Securing Lotus Domino for the Web: Email Relay

Added by ~Kirk Zenveluburings | Edited by ~Kirk Zenveluburings on June 1, 2011 | Version 2
Without taking special precautions, Lotus Domino will act as an open mail relay on the Internet. An open mail relay means that anyone, anywhere, who can connect to your Domino server can use it to send email without authenticating to your server. Not exactly what we're looking for.

 

Let's configure the anti-relay settings, starting with the Global Domain document.

You need a Global Domain document for each domain or sub-domain that you wish to allow to send mail through your Domino server.

To find the Global Domain document, open the 'Configuration' tab in the Domino Administrator client and select 'Messaging' and then 'Domains'. (Figure 1)

Set the Domain type to 'Global Domain'.

 

Although it may look as if you are supposed to enter your Internet (DNS) domain name here (such as wildunknown.com), you actually want to enter your Domino domain name. Mine is Wild.

Set the 'Global domain role' field to 'R5/R6/R7/R8 Internet Domain'. (Figure 2)


 

On the 'Restrictions' tab of the Global Domain document, enter the Internet (DNS) domain name of your server. (Figure 3)

On the 'Conversions' tab of the Global Domain document, enter in the 'Local primary Internet domain' field the same value you entered in the 'Domino domains and aliases' field on the 'Restrictions' tab. (Figure 4)

Change the 'Internet address lookup' field to 'Enabled'.

For Internet mail, the 'Local part' is formed from the 'Short name' field of the Person document in the Domino Directory; the 'Domino domain position' is 'Right of @' and the 'Domino domain separator' is '.' (a period).


 

Save and close the Global Domain document, then open the Server Configuration document for your server. (Figure 5)

In the Server Configuration document, open the 'Router/SMTP' tab.

Change the 'Address lookup' field to 'Fullname only'. This disallows partial matches on names when delivering email. (Figure 6)

If someone sends spam to:

          sd@wildunknown.com

we don't want it delivered to:

          sdemers@wildunknown.com


 

 

To limit where our Domino server is willing to receive mail from, open the 'Restrictions and Controls' tab, and then the 'SMTP Inbound Controls' tab.

To prevent mail relaying, put a * in both of the 'Deny' fields under 'Inbound Relay Controls'.

If you have more than one Domino server, or any other servers that you do want to allow to relay email through this one, enter their IP addresses in the second 'Allow' field. Remember to surround the IP addresses in square brackets. (Figure 7)

The logic may not look correct when you read it; keep in mind that these are 'Inbound' controls. Setting these fields to deny all traffic only applies to 'outside' servers trying to send through your server.

Under the 'Inbound Relay Enforcement' section, set 'Perform Anti-Relay enforcement for these connecting hosts' to 'All connecting hosts', but exclude our list of servers from that check. Remember to put square brackets around your IP addresses. (Figure 8)

If your own users submit mail to this server over SMTP with authentication (POP3 or IMAP clients, for example), also check the 'Exceptions for authenticated users' setting in the same section, so that enforcing anti-relay checks for all connecting hosts does not block their legitimate relaying along with everyone else's.
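To see what the Inbound Relay Controls above actually decide, here is an added example, written for this page and not Domino code: a simplified model of the relay policy (Deny fields, Allow-from field, exclusion list) driven by the same EHLO / MAIL FROM / RCPT TO exchange that an open-relay probe uses. The precedence between Allow and Deny entries, the trusted server address 192.0.2.10, the probe addresses and the SMTP reply text are assumptions made for the illustration; field names follow the Server Configuration document.

```python
"""Added example (not Domino code): a simplified model of the Inbound Relay
Controls, exercised with the EHLO / MAIL FROM / RCPT TO exchange an
open-relay probe uses.  Precedence between Allow and Deny entries, host
addresses and the SMTP reply text are assumptions for this illustration."""
from dataclasses import dataclass, field


def _unbracket(entry):
    """Domino writes host entries as [192.0.2.10]; return the bare address."""
    entry = entry.strip()
    return entry[1:-1] if entry.startswith("[") and entry.endswith("]") else entry


@dataclass
class RelayPolicy:
    local_domains: set                                    # Internet domains from the Global Domain document
    deny_relay_to: set = field(default_factory=set)       # "Deny ... sent to the following internet domains"
    deny_relay_from: set = field(default_factory=set)     # "Deny ... from the following external internet hosts"
    allow_relay_from: set = field(default_factory=set)    # "Allow messages only from the following external hosts"
    exclude_hosts: set = field(default_factory=set)       # "Exclude these connecting hosts from anti-relay checks"

    @staticmethod
    def _matches(entries, value):
        return any(e == "*" or _unbracket(e).lower() == value.lower() for e in entries)

    def relay_allowed(self, client_ip, rcpt_domain):
        """Decide one RCPT TO.  Mail for our own domains is inbound, never a relay."""
        if rcpt_domain.lower() in {d.lower() for d in self.local_domains}:
            return True
        if self._matches(self.exclude_hosts, client_ip):       # trusted servers skip the checks
            return True
        if self._matches(self.allow_relay_from, client_ip):    # assumption: Allow-from wins over Deny
            return True
        if self._matches(self.deny_relay_from, client_ip):
            return False
        if self._matches(self.deny_relay_to, rcpt_domain):
            return False
        return True                                            # nothing denied it, so the relay happens


class FakeSmtpServer:
    """Server side of the dialogue, answering RCPT TO from the policy."""

    def __init__(self, policy, client_ip):
        self.policy, self.client_ip = policy, client_ip

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 mail.wildunknown.com Hello"
        if verb == "MAIL":
            return "250 Sender OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            domain = rcpt.rpartition("@")[2]
            if self.policy.relay_allowed(self.client_ip, domain):
                return "250 Recipient OK"
            return "550 Relaying not allowed"                  # constructed reply text
        if verb == "RSET":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def probe_relay(server, mail_from="probe@external.test", rcpt_to="victim@elsewhere.test"):
    """Client side of an open-relay probe.  It stops after RCPT TO, so no message
    is ever queued; returns (rcpt_reply_code, transcript)."""
    transcript = []
    for line in ("EHLO probe.external.test", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>"):
        transcript.append((line, server.command(line)))
    server.command("RSET")
    server.command("QUIT")
    return int(transcript[-1][1][:3]), transcript


def article_policy():
    """The configuration the article arrives at: '*' in both Deny fields and the
    trusted server (constructed address) in the Allow-from and exclusion fields."""
    return RelayPolicy(
        local_domains={"wildunknown.com"},
        deny_relay_to={"*"},
        deny_relay_from={"*"},
        allow_relay_from={"[192.0.2.10]"},
        exclude_hosts={"[192.0.2.10]"},
    )


def is_open_relay(policy, client_ip="203.0.113.5"):
    """True when an arbitrary external host can relay to an external domain."""
    code, _ = probe_relay(FakeSmtpServer(policy, client_ip))
    return code == 250


if __name__ == "__main__":
    print("unconfigured:", is_open_relay(RelayPolicy(local_domains={"wildunknown.com"})))  # True
    print("article config:", is_open_relay(article_policy()))                                # False
```

The probe deliberately stops at RCPT TO: the server's reply to that command is what decides whether relaying is possible, and nothing is queued, so the same dialogue can be run by hand with a telnet session against a real server to confirm the configuration after saving it.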

 

 

Under the 'DNS Blacklist Filters' section, you can enable DNS blacklist filters. If you're using Domino to receive email, you might want to use them as additional controls. If you are only setting up the server to prevent it from being an open mail relay, you can ignore this. See Figure 9 for a sample setup.

Under the 'Inbound Connection Controls' section, we can set up the server to verify the connecting host name using DNS. That means the server performs a reverse DNS lookup on the connecting IP address and refuses the connection if the address cannot be matched to a host name. Be aware that this also refuses legitimate senders whose addresses have no reverse (PTR) record. (Figure 10)
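As an added example of the two connection-time checks just described (written for this page, not Domino's implementation), the following code performs a DNS blacklist lookup and a reverse-DNS verification of the connecting host against an injectable resolver, so it runs offline. The resolver table, the host names and the zone name dnsbl.example.test are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Added example (not Domino code): a DNS blacklist lookup and reverse-DNS
verification of the connecting host, written against an injectable resolver
so the checks run offline.  The resolver table, host names and the blacklist
zone name are constructed for the illustration."""
import ipaddress

# Constructed answers standing in for real DNS.
CONSTRUCTED_DNS = {
    ("PTR", "192.0.2.10"): ["mail.partner.test"],
    ("A", "mail.partner.test"): ["192.0.2.10"],
    ("PTR", "198.51.100.7"): ["spoofed.example.test"],        # PTR points at a name ...
    ("A", "spoofed.example.test"): ["198.51.100.99"],         # ... that resolves elsewhere
    ("A", "7.100.51.198.dnsbl.example.test"): ["127.0.0.2"],  # 198.51.100.7 is listed
}


def resolve(rtype, name):
    """Look up (record type, name) in the constructed table; LookupError means NXDOMAIN."""
    try:
        return CONSTRUCTED_DNS[(rtype, name)]
    except KeyError:
        raise LookupError(f"{rtype} {name}") from None


def dnsbl_query_name(ip, zone):
    """Build the blacklist query name: octets reversed, zone appended.
    192.0.2.10 with zone dnsbl.example.test -> 10.2.0.192.dnsbl.example.test"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_blacklisted(ip, zone, resolve_a=lambda n: resolve("A", n)):
    """A listed address answers with something in 127.0.0.0/8; NXDOMAIN means not listed."""
    try:
        answers = resolve_a(dnsbl_query_name(ip, zone))
    except LookupError:
        return False
    return any(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8") for a in answers)


def verify_connecting_host(ip, resolve_ptr=lambda n: resolve("PTR", n),
                           resolve_a=lambda n: resolve("A", n)):
    """Reverse-lookup the connecting address, then require that one of the
    returned names resolves back to it.  Returns (ok, detail)."""
    try:
        names = resolve_ptr(ip)
    except LookupError:
        return False, "no PTR record"   # a legitimate but badly configured sender looks like this too
    for name in names:
        try:
            if ip in resolve_a(name):
                return True, name
        except LookupError:
            continue
    return False, "PTR name does not resolve back to the connecting address"


def admit_connection(ip, zone="dnsbl.example.test"):
    """Combine both controls: refuse listed addresses and addresses that fail
    the reverse-DNS check; otherwise report the verified host name."""
    if is_blacklisted(ip, zone):
        return False, "listed in " + zone
    return verify_connecting_host(ip)
```

Swapping the two lambdas for calls to a real resolver (for example `socket.gethostbyaddr` and `socket.gethostbyname_ex`) turns this into a live check; the 127.0.0.0/8 convention for blacklist answers is the one public DNSBL zones use, but the meaning of individual answer codes differs per zone and should be read from that zone's documentation.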

 

 

Under the 'Inbound Intended Recipients Controls' section, there are a few changes we'll want to make.

First, set 'Verify that local domain recipients exist in the Domino Directory' to 'Enabled'. That means we won't accept email for people who don't have an account on the server. Rejecting unknown recipients during the SMTP conversation also avoids sending bounce messages to forged sender addresses, though it does let a remote sender discover which addresses exist.

Second, set 'Reject ambiguous names' to 'Enabled'. That means we won't accept email unless we know exactly who it is for.

Third, set 'Deny mail to groups' to 'For all connecting hosts'. This stops email from outside sources being sent to any of our groups. (Figure 11)

 

(Personal Story: This happened once at a company I worked at.  A disgruntled former employee sent a virus to the ‘AllEmployees’ group while masquerading as the CEO.   Caused all sorts of problems.)
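The recipient checks above ('Address lookup' set to 'Fullname only', 'Verify that local domain recipients exist', 'Reject ambiguous names' and 'Deny mail to groups') all decide the same thing: whether a RCPT TO for the local domain is accepted. The following added example, written for this page and not Domino's lookup code, models those decisions over a constructed directory in which two short names share the prefix 'sd', so the sd@ / sdemers@ case from earlier in the article can be run through both a hardened and a lax policy. Modelling 'partial match' as a prefix match on the short name, the Person and Group records, and the reply text are assumptions.

```python
"""Added example (not Domino code): a simplified model of the recipient
checks in the Inbound Intended Recipients Controls section.  The directory
entries are constructed, and 'partial match' is modelled as a prefix match on
the short name, an assumption about the behaviour the article describes."""
from dataclasses import dataclass

LOCAL_INTERNET_DOMAIN = "wildunknown.com"   # 'Local primary Internet domain' from the Global Domain document


@dataclass(frozen=True)
class Person:
    full_name: str    # 'FullName' on the Person document, e.g. "Steve Demers/Wild" (constructed)
    short_name: str   # 'Short name' field: the local part of the Internet address


@dataclass(frozen=True)
class Group:
    name: str


@dataclass
class RecipientPolicy:
    fullname_only: bool = True          # 'Address lookup' = 'Fullname only'; False models partial matching
    verify_recipients_exist: bool = True
    reject_ambiguous_names: bool = True
    deny_mail_to_groups: str = "For all connecting hosts"   # or "None"


# Constructed directory; 'sdemers' and 'sdell' share the prefix 'sd'.
DIRECTORY = [Person("Steve Demers/Wild", "sdemers"), Person("Sara Dell/Wild", "sdell")]
GROUPS = [Group("AllEmployees")]


def internet_address(person, domain=LOCAL_INTERNET_DOMAIN):
    """Local part = Short name, Domino domain to the right of '@' (Conversions tab settings)."""
    return f"{person.short_name}@{domain}"


def lookup(local_part, policy):
    """Return the Person documents a local part could refer to."""
    lp = local_part.lower()
    if policy.fullname_only:
        return [p for p in DIRECTORY if p.short_name.lower() == lp]
    return [p for p in DIRECTORY if p.short_name.lower().startswith(lp)]   # partial match (assumption)


def rcpt_decision(rcpt, policy):
    """Return (smtp_code, detail) for one RCPT TO addressed to the local domain.
    Reply text is constructed; only accept-versus-reject mirrors the settings."""
    local_part, _, domain = rcpt.rpartition("@")
    if domain.lower() != LOCAL_INTERNET_DOMAIN:
        raise ValueError("not a local-domain recipient; the relay controls decide those")
    if any(g.name.lower() == local_part.lower() for g in GROUPS):
        if policy.deny_mail_to_groups == "For all connecting hosts":
            return 550, "mail to groups is denied"
        return 250, f"group {local_part}"
    matches = lookup(local_part, policy)
    if len(matches) > 1:
        if policy.reject_ambiguous_names:
            return 550, "ambiguous recipient: " + ", ".join(p.full_name for p in matches)
        return 250, "accepted although ambiguous"
    if not matches:
        if policy.verify_recipients_exist:
            return 550, "no such recipient in the Domino Directory"
        return 250, "accepted; would have to bounce after acceptance"
    return 250, internet_address(matches[0])


HARDENED = RecipientPolicy()
LAX = RecipientPolicy(fullname_only=False, verify_recipients_exist=False,
                      reject_ambiguous_names=False, deny_mail_to_groups="None")
```

Under HARDENED, sd@wildunknown.com is refused at RCPT TO because nothing matches exactly; under LAX it is accepted even though two people match, and AllEmployees@wildunknown.com is accepted from any connecting host, which is exactly the exposure the group setting closes.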

 

 

Securing Lotus Domino for the Web: Preventing Unwanted Mail Relaying was written by John Lawren James of Wildunknown.com. 

 



Attachments: Figure1.jpg through Figure11.jpg (JPEG, added 6/1/11).