Without taking special precautions, Lotus Domino will act
as an open mail relay on the Internet.
An open mail relay means that anyone, anywhere that can
connect to your Domino server, can use it to send email, without needing to be
authenticated to your server.
Not exactly what we're looking for.
Let's configure the anti-relay settings starting with the
Global Domain document.
You need a Global Domain document for each
domain/sub-domain that you wish to allow to send mail through your Domino
We find the Global Domain
document by opening the 'Configuration' tab in the Domino Administrator client
and selecting 'Messaging' and 'Domains'.
You will want to set the
Domain type as 'Global Domain'.
Although it may look as if
you are supposed to enter your Internet (or DNS) domain name here (such as
server.wildunknown.com) you actually want to enter your Domino Domain
name. Mine is Wild.
Set the domain role field
to 'R5/R6/R7/R8 Internet Domain'. (fig
On the 'Restrictions' tab
of the Global Domain document, enter the Internet (or DNS) domain name of your
server. (fig 3)
On the 'Conversions' tab of
the Global Domain document, enter the same value in the ‘Local Primary Internet
domain’ field as the value you entered in the ‘Domino domains and aliases’
field on the 'Restrictions' tab. (fig 4)
Change the value of the 'Internet
Address lookup' field to Enabled.
For Internet mail, the 'Local
part' is formed of the 'Short Name' field on the person document in the Domino
Directory and the Domino Domain postion is to the 'Right of @', while the
Domino Domain separator is a '. - period'.
Save and close the Global
Domain document, then open the Server Configuration document for your server. (fig 5)
In the Server Configuration
document, open the ‘Router/SMTP’ tab.
Change the ‘Address lookup’
field value to 'Fullname only'. This will disallow partial matches on names
when delivering email. (fig 6)
If someone sends spam to:
We don't want it delivered
To limit where our Domino
server is willing to receive mail from, open the ‘Restrictions and Controls’
tab, and them the ‘SMTP Inbound Controls’ tab.
To prevent mail relaying, you
want to put a * in both of the ‘Deny’ fields.
If you have more than 1
Domino server, or any other servers that you do want to allow to replay email
through this one, enter their IP addresses in the second ‘Allow’ field. Remember to surround the IP addresses in
square brackets. (fig 7)
The logic may not look
correct when you read it, however, keep in mind that these are 'Inbound'
Setting these fields to
Deny all traffic only applies to 'Outside' servers trying to send through your
Under the ‘Inbound Replay
Enforcement’ section, set ‘Perform Anti-Relay enforcement for these connecting
hosts’ to 'All connecting hosts', but exclude our list of servers from that
check. Remember to put square brackets around your
IP addresses. (fig. 8)
Under the ‘DNS Blacklist
Filters’ section, you
can enable BNS blacklist filters. If
you’re using Domino to receive email, you might want to use them as additional
controls. If you are only setting up the
server to prevent it from being an open mail relay, you can ignore this. See Figure 9 for a sample setup.
Under the ‘Inbound Connection Controls’ section, we can
setup the server to verify the connecting hostname using DNS. That means that the server will do a reverse
DNS lookup to ensure that the IP address the server is connecting with matches
the IP address of the domain it is connecting from. (Fig. 10)
Under the ‘Inbound Intended Recipients Controls’ section,
there are a few changes we’ll want to make.
First of all, we want to set ‘Verify that local domain
recipients exist in the Domino Directory’ to ‘Enabled’. That means that we won’t accept email for
people who don’t have an account on the server.
Second, we’re going to set ‘Reject ambiguous names’ to
‘Enabled’. That means that we won’t
accept email unless we know exactly who it is for.
Third, we’re going to set ‘Deny mail to groups’ to ‘For
all connecting hosts’. This will stop
email from outside sources to be sent to any of our groups. (Figure 11)
(Personal Story: This happened once at a company I worked
at. A disgruntled former employee sent a
virus to the ‘AllEmployees’ group while masquerading as the CEO. Caused all sorts of problems.)
Securing Lotus Domino for the Web: Preventing Unwanted
Mail Relaying was written by John Lawren James of Wildunknown.com.