Here:
SMTPMTA_ALLOW_KNOWN_DOMAINS Provides for Enhanced Relay Limitation on SMTP MTA
Problem:
A customer wants to protect his Domino 4.6.4 SMTP MTA from being used as a mail relay while also enabling POP3 clients to send outbound (relay) from the SMTP MTA.
Solution:
The Release 4.6.4 SMTP MTA supports the new NOTES.INI variable SMTPMTA_ALLOW_KNOWN_DOMAINS, which activates an enhanced relay limitation mechanism that allows you to configure the domains for which relay is permitted. If this variable is present and has a non-zero value assigned, the following rules will be enforced:
Mail for a recipient will be rejected if: The connecting host resides in an unknown domain and the recipient also resides in an unknown domain.
Mail for a recipient will be accepted if: Either the connecting host or the recipient resides in a known domain.
In addition to the "local" domain, all domains identified in the Global Domain document's Internet Domain Suffix List will be considered "known domains" when applying the rules described above. If the SMTP MTA decides that a disallowed relay is being attempted, it will return the following reply to the sending host:
"501 This MTA does not relay, from: [connecting host name] to : [recipient domain name]"
These are the steps to configure:
1. Domino Server version 4.6.4 or higher required.
2. SMTPMTA_ALLOW_KNOWN_DOMAINS=1 should not be used in conjunction with SMTPMTA_REJECT_RELAYS=1.
3. SMTPMTA_ALLOW_KNOWN_DOMAINS=1 uses the "Internet Domain Suffix" section of the SMTP MTA's Global Domain document to specify known domains; domains not listed there are considered unknown, and attempts to relay will be rejected.
and here:
MAPS Relay Spam Stopper Adds Lotus Domino 4.6x Servers to Its BlackList
Problem:
The Mail Abuse Prevention System (MAPS) is a monitoring service that works against spamming and open relay systems. A customer reports that this monitoring service has blacklisted their Domino SMTP MTA 4.6x server, so mail can no longer be routed. Depending on the logging level set by the administrator, the error message received is one of the following:
"Refused by blackhole site"
or
"An SMTP protocol error was detected. The peer SMTP returned an invalid reply code."
Solution:
To prevent the open relays on the Domino 4.6.4 or later SMTP MTA, you must specify one of the following options and include both (or all three, if using Option 2) NOTES.INI settings on the SMTP MTA server (NOTE: These settings work only for 4.6x; they are not applicable in Domino R5):
Option 1:
1: SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1
2: SMTPMTA_REJECT_RELAYS=1
This option may still fail the relay test because the relay challenge is not checked until the conversion task attempts to convert the message.
Option 2 (Recommended):
1: SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1
2: SMTPMTA_ALLOW_KNOWN_DOMAINS=1
3: SMTPMTA_RELAY_FORWARDS=1
This option rejects the message during the SMTP conversation, because SMTPMTA_ALLOW_KNOWN_DOMAINS is configured to reject the message before it is received; the SMTPMTA_REJECT_RELAYS parameter, by contrast, rejects the message only after it has been received, during the conversion process.
Error message returned during the SMTP conversation when SMTPMTA_ALLOW_KNOWN_DOMAINS is active:
"501 This MTA is configured NOT to relay message from [acme.com] to [domainabcde.com]."
Note: The SMTPMTA_REJECT_RELAYS setting rejects all messages not intended for the local Internet domain, whereas the SMTPMTA_ALLOW_KNOWN_DOMAINS setting allows relays for the domains listed in the Internet Domain Suffix section of the Global Domain document. For further information, refer to the document titled "SMTPMTA_ALLOW_KNOWN_DOMAINS Rejects Users with DHCP Assigned Addresses" (#172663).
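As an added illustration (not Lotus/IBM code) of the Option 1 / Option 2 guidance above, the following audits the relay-related NOTES.INI settings named in this note: it flags the disallowed SMTPMTA_ALLOW_KNOWN_DOMAINS=1 + SMTPMTA_REJECT_RELAYS=1 combination, a server still on Option 1, and an Option 2 server missing SMTPMTA_RELAY_FORWARDS=1. The NOTES.INI text is a constructed sample.

```python
# Added example (not Lotus/IBM code): audits the 4.6.x NOTES.INI relay settings
# named in the tech note. The NOTES.INI text below is constructed, not a real file.
from typing import Dict, List

SAMPLE_NOTES_INI = """\
; constructed sample, not a real server's file
ServerName=mail/Acme
SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1
SMTPMTA_ALLOW_KNOWN_DOMAINS=1
SMTPMTA_REJECT_RELAYS=1
"""


def parse_notes_ini(text: str) -> Dict[str, str]:
    """NOTES.INI is a flat list of KEY=VALUE lines; keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_relay_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the recommended
    Option 2 combination from the tech note is in place."""
    def on(key: str) -> bool:  # any non-zero value activates a setting
        return settings.get(key, "0").strip() not in ("", "0")

    findings = []
    if on("SMTPMTA_ALLOW_KNOWN_DOMAINS") and on("SMTPMTA_REJECT_RELAYS"):
        findings.append("SMTPMTA_ALLOW_KNOWN_DOMAINS=1 and SMTPMTA_REJECT_RELAYS=1 "
                        "must not be combined")
    if not on("SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES"):
        findings.append("SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1 is missing")
    if not on("SMTPMTA_ALLOW_KNOWN_DOMAINS"):
        if on("SMTPMTA_REJECT_RELAYS"):
            findings.append("Option 1 in use: relay is rejected only at conversion, "
                            "after the message has been accepted; prefer Option 2")
        else:
            findings.append("no relay restriction configured (open relay risk)")
    elif not on("SMTPMTA_RELAY_FORWARDS"):
        findings.append("SMTPMTA_RELAY_FORWARDS=1 is missing for Option 2")
    return findings
```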
In addition, from the 4.6.4 Release Notes:
SMTPMTA_ALLOW_KNOWN_DOMAINS is a new variable which activates an enhanced relay limitation mechanism that provides for configuration of domains for which relay is allowed.
Supporting Information:
The details of the MAPS Relay Blacklisting can be found at http://www.mail-abuse.org
Some other parameters useful in open relay protection are as follows:
SMTPMTA_DENIED_DOMAINS=filename
Can be used if the domain sending the spam mail to the SMTP MTA server is known. This will reject all connections from that domain.
SMTPMTA_HELO_DOMAIN_VERIFY=1
This is used to verify the domain name specified in the HELO/EHLO SMTP command.
SMTPMTA_RELAY_FORWARDS=1
When this variable is set, the SMTP MTA checks whether a recipient has a forwarding address. If the forwarding address is an SMTP 821 address, it relays the message back out without conversion.
(For more information on the above NOTES.INI features, refer to the document titled "Certified NOTES.INI Parameters for SMTP MTA on Domino 4.6.2 and 4.6.2a" (#167173).)
and here:
SMTPMTA_ALLOW_KNOWN_DOMAINS Rejects Users with DHCP Assigned Addresses
Problem:
You are running Domino Server release 4.6.4 or higher and have implemented SMTPMTA_ALLOW_KNOWN_DOMAINS=1. You notice that your internal POP3 or IMAP users are not able to send outbound SMTP messages, even though this parameter was added to the product to allow internal hosts to use this server as an outbound relay for SMTP messages. The MTA returns the following reply:
"501 This MTA does not relay, from: [connecting host name] to : [recipient domain name]"
Why are users getting delivery failures for messages they sent to external Internet users?
Solution:
This issue was reported to Lotus Quality Engineering; however, it was determined not to be a software problem.
SMTPMTA_ALLOW_KNOWN_DOMAINS
The variable SMTPMTA_ALLOW_KNOWN_DOMAINS supports an enhanced relay limitation mechanism that allows you to configure the domains for which relay is permitted. The variable is assigned a value of either zero or non-zero (e.g., SMTPMTA_ALLOW_KNOWN_DOMAINS=1). If this variable is present and has a non-zero value assigned, the following rules will be enforced:
Mail for a recipient will be rejected if the connecting host resides in an unknown domain and the recipient also resides in an unknown domain. A failure message will be sent to LOG.NSF when SMTP MTA rejects inbound mail for this reason.
Mail for a recipient will be accepted if either the connecting host or the recipient resides in a known domain.
In addition to the "local" domain, all domains identified in the Global Domain record (Internet Domain Suffix List) will be considered "known domains" when applying the rules described above. If the MTA decides that a disallowed relay is being attempted, it will return the following reply to the sending host:
"501 This MTA does not relay, from: [connecting host name] to : [recipient domain name]"
If local mail clients use dynamically allocated (DHCP) TCP/IP addresses, it may not be possible for the SMTP MTA to obtain the domain name of these clients via the Domain Name Service (DNS). Because the SMTP MTA cannot obtain a domain name for such a local mail client, it will assume that the client is a host in an unknown domain and may reject mail from it. It is therefore recommended that, if such local mail clients are to be used, the network administrator configure the DHCP server so that all IP addresses it assigns are registered with the DNS and assigned a valid domain name.
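As an added model (not Lotus/IBM code) of the relay rules stated in the first note and repeated above, the following function decides whether a message is relayed under SMTPMTA_ALLOW_KNOWN_DOMAINS=1: it rejects only when both the connecting host and the recipient fall outside the local domain and the Internet Domain Suffix List, and it treats a connecting host whose name could not be resolved (the DHCP case just described) as unknown. The host names and domains are constructed examples; the reply text follows the note.

```python
# Added example (not Lotus/IBM code): models the SMTPMTA_ALLOW_KNOWN_DOMAINS=1
# relay decision described in the tech notes. All names below are constructed.
from typing import Iterable, Optional, Tuple


def domain_of(name: Optional[str]) -> Optional[str]:
    """Map a resolved host name or a recipient address to its domain.
    Returns None when no name is available, e.g. a DHCP client with no
    reverse DNS entry, which the note says the MTA treats as unknown."""
    if not name:
        return None
    name = name.lower().rstrip(".")
    if "@" in name:  # recipient address: use the part after the '@'
        return name.rsplit("@", 1)[1]
    return name


def is_known(domain: Optional[str], known_domains: Iterable[str]) -> bool:
    """'Known' means the local domain or an entry of the Global Domain
    document's Internet Domain Suffix List (or a host beneath one of them).
    An unresolvable host (None) is never known."""
    if domain is None:
        return False
    return any(domain == k or domain.endswith("." + k) for k in known_domains)


def relay_decision(connecting_host: Optional[str], recipient: str,
                   local_domain: str, suffix_list: Iterable[str]) -> Tuple[bool, str]:
    """Return (accepted, smtp_reply). Per the note, mail is rejected only if
    BOTH the connecting host and the recipient reside in unknown domains."""
    known = {local_domain.lower(), *(s.lower() for s in suffix_list)}
    host_domain = domain_of(connecting_host)
    rcpt_domain = domain_of(recipient)
    if is_known(host_domain, known) or is_known(rcpt_domain, known):
        return True, "250 OK"
    # Reply text as quoted in the note; 'unknown' for an unresolved host is
    # an assumption of this example, not something the note specifies.
    return False, (f"501 This MTA does not relay, from: "
                   f"[{connecting_host or 'unknown'}] to : [{rcpt_domain}]")
```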