Domino from relaying messages to any external Internet domain.

Domino denies only messages destined for recipient addresses in the specified domains. All other messages may relay.

For example, if you enter abc.com in the field, Domino relays messages to recipients in all external Internet domains except abc.com. Domino denies messages for recipients in the abc.com domain.

To name a domain explicitly, prefix an @ sign to the entry. For example if you enter @xyz.com, the server rejects messages addressed to users if the domain part of the address matches xyz.com exactly, such as user@xyz.com, but allows messages to relay to other domains that end in xyz.com, such as user@server.xyz.com.

Prefix a percent sign (%) to specify a Domino domain name; for example, entering %AcmeEast specifies the Domino domain AcmeEast. This lets you prevent SMTP users from sending mail to certain internal Domino domains or even Notes servers such as FAX systems.

Allow messages only from the following Internet hosts to be sent to external Internet domainsSpecifies the hosts or domains that the Domino SMTP service allows to relay outbound Internet mail. If this field contains valid entries, Domino allows only servers matching these entries to relay. Message relays from other servers are denied.

Enter host names or IP addresses to designate the sites that are authorized to use Domino to relay messages to recipients outside your local Internet domain. For example, if you enter lotus.com, ibm.com in the field. Domino accepts messages to recipients in external Internet domains only from servers with host names ending in lotus.com or ibm.com. Domino rejects messages for external recipients from any server not listed in this field.

Deny messages from the following Internet hosts to be sent to external Internet domainsSpecifies the hosts or domains that the Domino SMTP service does not allow to relay outbound Internet mail. If this field contains valid entries, Domino denies message relays from servers matching those entries. Domino allows message relays from all other servers.

Enter host names or IP addresses to designate the sites that cannot use Domino to relay messages to recipients outside the your local Internet domain.

For example, you enter lotus.com in the field. Domino accepts messages to recipients in external Internet domains from all servers except those with host names ending in lotus.com. Domino denies messages to recipients in external Internet domains from servers in the lotus.com domain.

An asterisk (*) in this field prevents Domino from relaying messages from any host subject to the relay controls.


Inbound Relay Enforcement
FieldDescription
Perform Anti-relay enforcement for these connecting hostsSpecifies the connections for which the server enforces the inbound relay controls. Choose one:
  • External hosts (default) - The server applies the inbound relay controls only to hosts that connect to it from outside the local Internet domain. Hosts in the local Internet domain are exempt from anit-relay restrictions. The local Internet domain is defined by either a Global Domain document, if one exists; or as the Internet domain of the host server.
  • All connecting hosts - The server applies the Inbound relay controls to all hosts attempting to relay mail to external Internet domains.
  • None - The server ignores the settings in the Inbound relay controls. All hosts can always relay.
Exceptions for authenticated usersSpecifies whether users who supply login credentials when connecting to the server are exempt from enforcement of the inbound relay controls. Choose one:
  • Perform anti-relay checks for authenticated users - The server does not allow exceptions for authenticated users. Authenticated users are subject to the same enforcement as non-authenticated users.
  • Allow all authenticated users to relay - User who logs in with a valid name and password are exempt from the applicable inbound relay controls. Use this to enable relaying by POP3 or IMAP users who connect to the network from ISP accounts outside the local Internet domain.
Exclude these connecting hosts from anti-relay checksYou create an exceptions list containing the IP addresses or host names of hosts that relay to any permitted domain. For each specified exception, the inbound relay controls will not be enforced. Enter the IP addresses or host names of hosts to be exempted from the restrictions specified in the Inbound relay controls section.

When entering an IP address, enclose it within square brackets; for example, [127.0.0.1]. You can use wildcards to represent an entire subnet address, but not to represent values in a range. For example, [127.*.0.1] is valid; [123.123.12-*.123] is not.


