
Domino R8.x Router Restrictions and Controls Explained


Technote (troubleshooting)


Problem

Introduction

The Restrictions and Controls section of the Server Configuration document is an important part of the Domino SMTP/mail server. This is where mail restrictions are configured to help prevent spam. Spam mail is also referred to as Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE) and can cause many problems for Domino Administrators. This section of the Configuration document can also be used to control users, servers, domains, and Notes organizations from sending or receiving mail.

Purpose
The purpose of this Technical Paper is to assist you in configuring the Restrictions and Control section of the Server Configuration document. In describing router restrictions, SMTP inbound controls, SMTP outbound controls, transfer controls, delivery controls and rules, this document not only addresses the restrictions for unwanted Internet mail, but it also describes the process for configuring threads and other router restrictions. Examples are provided of the restrictions and the error messages displayed when the restriction is applied by the server.

Assumptions
This document assumes that:

  • You have a working SMTP Domino R8.x server with a registered Internet domain and the corresponding settings in Domain Name System (DNS).
  • You have working knowledge of the SMTP conversation for mail transmission. For more information on the SMTP commands, refer to the Request for Comments number 821, also known as RFC821.

The error messages herein are the default error messages for each field; it is assumed that no error messages have been modified in the Failure Message section under Router/SMTP, Advanced, Controls.

Furthermore, this document uses the terms "local Internet domain" and "external Internet domain" throughout. Here, the local Internet domain refers to the Global Domain document's "Local Primary Internet Domain" and "Alternate Internet Domain aliases." All entries in these two fields are considered the local Internet domain, and all Internet domains not listed are considered the external Internet domains.


Router Restrictions




Allow mail only from domains:

This field is used to specify the Notes domains that can send mail to this domain. If a domain is added to this field, mail will be accepted only from this domain; mail from other Notes domains will be rejected. This restriction does not affect mail routing within the local Notes domain.

The following error message displays on the server console, is written to the log, and is sent back to the originator when the user's domain is not listed in this field:

"02:21:04 PM Router: Policy Reason: Your Domain does not have access to route messages to the specified domain."

Field-Level Help: Domains that will be allowed to send mail to this domain.

Deny mail from domains:

This field is used to specify the Notes domains that cannot send mail to this domain. Adding a domain to this field denies mail from this domain only; Domino will continue receiving mail from all other Notes domains. This restriction, like the "Allow mail from domains" field, does not affect mail routing in the local Notes domain.

The error message is the same as that for the "Allow mail from domains" field, except it is displayed when the domain is entered in this field.

Note: If a single Notes domain is entered in both the Allow and Deny fields, the Deny field takes precedence over the Allow field. This is done for security reasons.

Field-Level Help: Domains that will be restricted from sending mail to this domain.

Allow mail only from the following organizations and organizational units: (*/Acme, */Sales/Corp)

This field is similar to the "Allow mail from domains" field; however, this restriction uses organizational units and/or organizations to allow mail instead of Notes domains. An entry in this field allows only users in that organization or organizational unit to send mail to this domain. For example, suppose you enter */acme in this field. This entry allows only users from the acme organization to send mail to the local domain. Because an organization can be split across multiple Notes domains, the same restriction could be built with the "Allow mail from domains" field, but it would require multiple entries.

Error message when the organization is not listed in the allow field:

"02:44:01 PM Router: Policy Reason: Router: CN=First Last/O=ACME@ACME is restricted from sending mail through server SERVER/R80."

Field-Level Help: Organizations and organizational units which are allowed to send mail to this domain. This restriction applies only if the sender's address is a Notes distinguished name.


Deny mail only from the following organizations and organizational units: (*/Acme, */Sales/Corp)

This field is very similar to the "Deny mail from domains" field; however, this restriction uses organizational units and/or organizations to restrict Notes mail routing. An entry in this field denies mail only from that organizational unit and/or organization; Domino continues to route mail from all other organizations. For example, if you enter */north/acme in this field, all mail from this organizational unit is denied, but mail from */south/acme is still delivered.

NOTE: If a single Notes organization is entered in both the Allow and Deny fields, the Deny field takes precedence over the Allow field for security reasons.

Error Message received on the Domino console when the sending organization is listed in this field:

"02:49:38 PM Router: Policy Reason: Router: CN=First Last/O=ACME@ACME is restricted from sending mail through server SERVER/R80"

Field-Level Help: Organizations and organizational units which are restricted from sending mail to this domain. This restriction applies only if the sender's address is a Notes distinguished name.


Maximum message size: 0 KB (default)

This is the maximum message size in KB (kilobytes) the server will accept for routing both Internet mail and Notes mail. This restriction is used for both transfer and local delivery. The default setting is 0 KB, which allows the router to deliver a message of any size.

There are two error messages associated with this field when the message exceeds the maximum size:

"02:53:13 PM Router: Policy Reason: Router: Unable to dispatch message. Size exceeds 1 Kbytes"

"552 Message size exceeds fixed maximum message size set by administrator"

The first is written to the log and sent back to the registered Notes user in the form of a delivery failure report. The second error message is displayed on delivery failure reports for Internet users.

Field-Level Help: Messages larger than this size will not be transferred or delivered. A non delivery message will be returned to the sender reporting the reason for the failure.


Send all messages as low priority if message size is between: Disabled




This field works with the maximum message size; when the field is enabled, it displays another field. This hidden field allows the administrator to set a size range in KB. If a message falls within this range, the message priority is set to low, and it is routed as low priority. For more details on setting low-priority message delivery, see "Low Priority mail routing time range" in the Transfer Controls tab.

This option can be used if network bandwidth is an issue and you want messages of a certain size to be received but not transferred during busy production hours. This option applies only when the message is being transferred; it does not apply to local delivery.

No error message is logged or displayed on the server. You can issue "tell router show" on the server console to see the queue status.

Field-Level Help: Messages in this size range will have their priority permanently changed to low causing them to be sent only during off peak hours. Note that a range of 0 to 0 means never change priority.


Obey database quotas during message delivery: Disabled

This is a tool used by administrators to set a size limitation on a mail file. The Domino Administrator client is used when setting up the database quota (for more information on setting Domino quotas, refer to Managing Domino Databases, pages 126--127).

By default, the router continues to deliver messages to mail files that have a database quota set. The user still gets error messages when trying to create or save a document in the mail file, and this alone helps restrict the size of the database. However, with this setting enabled, the router is prevented from delivering mail to this database until the user removes messages.

There are two different error messages written to the Log for this field, depending on the settings in the database quotas. If you have set up both the warning and quotas, the two error messages will display as follows.

Warning error message:

"04:25:12 PM Warning, database c:\notes\data\mail\mail.nsf has exceeded its warning size threshold of 7168 Kb by -262144 bytes."

Quota error message:

04:29:44 PM Cannot allocate database object - database e:\notes50\data\mail\mail.nsf would exceed its disk quota of 8192 Kb by 1310720 bytes.
04:29:44 PM Router: Database disk quota exceeded

Field Level Help: Do not deliver messages to mail databases that are over quota if enabled. Return a non delivery message to the sender reporting the reason for the failure.

SMTP Inbound Controls
Inbound Relay Controls

An IP range can be used to represent more than one host. If an asterisk is placed in one or more octets of an IP address, that octet matches any value, so the entry covers the corresponding range of addresses. The address must still contain all four octets.

For example:

Syntax that does not work: [9.9.*]

Syntax that works: [9.9.9.*], [9.9.*.*], [9.*.*.*]




Allow messages to be sent only to the following external Internet domains:

This field configures the Domino R8 mail server as a relay for the specified Internet domains. For example, if you enter acme.com, Domino will relay messages only for recipients in this external Internet domain. This entry also allows the server to route mail for user@server.acme.com. If @acme.com is entered in this field instead, a message addressed to user@server.acme.com will be rejected by the Domino server. Any message an SMTP server attempts to relay through this server will be rejected unless the recipient belongs to the acme.com Internet domain.

It is important to note that this setting is used only when the connecting server is not a member of the local Internet domain and it is attempting to relay a message for a recipient in the acme.com domain. This field is a text field that will accept multiple entries, but these entries must be separated by a comma.

Error Message when the Internet domain is not listed in this field:

"12:59:11 PM SMTP Server [026A:0005-0125] Attempt to relay mail to anyone@domain1.com rejected for policy reasons. Relays to recipient's domain denied in your configuration."

Field Level Help: The external Internet domains to which messages will be relayed (or the Domino domains to which messages will be relayed if the item starts with a percent sign). Recipients in all other domains will be rejected. Items need only match the end of the domain name (acme.com will match jsmith@serv1.acme.com, @acme.com will match jsmith@acme.com but will not match pbrown@serv1.acme.com ).

Deny messages from external Internet domains to be sent to the following Internet domains:

Entries in this field restrict the Domino server from relaying messages from external hosts to the domain specified in this field. If the message is addressed to recipients in this domain, the Domino server rejects the message. This field, like the Allow field, will also accept multiple entries, but these entries must be separated by a comma.

For example, if you enter "acme.com" in this field, when an external server connects to send mail to user@acme.com, the message is rejected. If you enter "@acme.com" in this field, the Domino server rejects only messages addressed to users in exactly this Internet domain; messages addressed to user@server.acme.com are allowed.

NOTE: If you specify the same entry in the Allow field and the Deny field, the Deny field always takes precedence over the Allow field. Because of security concerns, Deny must take precedence. You can also use an asterisk (*) as a wildcard to indicate that all domains are denied.

Error Message displayed when the domain is entered in the Deny field:

"01:04:18 PM SMTP Server [0101:0004-0148] Attempt to relay mail to user@acme.com rejected for policy reasons. Relays to recipient's domain denied in your configuration."

Field Level Help: The external Internet domains to which we will never relay messages (or the Notes domains to which messages will never be relayed if the item starts with a percent sign). * would reject message relays to all recipients. Items need only match the end of the domain name (acme.com will match jsmith@serv1.acme.com, @acme.com will match jsmith@acme.com but will not match pbrown@serv1.acme.com).

Allow messages only from the following external Internet hosts to be sent to external Internet domains:

The entries in this field identify the external hosts and/or IP addresses allowed to relay messages through this Domino server. The message destination must be an external Internet domain; that is, the intended recipient is in another Internet domain. These host names and/or IP addresses will be able to relay messages through the Domino R5 server.

For example, if you enter acme.com in this field, Domino will only accept relay mail from connecting servers that match this entry, so server.acme.com would match. More information on this can be found in the Field Level help.

Error Message received in the form of Delivery failure reports when the domain is not listed in the Allow field:

"554 Relay rejected for policy reasons"

Field Level Help: The fully qualified host names or IP addresses of connecting hosts for which we will relay messages. Items need only match the end of host names (acme.com will match serv1.acme.com). IP addresses are always enclosed in square brackets and may include * as a wildcard for subnet addresses.

Deny messages from the following external Internet hosts to be sent to external Internet domains:

The entries in this field identify the external hosts and/or IP addresses restricted from relaying messages through this Domino server. A message from one of these hosts intended for recipients outside the local Internet domain is rejected.

For example, if you enter Domain1.com in this field, Domino will refuse to relay mail from servers that belong to this Internet domain.

NOTE: If you specify the same entry in the Allow field and the Deny field, the Deny field always takes precedence over the Allow field. Because of security concerns, Deny must take precedence. You can also use an asterisk (*) as a wildcard to indicate that all hosts are denied from relaying.

Error Message received in the form of Delivery failure reports when the host is listed in the Deny field:

"554 Relay rejected for policy reasons"

Field Level Help: The fully qualified host names or IP addresses of connecting hosts for which we will never relay messages. * means all hosts. Items need only match the end of host names (acme.com will match serv1.acme.com). IP addresses are always enclosed in square brackets and may include * as a wildcard for subnet addresses.
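The matching rules the four Inbound Relay Controls fields share (end-of-name domain matching, exact matching for items starting with "@", bracketed IP items with per-octet "*" wildcards, and Deny taking precedence over Allow) can be checked offline before a Configuration document is saved. The following Python model is an added illustration written for this page, not Domino's own code; it assumes that an empty Allow field imposes no restriction of its own, and uses constructed host names and addresses.

```python
"""Model of the Domino inbound relay control matching rules described on this page.

Assumption (not stated on the page): an empty Allow field restricts nothing by
itself; only the Deny fields and a non-empty Allow field can reject a relay.
"""
import re

# A bracketed IP item must carry exactly four dotted octets, each digits or '*'.
IP_ITEM = re.compile(r"^\[((?:(?:\d{1,3}|\*)\.){3}(?:\d{1,3}|\*))\]$")


def valid_host_item(item: str) -> bool:
    """[9.9.9.*] and [9.9.*.*] are valid; [9.9.*] (three octets) is not."""
    if item.startswith("[") or item.endswith("]"):
        return IP_ITEM.match(item) is not None
    return item == "*" or bool(item)


def domain_matches(item: str, domain: str) -> bool:
    """'acme.com' matches serv1.acme.com; '@acme.com' matches acme.com only."""
    item, domain = item.lower(), domain.lower()
    if item == "*":
        return True
    if item.startswith("@"):
        return domain == item[1:]
    return domain == item or domain.endswith("." + item)


def host_matches(item: str, host: str, ip: str) -> bool:
    """Host items match the end of the host name; IP items match per octet."""
    if item == "*":
        return True
    m = IP_ITEM.match(item)
    if m:
        pattern = m.group(1).split(".")
        octets = ip.split(".")
        return all(p == "*" or p == o for p, o in zip(pattern, octets))
    item, host = item.lower(), host.lower()
    return host == item or host.endswith("." + item)


def relay_decision(cfg: dict, host: str, ip: str, recipient: str):
    """Return (allowed, reason) for one RCPT TO from an external connecting host."""
    rcpt_domain = recipient.rsplit("@", 1)[-1]
    domain_denied = "Relays to recipient's domain denied in your configuration."
    host_denied = "554 Relay rejected for policy reasons"
    # Deny fields are evaluated first: an entry in Deny always beats Allow.
    if any(domain_matches(d, rcpt_domain) for d in cfg.get("deny_domains", [])):
        return False, domain_denied
    if any(host_matches(h, host, ip) for h in cfg.get("deny_hosts", [])):
        return False, host_denied
    allow_domains = cfg.get("allow_domains", [])
    if allow_domains and not any(domain_matches(d, rcpt_domain) for d in allow_domains):
        return False, domain_denied
    allow_hosts = cfg.get("allow_hosts", [])
    if allow_hosts and not any(host_matches(h, host, ip) for h in allow_hosts):
        return False, host_denied
    return True, "relay accepted"


if __name__ == "__main__":
    # Constructed configuration: relay only to acme.com, never from [203.0.113.*].
    cfg = {"allow_domains": ["acme.com"], "deny_hosts": ["[203.0.113.*]"]}
    print(relay_decision(cfg, "mx.example.net", "198.51.100.7", "user@server.acme.com"))
    print(relay_decision(cfg, "mx.example.net", "203.0.113.9", "user@acme.com"))
    print(relay_decision(cfg, "mx.example.net", "198.51.100.7", "anyone@domain1.com"))
```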


Inbound Relay Enforcement

Perform Anti-Relay enforcement for these connecting hosts:


Field Level Help: Specifies whether inbound relay controls apply to internal as well as external hosts. Choose one.

"External hosts" (default) - The server enforces inbound relay controls only for hosts outside the local Internet domain. Internal hosts can always relay.

"All connecting hosts" - Provides stricter relay enforcement by applying inbound relay controls to internal as well as external hosts.

"None" - Disables inbound relay controls.


Exclude these connecting hosts from anti-relay checks

Field Level Help: Enter the IP addresses or host names of hosts exempt from enforcement of inbound relay controls. Enter an IP address in square brackets: for example [127.0.0.1]. You can use wildcards to represent an entire subnet address, but not to represent values in a range.

For example, [127.*.0.1] is valid. [123.123.12.*.123] is not.


Exceptions for authenticated users:

Field Level Help: Specifies whether authenticated users are exempt from enforcement of the inbound relay controls.

Perform anti-relay checks for authenticated users - The server does not allow exceptions for authenticated users. Authenticated users are subject to the same enforcement as non-authenticated users.

Allow all authenticated users to relay - Users who log in with a valid name and password are exempt from the applicable inbound relay controls. Use this to enable relaying by POP3 or IMAP users who connect to the network from ISP accounts outside the local Internet domain.

Note: When setting the Configuration Settings document to "Allow all authenticated users to relay", the administrator must also change the Server document: on the Mail tab, set Name & password to Yes under Mail SMTP Inbound.

Server Document:



DNS Blacklist Filters:

Field Help: If enabled, the SMTP listener task will perform DNS queries against the blacklist sites configured below for all hosts that are subject to inbound relay control enforcement.

Enabled - When Domino receives an SMTP connection request, it checks whether the connecting host is listed in the blacklist at the specified sites.

Disabled - Domino does not check whether a connecting host is on the blacklist.


Allow connections only from the following SMTP internet hostnames/IP addresses:

Field Help: Allow messages only from these hosts. Items need only match the end of host names (acme.com will match server1.acme.com). IP addresses must be enclosed in square brackets and may include an * as a wildcard for subnet addresses.

Deny connections from the following SMTP internet hostnames/IP addresses:

Field Help: Refuse messages from these hosts. Items need only match the end of host names (acme.com will match server1.acme.com). IP addresses must be enclosed in square brackets and may include an * as a wildcard for subnet addresses.

Error limit before connection is terminated:

Field Help: Terminates the connection when the number of protocol errors returned for the session exceeds this value. For example, possible errors are blacklist rejections or RCPT TO rejections. The error returned is "421 SMTP service is not available. Closing transmission channel."

DNS Whitelist Filters:
When enabled, the SMTP listener task performs DNS queries against the whitelist sites that you define in "DNS Whitelist sites".

Field Help: If enabled, the SMTP listener task will perform DNS queries against the whitelist sites configured below for all hosts that are subject to inbound relay control enforcement.

DNS Whitelist Sites:
Defines the list of DNS whitelist sites against which the SMTP listener task performs DNS queries.

Field Help: Specifies the DNS whitelist sites to check when Domino receives an SMTP connection request.

Desired action when a connecting host is found in a DNS whitelist:
Specifies the action to be taken when a host is found in a DNS whitelist.

Field Help:
Silently skip blacklist filters - Performs no logging.
Log only - Records the host name and IP address of the connecting server found in the whitelist.
Log and tag - Adds the Note item, $DNSWLSITES, to messages accepted from whitelisted hosts.

Private Blacklist Filter:

Field Help: If enabled, the SMTP listener task will determine whether the connecting host has been blacklisted by the administrator. Note: Applies only to hosts subject to inbound relay enforcement.

Blacklist the following hosts:

Field Help: Enter the IP addresses or host names of the systems to blacklist. Enclose IP addresses in square brackets: for example [127.0.0.1]. IP ranges and masks are supported. Wildcards can be used except within ranges.

Desired action when a connecting host is found in the private blacklist:

Field Help:
Log only - Records the host name and IP address of the connecting server and the name of the site where the server was listed.
Log and tag messages - Adds the Note item, $DNSBLSites, to messages accepted from blacklisted hosts.
Log and reject message - Rejects the connection and returns a configurable error message to a blacklisted host.

All actions skip blacklist filters, if enabled.

Custom SMTP error response for rejected messages:

Field Help: Text included in the error response when rejecting messages from blacklisted hosts. The format specifier '%s' can be used to insert the IP address of the connecting host. For example, if you enter the text "Your host %s was blacklisted", when Domino rejects a message from the blacklisted host 127.0.0.1, it returns the error message "Your host 127.0.0.1 was blacklisted".

Private Whitelist Filters:

Field Help: If enabled, the SMTP listener task will perform DNS queries against the whitelist sites configured below for all hosts that are subject to inbound relay control enforcement.


THIS TECHNOTE IS NOT FINISHED. MORE INFORMATION TO FOLLOW.


Related information

Troubleshooting IBM Lotus Domino 8 mail routing issues


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

IBM Domino

SMTP / MIME


Software version:
7.0, 8.0, 8.5


Operating system(s):
AIX, Linux, Solaris, Windows, z/OS


Reference #:
1385199


Modified date:
2012-02-13
