How inbound anti-relay settings control message transfer to external Internet domains
The following description shows the checks that are made before a message is transferred to an external Internet domain.
- The SMTP listener receives a connection request.
- The server performs a reverse DNS lookup, querying DNS to find the host name that matches the connecting host's IP address. If the address resolves to a name in one of the local Internet domains, the host is considered internal. IP addresses that resolve to host names outside the local Internet domains or that do not have DNS entries are considered external.
- The server checks the setting in the field Perform Anti-Relay enforcement for these connecting hosts to determine whether anti-relay controls are enabled, and if so, whether they apply to all hosts or external hosts only. If connections from the sending domain are not subject to inbound relay controls, the server allows relays for this session.
- If the relay controls apply, Domino® next checks whether the host name appears in the field Exclude these connecting hosts from anti-relay checks. If the host name is found, the server allows relays for this session.
- If the relay controls still apply and the connecting host successfully
authenticated with the server, the server checks the field Exceptions
for authenticated users to determine whether authenticated
users are exempt from the inbound relay checks. If authenticated users
are exempt, the server allows relays for this session.Note: A connecting host provides authentication credentials only when Domino requests them. Because Domino closes the session if authentication is not successful, there is no case where Domino needs to determine whether a host that could not authenticate might be allowed to relay.
- The SMTP listener receives RCPT TO commands from the connecting host.
- The server examines each recipient address to see if the message
would be a relay to an external domain. If so, the server checks the
Inbound relay controls to determine:
- Whether the connecting host is allowed to relay
- Whether relays are allowed to the target domain
Matching for domain is performed by looking for the restricted domain name as a trailing substring of the recipient's domain. If you deny the domain spamme.com, you also deny the domain you.spamme.com. Rejected recipients receive a failure status in response to the RCPT commands.