DNS Blacklist Filters
FieldEnter
DNS Blacklist filtersChoose one:
  • Enabled - When Domino receives an SMTP connection request, it checks whether the connecting host is listed in the Blacklist at the specified sites.
  • Disabled - Domino does not check whether a connecting host is on the Blacklist.
DNS Blacklist sitesIf DNS Blacklist filters are enabled, specify the DNSBL sites to check when Domino receives an SMTP connection request.
Desired action when connecting host is found in a DNS BlacklistChoose one:
  • Log - When Domino finds that a connecting host is on the Blacklist, it accepts messages from the host, and records the host name and IP address of the connecting server, and the name of the site where the server was listed.
  • Log and tag message - When Domino finds that a connecting host is on the Blacklist, it accepts messages from the hosts; the host name and IP address of the connecting server, and the name of the site where the server was listed; and adds the Note item, $DNSBLSite, to each accepted message.
  • Log and reject message - When Domino finds that a connecting host is on the Blacklist, it rejects the connection and returns a configurable error message to the host.
Custom SMTP error response for rejected messagesEnter the text of the error message Domino returns when denying a connection because it found the host in the DNS Blacklist. The default error message indicates that the connection was denied for policy reasons.

You can use the format specifier '%s' to specify the IP address of the denied host and the DNS Blacklist site where Domino found the host listed. For example, if you enter the following:


    Your host %s was found in the DNS Blacklist at %s

When Domino denies a connection, it returns an error to the host, in which it replaces the first '%s' with the IP address of the host, and the second '%s' with the DNS Blacklist site name. Thus, if you entered the text in the preceding example, a denied host receives an error such as:

    Your host 127.0.0.2 was found in the DNS Blacklist at blackholes.mail-abuse.org

Inbound Connection Controls
FieldEnter
Verify connecting host name in DNSChoose one:
  • Enabled - Domino verifies the name of the connecting host by performing a reverse DNS lookup. Domino checks DNS for a PTR record that matches the IP address of the connecting host to a host name. If Domino cannot determine the name of the remote host, because DNS is not available or no PTR record exists, it does not allow the host to transfer mail. Although Domino accepts the intial connection, later in the SMTP transaction it returns an error to the connecting host in response to the MAIL FROM command.
Note Internet SMTP hosts are not required to have PTR entries in DNS. As a result, when this field is enabled, the SMTP task may reject connections from valid SMTP hosts.
  • Disabled - (default) Domino does not check DNS to verify the name of the connecting host.
Allow connections only from the following SMTP Internet host names/IP addressesThe host names and/or IP addresses allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, only servers matching these entries can connect to the SMTP listener; connection requests from all other servers are denied.

Enter IP addresses in brackets -- for example, [192.168.10.17]

Host name entries may be complete, as in the fully-qualified host name of a particular server, or partial, and imply the existence of a wildcard. That is, if you enter:


    abc.com

Domino extends accepts only connections from mail hosts in the domains represented by *abc.com, or all host names ending in abc.com, including smtp.abc.com and mailhost.abc.com. Domino rejects all other connection requests.

If you specify host name entries, each time a host connects, Domino checks DNS for a PTR record for the connecting host. If Domino cannot resolve the IP address to a host name because DNS is unavailable or no PTR record exists, no mail is accepted from the connection.

Deny connections from the following SMTP Internet host names/IP addressesThe host names and/or IP addresses that are not allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, all servers except those matching entries in this field can connect to the SMTP listener; connection requests are denied only for servers matching the entries in this field.

Enter IP addresses in brackets -- for example, [192.168.10.17]

Host name entries may be complete, as in the fully-qualified host name of a particular server, or partial, and use an implied wildcard. That is, if you enter:


    abc.com

Domino implicity extends the restriction to all mail hosts within the denied domain, denying connections from *abc.com, or all host names ending in abc.com, including smtp.abc.com and mailhost.abc.com.

Note Using name entries may inadvertently block mail from other unrelated domains. For example, in the previous example, entering abc.com also prevents connections from mailhost.xyzabc.com. To apply restrictions to hosts in a specified domain and its subdomains only, enter a leading dot (.) in domain name entries; for example:


     .abc.com

Inbound Sender Controls
FieldEnter
Verify sender's domain in DNSChoose one:
  • Enabled - Domino verifies that the sender's domain exists, by checking the DNS for an MX, CNAME, or A record that matches the domain part of the address in the MAIL FROM command received from the sending host. If no match is found, Domino rejects inbound mail from the host.
Note This can result in Domino rejecting mail from legitimate hosts that do not have these records in their DNS entries.
  • Disabled - (default) Domino does not check DNS to verify that the sender's domain exists.
Allow messages only from the following Internet addresses/domainsInternet addresses from which the server accepts messages. If you enter addresses in this field, only messages with senders matching those addresses can send Internet mail to users in your local Internet domain. Mail from all other addresses is denied.

During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field.

For example, if you enter lotus.com in the field. Domino accepts incoming mail only if the address in the MAIL FROM command ends in lotus.com. Domino denies messages from all other Internet addresses.

You can create a Notes group containing a list of addresses from which to allow messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ('.'). For example, the group with the name group1 is valid, but the groups named iris.com or group2@iris are not

Deny messages from the following Internet addresses/domainsInternet addresses from which the server does not accept messages.

During the SMTP conversation, the Domino SMTP listener compares the address in the MAIL FROM command received from the connecting host with the entries in this field.

If you enter addresses in this field, all messages except those matching addresses listed in this field can route to your users. Mail is denied only from addresses matching the entries in this field.

For example, if you enter lotus.com in the field. Domino accepts messages from all Internet addresses and domains except those ending in lotus.com. Domino denies messages from senders whose addresses end in lotus.com.

You can create a Notes group containing a list of addresses from which to deny messages and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ('.'). For example, the group with the name group1 is valid, but the groups named iris.com or group2@iris are not.


Inbound Intended Recipients Controls
FieldEnter
Verify that local domain recipients exist in the Domino DirectorySpecifies whether the SMTP listener checks recipient names specified in RCPT TO commands against entries in the Domino Directory

Choose one:

  • Enabled - If the domain part an address specified in an SMTP RCPT TO command matches one of the configured local Internet domains, the SMTP listener checks all configured directories to determine whether the specified recipient is a valid user. If all lookups complete successfully and no matching username is found, the SMTP server returns a 550 permanent failure response indicating that the user is unknown. For example:
    550 bad_user@yourdomain.com ... No such user

    Choosing this setting can help prevent messages sent to nonexistent users (for example, spam messages and messages intended for users who have left the organization) from accumulating in MAIL.BOX as dead mail.

    To avoid messages from being rejected as a result of directory unavailability, Domino accepts messages when an attempted directory lookup does not complete successfully.

    To avoid unnecessary directory lookups, Domino completes the other SMTP inbound tests configured in the relay, sender, and recipient controls before verifying names in the Domino Directory.


Note When this setting is enabled, and there is an entry in the field "Local Internet domain smart host", messages that cannot be resolved are not accepted; therefore, they will not be forwarded to the smart host. When this setting is enabled, and the field "Smart host is used for all local Internet domain recipients" is enabled, only those messages sent to recipients that can be resolved are accepted, and these will be forwarded to the smart host.
  • Disabled - (default) The SMTP listener does not check whether local domain recipients specified in the RCPT TO command are listed in the Domino Directory.
Allow messages intended only for the following Internet addressesInternet addresses that are within the local Internet domain and that are allowed to receive mail from the Internet. If you enter addresses in this field, only those recipients can receive Internet mail. Domino denies mail for all other recipients.

You can create a Notes group containing a list of addresses allowed to receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ('.'). For example, the group with the name group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.

Deny messages intended for the following Internet addressesInternet addresses within the local Internet domain that are prohibited from receiving mail from the Internet. If you enter addresses in this field, all addresses except those listed in this field can receive Internet mail. Domino denies mail for only the addresses in this field.

You can create a Notes group containing a list of addresses who cannot receive mail from the Internet and enter the group name in this field. A group entry is valid only if it does not contain a domain part or dot ('.'). For example, the group with the name group1 is valid, but the groups named yourdomain.com or group2@yourdomain are not.

Note If the server supports Local Part name lookups, users whose addresses are listed in the Deny field may still receive mail addressed to alternate Internet addresses. To prevent use of alternate addresses, complete the Internet address field in each user's Person document and allow users to receive inbound mail destined for their fullname addresses only. Refer to "Specifying how Domino looks up users in the Domino Directory" for information on restricting name lookups.